rust-lang / git2-rs

libgit2 bindings for Rust
https://docs.rs/git2
Apache License 2.0

Proposed RUSTSEC advisory for CVE-2022-46176 (git2-rs, cargo) #912

Closed ijackson closed 1 year ago

ijackson commented 1 year ago

Hi. When I read the Rust upstream reports about the cargo vuln, I was surprised and investigated what the underlying bug is. It appears to me to be in git2-rs, and I think other callers will be affected.

So I have filed https://github.com/rustsec/advisory-db/pull/1518.

I think it might be nice to publish a git2-rs version 0.15.1 which at least changes the default behaviour.

ehuss commented 1 year ago

Closing per the discussion at https://github.com/rustsec/advisory-db/pull/1520.