Git is the backbone of collaborative software development—a distributed revision control system used worldwide. In December 2022, a serious vulnerability was discovered: CVE-2022-41903. This bug lurks in how Git handles commit formatting, specifically affecting both git log and git archive commands.

If exploited, attackers could run arbitrary code on your system by tricking Git’s formatting mechanism. In plain language—using a rogue repository or a tricky command, someone could take over your machine in certain scenarios.

This article explains the bug, the exploitation path, and how to protect yourself, with references and code samples, for both beginners and power users.

Git supports custom log formatting. For example:

```shell
git log --format="%an %ad"
```

Behind the scenes, Git processes each format specifier. The issue lies in handling padding operators (like specifying output width). The function responsible is format_and_pad_commit() in the pretty.c file.

What went wrong?

The function took the size_t length produced by strbuf_expand() and stored it in an int, which is a narrower type on most platforms.

- If the length is large enough (an attacker can craft it through the commit message), the value wraps around (integer overflow).
- The wrapped value is then used as an offset in memcpy(), so the copy writes outside the intended buffer (heap buffer overflow).

Vulnerable Code Snippet (Simplified)

```c
size_t len = strbuf_expand(...);   /* simplified: the length of the expanded placeholder, as a size_t */
int pad = len;                     /* narrowing: a large len wraps to a negative int */

memcpy(destination + pad, ...);    /* pad is used as an offset, so the copy lands outside the buffer */
```

*If len is maliciously large and becomes a negative int, the copy can write to memory far outside the intended buffer.*
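The narrowing above is easy to reproduce on its own. The following C program is an added example for this article, not Git's code: `narrow_len_to_int()` shows what happens when a size_t length is stored in an int, and `pad_checked()` is a hypothetical padding step that keeps every length in size_t and refuses any request that does not fit its destination, which is the shape of the fix (the function names, the 16-byte buffer and the sample length are all constructed for the example).

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example (not Git's code): the narrowing that the article describes,
 * and a padding step that keeps every length in size_t and checks its bounds. */

/* The vulnerable pattern: a size_t length is stored in an int. For len >= 2^31
 * with a 32-bit int, the conversion wraps to a negative value on the usual
 * two's-complement ABIs (the C standard calls it implementation-defined).
 * Used as an offset in memcpy(), a negative pad points before the buffer. */
int narrow_len_to_int(size_t len)
{
    int pad = (int)len;
    return pad;
}

/* Checked version. Pads src on the left to `width` columns into dst, which
 * holds dst_cap bytes. All arithmetic stays in size_t and anything that does
 * not fit (including a width chosen to overflow an int) is refused.
 * Returns the number of characters written, or 0 if the request was rejected. */
size_t pad_checked(char *dst, size_t dst_cap, const char *src, size_t width)
{
    size_t len = strlen(src);
    size_t total = len > width ? len : width;   /* padded length, never below len */

    if (dst_cap == 0 || total > dst_cap - 1)   /* leave room for the NUL; no wraparound */
        return 0;

    size_t fill = total - len;                 /* 0 when src already fills the width */
    memset(dst, ' ', fill);
    memcpy(dst + fill, src, len);
    dst[total] = '\0';
    return total;
}

/* Convenience wrapper with a fixed 16-byte destination (constructed for the
 * example), so the check can be exercised without managing a buffer.
 * Returns NULL when the request was rejected. */
const char *pad_into_static(const char *src, size_t width)
{
    static char buf[16];
    return pad_checked(buf, sizeof buf, src, width) ? buf : NULL;
}

int main(void)
{
    size_t big = (size_t)0xFFFFFFFFu;   /* constructed: a length that does not fit an int */
    printf("size_t %zu narrowed to int: %d\n", big, narrow_len_to_int(big));

    const char *ok = pad_into_static("abc", 8);
    printf("pad to 8: \"%s\"\n", ok ? ok : "(rejected)");

    const char *rejected = pad_into_static("abc", big);
    printf("pad to %zu: %s\n", big, rejected ? rejected : "(rejected)");
    return 0;
}
```

The first printf shows the wrapped value that an int-based offset would carry into memcpy(); the third shows the same oversized width being rejected before any copy happens, which is the behaviour the patched code has to guarantee.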

1. Direct Trigger: git log

A user can directly trigger this by running

```shell
git log --format="%99999999C"
```

(The format string overflows the padding calculation.)

2. Indirect Trigger: The “export-subst” Mechanism

Git exposes these same formatting routines in git archive. With the export-subst gitattribute, you can instruct Git to expand certain placeholders in files at archive/pack time.

This means that simply cloning a malicious repository and running git archive on it, or receiving an archive from a remote, can trigger the bug.

- The repository has a .gitattributes file with

  ```
  *.txt export-subst
  ```

- README.txt contains a string like

  ```
  Some info: $Format:%99999999C$
  ```

When someone runs git archive, Git expands this placeholder and the malicious format reaches the vulnerable padding code.
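Before packaging a repository you do not control, it is worth seeing what export-subst would expand. The scanner below is an added example written for this article, not Git's code: it walks text the way git archive would for a path marked export-subst, pulls out each `$Format:...$` placeholder, and counts those whose padding or width argument is implausibly large. `MAX_SANE_WIDTH`, the function names and the sample README are all assumptions made for the example; the placeholder forms it recognises (`%<(N)`, `%>(N)`, `%><(N)`, `%<|(N)`, `%>|(N)`) are Git's documented alignment placeholders, plus the bare `%N...` shape used in the article.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not part of Git: count $Format:...$ placeholders whose
 * padding or width argument is implausibly large. MAX_SANE_WIDTH is an
 * assumption for this audit, not a value from the article or from Git. */
#define MAX_SANE_WIDTH 1000UL

/* Constructed sample of a README.txt as it might sit in a repository. Two of
 * the four placeholders carry an oversized width and should be flagged. */
static const char SAMPLE_README[] =
    "Version: $Format:%H$\n"                 /* plain commit hash: fine */
    "Author:  $Format:%<(20)%an$\n"          /* padded to 20 columns: fine */
    "Some info: $Format:%99999999C$\n"       /* the article's example */
    "Subject: $Format:%<(99999999)%s$\n";    /* alignment with an absurd width */

/* p points just after a '%'. Recognises Git's alignment placeholders
 * %<(N), %>(N), %><(N), %<|(N), %>|(N) and a bare %N..., and returns N.
 * A number too large for unsigned long saturates to ULONG_MAX via strtoul,
 * which still counts as "too large" here. */
static bool parse_width(const char *p, unsigned long *width)
{
    if (*p == '<' || *p == '>') {
        p++;
        if (*p == '<' || *p == '|')
            p++;
        if (*p != '(')
            return false;
        p++;
    }
    if (!isdigit((unsigned char)*p))
        return false;
    *width = strtoul(p, NULL, 10);
    return true;
}

/* Returns how many $Format:...$ placeholders in text contain a width above
 * MAX_SANE_WIDTH. A "$Format:" with no closing '$' is not a placeholder
 * (Git leaves such text untouched), so it is skipped. */
size_t count_suspicious_formats(const char *text)
{
    size_t suspicious = 0;
    const char *p = text;

    while ((p = strstr(p, "$Format:")) != NULL) {
        const char *body = p + strlen("$Format:");
        const char *close = strchr(body, '$');
        if (close == NULL)
            break;
        for (const char *q = body; q < close; q++) {
            unsigned long width;
            if (*q == '%' && parse_width(q + 1, &width) && width > MAX_SANE_WIDTH) {
                suspicious++;      /* count each placeholder once */
                break;
            }
        }
        p = close + 1;
    }
    return suspicious;
}

/* Reads a whole file into a NUL-terminated heap buffer; NULL on failure. */
static char *slurp(const char *path)
{
    FILE *f = fopen(path, "rb");
    if (!f) return NULL;
    char *buf = NULL;
    size_t len = 0, cap = 0, n;
    char chunk[4096];
    while ((n = fread(chunk, 1, sizeof chunk, f)) > 0) {
        if (len + n + 1 > cap) {
            cap = (len + n + 1) * 2;
            char *grown = realloc(buf, cap);
            if (!grown) { free(buf); fclose(f); return NULL; }
            buf = grown;
        }
        memcpy(buf + len, chunk, n);
        len += n;
    }
    fclose(f);
    if (!buf) return calloc(1, 1);   /* empty file */
    buf[len] = '\0';
    return buf;
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        printf("built-in sample: %zu suspicious placeholder(s)\n",
               count_suspicious_formats(SAMPLE_README));
        return 0;
    }
    for (int i = 1; i < argc; i++) {
        char *text = slurp(argv[i]);
        if (!text) { perror(argv[i]); continue; }
        printf("%s: %zu suspicious placeholder(s)\n", argv[i], count_suspicious_formats(text));
        free(text);
    }
    return 0;
}
```

Run it with no arguments to scan the built-in sample, or pass the paths that match an export-subst pattern in .gitattributes. A non-zero count is a reason to inspect the file before running git archive on an unpatched Git.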

3. Real-World Impact

Because git archive is sometimes exposed over the network through git daemon, and CI systems often run git log in scripts, this can turn into remote code execution if an attacker can introduce commits or push repositories.

Fixed Versions and Mitigations

Patched: 2.30.7, 2.31.6, 2.32.5, 2.33.6, 2.34.6, 2.35.6, 2.36.4, 2.37.5, 2.38.3, 2.39.1 and later (released Jan 17, 2023).

Upgrade Now

Update Git as soon as possible:

```shell
git --version
# If the version is below 2.30.7 (or below the patched release of its series listed above), upgrade!

# If you serve repositories with git daemon, disable archive requests until every server is patched
git config --global daemon.uploadArch false
```

**Never run git log or git archive on untrusted repositories.**

---

## References and Further Reading

- Git Security Release Notes: CVE-2022-41903
- Original Patch
- CVE Details
- GitHub Advisory

---

## Final Recommendations

- Use the **latest Git release** at all times, especially if you download, clone, or work with public repositories.
- If you manage shared Linux environments or CI systems, **restrict** use of the git log and git archive commands on code you do not control.
- Monitor your systems for suspicious Git usage if you maintain critical infrastructure.

For advanced users, always test untrusted repositories inside secure containers or virtual machines.

---

Stay updated. Stay secure!

*If you found this post helpful, share it with your team. Early upgrades are the best defense against zero-day attacks in the software development world!*

Timeline

Published on: 01/17/2023 23:15:00 UTC
Last modified on: 01/25/2023 14:32:00 UTC