Auto merge of #11004 - jonhoo:bump-git2, r=weihanglo

bors · bors · commit e5ec3a8ff992 · 2022-08-27T09:22:12.000Z
Bump git2 to 0.15 and libgit2-sys to 0.14 This will allow cargo to avoid vendored builds of git2 in up-to-date environments going forward, and brings in the [libgit2 1.4.4 CVE fix]. [libgit2 1.4.4 CVE fix]: https://github.com/libgit2/libgit2/releases/tag/v1.4.4
diff --git a/Cargo.toml b/Cargo.toml
@@ -28,8 +28,8 @@ pretty_env_logger = { version = "0.4", optional = true }
 anyhow = "1.0"
 filetime = "0.2.9"
 flate2 = { version = "1.0.3", default-features = false, features = ["zlib"] }
-git2 = "0.14.2"
-git2-curl = "0.15.0"
+git2 = "0.15.0"
+git2-curl = "0.16.0"
 glob = "0.3.0"
 hex = "0.4"
 home = "0.5"
@@ -41,7 +41,7 @@ jobserver = "0.1.24"
 lazycell = "1.2.0"
 libc = "0.2"
 log = "0.4.6"
-libgit2-sys = "0.13.2"
+libgit2-sys = "0.14.0"
 memchr = "2.1.3"
 opener = "0.5"
 os_info = "3.5.0"
diff --git a/crates/cargo-test-support/Cargo.toml b/crates/cargo-test-support/Cargo.toml
@@ -14,7 +14,7 @@ cargo-util = { path = "../cargo-util" }
 snapbox = { version = "0.3.0", features = ["diff", "path"] }
 filetime = "0.2"
 flate2 = { version = "1.0", default-features = false, features = ["zlib"] }
-git2 = "0.14.2"
+git2 = "0.15.0"
 glob = "0.3"
 itertools = "0.10.0"
 lazy_static = "1.0"
diff --git a/src/bin/cargo/main.rs b/src/bin/cargo/main.rs
@@ -255,4 +255,27 @@ fn init_git_transports(config: &Config) {
     unsafe {
         git2_curl::register(handle);
     }
+
+    // Disabling the owner validation in git can, in theory, lead to code execution
+    // vulnerabilities. However, libgit2 does not launch executables, which is the foundation of
+    // the original security issue. Meanwhile, issues with refusing to load git repos in
+    // `CARGO_HOME` for example will likely be very frustrating for users. So, we disable the
+    // validation.
+    //
+    // For further discussion of Cargo's current interactions with git, see
+    //
+    //   https://github.com/rust-lang/rfcs/pull/3279
+    //
+    // and in particular the subsection on "Git support".
+    //
+    // Note that we only disable this when Cargo is run as a binary. If Cargo is used as a library,
+    // this code won't be invoked. Instead, developers will need to explicitly disable the
+    // validation in their code. This is inconvenient, but won't accidentally open consuming
+    // applications up to security issues if they use git2 to open repositories elsewhere in their
+    // code.
+    unsafe {
+        if git2::opts::set_verify_owner_validation(false).is_err() {
+            return;
+        }
+    }
 }
