CVE-2022-41903

NameCVE-2022-41903
DescriptionGit is distributed revision control system. `git log` can display commits in an arbitrary format using its `--format` specifiers. This functionality is also exposed to `git archive` via the `export-subst` gitattribute. When processing the padding operators, there is a integer overflow in `pretty.c::format_and_pad_commit()` where a `size_t` is stored improperly as an `int`, and then added as an offset to a `memcpy()`. This overflow can be triggered directly by a user running a command which invokes the commit formatting machinery (e.g., `git log --format=...`). It may also be triggered indirectly through git archive via the export-subst mechanism, which expands format specifiers inside of files within the repository during a git archive. This integer overflow can result in arbitrary heap writes, which may result in arbitrary code execution. The problem has been patched in the versions published on 2023-01-17, going back to v2.30.7. Users are advised to upgrade. Users who are unable to upgrade should disable `git archive` in untrusted repositories. If you expose git archive via `git daemon`, disable it by running `git config --global daemon.uploadArch false`.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3282-1, DSA-5332-1, ELA-788-1, ELA-803-1
Debian Bugs1029114

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
git (PTS)jessie, jessie (lts)1:2.1.4-2.1+deb8u14fixed
stretch (security)1:2.11.0-3+deb9u7vulnerable
stretch (lts), stretch1:2.11.0-3+deb9u11fixed
buster (security), buster, buster (lts)1:2.20.1-2+deb10u9fixed
bullseye1:2.30.2-1+deb11u2fixed
bullseye (security)1:2.30.2-1+deb11u3fixed
bookworm (security), bookworm1:2.39.5-0+deb12u1fixed
trixie1:2.45.2-1fixed
sid1:2.45.2-1.2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
gitsourcejessie1:2.1.4-2.1+deb8u12ELA-803-1
gitsourcestretch1:2.11.0-3+deb9u9ELA-788-1
gitsourcebuster1:2.20.1-2+deb10u7DLA-3282-1
gitsourcebullseye1:2.30.2-1+deb11u1DSA-5332-1
gitsource(unstable)1:2.39.1-0.11029114

Notes

https://www.openwall.com/lists/oss-security/2023/01/17/4
https://github.com/git/git/commit/a244dc5b0a629290881641467c7a545de7508ab2
https://github.com/git/git/commit/81dc898df9b4b4035534a927f3234a3839b698bf
https://github.com/git/git/commit/b49f309aa16febeddb65e82526640a91bbba3be3
https://github.com/git/git/commit/f6e0b9f38987ad5e47bab551f8760b70689a5905
https://github.com/git/git/commit/1de69c0cdd388b0a5b7bdde0bfa0bda514a354b0
https://github.com/git/git/commit/48050c42c73c28b0c001d63d11dffac7e116847b
https://github.com/git/git/commit/522cc87fdc25449222a5894a428eebf4b8d5eaa9
https://github.com/git/git/commit/17d23e8a3812a5ca3dd6564e74d5250f22e5d76d
https://github.com/git/git/commit/937b71cc8b5b998963a7f9a33312ba3549d55510
https://github.com/git/git/commit/81c2d4c3a5ba0e6ab8c348708441fed170e63a82
https://github.com/git/git/commit/f930a2394303b902e2973f4308f96529f736b8bc
https://github.com/git/git/commit/304a50adff6480ede46b68f7545baab542cbfb46
https://github.com/git/git/files/10430260/X41-OSTIF-Gitlab-Git-Security-Audit-20230117-public.pdf

Search for package or bug name: Reporting problems