update libgit2 to newer snapshot #839
Conversation
For absolute clarity, the writeup linked to does not discuss CVE-2022-24765. The writeup is regarding similar but separate problems. |
|
Thanks for the PR! I should have opened an issue about this, as we have been working on it. There are some issues here:
|
|
@ehuss So should I rather close this for now, if you're already working on this? It looks like libgit2/libgit2#6279 is the cause of the ownership issue in the tests on Windows I fixed.
It has GET and SET variants. |
|
No, it's fine to keep this open, if you're willing to make the updates mentioned above. |
|
Okay, I am fine with updating this a bit more. What exactly is missing in ehuss@5443555? It seems to mostly match what's in the libgit2 cmake files. Having to include sha256-support, despite it not having a stable release, is a bit unfortunate. |
|
I think the only things missing on my branch were GIT_EOWNER and GIT_OPT_GET_OWNER_VALIDATION and GIT_OPT_SET_OWNER_VALIDATION. |
|
@ehuss libgit2 v1.4.4 was just released, which is supposed to fix the Windows behavior. Updated to latest |
CVE 2022-24765 Co-Authored-By: Eric Huss <43198+ehuss@users.noreply.github.com>
Fixes CVE 2022-24765
@justinsteven has a writeup of this issue (see also starship/starship#3974)
I think this also fixes #795.
I needed to make some changes to the libgit2-sys
build.rsto get this to build and the owner validation needed to be disabled for the tests on Windows, I've not investigated the cause in detail.Furthermore, I've increased the minor version and treated this as a breaking change, since this change could prevent opening a repository if it is not owned by the current user.
I am disclosing this security issue publicly because this class of vulnerability has already been reported publicly in several other similar projects.