upgrade gitoxide to v0.54 #12731
Conversation
r? @weihanglo (rustbot has picked a reviewer for you, use r? to override)
At a glance it does deserve a security advisory, and I would be glad to help draft a RUSTSEC one. I believe something that clones untrusted URLs can end up with arbitrary code execution, is that correct?
Yes, that's correct. Here are more details about how this can be abused: https://secure.phabricator.com/T12961 . I also sent an email to Rust-Sec (security@rust-lang) directly BTW, in case it helps to avoid duplication of effort, otherwise your help would definitely be appreciated.
If possible, a point release for the previous series with the fix would also be great, so that affected API users could simply
I think there is no API change, at least not for most, that's the way In practice, I think 'only'
The presence of a point release defines how many packages will need to release new versions with the fix, and how many of these packages then need to be picked up by Linux distributions, etc. to get the issue fixed. Is it possible to take the 0.53.1 release, apply only the patch for this one issue, and release it as 0.53.2? That would be ideal. |
Technically, If this is what you'd suggest doing, and I support that choice, I can make it happen and all users of
Could you release a minimum fix that does not properly report errors, but is semver-compatible? I believe that is warranted for a security patch. It is fine to leave proper error reporting to 0.54.
Ok, a new version of
This looks pretty good to me. Thank you all for taking care of security!
@bors r+
☀️ Test successful - checks-actions
Update cargo

11 commits in 414d9e3a6d8096f3e276234ce220c868767a8792..e6aabe8b3fcf639be3a5bf68e77853bd7b3fa27d
2023-09-22 07:03:57 +0000 to 2023-09-26 16:31:53 +0000
- Use full target spec for `cargo rustc --print --target` (rust-lang/cargo#12743)
- feat(embedded): Hack in code fence support (rust-lang/cargo#12681)
- chore(ci): Update Renovate schema (rust-lang/cargo#12741)
- more specific registry index not found msg (rust-lang/cargo#12732)
- docs: warn about upload timeout (rust-lang/cargo#12733)
- Fix some typos (rust-lang/cargo#12730)
- upgrade gitoxide to v0.54 (rust-lang/cargo#12731)
- Update target-arch-aware crates to support mips r6 targets (rust-lang/cargo#12720)
- Buffer console status messages. (rust-lang/cargo#12727)
- Fix spurious errors with networking tests. (rust-lang/cargo#12726)
- refactor(SourceId): merge `name` and `alt_registry_key` into one enum (rust-lang/cargo#12675)

r? ghost
gix: remove `revision` feature from cargo

Feature was added in #12731, but cargo builds without it and it looks like it is used in tests only, so unset it.
This reduces the binary size and fixes an exploitable bug that could allow code execution by injecting arguments into hostnames of ssh URLs.

Binary Sizes (Release)
- master: 27930520

Possible Vulnerability

In versions prior to v0.54, running the following would cause the calculator app to be started on MacOS:

Now it prints

Error: Host name '-oProxyCommand=open-aCalculator' could be mistaken for a command-line argument

Given the nature of builds with `cargo` and the availability of build scripts, I think `cargo` isn't prone to this issue. However, I thought it was good to upgrade anyway.

Please note that a CVE doesn't exist yet, but I will check with Rustsec on how to proceed with this.
CC @Shnatsel
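As an added illustration of the bug class the description above refers to (example code written for this page, not gitoxide's or cargo's own): a small parser for the two ssh remote syntaxes that refuses any destination `ssh` would read as an option rather than a host, reporting it with the same error text the PR quotes. The type and function names are my own, and the parser assumes plain hostnames (bracketed IPv6 literals are not handled).

```rust
use std::fmt;

/// Components of an ssh remote; `user@host` (or just `host`) becomes an argument to `ssh`.
#[derive(Debug, PartialEq, Eq)]
pub struct SshDestination {
    pub user: Option<String>,
    pub host: String,
    pub port: Option<u16>,
}

/// `AmbiguousArgument` carries the host that an `ssh` command line would read as an option.
#[derive(Debug, PartialEq, Eq)]
pub enum UrlError {
    AmbiguousArgument(String),
    Malformed(String),
}

impl fmt::Display for UrlError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            Self::AmbiguousArgument(h) => write!(f, "Host name '{h}' could be mistaken for a command-line argument"),
            Self::Malformed(u) => write!(f, "Malformed ssh URL '{u}'"),
        }
    }
}

/// Parse `ssh://[user@]host[:port]/path` or scp-like `[user@]host:path`; refuse hosts ssh would read as a flag.
pub fn parse_ssh_url(url: &str) -> Result<SshDestination, UrlError> {
    let malformed = || UrlError::Malformed(url.to_string());
    let authority = if let Some(rest) = url.strip_prefix("ssh://") {
        rest.split('/').next().unwrap_or("")
    } else {
        url.split_once(':').map(|(a, _)| a).ok_or_else(malformed)?
    };
    if authority.is_empty() { return Err(malformed()); }
    let (user, hostport) = match authority.rsplit_once('@') {
        Some((u, h)) => (Some(u.to_string()), h),
        None => (None, authority),
    };
    // Only the URL form carries a port; in scp-like syntax ':' separates host from path.
    let (host, port) = match (url.starts_with("ssh://"), hostport.rsplit_once(':')) {
        (true, Some((h, p))) => (h, Some(p.parse::<u16>().map_err(|_| malformed())?)),
        _ => (hostport, None),
    };
    // This is the exact string ssh receives in argv: reject it if it looks like an option.
    let argv_item = match &user { Some(u) => format!("{u}@{host}"), None => host.to_string() };
    if argv_item.starts_with('-') || host.starts_with('-') { return Err(UrlError::AmbiguousArgument(host.to_string())); }
    Ok(SshDestination { user, host: host.to_string(), port })
}
```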