Impact
git log has the ability to display commits using an arbitrary format with its --format specifiers. This functionality is also exposed to git archive via the export-subst gitattribute.
When processing the padding operators (e.g., %<(, %<|(, %>(, %>>(, or %><( ), an integer overflow can occur in pretty.c::format_and_pad_commit() where a size_t is improperly stored as an int, and then added as an offset to a subsequent memcpy() call.
This overflow can be triggered directly by a user running a command which invokes the commit formatting machinery (e.g., git log --format=...). It may also be triggered indirectly through git archive via the export-subst mechanism, which expands format specifiers inside of files within the repository during a git archive.
This integer overflow can result in arbitrary heap writes, which may result in remote code execution.
Patches
The problem has been patched in the versions published on 2023-01-17, going back to v2.30.7.
Workarounds
The most complete workaround is upgrading to the most recent patched version published.
If doing so is impractical, disable git archive in untrusted repositories. If you expose git archive via git daemon, disable it by running git config --global daemon.uploadArch false. If you do not, avoid running git archive directly on untrusted repositories.
Credit
Credit for finding this vulnerability goes to Joern Schneeweisz of GitLab. An early patch was authored by Markus Vervier of X41 D-Sec. Both of their work was on behalf of the OSTIF. The patches that appear in the releases have further been polished and extended by Patrick Steinhardt of GitLab.
Impact
git loghas the ability to display commits using an arbitrary format with its--formatspecifiers. This functionality is also exposed togit archivevia theexport-substgitattribute.When processing the padding operators (e.g.,
%<(,%<|(,%>(,%>>(, or%><(), an integer overflow can occur inpretty.c::format_and_pad_commit()where asize_tis improperly stored as anint, and then added as an offset to a subsequentmemcpy()call.This overflow can be triggered directly by a user running a command which invokes the commit formatting machinery (e.g.,
git log --format=...). It may also be triggered indirectly throughgit archivevia theexport-substmechanism, which expands format specifiers inside of files within the repository during agit archive.This integer overflow can result in arbitrary heap writes, which may result in remote code execution.
Patches
The problem has been patched in the versions published on 2023-01-17, going back to v2.30.7.
Workarounds
The most complete workaround is upgrading to the most recent patched version published.
If doing so is impractical, disable
git archivein untrusted repositories. If you exposegit archiveviagit daemon, disable it by runninggit config --global daemon.uploadArch false. If you do not, avoid runninggit archivedirectly on untrusted repositories.Credit
Credit for finding this vulnerability goes to Joern Schneeweisz of GitLab. An early patch was authored by Markus Vervier of X41 D-Sec. Both of their work was on behalf of the OSTIF. The patches that appear in the releases have further been polished and extended by Patrick Steinhardt of GitLab.