| Name | CVE-2022-41903 |
| Description | Git is distributed revision control system. `git log` can display commits in an arbitrary format using its `--format` specifiers. This functionality is also exposed to `git archive` via the `export-subst` gitattribute. When processing the padding operators, there is a integer overflow in `pretty.c::format_and_pad_commit()` where a `size_t` is stored improperly as an `int`, and then added as an offset to a `memcpy()`. This overflow can be triggered directly by a user running a command which invokes the commit formatting machinery (e.g., `git log --format=...`). It may also be triggered indirectly through git archive via the export-subst mechanism, which expands format specifiers inside of files within the repository during a git archive. This integer overflow can result in arbitrary heap writes, which may result in arbitrary code execution. The problem has been patched in the versions published on 2023-01-17, going back to v2.30.7. Users are advised to upgrade. Users who are unable to upgrade should disable `git archive` in untrusted repositories. If you expose git archive via `git daemon`, disable it by running `git config --global daemon.uploadArch false`. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DLA-3282-1, DSA-5332-1, ELA-788-1, ELA-803-1 |
| Debian Bugs | 1029114 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| git (PTS) | jessie, jessie (lts) | 1:2.1.4-2.1+deb8u13 | fixed |
| stretch (security) | 1:2.11.0-3+deb9u7 | vulnerable | |
| stretch (lts), stretch | 1:2.11.0-3+deb9u10 | fixed | |
| buster | 1:2.20.1-2+deb10u3 | vulnerable | |
| buster (security) | 1:2.20.1-2+deb10u8 | fixed | |
| bullseye (security), bullseye | 1:2.30.2-1+deb11u2 | fixed | |
| bookworm | 1:2.39.2-1.1 | fixed | |
| sid, trixie | 1:2.43.0-1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| git | source | jessie | 1:2.1.4-2.1+deb8u12 | ELA-803-1 | ||
| git | source | stretch | 1:2.11.0-3+deb9u9 | ELA-788-1 | ||
| git | source | buster | 1:2.20.1-2+deb10u7 | DLA-3282-1 | ||
| git | source | bullseye | 1:2.30.2-1+deb11u1 | DSA-5332-1 | ||
| git | source | (unstable) | 1:2.39.1-0.1 | 1029114 |
https://www.openwall.com/lists/oss-security/2023/01/17/4
https://github.com/git/git/commit/a244dc5b0a629290881641467c7a545de7508ab2
https://github.com/git/git/commit/81dc898df9b4b4035534a927f3234a3839b698bf
https://github.com/git/git/commit/b49f309aa16febeddb65e82526640a91bbba3be3
https://github.com/git/git/commit/f6e0b9f38987ad5e47bab551f8760b70689a5905
https://github.com/git/git/commit/1de69c0cdd388b0a5b7bdde0bfa0bda514a354b0
https://github.com/git/git/commit/48050c42c73c28b0c001d63d11dffac7e116847b
https://github.com/git/git/commit/522cc87fdc25449222a5894a428eebf4b8d5eaa9
https://github.com/git/git/commit/17d23e8a3812a5ca3dd6564e74d5250f22e5d76d
https://github.com/git/git/commit/937b71cc8b5b998963a7f9a33312ba3549d55510
https://github.com/git/git/commit/81c2d4c3a5ba0e6ab8c348708441fed170e63a82
https://github.com/git/git/commit/f930a2394303b902e2973f4308f96529f736b8bc
https://github.com/git/git/commit/304a50adff6480ede46b68f7545baab542cbfb46
https://github.com/git/git/files/10430260/X41-OSTIF-Gitlab-Git-Security-Audit-20230117-public.pdf