CVE-2022-41903
Published: 17 January 2023
Git is distributed revision control system. `git log` can display commits in an arbitrary format using its `--format` specifiers. This functionality is also exposed to `git archive` via the `export-subst` gitattribute. When processing the padding operators, there is a integer overflow in `pretty.c::format_and_pad_commit()` where a `size_t` is stored improperly as an `int`, and then added as an offset to a `memcpy()`. This overflow can be triggered directly by a user running a command which invokes the commit formatting machinery (e.g., `git log --format=...`). It may also be triggered indirectly through git archive via the export-subst mechanism, which expands format specifiers inside of files within the repository during a git archive. This integer overflow can result in arbitrary heap writes, which may result in arbitrary code execution. The problem has been patched in the versions published on 2023-01-17, going back to v2.30.7. Users are advised to upgrade. Users who are unable to upgrade should disable `git archive` in untrusted repositories. If you expose git archive via `git daemon`, disable it by running `git config --global daemon.uploadArch false`.
Priority
Status
Package | Release | Status |
---|---|---|
git Launchpad, Ubuntu, Debian |
trusty |
Released
(1:1.9.1-1ubuntu0.10+esm1)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only) |
jammy |
Released
(1:2.34.1-1ubuntu1.6)
|
|
kinetic |
Released
(1:2.37.2-1ubuntu1.2)
|
|
upstream |
Needs triage
|
|
bionic |
Released
(1:2.17.1-1ubuntu0.15)
|
|
focal |
Released
(1:2.25.1-1ubuntu3.8)
|
|
xenial |
Released
(1:2.7.4-0ubuntu1.10+esm4)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only) |
|
lunar |
Released
(1:2.39.1-0.1ubuntu1)
|
Severity score breakdown
Parameter | Value |
---|---|
Base score | 9.8 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | High |
Availability impact | High |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41903
- https://ubuntu.com/security/notices/USN-5810-1
- https://ubuntu.com/security/notices/USN-5810-2
- https://github.com/git/git/security/advisories/GHSA-475x-2q3q-hvwq
- https://ubuntu.com/security/notices/USN-5810-3
- https://ubuntu.com/security/notices/USN-5810-4
- NVD
- Launchpad
- Debian