libgit2 is not directly affected by this vulnerability, because libgit2 does not directly invoke any executable. But we are providing these changes as a security release for any users that use libgit2 for repository discovery and then also use git on that repository. In this release, we will now validate that the user opening the repository is the same user that owns the on-disk repository. This is to match git's behavior.
In addition, we are providing several correctness fixes where invalid input can lead to a crash. These may prevent possible denial of service attacks. At this time there are not known exploits to these issues.
Full list of changes:
- Validate repository directory ownership (v1.4) by @ethomson in #6267
- midx: Fix an undefined behavior (left-shift signed overflow) by @lhchavez in #6260
- fetch: support OID refspec without dst by @ethomson in #6251
- Fix crash when regenerating a patch with unquoted spaces in filename by @jorio in #6244
All users of the v1.4 release line are recommended to upgrade.
Full Changelog: v1.4.2...v1.4.3
libgit2 is not directly affected by this vulnerability, because libgit2 does not directly invoke any executable. But we are providing these changes as a security release for any users that use libgit2 for repository discovery and then also use git on that repository. In this release, we will now validate that the user opening the repository is the same user that owns the on-disk repository. This is to match git's behavior.
In addition, we are providing several correctness fixes where invalid input can lead to a crash. These may prevent possible denial of service attacks. At this time there are not known exploits to these issues.
Full list of changes:
All users of the v1.3 release line are recommended to upgrade.
- xdiff: use xdl_free not free by @ethomson
- cmake: Fix package name for system http-parser by @mgorny
- Free parent and ref in lg2_commit before returning by @apnadkarni
All users of the v1.4 release line are recommended to upgrade.
Full Changelog: v1.4.0...v1.4.1
This is release v1.4.0, "Fisematenten". This release includes several new features and bugfixes, improves compatibility with git, and begins preparation for SHA256 support in a future release.
What's Changed
New features
- diff: update rename limit to 1000 to match git's behavior by @ethomson in #6092
- odb: support checking for object existence without refresh by @joshtriplett in #6107
- object: provide a low-level mechanism to validate whether a raw object is valid (
git_object_rawcontent_is_valid
) by @ethomson in #6128 - blob: provide a function to identify binary content by @ethomson in #6142
- status: add
rename_threshold
togit_status_options
. by @arroz in #6158 - remote: support
http.followRedirects
(false
andinitial
) and follow initial redirects by default by @ethomson in #6175 - remote: support scp style paths with ports (
[git@github.com:22]:libgit2/libgit2
) by @ethomson in #6167 - win32: update git for windows configuration file location compatibility by @csware in #6151 and @ethomson in #6180
- refs: speed up packed reference lookups when packed refs are sorted by @ccstolley in #6138
- merge: support zdiff3 conflict styles by @ethomson in #6195
- remote: support fetching by object id (using "+oid:ref" refspec syntax) by @ethomson in #6203
- merge: callers can specify virtual-base building behavior and to optionally accept conflict markers as a resolution by @boretrk in #6204
Deprecated APIs
git_index_checksum
is deprecated; this information is now internal to the library and there is no replacementgit_indexer_hash
is deprecated; callers should usegit_indexer_name
to retrieve the filenamegit_packbuilder_hash
is deprecated; callers should usegit_packbuilder_name
to retrieve the filename
ABI changes
git_fetch_options
now includes thefollow_redirects
valuegit_push_options
now includes thefollow_redirects
valuegit_status_options
now includes therename_threshold
valuegit_transport
