update libgit2 to 1.4.3

CVE 2022-24765

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "git2"
-version = "0.14.3"
+version = "0.15.0"
 authors = ["Josh Triplett <josh@joshtriplett.org>", "Alex Crichton <alex@alexcrichton.com>"]
 license = "MIT OR Apache-2.0"
 readme = "README.md"
@@ -20,7 +20,7 @@ url = "2.0"
 bitflags = "1.1.0"
 libc = "0.2"
 log = "0.4.8"
-libgit2-sys = { path = "libgit2-sys", version = "0.13.3" }
+libgit2-sys = { path = "libgit2-sys", version = "0.14.0+1.4.3" }
 
 [target."cfg(all(unix, not(target_os = \"macos\")))".dependencies]
 openssl-sys = { version = "0.9.0", optional = true }

git2-curl/Cargo.toml

@@ -16,7 +16,7 @@ edition = "2018"
 curl = "0.4.33"
 url = "2.0"
 log = "0.4"
-git2 = { path = "..", version = "0.14", default-features = false }
+git2 = { path = "..", version = "0.15", default-features = false }
 
 [dev-dependencies]
 civet = "0.11"

git2-curl/tests/all.rs

@@ -9,6 +9,11 @@ const PORT: u16 = 7848;
 fn main() {
     unsafe {
         git2_curl::register(curl::easy::Easy::new());
+
+        // In tests on Windows, the repository is created in a temporary directory.
+        // The ownership check will fail in these directories, so we need to disable it in tests.
+        #[cfg(windows)]
+        let _ = git2::opts::set_verify_owner_validation(false);
     }
 
     // Spin up a server for git-http-backend

libgit2-sys/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "libgit2-sys"
-version = "0.13.3+1.4.2"
+version = "0.14.0+1.4.3"
 authors = ["Josh Triplett <josh@joshtriplett.org>", "Alex Crichton <alex@alexcrichton.com>"]
 links = "git2"
 build = "build.rs"

libgit2-sys/build.rs

@@ -15,7 +15,7 @@ fn main() {
     if try_to_use_system_libgit2 {
         let mut cfg = pkg_config::Config::new();
         if let Ok(lib) = cfg
-            .range_version("1.4.0".."1.5.0")
+            .range_version("1.4.3".."1.5.0")
             .print_system_libs(false)
             .probe("libgit2")
         {
@@ -45,21 +45,20 @@ fn main() {
     cp_r("libgit2/include", &include);
 
     cfg.include(&include)
-        .include("libgit2/src/libgit2")
+        .include("libgit2/src")
         .include("libgit2/src/util")
         .out_dir(dst.join("build"))
         .warnings(false);
 
     // Include all cross-platform C files
-    add_c_files(&mut cfg, "libgit2/src/libgit2");
-    add_c_files(&mut cfg, "libgit2/src/util");
-    add_c_files(&mut cfg, "libgit2/src/libgit2/xdiff");
+    add_c_files(&mut cfg, "libgit2/src");
+    add_c_files(&mut cfg, "libgit2/src/xdiff");
 
     // These are activated by features, but they're all unconditionally always
     // compiled apparently and have internal #define's to make sure they're
     // compiled correctly.
-    add_c_files(&mut cfg, "libgit2/src/libgit2/transports");
-    add_c_files(&mut cfg, "libgit2/src/libgit2/streams");
+    add_c_files(&mut cfg, "libgit2/src/transports");
+    add_c_files(&mut cfg, "libgit2/src/streams");
 
     // Always use bundled http-parser for now
     cfg.include("libgit2/deps/http-parser")
@@ -88,11 +87,11 @@ fn main() {
     // when when COMPILE_PCRE8 is not defined, which is the default.
     add_c_files(&mut cfg, "libgit2/deps/pcre");
 
-    cfg.file("libgit2/src/util/allocators/failalloc.c");
-    cfg.file("libgit2/src/util/allocators/stdalloc.c");
+    cfg.file("libgit2/src/allocators/failalloc.c");
+    cfg.file("libgit2/src/allocators/stdalloc.c");
 
