Git up to 6.20170818 pretty.c format_and_pad_commit integer overflow

Summaryinfo

A vulnerability was found in Git and classified as critical. Affected is the function format_and_pad_commit of the file pretty.c. Executing a manipulation can lead to integer overflow. This vulnerability is handled as CVE-2022-41903. The attack can be executed remotely. There is not any exploit available. It is suggested to upgrade the affected component.

Detailsinfo

A vulnerability has been found in Git (Versioning Software) and classified as critical. This vulnerability affects the function format_and_pad_commit of the file pretty.c. The manipulation with an unknown input leads to a integer overflow vulnerability. The CWE definition for the vulnerability is CWE-190. The product performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control. As an impact it is known to affect confidentiality, integrity, and availability. CVE summarizes:

Git is distributed revision control system. `git log` can display commits in an arbitrary format using its `--format` specifiers. This functionality is also exposed to `git archive` via the `export-subst` gitattribute. When processing the padding operators, there is a integer overflow in `pretty.c::format_and_pad_commit()` where a `size_t` is stored improperly as an `int`, and then added as an offset to a `memcpy()`. This overflow can be triggered directly by a user running a command which invokes the commit formatting machinery (e.g., `git log --format=...`). It may also be triggered indirectly through git archive via the export-subst mechanism, which expands format specifiers inside of files within the repository during a git archive. This integer overflow can result in arbitrary heap writes, which may result in arbitrary code execution. The problem has been patched in the versions published on 2023-01-17, going back to v2.30.7. Users are advised to upgrade. Users who are unable to upgrade should disable `git archive` in untrusted repositories. If you expose git archive via `git daemon`, disable it by running `git config --global daemon.uploadArch false`.

The weakness was released 01/18/2023 as GHSA-475x-2q3q-hvwq. The advisory is available at github.com. This vulnerability was named CVE-2022-41903 since 09/30/2022. Technical details are known, but there is no available exploit.

The vulnerability scanner Nessus provides a plugin with the ID 236669 (Alibaba Cloud Linux 3 : 0020: git (ALINUX3-SA-2023:0020)), which helps to determine the existence of the flaw in a target environment.

Upgrading to version 2023-01-17 eliminates this vulnerability. Applying the patch 508386c6c5857b4faa2c3e491f422c98cc69ae76 is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version. A possible mitigation has been published even before and not after the disclosure of the vulnerability.

The vulnerability is also documented in the vulnerability database at Tenable (236669). If you want to get best quality of vulnerability data, you may have to visit VulDB.

Productinfo

Type

• Versioning Software

Name

• Git

Version

• 0.0.20080710
• 0.0.20090320
• 0.1.1
• 0.7.2
• 0.10.3
• 0.22.2
• 0.51.1
• 1
• 1.0.0
• 1.0.0b
• 1.0.1
• 1.0.3
• 1.0.4
• 1.0.5
• 1.0.6
• 1.0.7
• 1.0.8
• 1.1.0
• 1.1.0.0
• 1.1.1
• 1.1.2
• 1.1.3
• 1.1.4
• 1.1.5
• 1.3.0
• 1.3.1
• 1.4.2.2
• 1.5.2.1
• 1.5.5.3
• 1.5.5.4
• 1.5.6.1
• 1.5.6.2
• 1.5.6.3
• 1.6.0.2
• 1.7.0
• 1.8.1.3
• 1.8.2
• 1.9.3
• 1.11.0
• 1.13.0
• 1.13.2
• 1.22.0
• 1.22.1
• 2.0
• 2.0.2
• 2.0.289
• 2.1.1
• 2.1.2
• 2.3.10
• 2.4.9
• 2.4.10
• 2.4.12
• 2.5.0
• 2.5.3
• 2.5.4
• 2.5.5
• 2.5.6
• 2.6.0
• 2.6.1
• 2.6.6
• 2.6.7
• 2.7.4
• 2.7.5
• 2.8.0
• 2.8.0-rc3
• 2.8.4
• 2.8.5
• 2.9.3
• 2.9.4
• 2.10.2
• 2.10.3
• 2.10.5
• 2.11.1
• 2.11.2
• 2.11.3
• 2.11.4
• 2.12.0
• 2.12.2
• 2.12.3
• 2.12.4
• 2.12.5
• 2.13.2
• 2.13.5
• 2.13.6
• 2.13.7
• 2.14.1
• 2.14.2
• 2.14.3
• 2.14.4
• 2.14.5
• 2.14.6
• 2.15.1
• 2.15.2
• 2.15.3
• 2.15.4
• 2.16.3
• 2.16.4
• 2.16.5
• 2.16.6
• 2.17.0
• 2.17.1
• 2.17.2
• 2.17.3
• 2.17.4
• 2.18.0
• 2.18.1
• 2.18.2
• 2.18.3
• 2.19.0
• 2.19.1
• 2.19.2
• 2.19.3
• 2.19.4
• 2.20.1
• 2.20.2
• 2.20.3
• 2.21.0
• 2.21.1
• 2.21.2
• 2.22.1
• 2.22.2
• 2.22.3
• 2.23.0
• 2.23.1
• 2.23.2
• 2.24.0
• 2.24.1
• 2.24.2
• 2.25.2
• 2.25.3
• 2.26.0
• 2.26.1
• 2.30.1
• 2.30.5
• 2.30.6
• 2.30.8
• 2.30.9
• 2.31.1-2
• 2.31.3
• 2.31.4
• 2.31.5
• 2.31.6
• 2.31.7
• 2.31.8
• 2.32.2
• 2.32.3
• 2.32.4
• 2.32.5
• 2.32.6
• 2.32.7
• 2.33.3
• 2.33.4
• 2.33.5
• 2.33.6
• 2.33.7
• 2.33.8
• 2.34.3
• 2.34.4
• 2.34.5
• 2.34.6
• 2.34.7
• 2.34.8
• 2.35.3
• 2.35.4
• 2.35.5
• 2.35.6
• 2.35.7
• 2.35.8
• 2.36.1
• 2.36.2
• 2.36.3
• 2.36.4
• 2.36.5
• 2.36.6
• 2.37.0
• 2.37.1
• 2.37.3
• 2.37.4
• 2.37.5
• 2.37.6
• 2.37.7
• 2.38.3
• 2.38.4
• 2.38.5
• 2.39.1
• 2.39.2
• 2.39.3
• 2.40.0
• 2.40.1
• 2.40.4
• 2.41.2
• 2.41.3
• 2.42.3
• 2.42.4
• 2.43.5
• 2.43.6
• 2.44.2
• 2.44.3
• 2.45.2
• 2.45.3
• 2.46.2
• 2.46.3
• 2.47.0
• 2.47.1
• 2.48.0
• 2.48.1
• 3.0.0
• 3.0.8
• 3.1.3
• 3.3.0
• 3.5.0
• 3.6.1
• 3.15.0
• 3.16.0
• 4.0.3
• 5.11.0
• 5.13.0
• 6.5.0
• 6.20170818

License

• open-source

Website

• Product: https://github.com/git/git/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Discussion