The git-log command has the ability to display commits using an arbitrary format with its --format specifiers. This functionality is also exposed to git-archive via the export-subst gitattribute.

When processing the padding operators (e.g., %<(, %<|(, %>(, %>>(, or %><( ), an integer overflow can occur in pretty.c::format_and_pad_commit() where a size_t is improperly stored as an int, and then added as an offset to a subsequent memcpy() call.

This overflow can be triggered directly by a user running a command which invokes the commit formatting machinery (e.g., git log --format=...). It may also be triggered indirectly through git-archive via the export-subst mechanism, which expands format specifiers inside of files within the repository during a git archive.

This integer overflow can result in arbitrary heap writes, which may result in remote code execution.

W niedługim czasie pewnie usłyszymy o kilku atakach z wykorzystaniem tego exploita.

#programowanie #selfhosted

CVE.report

Komentarze (3)

adirm 2023-01-18T22:22:21+01:00

dzięki za info !

fitoplankton★2023-01-18T23:25:04+01:00

w sumie śmieszny bug, klasyka gatunku ( ͡° ͜ʖ ͡°) trzeba czekać na upowszechnienie rustowej religii

Razikus 2023-01-18T23:52:50+01:00

@fitoplankton ja w sumie bardzo polubiłem rust - ultra wydajny i bezpieczny i ma super package manager

Zaloguj się aby komentować