
update libgit2 to newer snapshot #839

Merged (1 commit) on Jul 13, 2022

Conversation

davidkna (Contributor) commented May 9, 2022

Fixes CVE-2022-24765

@justinsteven has a writeup of this issue (see also starship/starship#3974)

I think this also fixes #795.

I needed to make some changes to the libgit2-sys build.rs to get this to build, and the owner validation needed to be disabled for the tests on Windows; I've not investigated the cause in detail.

Furthermore, I've increased the minor version and treated this as a breaking change, since this change could prevent opening a repository if it is not owned by the current user.

I am disclosing this security issue publicly because this class of vulnerability has already been reported publicly in several other similar projects.

justinsteven commented:

> @justinsteven has a writeup of this issue (see also starship/starship#3974)

For absolute clarity, the writeup linked to does not discuss CVE-2022-24765. The writeup is regarding similar but separate problems.

ehuss (Contributor) commented May 9, 2022

Thanks for the PR! I should have opened an issue about this, as we have been working on it.

There are some issues here:

davidkna (Contributor, Author) commented May 9, 2022

@ehuss So should I rather close this for now, if you're already working on this? It looks like libgit2/libgit2#6279 is the cause of the ownership issue in the tests on Windows I fixed.

It looks like you defined GIT_OPT_GET_OWNER_VALIDATION twice.

It has GET and SET variants.

ehuss (Contributor) commented May 9, 2022

No, it's fine to keep this open, if you're willing to make the updates mentioned above.

davidkna (Contributor, Author) commented May 9, 2022

Okay, I am fine with updating this a bit more. What exactly is missing in ehuss@5443555? It seems to mostly match what's in the libgit2 cmake files. Having to include sha256-support, despite it not having a stable release, is a bit unfortunate.

ehuss (Contributor) commented May 9, 2022

I think the only things missing on my branch were GIT_EOWNER and GIT_OPT_GET_OWNER_VALIDATION and GIT_OPT_SET_OWNER_VALIDATION.

davidkna changed the title from "update libgit2 to 1.4.3" to "update libgit2 to newer snapshot" on Jul 12, 2022

davidkna (Contributor, Author) commented:

@ehuss libgit2 v1.4.4 was just released, which is supposed to fix the Windows behavior. Updated to latest main libgit2.

Commit: CVE 2022-24765 (Co-Authored-By: Eric Huss <43198+ehuss@users.noreply.github.com>)
ehuss (Contributor) left a review comment:

Thanks! Hopefully the fallout from this won't be too severe.

Linked issue that merging this pull request may close: Support for zdiff3 conflict-style from Git 2.35