FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

git -- Heap overflow in `git archive`, `git log --format` leading to RCE

Affected packages
git < 2.39.1


VuXML ID 2fcca7e4-b1d7-11ed-b0f4-002590f2a714
Discovery 2023-01-17
Entry 2023-02-21

The git team reports:

git log has the ability to display commits using an arbitrary format with its --format specifiers. This functionality is also exposed to git archive via the export-subst gitattribute.

When processing the padding operators (e.g., %<(, %<|(, %>(, %>>(, or %><( ), an integer overflow can occur in pretty.c::format_and_pad_commit() where a size_t is improperly stored as an int, and then added as an offset to a subsequent memcpy() call.

This overflow can be triggered directly by a user running a command which invokes the commit formatting machinery (e.g., git log --format=...). It may also be triggered indirectly through git archive via the export-subst mechanism, which expands format specifiers inside of files within the repository during a git archive.

This integer overflow can result in arbitrary heap writes, which may result in remote code execution.


CVE Name CVE-2022-41903