contains several changed function pointer signatures
Bug fixes
- Fix a gcc 11 warning in src/threadstate.c by @lhchavez in #6115
- Fix a gcc 11 warning in src/thread.h by @lhchavez in #6116
- cmake: re-enable WinHTTP by @ethomson in #6120
- Fix repo init when template dir is non-existent by @ammgws in #6106
- cmake: use project-specific root variable instead of CMAKE_SOURCE_DIR by @Qix- in #6146
- Better revparse compatibility for at time notation by @yoichi in #6095
- remotes: fix insteadOf/pushInsteadOf handling by @mkhl in #6101
- git_commit_summary: ignore lines with spaces by @stforek in #6125
- Config parsing by @csware in #6124
- config: handle empty conditional in includeIf by @ethomson in #6165
- #6154 git_status_list_new case insensitive fix by @arroz in #6159
- futils_mktmp: don't use umask by @boretrk in #6178
- revparse: support bare '@' by @ethomson in #6196
- odb: check for write failures by @ethomson in #6206
- push: Prepare pack before sending pack header. by @ccstolley in #6205
- mktmp: improve our temp file creation by @ethomson in #6207
- diff_file: fix crash if size of diffed file changes in workdir by @jorio in #6208
- merge: comment conflicts lines in MERGE_MSG by @ethomson in #6197
- Fix crashes in example programs on Windows (sprintf_s not compatible with snprintf) by @apnadkarni in #6212
Code cleanups
- Introduce
git_remote_connect_options
by @ethomson in #6161 - hash: separate hashes and git_oid by @ethomson in #6082
git_buf
: now a public-only API (git_str
is our internal API) by @ethomson in #6078- cmake: cleanups and consistency by @ethomson in #6084
- path: refactor utility path functions by @ethomson in #6104
- str: git_str_free is never a function by @ethomson in #6111
- cmake refactorings by @ethomson in #6112
- Add missing-declarations warning globally by @ethomson in #6113
- cmake: further refactorings by @ethomson in #6114
- tag: set validity to 0 by default by @ethomson in #6119
- util: minor cleanup and refactoring to the date class by @ethomson in #6121
- Minor code cleanups by @ethomson in #6122
- Fix a long long that crept past by @NattyNarwhal in #6094
- remote: refactor insteadof application by @ethomson in #6147
- ntmlclient: fix linking with libressl by @boretrk in #6157
- c99: change single bit flags to unsigned by @boretrk in #6179
- Fix typos by @rex4539 in #6164
- diff_driver: split global_drivers array into separate elements by @boretrk in #6184
- cmake: disable some gnu extensions by @boretrk in #6185
- Disabling setting
CMAKE_FIND_LIBRARY_SUFFIXES
on Apple platforms. by @arroz in #6153 - C90: add inline macro to xdiff and mbedtls by @boretrk in #6200
- SHA256: early preparation by @ethomson in #6192
CI improvements
- tests: rename test runner to
libgit2_tests
, build option toBUILD_TESTS
. by @ethomson in #6083 - ci: only update docs on push by @ethomson in #6108
- Pedantic header test by @boretrk in #6086
- ci: build with ssh on nightly by @ethomson in #6148
- ci: improve the name in CI runs by @ethomson in #6198
Documentation improvements
- Document that
git_odb
is thread-safe by @joshtriplett in #6109 - Improve documentation by @punkymaniac in #6168
Other changes
- libgit2_clar is now libgit2_tests by @mkhl in #6100
- Remove PSGit from Language Bindings section of README by @cestrand in #6150
- COPYING: remove regex copyright, add PCRE copyright by @ethomson in #6187
- meta: add a release configuration file by @ethomson in #6211
New Contributors
- @mkhl made their first contribution in #6100
- @ammgws made their first contribution in #6106
- @yoichi made their first contribution in #6095
- @stforek made their first contribution in #6125
- @cestrand made their first contribution in #6150
- @rex4539 made their first contribution in #6164
- @jorio made their first contribution in #6208
Full Changelog: v1.3.0...v1.4.0
This is release v1.3.0, "Zugunruhe". This release includes several bugfixes, but only minor new features that will be helpful for users to have an orderly transition to the v2.0 lineage.
