Impact
git log can display commits in an arbitrary format given by its --format specifiers. The same formatting machinery is also exposed to git archive via the export-subst gitattribute, which expands $Format:...$ placeholders in files carrying that attribute.

When processing the padding operators (e.g., %<(, %<|(, %>(, %>>(, or %><(), an integer overflow can occur in pretty.c::format_and_pad_commit(), where a size_t is improperly stored as an int and then added as an offset to a subsequent memcpy() call.

This overflow can be triggered directly by a user running a command that invokes the commit formatting machinery (e.g., git log --format=...). It can also be triggered indirectly through git archive via the export-subst mechanism, which expands format specifiers inside files within the repository during a git archive. The direct path requires control of the format string; the indirect path requires only that the archived repository's contents be attacker-controlled, which is why untrusted repositories are the practical concern.

This integer overflow can result in arbitrary heap writes, which may result in remote code execution.
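The arithmetic described above, as an added example that is not git's code: a small model of the padding step in which the buffer length (a size_t) is stored in an int before being added to the copy offset, next to the same step done with size_t arithmetic and a bounds check. The enum names, function names and the fixed-size buffer are assumptions of this model; git grows its string buffer on demand, so where this model refuses an oversized request git would instead allocate. No out-of-bounds copy is performed; the vulnerable shape only reports the index the memcpy would target.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Alignment requested by the padding placeholder (names are this model's):
 * PAD_RIGHT  spaces after the text, as with %<(
 * PAD_LEFT   spaces before the text, as with %>(
 * PAD_BOTH   text centred, as with %><(
 * The %<|( and %>>( variants are not modelled. */
enum pad_align { PAD_RIGHT, PAD_LEFT, PAD_BOTH };

/* How far the text is shifted right inside its field. */
static size_t field_offset(enum pad_align a, size_t width, size_t text_len)
{
    size_t pad = width > text_len ? width - text_len : 0;
    switch (a) {
    case PAD_LEFT: return pad;
    case PAD_BOTH: return pad / 2;
    default:       return 0;
    }
}

/* Vulnerable shape (model, not git's code): the buffer length `used`, a
 * size_t, is stored in an int before being added to the copy offset.
 * Returns the index the memcpy would target; a negative value means the
 * write would land in front of the heap block. Nothing is copied. */
long long copy_target_via_int(enum pad_align a, size_t used, size_t text_len,
                              size_t width)
{
    int sb_len = (int)used;  /* truncation: a length of 2^31 or more goes negative */
    int offset = (int)field_offset(a, width, text_len);
    return (long long)sb_len + (long long)offset;
}

/* Fixed shape: every length stays a size_t and the target range is checked
 * against the buffer capacity before any copy. Returns 1 and stores the
 * target index on success, 0 when the request does not fit. */
int copy_target_checked(enum pad_align a, size_t cap, size_t used,
                        size_t text_len, size_t width, size_t *target)
{
    size_t pad = width > text_len ? width - text_len : 0;
    if (used > cap || pad > cap - used || text_len > cap - used - pad)
        return 0;
    *target = used + field_offset(a, width, text_len);
    return 1;
}

/* Appends `text` in a field `width` columns wide using the checked computation,
 * mirroring the original's order of operations: fill the whole field with
 * spaces, then copy the text in at its offset. Returns the new buffer length,
 * or SIZE_MAX if the request was refused. */
size_t pad_append(enum pad_align a, char *buf, size_t cap, size_t used,
                  const char *text, size_t width)
{
    size_t text_len = strlen(text), target, field;
    if (!copy_target_checked(a, cap, used, text_len, width, &target))
        return SIZE_MAX;
    field = width > text_len ? width : text_len;  /* field width in bytes */
    memset(buf + used, ' ', field);
    memcpy(buf + target, text, text_len);
    return used + field;
}

int main(void)
{
    /* Constructed scenario: earlier padded placeholders have already grown the
     * buffer past INT_MAX bytes; the next placeholder is "abc" in a field of 10. */
    size_t used = (size_t)INT_MAX + 1, good = 0;
    long long bad = copy_target_via_int(PAD_LEFT, used, 3, 10);
    int ok = copy_target_checked(PAD_LEFT, used + 64, used, 3, 10, &good);
    printf("int arithmetic targets index %lld (negative: write before the buffer)\n", bad);
    printf("size_t arithmetic: %s, index %zu\n", ok ? "fits" : "refused", good);

    char buf[32];
    size_t n = pad_append(PAD_LEFT, buf, sizeof buf, 0, "abc", 10);
    printf("padded field: [%.*s]\n", (int)n, buf);
    return 0;
}
```

The truncating conversion of a value above INT_MAX to int is implementation-defined in C; on the common ILP32 and LP64 ABIs it wraps modulo 2^32, which is what makes the computed index negative here.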
Patches
The problem has been patched in the versions published on 2023-01-17, going back to v2.30.7.
Workarounds
The most complete workaround is upgrading to the most recent patched version published.

If doing so is impractical, disable git archive in untrusted repositories. If you expose git archive via git daemon, disable it by running git config --global daemon.uploadArch false; git config --get daemon.uploadArch should then print false. If you do not, avoid running git archive directly on untrusted repositories.
Credit
Credit for finding this vulnerability goes to Joern Schneeweisz of GitLab. An early patch was authored by Markus Vervier of X41 D-Sec. Both did this work on behalf of the OSTIF. The patches that appear in the releases have been further polished and extended by Patrick Steinhardt of GitLab.