The libgit2 project fixed three security issues in the 1.7.2 release. These issues are:
The git_revparse_single function can potentially enter an infinite loop on a well-crafted input, potentially causing a Denial of Service. This function is exposed in the git2 crate via the Repository::revparse_single method.
The git_index_add function may cause heap corruption and possibly lead to arbitrary code execution. This function is exposed in the git2 crate via the Index::add method.
The smart transport negotiation may experience an out-of-bounds read when a remote server did not advertise capabilities.
The libgit2-sys crate bundles libgit2, or optionally links to a system libgit2 library. In either case, versions of the libgit2 library less than 1.7.2 are vulnerable. The 0.16.2 release of libgit2-sys bundles the fixed version of 1.7.2, and requires a system libgit2 version of at least 1.7.2.
libgit2-sys0.15.2+1.6.4>=0.16.2The libgit2 project fixed three security issues in the 1.7.2 release. These issues are:
git_revparse_singlefunction can potentially enter an infinite loop on a well-crafted input, potentially causing a Denial of Service. This function is exposed in thegit2crate via theRepository::revparse_singlemethod.git_index_addfunction may cause heap corruption and possibly lead to arbitrary code execution. This function is exposed in thegit2crate via theIndex::addmethod.The
libgit2-syscrate bundles libgit2, or optionally links to a system libgit2 library. In either case, versions of the libgit2 library less than 1.7.2 are vulnerable. The 0.16.2 release oflibgit2-sysbundles the fixed version of 1.7.2, and requires a system libgit2 version of at least 1.7.2.It is recommended that all users upgrade.
See advisory page for additional details.