New Features
- Support custom git extensions by @ethomson in #6031
- Introduce
git_email_create
; deprecategit_diff_format_email
by @ethomson in #6061
Deprecated APIs
git_oidarray_free
is deprecated; callers should usegit_oidarray_dispose
Bug fixes
- #6028: Check if
threadstate->error_t.message
is notgit_buf__initbuf
before freeing. by @arroz in #6029 - remote: Mark
git_remote_name_is_valid
asGIT_EXTERN
by @lhchavez in #6032 - Fix config parsing for multiline with multiple quoted comment chars by @basile-henry in #6043
- indexer: Avoid one
mmap(2)
/munmap(2)
pair pergit_indexer_append
call by @lhchavez in #6039 - merge: Check file mode when resolving renames by @ccstolley in #6060
- Allow proxy options when connecting with a detached remote. by @lrm29 in #6058
- win32: allow empty environment variables by @ethomson in #6063
- Fixes for deprecated APIs by @ethomson in #6066
- filter: use a
git_oid
in filter options, not a pointer by @ethomson in #6067 - diff: update
GIT_DIFF_IGNORE_BLANK_LINES
by @ethomson in #6068 - Attribute lookups are always on relative paths by @ethomson in #6073
- Handle long paths when querying attributes by @ethomson in #6075
Code cleanups
- notes: use a buffer internally by @ethomson in #6047
- Fix coding style for pointer by @punkymaniac in #6045
- Use typeof GNUC keyword for ISO C compatibility by @duncanthomson in #6041
- Discover libssh2 without pkg-config by @stac47 in #6053
- Longpath filter bug by @lrm29 in #6055
- Add test to ensure empty proxy env behaves like unset env by @sathieu in #6052
- Stdint header condition has been reverted. by @lolgear in #6020
- buf:
common_prefix
takes a string array by @ethomson in #6077 - oidarray: introduce
git_oidarray_dispose
by @ethomson in #6076 - examples: Free the git_config and git_config_entry after use by @257 in #6071
CI Improvements
- ci: pull libssh2 from www.libssh2.org by @ethomson in #6064
Documentation changes
- Update README.md by @shijinglu in #6050
New Contributors
- @basile-henry made their first contribution in #6043
- @duncanthomson made their first contribution in #6041
- @stac47 made their first contribution in #6053
- @shijinglu made their first contribution in #6050
- @ccstolley made their first contribution in #6060
- @sathieu made their first contribution in #6052
- @257 made their first contribution in #6071
Full Changelog: v1.2.0...v1.3.0
This is release v1.2.0, "Absacker". This release includes many new features: in particular, support for commit graphs, multi-pack indexes, and core.longpaths
support.
This is meant to be the final minor release in the v1 lineage. v2.0 will be the next major release and will remove deprecated APIs and may include breaking changes.
New features
- winhttp: support optional client cert by @ianhattendorf in #5384
- Add support for additional SSH hostkey types. by @arroz in #5750
- Handle ipv6 addresses by @ethomson in #5741
- zlib: Add support for building with Chromium's zlib implementation by @lhchavez in #5748
- commit-graph: Introduce a parser for commit-graph files by @lhchavez in #5762
- patch: add owner accessor by @KOLANICH in #5731
- commit-graph: Support lookups of entries in a commit-graph by @lhchavez in #5763
- commit-graph: Introduce
git_commit_graph_needs_refresh()
by @lhchavez in #5764 - Working directory path validation by @ethomson in #5823
- Support
core.longpaths
on Windows by @ethomson in #5857 - git_reference_create_matching: Treat all-zero OID as "must be absent" by @novalis in #5842
- diff:add option to ignore blank line changes by @yuuri in #5853
- [Submodule] Git submodule dup by @lolgear in #5890
- commit-graph: Use the commit-graph in revwalks by @lhchavez in #5765
- commit-graph: Introduce
git_commit_list_generation_cmp
by @lhchavez in #5766 - graph: Create
git_graph_reachable_from_any()
by @lhchavez in #5767 - Support reading attributes from a specific commit by @ethomson in #5952
- [Branch] Branch upstream with format by @lolgear in #5861
- Dynamically load OpenSSL (optionally) by @ethomson in #5974
- Set refs/remotes/origin/HEAD to default branch when branch is specified by @A-Ovchinnikov-mx in #6010
- midx: Add a way to write multi-pack-index files by @lhchavez in #5404
- Use error code GIT_EAUTH for authentication failures by @josharian in #5395
