Makefile: Update libgit2 to v1.3.2 (!4705) · Merge requests · GitLab.org / gitaly

Patrick Steinhardt requested to merge pks-libgit2-v1.3.2 into master Jul 13, 2022

Update libgit2 to v1.3.2. This release contains fixes to both CVE-2022-24765 and CVE-2022-29187, both of which relate to opening repositories owned by a user different to the current one that may lead to privilege escalation.

While libgit2 itself is not affected by these vulnerabilities, the upgrade brings it in line with what Git is doing. Most notably, libgit2 will now refuse to open repositories which are owned by a different user. This should theoretically not make much of a difference for Gitaly given that it is expected that all repositories are typically owned by the same user as the one we're executing as.

Also note that this upgrade does not plug a known vulnerability in Gitaly itself, but is rather done as a precaution and to not be put in a position to argue whether we are or aren't susceptible to these CVEs.

Edited Jul 13, 2022 by Patrick Steinhardt

Makefile: Update libgit2 to v1.3.2

Merge request reports