Update git2 #13412
Merged
Conversation
r? @epage (rustbot has picked a reviewer for you, use r? to override)

rustbot added the S-waiting-on-review label (Status: Awaiting review from the assignee but also interested parties.) on Feb 7, 2024.
weihanglo approved these changes on Feb 7, 2024:

Thanks! @bors r+
bors added the S-waiting-on-bors label (Status: Waiting on bors to run and complete tests. Bors will change the label on completion.) and removed the S-waiting-on-review label (Status: Awaiting review from the assignee but also interested parties.) on Feb 7, 2024.

☀️ Test successful - checks-actions
bors added a commit to rust-lang-ci/rust that referenced this pull request on Feb 7, 2024:

Update cargo

14 commits in cdf84b69d0416c57ac9dc3459af80dfb4883d27a..ccc84ccec4b7340eb916aefda1cb3e2fe17d8e7b
2024-02-02 19:39:16 +0000 to 2024-02-07 15:37:49 +0000
- Relax a test to permit warnings to be emitted, too. (rust-lang/cargo#13415)
- test: disable lldb test as it requires privileges to run on macOS (rust-lang/cargo#13416)
- Update git2 (rust-lang/cargo#13412)
- fix: Switch more notes/warnings to lowercase (rust-lang/cargo#13410)
- Don't add the new package to workspace.members if there is no existing workspace in Cargo.toml. (rust-lang/cargo#13391)
- Remove build metadata from curl-sys version. (rust-lang/cargo#13401)
- Fix markdown line break in cargo-add (rust-lang/cargo#13400)
- Remove `package.documentation` from the "before publishing" list. (rust-lang/cargo#13398)
- chore(deps): update gix (rust-lang/cargo#13380)
- chore(deps): update compatible (rust-lang/cargo#13379)
- feat(update): Tell users when they are still behind (rust-lang/cargo#13372)
- docs(changelog): Slight cleanup (rust-lang/cargo#13396)
- Bump to 0.79.0; update changelog (rust-lang/cargo#13392)
- doc: `[package]` doesn't require `version` field (rust-lang/cargo#13390)

r? ghost
bors added a commit that referenced this pull request on Feb 7, 2024:

[Beta-1.77] Update libgit2

This is a beta backport of #13412 to update libgit2 to fix the security issues mentioned in https://github.com/libgit2/libgit2/releases/tag/v1.7.2. From what I can tell, the threat to cargo is very small. The best I can come up with is a carefully crafted `rev` field in a `Cargo.toml` will cause cargo to hang. However, I would feel safer having this backported.
Labels: S-waiting-on-bors (Status: Waiting on bors to run and complete tests. Bors will change the label on completion.)
This updates git2 primarily to pull in the update for libgit2 1.7.2 which fixes three security issues. @weihanglo did some investigation, and it looks like cargo may be susceptible to one of them with rev parsing. I am uncertain of the severity, but the CVE seems to imply that it is mainly a denial-of-service with an infinite loop from a well-crafted spec.
See https://github.com/libgit2/libgit2/releases/tag/v1.7.2 for more information.