- midx: Introduce git_odb_write_multi_pack_index() by @lhchavez in #5405
- Checkout dry-run by @J0Nes90 in #5841
- mbedTLS: Fix setting certificate directory by @mikezackles in #6004
- remote: introduce remote_ready_cb, deprecate resolve_url callback by @ethomson in #6012
- Introduce
create_commit_cb
, deprecatesigning_cb
by @ethomson in #6016 - commit-graph: Add a way to write commit-graph files by @lhchavez in #5778
- Add NO_PROXY env support by @sathieu in #5796
- Update proxy configuration by @ethomson in #6026
Bug fixes
- Define
git___load
when building with-DTHREADSAFE=OFF
by @lhchavez in #5664 - Make the Windows leak detection more robust by @lhchavez in #5661
- Refactor "global" state by @ethomson in #5546
- threadstate: rename tlsdata when building w/o threads by @ethomson in #5668
- Include
${MBEDTLS_INCLUDE_DIR}
when compilingcrypt_mbedtls.c
by @staticfloat in #5685 - Fix the
-DTHREADSAFE=OFF
build by @lhchavez in #5690 - Add missing worktree_dir check and test case by @rbmclean in #5692
- msvc crtdbg -> win32 leakcheck by @ethomson in #5580
- Introduce GIT_ASSERT macros by @ethomson in #5327
- Also add the raw hostkey to
git_cert_hostkey
by @lhchavez in #5704 - Make the odb race-free by @lhchavez in #5595
- Make the pack and mwindow implementations data-race-free by @lhchavez in #5593
- Thread-free implementation by @ethomson in #5719
- Thread-local storage: a generic internal library (with no allocations) by @ethomson in #5720
- Friendlier getting started in the lack of git_libgit2_init by @ethomson in #5578
- Make git__strntol64() ~70%* faster by @lhchavez in #5735
- Cache the parsed submodule config when diffing by @lhchavez in #5727
- pack: continue zlib while we can make progress by @ethomson in #5740
- Avoid using
__builtin_mul_overflow
with the clang+32-bit combo by @lhchavez in #5742 - repository: use intptr_t's in the config map cache by @ethomson in #5746
- Build with NO_MMAP by @0xdky in #5583
- Add documentation for git_blob_filter_options.version by @JoshuaS3 in #5759
- blob: fix name of
GIT_BLOB_FILTER_ATTRIBUTES_FROM_HEAD
by @ethomson in #5760 - Cope with empty default branch by @ethomson in #5770
- README: instructions for using libgit2 without compiling by @ethomson in #5772
- Use
p_pwrite
/p_pread
consistently throughout the codebase by @lhchavez in #5769 - midx: Fix a bug in
git_midx_needs_refresh()
by @lhchavez in #5768 - mwindow: Fix a bug in the LRU window finding code by @lhchavez in #5783
- refdb_fs: Check git_sortedcache wlock/rlock errors by @mamapanda in #5800
- index: Check git_vector_dup error in write_entries by @mamapanda in #5801
- Fix documentation formating on repository.h by @punkymaniac in #5806
- include: fix typos in comments by @tniessen in #5805
- Fix some typos by @aaronfranke in #5797
- Check git_signature_dup failure by @mamapanda in #5817
- merge: Check insert_head_ids error in create_virtual_base by @mamapanda in #5818
- winhttp: skip certificate check if unable to send request by @ianhattendorf in #5814
- Default to GIT_BRANCH_DEFAULT if init.defaultBranch is empty string by @ianhattendorf in #5832
- Fix diff_entrycount -> diff_num_deltas doc typo by @mjsir911 in #5838
- repo: specify init.defaultbranch is meant to be a branch name by @carlosmn in #5835
- repo: remove an inappropriate use of PASSTHROUGH by @carlosmn in #5834
- src: fix typos in header files by @tniessen in #5843
- test: clean up memory leaks by @ethomson in #5858
- buf: remove unnecessary buf_text namespace by @ethomson in #5860
- Fix bug in git_diff_find_similar. by @staktrace in #5839
- Fix issues with Proxy Authentication after httpclient refactor by @implausible in #5852
- tests: clean up memory leak, fail on leak for win32 by @ethomson in #5892
- Tolerate readlink size less than st_size by @dtolnay in #5900
- Define WINHTTP_NO_CLIENT_CERT_CONTEXT if needed by @jacquesg in #5929
- Update from regex to pcre licensing information in docs/contributing.md by @boretrk in #5916
- Consider files executable only if the user can execute them by @novalis in #5915
- git__timer: Limit ITimer usage to AmigaOS4 by @boretrk in #5936
- Fix memory leak in git_smart__connect by @punkymaniac in #5908
- config: fix included configs not refreshed more than once by @Batchyx in #5926
