git is vulnerable to integer overflows. When processing the padding operators, there is a integer overflow in pretty.c::format_and_pad_commit()
where a size_t
is stored improperly as an int
, and then added as an offset to a memcpy()
. This overflow can be triggered directly by a user running a command which invokes the commit formatting machinery (e.g., git log --format=...
). It may also be triggered indirectly through git archive via the export-subst mechanism.
git-scm.com/book/en/v2/Customizing-Git-Git-Attributes#_export_subst
git-scm.com/docs/pretty-formats#Documentation/pretty-formats.txt-emltltNgttruncltruncmtruncem
github.com/git/git/commit/508386c6c5857b4faa2c3e491f422c98cc69ae76
github.com/git/git/security/advisories/GHSA-475x-2q3q-hvwq
secdb.alpinelinux.org/edge/main.yaml
secdb.alpinelinux.org/v3.14/main.yaml
secdb.alpinelinux.org/v3.15/main.yaml
secdb.alpinelinux.org/v3.16/main.yaml
secdb.alpinelinux.org/v3.17/main.yaml
security.gentoo.org/glsa/202312-15