diff --git a/kolla/image/build.py b/kolla/image/build.py
index 3d4fcc27a5..4a6ecd4955 100755
--- a/kolla/image/build.py
+++ b/kolla/image/build.py
@@ -368,8 +368,18 @@ class BuildTask(DockerTask):
 image.status = Status.ERROR
 return
+ # NOTE(mgoddard): Change ownership of files to root:root. This
+ # avoids an issue introduced by the fix for git CVE-2022-24765,
+ # which breaks PBR when the source checkout is not owned by the
+ # user installing it. LP#1969096
+ def reset_userinfo(tarinfo):
+ tarinfo.uid = tarinfo.gid = 0
+ tarinfo.uname = tarinfo.gname = "root"
+ return tarinfo
+
 with tarfile.open(dest_archive, 'w') as tar:
- tar.add(clone_dir, arcname=os.path.basename(clone_dir))
+ tar.add(clone_dir, arcname=os.path.basename(clone_dir),
+ filter=reset_userinfo)
 elif source.get('type') == 'local':
 self.logger.debug("Getting local archive from %s",
diff --git a/releasenotes/notes/git-security-fix-fix-ea56c0071585237d.yaml b/releasenotes/notes/git-security-fix-fix-ea56c0071585237d.yaml
new file mode 100644
index 0000000000..a168f5d619
--- /dev/null
+++ b/releasenotes/notes/git-security-fix-fix-ea56c0071585237d.yaml
@@ -0,0 +1,9 @@
+---
+fixes:
+ - |
+ Fixes an issue building images that use a source with a ``type`` of
+ ``git``, when using a git that includes the fix for `CVE-2022-24765 `__ (2.35.2
+ or later). By default, this includes the ``gnocchi-base`` image, but may
+ include other images with a non-default configuration. `LP#837710 `__
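Review bot: `reset_userinfo` rewrites only the ownership fields of each entry, so `tarinfo.mode` from the local checkout (group/world-write bits, setuid/setgid if any) is carried into `dest_archive` unchanged and, assuming the archive is later extracted as root during the image build, those bits end up on root-owned files; if the intent is a clean root-owned tree, the same filter can normalise permissions too, e.g. `tarinfo.mode &= 0o755`, which keeps the usual 644/755 git modes intact. The filter would also benefit from a one-line docstring stating that intent, such as `"""tarfile filter: stamp every entry root:root so the extracted checkout is owned by the (root) build user and git/PBR accept it."""`. The code comment cites LP#1969096 while the release note cites LP#837710, which looks like a Gerrit change number rather than a bug; one of the two should be corrected so they agree. The enclosing method continues outside the hunk on both sides.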