Skip to content

Heap overflow in `git archive`, `git log --format` leading to RCE

ttaylorr published GHSA-475x-2q3q-hvwq Jan 17, 2023


No package listed

Affected versions

<= v2.30.6, v2.31.5, v2.32.4, v2.33.5, v2.34.5, v2.35.5, v2.36.3, v2.37.4, v2.38.2, v2.39.0

Patched versions

>= v2.30.7, v2.31.6, v2.32.5, v2.33.6, v2.34.6, v2.35.6, v2.36.4, v2.37.5, v2.38.3, v2.39.1



git log has the ability to display commits using an arbitrary format with its --format specifiers. This functionality is also exposed to git archive via the export-subst gitattribute.

When processing the padding operators (e.g., %<(, %<|(, %>(, %>>(, or %><( ), an integer overflow can occur in pretty.c::format_and_pad_commit() where a size_t is improperly stored as an int, and then added as an offset to a subsequent memcpy() call.

This overflow can be triggered directly by a user running a command which invokes the commit formatting machinery (e.g., git log --format=...). It may also be triggered indirectly through git archive via the export-subst mechanism, which expands format specifiers inside of files within the repository during a git archive.

This integer overflow can result in arbitrary heap writes, which may result in remote code execution.


The problem has been patched in the versions published on 2023-01-17, going back to v2.30.7.


The most complete workaround is upgrading to the most recent patched version published.

If doing so is impractical, disable git archive in untrusted repositories. If you expose git archive via git daemon, disable it by running git config --global daemon.uploadArch false. If you do not, avoid running git archive directly on untrusted repositories.


Credit for finding this vulnerability goes to Joern Schneeweisz of GitLab. An early patch was authored by Markus Vervier of X41 D-Sec. Both of their work was on behalf of the OSTIF. The patches that appear in the releases have further been polished and extended by Patrick Steinhardt of GitLab.