     if windows {
-        add_c_files(&mut cfg, "libgit2/src/util/win32");
+        add_c_files(&mut cfg, "libgit2/src/win32");
         cfg.define("STRSAFE_NO_DEPRECATE", None);
         cfg.define("WIN32", None);
         cfg.define("_WIN32_WINNT", Some("0x0600"));
@@ -104,7 +103,7 @@ fn main() {
             cfg.define("__USE_MINGW_ANSI_STDIO", "1");
         }
     } else {
-        add_c_files(&mut cfg, "libgit2/src/util/unix");
+        add_c_files(&mut cfg, "libgit2/src/unix");
         cfg.flag("-fvisibility=hidden");
     }
     if target.contains("solaris") || target.contains("illumos") {
@@ -162,9 +161,9 @@ fn main() {
     cfg.define("SHA1DC_NO_STANDARD_INCLUDES", "1");
     cfg.define("SHA1DC_CUSTOM_INCLUDE_SHA1_C", "\"common.h\"");
     cfg.define("SHA1DC_CUSTOM_INCLUDE_UBC_CHECK_C", "\"common.h\"");
-    cfg.file("libgit2/src/util/hash/sha1/collisiondetect.c");
-    cfg.file("libgit2/src/util/hash/sha1/sha1dc/sha1.c");
-    cfg.file("libgit2/src/util/hash/sha1/sha1dc/ubc_check.c");
+    cfg.file("libgit2/src/hash/sha1/collisiondetect.c");
+    cfg.file("libgit2/src/hash/sha1/sha1dc/sha1.c");
+    cfg.file("libgit2/src/hash/sha1/sha1dc/ubc_check.c");
 
     if let Some(path) = env::var_os("DEP_Z_INCLUDE") {
         cfg.include(path);

libgit2-sys/lib.rs

@@ -1,4 +1,4 @@
-#![doc(html_root_url = "https://docs.rs/libgit2-sys/0.13")]
+#![doc(html_root_url = "https://docs.rs/libgit2-sys/0.14")]
 #![allow(non_camel_case_types, unused_extern_crates)]
 
 // This is required to link libz when libssh2-sys is not included.
@@ -1894,6 +1894,8 @@ git_enum! {
         GIT_OPT_SET_ODB_LOOSE_PRIORITY,
         GIT_OPT_GET_EXTENSIONS,
         GIT_OPT_SET_EXTENSIONS,
+        GIT_OPT_GET_OWNER_VALIDATION,
+        GIT_OPT_SET_OWNER_VALIDATION,
     }
 }
 

src/lib.rs

@@ -65,7 +65,7 @@
 //! source `Repository`, to ensure that they do not outlive the repository
 //! itself.
 
-#![doc(html_root_url = "https://docs.rs/git2/0.14")]
+#![doc(html_root_url = "https://docs.rs/git2/0.15")]
 #![allow(trivial_numeric_casts, trivial_casts)]
 #![deny(missing_docs)]
 #![warn(rust_2018_idioms)]

src/opts.rs

@@ -178,6 +178,19 @@ where
     Ok(())
 }
 
+/// Set wheter or not to verify ownership before performing a repository.
+/// Enabled by default, but disabling this can lead to code execution vulnerabilities.
+pub unsafe fn set_verify_owner_validation(enabled: bool) -> Result<(), Error> {
+    let error = raw::git_libgit2_opts(
+        raw::GIT_OPT_SET_OWNER_VALIDATION as libc::c_int,
+        enabled as libc::c_int,
+    );
+    // This function cannot actually fail, but the function has an error return
+    // for other options that can.
+    debug_assert!(error >= 0);
+    Ok(())
+}
+
 #[cfg(test)]
 mod test {
     use super::*;

src/test.rs

@@ -3,11 +3,18 @@ use std::io;
 use std::path::{Path, PathBuf};
 #[cfg(unix)]
 use std::ptr;
+#[cfg(windows)]
+use std::sync::Once;
 use tempfile::TempDir;
 use url::Url;
 
 use crate::{Branch, Oid, Repository, RepositoryInitOptions};
 
+/// In tests on Windows, the repository is created in a temporary directory.
+/// The ownership check will fail in these directories, so we need to disable it in tests.
+#[cfg(windows)]
+static DISABLE_OWNER_CHECK: Once = Once::new();
+
 macro_rules! t {
     ($e:expr) => {
         match $e {
@@ -18,6 +25,11 @@ macro_rules! t {
 }
 
 pub fn repo_init() -> (TempDir, Repository) {
+    #[cfg(windows)]
+    DISABLE_OWNER_CHECK.call_once(|| unsafe {
+        let _ = crate::opts::set_verify_owner_validation(false);
+    });
+
     let td = TempDir::new().unwrap();
     let mut opts = RepositoryInitOptions::new();
     opts.initial_head("main");