Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 891221 (CVE-2022-23521, CVE-2022-41903) - <dev-vcs/git-{2.37.5, 2.38.3, 2.39.1}: multiple vulnerabilities
Summary: <dev-vcs/git-{2.37.5, 2.38.3, 2.39.1}: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2022-23521, CVE-2022-41903
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major
Assignee: Gentoo Security
URL: https://www.openwall.com/lists/oss-se...
Whiteboard: A2 [glsa+]
Keywords:
Depends on: 891233
Blocks:
  Show dependency tree
 
Reported: 2023-01-17 18:15 UTC by John Helmert III
Modified: 2023-12-27 07:51 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-01-17 18:15:52 UTC
 "* CVE-2022-41903:

   git log has the ability to display commits using an arbitrary
   format with its --format specifiers. This functionality is also
   exposed to git archive via the export-subst gitattribute.

   When processing the padding operators (e.g., %<(, %<|(, %>(,
   %>>(, or %><( ), an integer overflow can occur in
   pretty.c::format_and_pad_commit() where a size_t is improperly
   stored as an int, and then added as an offset to a subsequent
   memcpy() call.

   This overflow can be triggered directly by a user running a
   command which invokes the commit formatting machinery (e.g., git
   log --format=...). It may also be triggered indirectly through
   git archive via the export-subst mechanism, which expands format
   specifiers inside of files within the repository during a git
   archive.

   This integer overflow can result in arbitrary heap writes, which
   may result in remote code execution.

* CVE-2022-23521:

    gitattributes are a mechanism to allow defining attributes for
    paths. These attributes can be defined by adding a `.gitattributes`
    file to the repository, which contains a set of file patterns and
    the attributes that should be set for paths matching this pattern.

    When parsing gitattributes, multiple integer overflows can occur
    when there is a huge number of path patterns, a huge number of
    attributes for a single pattern, or when the declared attribute
    names are huge.

    These overflows can be triggered via a crafted `.gitattributes` file
    that may be part of the commit history. Git silently splits lines
    longer than 2KB when parsing gitattributes from a file, but not when
    parsing them from the index. Consequentially, the failure mode
    depends on whether the file exists in the working tree, the index or
    both.

    This integer overflow can result in arbitrary heap reads and writes,
    which may result in remote code execution."

Please bump to 2.37.5, 2.38.3, 2.39.1 ASAP.
Comment 1 Larry the Git Cow gentoo-dev 2023-01-17 20:04:54 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=319f9abf98ba637da6fce506d2b573ca0298c8a2

commit 319f9abf98ba637da6fce506d2b573ca0298c8a2
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-01-17 20:02:19 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-01-17 20:02:27 +0000

    dev-vcs/git: add 2.39.1
    
    Bug: https://bugs.gentoo.org/891221
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-vcs/git/git-2.39.1.ebuild | 657 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 657 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9b71905322357112dcf7daeae4480976131cbcf2

commit 9b71905322357112dcf7daeae4480976131cbcf2
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-01-17 19:56:47 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-01-17 20:02:27 +0000

    dev-vcs/git: add 2.38.3
    
    Bug: https://bugs.gentoo.org/891221
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-vcs/git/git-2.38.3.ebuild | 657 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 657 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e0407b793c147e2d43435d17a49a8cdb8d628e9a

commit e0407b793c147e2d43435d17a49a8cdb8d628e9a
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-01-17 19:51:04 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-01-17 20:02:27 +0000

    dev-vcs/git: add 2.37.5
    
    Bug: https://bugs.gentoo.org/891221
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-vcs/git/Manifest          |   9 +
 dev-vcs/git/git-2.37.5.ebuild | 647 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 656 insertions(+)
Comment 2 Larry the Git Cow gentoo-dev 2023-12-27 07:49:49 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=2c2ec5453e20060d4ec1717825d2874f0e663f91

commit 2c2ec5453e20060d4ec1717825d2874f0e663f91
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-12-27 07:49:08 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2023-12-27 07:49:42 +0000

    [ GLSA 202312-15 ] Git: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/838127
    Bug: https://bugs.gentoo.org/857831
    Bug: https://bugs.gentoo.org/877565
    Bug: https://bugs.gentoo.org/891221
    Bug: https://bugs.gentoo.org/894472
    Bug: https://bugs.gentoo.org/905088
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202312-15.xml | 57 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 57 insertions(+)