- Fix wrong time_t used in function by @NattyNarwhal in #5938
- fix check for ignoring of negate rules by @palmin in #5824
- Make
FIND_PACKAGE(PythonInterp)
preferpython3
by @lhchavez in #5913 - git__timer: Allow compilation on systems without CLOCK_MONOTONIC by @boretrk in #5945
- stdintification: use int64_t and INT64_C instead of long long by @NattyNarwhal in #5941
- Optional stricter allocation checking (for
malloc(0)
cases) by @ethomson in #5951 - Variadic arguments aren't in C89 by @NattyNarwhal in #5948
- Fix typo in general.c by @Crayon2000 in #5954
- common.h: use inline when compiling for C99 and later by @boretrk in #5953
- Fix one memory leak in master by @lhchavez in #5957
- tests: reset odb backend priority by @ethomson in #5961
- cmake: extended futimens checking on macOS by @ethomson in #5962
- amiga: use ';' as path list separator on AmigaOS by @boretrk in #5978
- Respect the force flag on refspecs in git_remote_fetch by @alexjg in #5854
- Fix LIBGIT2_FILENAME not being passed to the resource compiler by @jairbubbles in #5994
- sha1dc: remove conditional for <sys/types.h> by @boretrk in #5997
- openssl: don't fail when we can't customize allocators by @ethomson in #5999
- C11 warnings by @boretrk in #6005
- open: input validation for empty segments in path by @boretrk in #5950
- Introduce GIT_WARN_UNUSED_RESULT by @lhchavez in #5802
- GCC C11 warnings by @boretrk in #6006
- array: check dereference from void * type by @boretrk in #6007
- Homogenize semantics for atomic-related functions by @lhchavez in #5747
- git_array_alloc: return objects of correct type by @boretrk in #6008
- CMake. hash sha1 header has been added. by @lolgear in #6013
- tests: change comments to c89 style by @boretrk in #6015
- Set Host Header to match CONNECT authority target by @lollipopman in #6022
- Fix worktree iteration when repository has no common directory by @kcsaul in #5943
Deprecated APIs
- revspec: rename git_revparse_mode_t to git_revspec_t by @ethomson in #5786
- tree: deprecate
git_treebuilder_write_with_buffer
by @ethomson in #5815 - Deprecate
is_valid_name
functions; replace withname_is_valid
functions by @ethomson in #5659 - filter: stop taking git_buf as user input by @ethomson in #5859
- remote: introduce remote_ready_cb, deprecate resolve_url callback by @ethomson in #6012
- Introduce
create_commit_cb
, deprecatesigning_cb
by @ethomson in #6016 - filter: filter drivers stop taking git_buf as user input by @ethomson in #6011
- buf: deprecate public git_buf writing functions by @ethomson in #6017
Documentation improvements
- Update README.md for additional Delphi bindings by @todaysoftware in #5831
- Fix documentation formatting by @punkymaniac in #5850
- docs: fix incorrect comment marker by @tiennou in #5897
- Patch documentation by @punkymaniac in #5903
- Fix misleading doc for
git_index_find
by @arxanas in #5910 - docs: stop mentioning libgit2's "master" branch by @Batchyx in #5925
- docs: fix some missing includes that cause Docurium to error out by @tiennou in #5917
- Patch documentation by @punkymaniac in #5940
Development improvements
CI Improvements
- Add a ThreadSanitizer build by @lhchavez in #5597
- ci: more GitHub Actions by @ethomson in #5706
- ci: run coverity in the nightly builds by @ethomson in #5707
- ci: only report main branch in README status by @ethomson in #5708
- Fix the
ENABLE_WERROR=ON
build in Groovy Gorilla (gcc 10.2) by @lhchavez in #5715 - Re-enable the RC4 test by @carlosmn in #4418
- ci: run codeql by @ethomson in #5709
- github-actions: Also rename the main branch here by @lhchavez in #5771
- ci: don't use ninja on macOS by @ethomson in #5780
- ci: use GitHub for storing mingw-w64 build dependency by @ethomson in #5855
- docker: remove the entrypoint by @ethomson in #5980
- http: don't require a password by @ethomson in #5972
- ci: update nightly to use source path by @ethomson in #5989
- ci: add centos 7 and centos 8 by @ethomson in #5992
- ci: update centos builds by @ethomson in #5995
- ci: tag new containers with the latest tag by @ethomson in #6000
Dependency updates
- ntlm: ntlmclient is now v0.9.1
Full Changelog: v1.1.0...v1.2.0
-
Fixes a bug where decompressing packfiles could fail in rare instances.
