Skip to content

Conversation

lhchavez
Copy link
Contributor

🔒 This is a security release to provide compatibility with git's
changes to address CVE
2022-24765
.

libgit2 (and by extension git2go) are not directly affected by this
vulnerability, because libgit2 does not directly invoke any executable.
But we are providing these changes as a security release for any users
that use libgit2 for repository discovery and then also use git on that
repository. In this release, we will now validate that the user opening
the repository is the same user that owns the on-disk repository. This
is to match git's behavior.

In addition, we are providing several correctness fixes where invalid
input can lead to a crash. These may prevent possible denial of service
attacks. At this time there are not known exploits to these issues.

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
🔒 This is a security release to provide compatibility with git's
changes to address [CVE
2022-24765](https://github.blog/2022-04-12-git-security-vulnerability-announced/).

libgit2 (and by extension git2go) are not directly affected by this
vulnerability, because libgit2 does not directly invoke any executable.
But we are providing these changes as a security release for any users
that use libgit2 for repository discovery and then also use git on that
repository. In this release, we will now validate that the user opening
the repository is the same user that owns the on-disk repository. This
is to match git's behavior.

In addition, we are providing several correctness fixes where invalid
input can lead to a crash. These may prevent possible denial of service
attacks. At this time there are not known exploits to these issues.
@lhchavez lhchavez merged commit 7bff4ca into libgit2:main Apr 14, 2022
@lhchavez lhchavez deleted the v1.3.1 branch April 14, 2022 14:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

1 participant