| 1 | +Git v2.30.7 Release Notes |
| 2 | +========================= |
| 3 | + |
| 4 | +This release addresses the security issues CVE-2022-41903 and |
| 5 | +CVE-2022-23521. |
| 6 | + |
| 7 | + |
| 8 | +Fixes since v2.30.6 |
| 9 | +------------------- |
| 10 | + |
| 11 | + * CVE-2022-41903: |
| 12 | + |
| 13 | + git log has the ability to display commits using an arbitrary |
| 14 | + format with its --format specifiers. This functionality is also |
| 15 | + exposed to git archive via the export-subst gitattribute. |
| 16 | + |
| 17 | + When processing the padding operators (e.g., %<(, %<|(, %>(, |
| 18 | + %>>(, or %><( ), an integer overflow can occur in |
| 19 | + pretty.c::format_and_pad_commit() where a size_t is improperly |
| 20 | + stored as an int, and then added as an offset to a subsequent |
| 21 | + memcpy() call. |
| 22 | + |
| 23 | + This overflow can be triggered directly by a user running a |
| 24 | + command which invokes the commit formatting machinery (e.g., git |
| 25 | + log --format=...). It may also be triggered indirectly through |
| 26 | + git archive via the export-subst mechanism, which expands format |
| 27 | + specifiers inside of files within the repository during a git |
| 28 | + archive. |
| 29 | + |
| 30 | + This integer overflow can result in arbitrary heap writes, which |
| 31 | + may result in remote code execution. |
| 32 | + |
| 33 | +* CVE-2022-23521: |
| 34 | + |
| 35 | + gitattributes are a mechanism to allow defining attributes for |
| 36 | + paths. These attributes can be defined by adding a `.gitattributes` |
| 37 | + file to the repository, which contains a set of file patterns and |
| 38 | + the attributes that should be set for paths matching this pattern. |
| 39 | + |
| 40 | + When parsing gitattributes, multiple integer overflows can occur |
| 41 | + when there is a huge number of path patterns, a huge number of |
| 42 | + attributes for a single pattern, or when the declared attribute |
| 43 | + names are huge. |
| 44 | + |
| 45 | + These overflows can be triggered via a crafted `.gitattributes` file |
| 46 | + that may be part of the commit history. Git silently splits lines |
| 47 | + longer than 2KB when parsing gitattributes from a file, but not when |
| 48 | + parsing them from the index. Consequentially, the failure mode |
| 49 | + depends on whether the file exists in the working tree, the index or |
| 50 | + both. |
| 51 | + |
| 52 | + This integer overflow can result in arbitrary heap reads and writes, |
| 53 | + which may result in remote code execution. |
| 54 | + |
| 55 | +Credit for finding CVE-2022-41903 goes to Joern Schneeweisz of GitLab. |
| 56 | +An initial fix was authored by Markus Vervier of X41 D-Sec. Credit for |
| 57 | +finding CVE-2022-23521 goes to Markus Vervier and Eric Sesterhenn of X41 |
| 58 | +D-Sec. This work was sponsored by OSTIF. |
| 59 | + |
| 60 | +The proposed fixes have been polished and extended to cover additional |
| 61 | +findings by Patrick Steinhardt of GitLab, with help from others on the |
| 62 | +Git security mailing list. |
| 63 | + |
| 64 | +Patrick Steinhardt (21): |
| 65 | + attr: fix overflow when upserting attribute with overly long name |
| 66 | + attr: fix out-of-bounds read with huge attribute names |
| 67 | + attr: fix integer overflow when parsing huge attribute names |
| 68 | + attr: fix out-of-bounds write when parsing huge number of attributes |
| 69 | + attr: fix out-of-bounds read with unreasonable amount of patterns |
| 70 | + attr: fix integer overflow with more than INT_MAX macros |
| 71 | + attr: harden allocation against integer overflows |
| 72 | + attr: fix silently splitting up lines longer than 2048 bytes |
| 73 | + attr: ignore attribute lines exceeding 2048 bytes |
| 74 | + attr: ignore overly large gitattributes files |
| 75 | + pretty: fix out-of-bounds write caused by integer overflow |
| 76 | + pretty: fix out-of-bounds read when left-flushing with stealing |
| 77 | + pretty: fix out-of-bounds read when parsing invalid padding format |
| 78 | + pretty: fix adding linefeed when placeholder is not expanded |
| 79 | + pretty: fix integer overflow in wrapping format |
| 80 | + utf8: fix truncated string lengths in `utf8_strnwidth()` |
| 81 | + utf8: fix returning negative string width |
| 82 | + utf8: fix overflow when returning string width |
| 83 | + utf8: fix checking for glyph width in `strbuf_utf8_replace()` |
| 84 | + utf8: refactor `strbuf_utf8_replace` to not rely on preallocated buffer |
| 85 | + pretty: restrict input lengths for padding and wrapping formats |
| 86 | + |
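Review bot: the two CVE bullets in the new release notes are indented inconsistently: the first reads ` * CVE-2022-41903:` with a leading space, while the second reads `* CVE-2022-23521:` flush left, so the rendered list is misaligned; indent the second bullet to match the first (or drop the leading space from the first). Two smaller nits in the same file: "Consequentially, the failure mode" should read "Consequently, the failure mode", and the break before the "Fixes since v2.30.6" heading uses two blank lines where the rest of the file uses one.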