From 30fe22b260668815ee5e69d551c6707920feac07 Mon Sep 17 00:00:00 2001 From: Jon Gjengset Date: Wed, 17 Aug 2022 21:55:13 +0000 Subject: [PATCH 1/2] Bump git2 to 0.15 and libgit2-sys to 0.14 This will allow cargo to avoid vendored builds of git2 in up-to-date environments going forward, and brings in the [libgit2 1.4.4 CVE fix]. [libgit2 1.4.4 CVE fix]: https://github.com/libgit2/libgit2/releases/tag/v1.4.4 --- Cargo.toml | 6 +++--- crates/cargo-test-support/Cargo.toml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Cargo.toml b/Cargo.toml index 4aa5f403ab5..24cd8e2a11e 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -28,8 +28,8 @@ pretty_env_logger = { version = "0.4", optional = true } anyhow = "1.0" filetime = "0.2.9" flate2 = { version = "1.0.3", default-features = false, features = ["zlib"] } -git2 = "0.14.2" -git2-curl = "0.15.0" +git2 = "0.15.0" +git2-curl = "0.16.0" glob = "0.3.0" hex = "0.4" home = "0.5" @@ -41,7 +41,7 @@ jobserver = "0.1.24" lazycell = "1.2.0" libc = "0.2" log = "0.4.6" -libgit2-sys = "0.13.2" +libgit2-sys = "0.14.0" memchr = "2.1.3" opener = "0.5" os_info = "3.5.0" diff --git a/crates/cargo-test-support/Cargo.toml b/crates/cargo-test-support/Cargo.toml index 81ef1bcb703..b211c47166f 100644 --- a/crates/cargo-test-support/Cargo.toml +++ b/crates/cargo-test-support/Cargo.toml @@ -14,7 +14,7 @@ cargo-util = { path = "../cargo-util" } snapbox = { version = "0.2.8", features = ["diff", "path"] } filetime = "0.2" flate2 = { version = "1.0", default-features = false, features = ["zlib"] } -git2 = "0.14.2" +git2 = "0.15.0" glob = "0.3" itertools = "0.10.0" lazy_static = "1.0" From 222e0e51ff30f4bf19a299505975d64ea7307a14 Mon Sep 17 00:00:00 2001 From: Jon Gjengset Date: Wed, 17 Aug 2022 23:46:27 +0000 Subject: [PATCH 2/2] Disable owner validation for Cargo-as-a-binary --- src/bin/cargo/main.rs | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/src/bin/cargo/main.rs b/src/bin/cargo/main.rs index a29b77b3cdf..1619b487b2f 100644 --- a/src/bin/cargo/main.rs +++ b/src/bin/cargo/main.rs @@ -255,4 +255,27 @@ fn init_git_transports(config: &Config) { unsafe { git2_curl::register(handle); } + + // Disabling the owner validation in git can, in theory, lead to code execution + // vulnerabilities. However, libgit2 does not launch executables, which is the foundation of + // the original security issue. Meanwhile, issues with refusing to load git repos in + // `CARGO_HOME` for example will likely be very frustrating for users. So, we disable the + // validation. + // + // For further discussion of Cargo's current interactions with git, see + // + // https://github.com/rust-lang/rfcs/pull/3279 + // + // and in particular the subsection on "Git support". + // + // Note that we only disable this when Cargo is run as a binary. If Cargo is used as a library, + // this code won't be invoked. Instead, developers will need to explicitly disable the + // validation in their code. This is inconvenient, but won't accidentally open consuming + // applications up to security issues if they use git2 to open repositories elsewhere in their + // code. + unsafe { + if git2::opts::set_verify_owner_validation(false).is_err() { + return; + } + } }