Git Security Vulnerabilities CVE-2022-41903 and CVE-2022-23521: Integer Overflows in Pretty Formatting and Gitattributes
Git released maintenance versions fixing critical security issues CVE-2022-41903 and CVE-2022-23521, which stem from integer overflows in the pretty formatting code and gitattributes parsing, potentially allowing arbitrary heap reads/writes and remote code execution via crafted git log formats or malicious .gitattributes files.
Git has released a maintenance release v2.39.1 and several older maintenance releases (v2.38.3, v2.37.5, v2.36.4, v2.35.6, v2.34.6, v2.33.6, v2.32.5, v2.31.6, v2.30.7) to address the security issues CVE-2022-41903 and CVE-2022-23521.
The first vulnerability (CVE-2022-41903) originates in the pretty.c::format_and_pad_commit() function, where a size_t value is incorrectly stored as an int and later used as an offset in a memcpy() call, leading to an integer overflow when processing the padding format specifiers %<(, %<|, %>(, %>>( and %><(. The overflow can be triggered directly by a user running git log --format=..., or indirectly through the export-subst mechanism during git archive, resulting in arbitrary heap writes and possible remote code execution.
The second vulnerability (CVE-2022-23521) concerns the handling of .gitattributes files. When parsing a large number of path patterns, many attributes per pattern, or extremely long attribute names, multiple integer overflows can occur in the attribute-parsing code. These overflows can be triggered by a crafted .gitattributes file, which may be part of the repository history. Git silently splits lines longer than 2 KB when reading the file from the working tree but not when reading it from the index, so the exploit path differs depending on where the file resides. The result is arbitrary heap reads and writes, again leading to possible remote code execution.
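The practical mitigation is to be on one of the fix releases listed above. The following is an added defender's check, not code from the Git project or this advisory: it parses the output of git --version and classifies the installed build against the per-series fix versions named above. It assumes that series newer than 2.39 already carry the fixes and that series older than 2.30, which received no fix release, are affected.

```python
import re
import subprocess

# Fix releases named in the advisory, keyed by (major, minor) series
# and mapping to the first patched patch level in that series.
FIXED = {
    (2, 39): 1, (2, 38): 3, (2, 37): 5, (2, 36): 4, (2, 35): 6,
    (2, 34): 6, (2, 33): 6, (2, 32): 5, (2, 31): 6, (2, 30): 7,
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_git_version(banner: str) -> tuple:
    """Extract (major, minor, patch) from a `git --version` banner such as
    'git version 2.37.2', 'git version 2.39.1.windows.1' or
    'git version 2.37.1 (Apple Git-137.1)'. The first x.y.z run wins."""
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"unrecognised git version banner: {banner!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(version: tuple) -> bool:
    """True if this git carries the fixes for CVE-2022-41903 / CVE-2022-23521."""
    major, minor, patch = version
    series = (major, minor)
    if series in FIXED:
        return patch >= FIXED[series]
    # Assumption: series after 2.39 were cut after the fix and include it;
    # series before 2.30 got no fix release and are treated as affected.
    return series > (2, 39)


def check_local_git() -> tuple:
    """Run `git --version` on this host and return (version, patched?)."""
    out = subprocess.run(["git", "--version"], capture_output=True,
                         text=True, check=True).stdout
    version = parse_git_version(out)
    return version, is_patched(version)


if __name__ == "__main__":
    v, ok = check_local_git()
    label = "patched" if ok else "AFFECTED - upgrade to a fix release"
    print(f"git {'.'.join(map(str, v))}: {label}")
```

Run it on each build host and CI runner, since git archive with export-subst attributes and git log formats are commonly executed there on untrusted repository content.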