Commit b7b37a3

Git 2.30.7
Signed-off-by: Junio C Hamano <[email protected]>
1 parent 6662a83 commit b7b37a3

3 files changed

+88
-2
lines changed

Documentation/RelNotes/2.30.7.txt

Lines changed: 86 additions & 0 deletions
@@ -0,0 +1,86 @@
1+
Git v2.30.7 Release Notes
2+
=========================
3+
4+
This release addresses the security issues CVE-2022-41903 and
5+
CVE-2022-23521.
6+
7+
8+
Fixes since v2.30.6
9+
-------------------
10+
11+
* CVE-2022-41903:
12+
13+
git log has the ability to display commits using an arbitrary
14+
format with its --format specifiers. This functionality is also
15+
exposed to git archive via the export-subst gitattribute.
16+
17+
When processing the padding operators (e.g., %<(, %<|(, %>(,
18+
%>>(, or %><( ), an integer overflow can occur in
19+
pretty.c::format_and_pad_commit() where a size_t is improperly
20+
stored as an int, and then added as an offset to a subsequent
21+
memcpy() call.
22+
23+
This overflow can be triggered directly by a user running a
24+
command which invokes the commit formatting machinery (e.g., git
25+
log --format=...). It may also be triggered indirectly through
26+
git archive via the export-subst mechanism, which expands format
27+
specifiers inside of files within the repository during a git
28+
archive.
29+
30+
This integer overflow can result in arbitrary heap writes, which
31+
may result in remote code execution.
32+
33+
* CVE-2022-23521:
34+
35+
gitattributes are a mechanism to allow defining attributes for
36+
paths. These attributes can be defined by adding a `.gitattributes`
37+
file to the repository, which contains a set of file patterns and
38+
the attributes that should be set for paths matching this pattern.
39+
40+
When parsing gitattributes, multiple integer overflows can occur
41+
when there is a huge number of path patterns, a huge number of
42+
attributes for a single pattern, or when the declared attribute
43+
names are huge.
44+
45+
These overflows can be triggered via a crafted `.gitattributes` file
46+
that may be part of the commit history. Git silently splits lines
47+
longer than 2KB when parsing gitattributes from a file, but not when
48+
parsing them from the index. Consequentially, the failure mode
49+
depends on whether the file exists in the working tree, the index or
50+
both.
51+
52+
This integer overflow can result in arbitrary heap reads and writes,
53+
which may result in remote code execution.
54+
55+
Credit for finding CVE-2022-41903 goes to Joern Schneeweisz of GitLab.
56+
An initial fix was authored by Markus Vervier of X41 D-Sec. Credit for
57+
finding CVE-2022-23521 goes to Markus Vervier and Eric Sesterhenn of X41
58+
D-Sec. This work was sponsored by OSTIF.
59+
60+
The proposed fixes have been polished and extended to cover additional
61+
findings by Patrick Steinhardt of GitLab, with help from others on the
62+
Git security mailing list.
63+
64+
Patrick Steinhardt (21):
65+
attr: fix overflow when upserting attribute with overly long name
66+
attr: fix out-of-bounds read with huge attribute names
67+
attr: fix integer overflow when parsing huge attribute names
68+
attr: fix out-of-bounds write when parsing huge number of attributes
69+
attr: fix out-of-bounds read with unreasonable amount of patterns
70+
attr: fix integer overflow with more than INT_MAX macros
71+
attr: harden allocation against integer overflows
72+
attr: fix silently splitting up lines longer than 2048 bytes
73+
attr: ignore attribute lines exceeding 2048 bytes
74+
attr: ignore overly large gitattributes files
75+
pretty: fix out-of-bounds write caused by integer overflow
76+
pretty: fix out-of-bounds read when left-flushing with stealing
77+
pretty: fix out-of-bounds read when parsing invalid padding format
78+
pretty: fix adding linefeed when placeholder is not expanded
79+
pretty: fix integer overflow in wrapping format
80+
utf8: fix truncated string lengths in `utf8_strnwidth()`
81+
utf8: fix returning negative string width
82+
utf8: fix overflow when returning string width
83+
utf8: fix checking for glyph width in `strbuf_utf8_replace()`
84+
utf8: refactor `strbuf_utf8_replace` to not rely on preallocated buffer
85+
pretty: restrict input lengths for padding and wrapping formats
86+
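
Review bot: The CVE-2022-23521 entry describes only the old parsing behaviour ("Git silently splits lines longer than 2KB when parsing gitattributes from a file, but not when parsing them from the index") and never says what changes for users, although the shortlog below it lists "attr: ignore attribute lines exceeding 2048 bytes" and "attr: ignore overly large gitattributes files". Suggest adding a sentence to that entry stating that over-long attribute lines and overly large gitattributes files are now ignored, so that someone whose attributes stop applying after upgrading can find the reason in these notes. The CVE-2022-41903 entry has the same gap with respect to "pretty: restrict input lengths for padding and wrapping formats". Minor wording point in the same paragraph: "Consequentially" should read "Consequently".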

GIT-VERSION-GEN

Lines changed: 1 addition & 1 deletion
@@ -1,7 +1,7 @@
11
#!/bin/sh
22

33
GVF=GIT-VERSION-FILE
4-
DEF_VER=v2.30.6
4+
DEF_VER=v2.30.7
55

66
LF='
77
'

RelNotes

Lines changed: 1 addition & 1 deletion
@@ -1 +1 @@
1-
Documentation/RelNotes/2.30.6.txt
1+
Documentation/RelNotes/2.30.7.txt
