update libgit2 to newer snapshot #839
Conversation
For absolute clarity, the writeup linked to does not discuss CVE-2022-24765. The writeup is regarding similar but separate problems.
Thanks for the PR! I should have opened an issue about this, as we have been working on it. There are some issues here:
@ehuss So should I rather close this for now, if you're already working on this? It looks like libgit2/libgit2#6279 is the cause of the ownership issue in the tests on Windows I fixed.
It has GET and SET variants.
No, it's fine to keep this open, if you're willing to make the updates mentioned above.
Okay, I am fine with updating this a bit more. What exactly is missing in ehuss@5443555? It seems to mostly match what's in the libgit2 cmake files. Having to include sha256-support, despite it not having a stable release, is a bit unfortunate.
I think the only things missing on my branch were GIT_EOWNER and GIT_OPT_GET_OWNER_VALIDATION and GIT_OPT_SET_OWNER_VALIDATION.
@ehuss libgit2 v1.4.4 was just released, which is supposed to fix the Windows behavior.
Updated to latest
CVE 2022-24765
Co-Authored-By: Eric Huss <43198+ehuss@users.noreply.github.com>
Thanks! Hopefully the fallout from this won't be too severe.
Fixes CVE 2022-24765
@justinsteven has a writeup of this issue (see also starship/starship#3974)
I think this also fixes #795.
I needed to make some changes to the libgit2-sys build.rs to get this to build, and the owner validation needed to be disabled for the tests on Windows; I've not investigated the cause in detail. Furthermore, I've increased the minor version and treated this as a breaking change, since this change could prevent opening a repository if it is not owned by the current user.
I am disclosing this security issue publicly because this class of vulnerability has already been reported publicly in several other similar projects.
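The thread above turns on what the new GET/SET owner-validation option and the GIT_EOWNER error actually do, and on why switching the check off (as the PR does for the Windows test suite) is a trade-off. The block below is an added illustration written for this page, not code from git2-rs or libgit2: it models the check in plain Rust on a POSIX host, with a process-wide toggle standing in for GIT_OPT_GET_OWNER_VALIDATION / GIT_OPT_SET_OWNER_VALIDATION and an OwnerMismatch error standing in for GIT_EOWNER. The function and type names, and the use of geteuid from the platform libc via a small extern block, are this example's own assumptions.

```rust
use std::fmt;
use std::io;
use std::os::unix::fs::MetadataExt;
use std::path::Path;
use std::sync::atomic::{AtomicBool, Ordering};

/// Process-wide switch modelled on libgit2's owner-validation option
/// (GIT_OPT_GET_OWNER_VALIDATION / GIT_OPT_SET_OWNER_VALIDATION).
/// On by default; this is an illustration, not libgit2's own global.
static OWNER_VALIDATION: AtomicBool = AtomicBool::new(true);

/// Read the current setting (the "GET" variant).
pub fn get_owner_validation() -> bool {
    OWNER_VALIDATION.load(Ordering::SeqCst)
}

/// Change the setting (the "SET" variant). Turning it off makes every
/// repository openable regardless of who owns its directory.
pub fn set_owner_validation(enabled: bool) {
    OWNER_VALIDATION.store(enabled, Ordering::SeqCst);
}

/// Error modelled on GIT_EOWNER: the repository directory belongs to a
/// different user than the one running this process.
#[derive(Debug, PartialEq, Eq)]
pub struct OwnerMismatch {
    pub dir_uid: u32,
    pub process_uid: u32,
}

impl fmt::Display for OwnerMismatch {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(
            f,
            "repository directory is owned by uid {} but the current user is uid {}",
            self.dir_uid, self.process_uid
        )
    }
}

/// The decision itself, kept pure so it can be tested with constructed uids:
/// allow the open when validation is disabled or the owners agree, refuse
/// it otherwise. A caller that disables validation accepts that config and
/// hooks under a directory controlled by another user will be honoured.
pub fn check_owner(
    dir_uid: u32,
    process_uid: u32,
    validation_enabled: bool,
) -> Result<(), OwnerMismatch> {
    if !validation_enabled || dir_uid == process_uid {
        Ok(())
    } else {
        Err(OwnerMismatch { dir_uid, process_uid })
    }
}

extern "C" {
    // geteuid(2) from the platform libc, which std already links on Unix.
    // Assumption: uid_t is a 32-bit integer, as on Linux and macOS.
    fn geteuid() -> u32;
}

fn current_uid() -> u32 {
    // Safe to call at any time; it reads process credentials and cannot fail.
    unsafe { geteuid() }
}

#[derive(Debug)]
pub enum OpenError {
    Io(io::Error),
    Owner(OwnerMismatch),
}

/// The gate a repository-opening routine would run before reading
/// `.git/config` or hooks out of `repo_dir`: stat the directory, compare
/// its owner with the effective uid, honour the global toggle.
pub fn validate_repo_owner(repo_dir: &Path) -> Result<(), OpenError> {
    let meta = std::fs::metadata(repo_dir).map_err(OpenError::Io)?;
    check_owner(meta.uid(), current_uid(), get_owner_validation()).map_err(OpenError::Owner)
}

fn main() {
    // A directory this process just created is owned by its effective uid,
    // so the check passes with validation on.
    let dir = std::env::temp_dir().join(format!("owner-check-{}", std::process::id()));
    std::fs::create_dir_all(&dir).expect("create temp dir");
    println!("validation enabled: {}", get_owner_validation());
    println!("own dir: {:?}", validate_repo_owner(&dir).is_ok());
    // A constructed mismatch (root-owned dir, unprivileged process) is refused
    // unless validation is switched off, which is the risky workaround.
    println!("mismatch, enabled:  {:?}", check_owner(0, 1000, true));
    println!("mismatch, disabled: {:?}", check_owner(0, 1000, false));
    let _ = std::fs::remove_dir(&dir);
}
```

The point of the `check_owner` shape is that the only legitimate reason to pass `validation_enabled = false` is an environment where the mismatch is understood (a CI checkout owned by a different account, as in the Windows test workaround above); in a library consumer it should be a deliberate, documented call, not a default.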