
Update git2 #13412

Merged
merged 1 commit into from
Feb 7, 2024

Conversation

ehuss
Contributor

@ehuss ehuss commented Feb 7, 2024

This updates git2 primarily to pull in the update for libgit2 1.7.2, which fixes three security issues. @weihanglo did some investigation, and it looks like cargo may be susceptible to one of them with rev parsing. I am uncertain of the severity, but the CVE seems to imply that it is mainly a denial-of-service with an infinite loop from a well-crafted spec.

See https://github.com/libgit2/libgit2/releases/tag/v1.7.2 for more information.
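A quick affected-version check, added here as an example and not part of this PR or of cargo's own code: it parses the `libgit2:` line that `cargo --version --verbose` prints and reports whether the linked libgit2 is at least 1.7.2, the release the PR pulls in. The assumed line format is `libgit2: 1.7.2 (sys:0.18.2 vendored)`; the three sample outputs below are constructed for offline use, and output without a parseable line is reported as unknown rather than treated as safe.

```sh
#!/bin/sh
# Added example, not code from cargo or from this PR.
# Report whether a cargo binary links libgit2 >= 1.7.2 (the release that fixes
# the revparse issue). Assumption: `cargo --version --verbose` prints a line
# shaped like
#   libgit2: 1.7.2 (sys:0.18.2 vendored)
# Output that lacks such a line is reported as "unknown", never as safe.

# Constructed sample outputs (commit hashes and dates are placeholders).
SAMPLE_OLD='cargo 1.76.0 (0000000 2024-01-01)
release: 1.76.0
host: x86_64-unknown-linux-gnu
libgit2: 1.7.1 (sys:0.18.1 vendored)
libcurl: 8.5.0-DEV (sys:0.4.70+curl-8.5.0 vendored ssl:OpenSSL/1.1.1w)'

SAMPLE_NEW='cargo 1.77.0 (0000000 2024-01-01)
release: 1.77.0
host: x86_64-unknown-linux-gnu
libgit2: 1.7.2 (sys:0.18.2 vendored)'

SAMPLE_NONE='cargo 0.1.0
release: 0.1.0'

# Print the x.y.z libgit2 version found in `cargo -Vv` output read from stdin;
# print nothing when no such line exists.
libgit2_version() {
    sed -n 's/^libgit2: \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' | head -n 1
}

# Numeric comparison of two x.y.z versions: succeed when $1 >= $2.
# A plain string comparison would rank 1.7.10 below 1.7.2, so split the parts
# and collapse them into one integer (each part is assumed to be < 1000).
version_ge() {
    h_maj=${1%%.*}; h_rest=${1#*.}; h_min=${h_rest%%.*}; h_pat=${h_rest#*.}
    w_maj=${2%%.*}; w_rest=${2#*.}; w_min=${w_rest%%.*}; w_pat=${w_rest#*.}
    have=$(( h_maj * 1000000 + h_min * 1000 + h_pat ))
    want=$(( w_maj * 1000000 + w_min * 1000 + w_pat ))
    [ "$have" -ge "$want" ] && return 0
    return 1
}

# Classify one `cargo -Vv` output: prints "fixed", "vulnerable" or "unknown".
classify_cargo() {
    v=$(printf '%s\n' "$1" | libgit2_version)
    if [ -z "$v" ]; then
        echo unknown
    elif version_ge "$v" 1.7.2; then
        echo fixed
    else
        echo vulnerable
    fi
}

# Stand-alone usage: check the cargo on PATH when one is installed, then the samples.
if command -v cargo >/dev/null 2>&1; then
    echo "installed cargo: $(classify_cargo "$(cargo --version --verbose)")"
fi
echo "sample with libgit2 1.7.1: $(classify_cargo "$SAMPLE_OLD")"      # vulnerable
echo "sample with libgit2 1.7.2: $(classify_cargo "$SAMPLE_NEW")"      # fixed
echo "sample without libgit2 line: $(classify_cargo "$SAMPLE_NONE")"   # unknown
```

Run it on each toolchain you ship (rustup installs several cargo binaries side by side), and treat `unknown` as a prompt to inspect the output by hand rather than as a pass.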

@rustbot
Collaborator

rustbot commented Feb 7, 2024

r? @epage

(rustbot has picked a reviewer for you, use r? to override)

@rustbot rustbot added the S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. label Feb 7, 2024
@weihanglo
Member

Thanks!

@bors r+

@bors
Contributor

bors commented Feb 7, 2024

📌 Commit c30c13b has been approved by weihanglo

It is now in the queue for this repository.

@bors bors added S-waiting-on-bors Status: Waiting on bors to run and complete tests. Bors will change the label on completion. and removed S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. labels Feb 7, 2024
@bors
Contributor

bors commented Feb 7, 2024

⌛ Testing commit c30c13b with merge fbebea2...

@bors
Contributor

bors commented Feb 7, 2024

☀️ Test successful - checks-actions
Approved by: weihanglo
Pushing fbebea2 to master...

@bors bors merged commit fbebea2 into rust-lang:master Feb 7, 2024
23 checks passed
bors added a commit to rust-lang-ci/rust that referenced this pull request Feb 7, 2024
Update cargo

14 commits in cdf84b69d0416c57ac9dc3459af80dfb4883d27a..ccc84ccec4b7340eb916aefda1cb3e2fe17d8e7b
2024-02-02 19:39:16 +0000 to 2024-02-07 15:37:49 +0000
- Relax a test to permit warnings to be emitted, too. (rust-lang/cargo#13415)
- test: disable lldb test as it requires privileges to run on macOS (rust-lang/cargo#13416)
- Update git2 (rust-lang/cargo#13412)
- fix: Switch more notes/warnings to lowercase (rust-lang/cargo#13410)
- Don't add the new package to workspace.members if there is no existing workspace in Cargo.toml. (rust-lang/cargo#13391)
- Remove build metadata from curl-sys version. (rust-lang/cargo#13401)
- Fix markdown line break in cargo-add (rust-lang/cargo#13400)
- Remove `package.documentation` from the “before publishing” list. (rust-lang/cargo#13398)
- chore(deps): update gix (rust-lang/cargo#13380)
- chore(deps): update compatible (rust-lang/cargo#13379)
- feat(update): Tell users when they are still behind (rust-lang/cargo#13372)
- docs(changelog): Slight cleanup (rust-lang/cargo#13396)
- Bump to 0.79.0; update changelog (rust-lang/cargo#13392)
- doc: `[package]` doesn't require `version` field (rust-lang/cargo#13390)

r? ghost
bors added a commit that referenced this pull request Feb 7, 2024
[Beta-1.77] Update libgit2

This is a beta backport of #13412 to update libgit2 to fix the security issues mentioned in https://github.com/libgit2/libgit2/releases/tag/v1.7.2. From what I can tell, the threat to cargo is very small. The best I can come up with is a carefully crafted `rev` field in a `Cargo.toml` will cause cargo to hang. However, I would feel safer having this backported.
@rustbot rustbot added this to the 1.78.0 milestone Feb 7, 2024