-
Ensure worktree paths are validated in more cases.
-
Builds without thread-safety (
THREADSAFE=OFF
) are supported again. -
Builds without mmap (
NO_MMAP
) are supported again. -
mbedTLS is supported in non-default locations.
-
Malformed branch names or missing branches on remotes are ignored.
-
Use compiler intrinsics to detect arithmetic overflows in more cases.
-
The configuration cache functions properly on systems with strict alignment.
-
A missing options initializer function (
git_blob_filter_options_init
) was added forgit_blob_filter_options
. -
Several documentation fixes.
This is release v1.1, "Fernweh".
Changes or improvements
-
Our bundled PCRE dependency has been updated to 8.44.
-
The
refs/remotes/origin/HEAD
file will be created at clone time to
point to the origin's default branch. -
libgit2 now uses the
__atomic_
intrinsics instead of__sync_
intrinsics on supported gcc and clang versions. -
The
init.defaultBranch
setting is now respected andmaster
is
no longer the hardcoded as the default branch name. -
Patch files that do not contain an
index
line can now be parsed. -
Configuration files with multi-line values can now contain quotes
split across multiple lines. -
Windows clients now attempt to use TLS1.3 when available.
-
Servers that request an upgrade to a newer HTTP version are
silently ignored instead of erroneously failing. -
Users can pass
NULL
to the options argument to
git_describe_commit
. -
Clones and fetches of very large packfiles now succeeds on 32-bit
platforms. -
Custom reference database backends can now handle the repository's
HEAD
correctly. -
Repositories with a large number of packfiles no longer exhaust the
number of file descriptors. -
The test framework now supports TAP output when the
-t
flag is
specified. -
The test framework can now specify an exact match to a test
function using a trailing$
. -
All checkout types support
GIT_CHECKOUT_DISABLE_PATHSPEC_MATCH
. -
git_blame
now can ignore whitespace changes using the option
GIT_BLAME_IGNORE_WHITESPACE
. -
Several new examples have been created, including an examples for
commit, add and push. -
Mode changes during rename are now supported in patch application.
-
git_checkout_head
now correctly removes untracked files in a
subdirectory when theFORCE | REMOVE_UNTRACKED
options are specified.
This is a bugfix release with the following changes:
-
Calculating information about renamed files during merges is more
efficient because dissimilarity about files is now being cached and
no longer needs to be recomputed. -
The
git_worktree_prune_init_options
has been correctly restored for
backward compatibility. In v1.0 it was incorrectly deprecated with a
typo. -
The optional ntlmclient dependency now supports NetBSD.
-
A bug where attempting to stash on a bare repository may have failed
has been fixed. -
Configuration files that are unreadable due to permissions are now
silently ignored, and treated as if they do not exist. This matches
git's behavior; previously this case would have been an error. -
v4 index files are now correctly written; previously we would read
them correctly but would not write the prefix-compression accurately,
causing corruption. -
A bug where the smart HTTP transport could not read large data packets
has been fixed. Previously, fetching from servers like Gerrit, that
sent large data packets, would error.