Описание
Git is distributed revision control system. `git log` can display commits in an arbitrary format using its `--format` specifiers. This functionality is also exposed to `git archive` via the `export-subst` gitattribute. When processing the padding operators, there is a integer overflow in `pretty.c::format_and_pad_commit()` where a `size_t` is stored improperly as an `int`, and then added as an offset to a `memcpy()`. This overflow can be triggered directly by a user running a command which invokes the commit formatting machinery (e.g., `git log --format=...`). It may also be triggered indirectly through git archive via the export-subst mechanism, which expands format specifiers inside of files within the repository during a git archive. This integer overflow can result in arbitrary heap writes, which may result in arbitrary code execution. The problem has been patched in the versions published on 2023-01-17, going back to v2.30.7. Users are advised to upgrade. Users who are unable to upgrade should disable `git archive` in untrusted repositories. If you expose git archive via `git daemon`, disable it by running `git config --global daemon.uploadArch false`.
Пакеты
| Пакет | Статус | Версия исправления | Релиз | Тип |
|---|---|---|---|---|
| git | fixed | 1:2.39.1-0.1 | package |
Примечания
https://www.openwall.com/lists/oss-security/2023/01/17/4
https://github.com/git/git/commit/a244dc5b0a629290881641467c7a545de7508ab2
https://github.com/git/git/commit/81dc898df9b4b4035534a927f3234a3839b698bf
https://github.com/git/git/commit/b49f309aa16febeddb65e82526640a91bbba3be3
https://github.com/git/git/commit/f6e0b9f38987ad5e47bab551f8760b70689a5905
https://github.com/git/git/commit/1de69c0cdd388b0a5b7bdde0bfa0bda514a354b0
https://github.com/git/git/commit/48050c42c73c28b0c001d63d11dffac7e116847b
https://github.com/git/git/commit/522cc87fdc25449222a5894a428eebf4b8d5eaa9
https://github.com/git/git/commit/17d23e8a3812a5ca3dd6564e74d5250f22e5d76d
https://github.com/git/git/commit/937b71cc8b5b998963a7f9a33312ba3549d55510
https://github.com/git/git/commit/81c2d4c3a5ba0e6ab8c348708441fed170e63a82
https://github.com/git/git/commit/f930a2394303b902e2973f4308f96529f736b8bc
https://github.com/git/git/commit/304a50adff6480ede46b68f7545baab542cbfb46
https://github.com/git/git/files/10430260/X41-OSTIF-Gitlab-Git-Security-Audit-20230117-public.pdf
EPSS
Связанные уязвимости
Git is distributed revision control system. `git log` can display commits in an arbitrary format using its `--format` specifiers. This functionality is also exposed to `git archive` via the `export-subst` gitattribute. When processing the padding operators, there is a integer overflow in `pretty.c::format_and_pad_commit()` where a `size_t` is stored improperly as an `int`, and then added as an offset to a `memcpy()`. This overflow can be triggered directly by a user running a command which invokes the commit formatting machinery (e.g., `git log --format=...`). It may also be triggered indirectly through git archive via the export-subst mechanism, which expands format specifiers inside of files within the repository during a git archive. This integer overflow can result in arbitrary heap writes, which may result in arbitrary code execution. The problem has been patched in the versions published on 2023-01-17, going back to v2.30.7. Users are advised to upgrade. Users who are unable t...
Git is distributed revision control system. `git log` can display commits in an arbitrary format using its `--format` specifiers. This functionality is also exposed to `git archive` via the `export-subst` gitattribute. When processing the padding operators, there is a integer overflow in `pretty.c::format_and_pad_commit()` where a `size_t` is stored improperly as an `int`, and then added as an offset to a `memcpy()`. This overflow can be triggered directly by a user running a command which invokes the commit formatting machinery (e.g., `git log --format=...`). It may also be triggered indirectly through git archive via the export-subst mechanism, which expands format specifiers inside of files within the repository during a git archive. This integer overflow can result in arbitrary heap writes, which may result in arbitrary code execution. The problem has been patched in the versions published on 2023-01-17, going back to v2.30.7. Users are advised to upgrade. Users who are unable t...
Git is distributed revision control system. `git log` can display commits in an arbitrary format using its `--format` specifiers. This functionality is also exposed to `git archive` via the `export-subst` gitattribute. When processing the padding operators, there is a integer overflow in `pretty.c::format_and_pad_commit()` where a `size_t` is stored improperly as an `int`, and then added as an offset to a `memcpy()`. This overflow can be triggered directly by a user running a command which invokes the commit formatting machinery (e.g., `git log --format=...`). It may also be triggered indirectly through git archive via the export-subst mechanism, which expands format specifiers inside of files within the repository during a git archive. This integer overflow can result in arbitrary heap writes, which may result in arbitrary code execution. The problem has been patched in the versions published on 2023-01-17, going back to v2.30.7. Users are advised to upgrade. Users who are unable to u
Уязвимость функции pretty.c::format_and_pad_commit() механизма форматирования коммитов распределенной системы контроля версий Git, позволяющая нарушителю выполнить произвольный код
EPSS