You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
A new field was added to git_fetch_options in v1.4.0 of libgit2, which makes this call unsound on the condition that any version of git2 below v0.14.0 is used and libgit2.so.1.4 is linked, which has happened already on bleeding edge distributions.
This has already happened to me and apparently a few others on killercup/cargo-edit#641, and in my investigation I found the issue to be due to a segfault in validate_custom_headers, as follow_redirects is incorrectly "initialized" with custom_headers's git_strarray while the actual custom_headers points to junk data past the end of the struct, causing git_strarray's count to be uninitialized memory/random junk, which causes the code to dereference strings which also points to random junk.
I'm not entirely sure how to fix this gracefully. Maybe issue an advisory to all crates using git2 to upgrade to 0.14.0? Wouldn't it cause the same issue in reverse to those who still use libgit2.so.1.3?