A vulnerability (CVE-2022-41903) has been disclosed in Git, the widely used distributed revision control system. It can result in arbitrary heap writes and potentially in arbitrary code execution. The root cause is an integer overflow in the pretty.c::format_and_pad_commit() function, in the handling of padding operators in the --format specifiers accepted by the git log and git archive commands.

Code Snippet

The vulnerability is in the pretty.c::format_and_pad_commit() function, where a size_t value is improperly stored as an int and later added as an offset to a memcpy() call. The condensed excerpt below shows the relevant lines:

static void format_and_pad_commit(struct strbuf *sb, /* in UTF-8 */
                                  const char *placeholder,
                                  struct format_commit_context *context)
{
    ...
    struct chunk buf; /* in reencoded form */
    /* padding width taken from the format placeholder, parsed with atoi()
     * and subsequently handled as an int (the source of the overflow) */
    size_t padding = atoi(placeholder + 1);
    ...
    n = utf8_strnwidth(buf.buffer, -1, 1);
    if (n > padding) {
        advance = buf.len;
    } else {
        /* width arithmetic that wraps for a large padding value */
        advance = n + padding - s;
        /* the copy whose destination offset is derived from that value */
        memcpy(sb->buf + sb->len, buf.buffer, buf.len);
    }
    ...
}

Exploit Details

An attacker can trigger this integer overflow directly by running a command that invokes the commit formatting machinery, for example by passing a crafted --format value to git log.

The vulnerability can also be triggered indirectly through the git archive command via the export-subst gitattribute, which causes format specifiers inside marked files in the repository to be expanded while the archive is being created.

The issue was first reported and corrected in the following commits and mailing list discussions:

- Patch 1/2: pretty.c: Correct integer overflow in format_and_pad_commit
- Patch 2/2: pretty, archive: Limit padding width to 1M bytes
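As an added illustration of the two fixes listed above (this is example code, not Git's own): a width parser that enforces a 1M-byte cap in the spirit of patch 2/2, and a padding routine that keeps every offset in size_t and bounds-checks it before the copy, which is the class of defect patch 1/2 addresses. The names MAX_PADDING_WIDTH, parse_padding_width and pad_left_aligned are ours; `spec` is assumed to hold only the digits of the width (Git's placeholders look like `%<(N)`).

```c
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Cap on a padding width, mirroring the 1M-byte limit described above.
 * The value comes from the advisory; the macro name is ours. */
#define MAX_PADDING_WIDTH (1024 * 1024)

/* Parse the decimal width N of a padding placeholder. `spec` points at the
 * digits only (assumption). Returns 0 and stores the width on success, -1
 * for an empty, negative, non-numeric, trailing-junk or oversized width.
 * strtoul plus an explicit cap avoids atoi's undefined behaviour on
 * overflow and keeps the width from ever being narrowed into an int. */
int parse_padding_width(const char *spec, size_t *width)
{
    char *end;
    unsigned long val;

    if (!spec || *spec < '0' || *spec > '9')
        return -1;                 /* rejects "", "-5", "+5", "abc" */
    errno = 0;
    val = strtoul(spec, &end, 10);
    if (errno == ERANGE || *end != '\0' || val > MAX_PADDING_WIDTH)
        return -1;                 /* numeric overflow, junk, or above cap */
    *width = (size_t)val;
    return 0;
}

/* Left-align `text` in a field of `width` columns, writing into `out`
 * (capacity `cap`). All arithmetic is size_t and the final offset is
 * checked against `cap` before memcpy/memset touch the buffer.
 * Returns bytes written (excluding the NUL), or (size_t)-1 if the padded
 * result would not fit. Text wider than the field is not truncated. */
size_t pad_left_aligned(char *out, size_t cap, const char *text, size_t width)
{
    size_t len = strlen(text);
    size_t total = len > width ? len : width;   /* max of two sizes: no wrap */

    if (cap == 0 || total > cap - 1)            /* room for content plus NUL */
        return (size_t)-1;
    memcpy(out, text, len);
    memset(out + len, ' ', total - len);        /* total >= len: no underflow */
    out[total] = '\0';
    return total;
}
```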

Mitigation and Fixes

Fixed versions of Git were published on 2023-01-17, starting with v2.30.7. Users are strongly encouraged to upgrade to one of these patched versions.

For users who are unable to upgrade, disabling git archive in untrusted repositories is recommended as a temporary workaround. If you expose git archive via git daemon, you can disable it with the following command:

git config --global daemon.uploadArch false

Note that disabling git archive does not cover every way the bug can be reached (the direct git log path described above remains), so it may not mitigate all risk. Upgrading to a patched Git version remains the best course of action to protect your systems.

Timeline

Published on: 01/17/2023 23:15:00 UTC
Last modified on: 01/25/2023 14:32:00 UTC