RUSTSEC-2024-0013: Memory corruption, denial of service, and arbitrary code execution in libgit2

[github-actions]

Memory corruption, denial of service, and arbitrary code execution in libgit2

Details
Package	libgit2-sys
Version	0.15.2+1.6.4
URL	rust-lang/git2-rs#1017
Date	2024-02-06
Patched versions	>=0.16.2

The libgit2 project fixed three security issues in the 1.7.2 release. These issues are:

• The git_revparse_single function can potentially enter an infinite loop on a well-crafted input, potentially causing a Denial of Service. This function is exposed in the git2 crate via the Repository::revparse_single method.
• The git_index_add function may cause heap corruption and possibly lead to arbitrary code execution. This function is exposed in the git2 crate via the Index::add method.
• The smart transport negotiation may experience an out-of-bounds read when a remote server did not advertise capabilities.

The libgit2-sys crate bundles libgit2, or optionally links to a system libgit2 library. In either case, versions of the libgit2 library less than 1.7.2 are vulnerable. The 0.16.2 release of libgit2-sys bundles the fixed version of 1.7.2, and requires a system libgit2 version of at least 1.7.2.

It is recommended that all users upgrade.

See advisory page for additional details.

[syphar]

libgit2 is used by rustwide:

$ cargo tree -i libgit2-sys                                                   
libgit2-sys v0.15.2+1.6.4
└── git2 v0.17.2
    └── rustwide v0.16.0
        └── docs-rs v0.6.0 (/Users/syphar/src/rust-lang/docs.rs)

and from what I see, the affected methods are not used.