delta/libgit2.git, branch v1.3.2 github.com: libgit2/libgit2.git meta: update changelog for v1.3.2 2022-07-12T17:09:15+00:00 Edward Thomson ethomson@edwardthomson.com 2022-07-12T17:09:15+00:00 a6c822e353e01f690728a082fe32f09b01b845c6 






meta: update version number to 1.3.2
2022-07-12T17:08:23+00:00

Edward Thomson
ethomson@edwardthomson.com

2022-07-12T17:08:23+00:00

351da8af77ff7ce03ebfb3b501e3abb02dce3413












zlib: Silence some warnings from Visual Studio C.
2022-07-07T04:27:03+00:00

Mark Adler
madler@alumni.caltech.edu

2022-03-28T17:50:16+00:00

d4e1ae3588feb1a1ef8170f06f35507326c01c8f












zlib: slide_hash: add MSAN annotation to suppress known read from uninitialised memory
2022-07-07T04:27:03+00:00

Andrzej Hunt
andrzej@ahunt.org

2021-06-04T16:25:19+00:00

c01435b848080fc56c641d9c67eee1083b22aea3

slide_hash knowingly reads (possibly) uninitialised memory, see comment
lower down about prev[n] potentially being garbage. In this case, the
result is never used - so we don't care about MSAN complaining about
this read.

By adding the no_sanitize("memory") attribute, clients of zlib won't
see this (unnecessary) error when building and running with
MemorySanitizer. An alternative approach is for clients to build zlib
with -fsanitize-ignorelist=... where the ignorelist contains something
like 'fun:slide_hash'. But that's more work and needs to be redone
for any and all CI systems running a given project with MSAN. Adding
this annotation to zlib's sources is overall more convenient - but
also won't affect non-MSAN builds.

This specific issue was found while running git's test suite, but has
also been reported by other clients, see e.g. #518.





slide_hash knowingly reads (possibly) uninitialised memory, see comment
lower down about prev[n] potentially being garbage. In this case, the
result is never used - so we don't care about MSAN complaining about
this read.

By adding the no_sanitize("memory") attribute, clients of zlib won't
see this (unnecessary) error when building and running with
MemorySanitizer. An alternative approach is for clients to build zlib
with -fsanitize-ignorelist=... where the ignorelist contains something
like 'fun:slide_hash'. But that's more work and needs to be redone
for any and all CI systems running a given project with MSAN. Adding
this annotation to zlib's sources is overall more convenient - but
also won't affect non-MSAN builds.

This specific issue was found while running git's test suite, but has
also been reported by other clients, see e.g. #518.







zlib: declare prototypes for new functions
2022-07-07T04:27:01+00:00

Edward Thomson
ethomson@edwardthomson.com

2022-07-06T13:52:22+00:00

b1cbb56e528ba066a1f49ecbb323b85e37e8a576

The `crc32_combine_gen64` missed a prototype in our define path.
Add one.





The `crc32_combine_gen64` missed a prototype in our define path.
Add one.







zlib: updated bundled zlib to v1.2.12
2022-07-07T04:26:12+00:00

Edward Thomson
ethomson@edwardthomson.com

2022-07-06T13:50:55+00:00

c25d1a1b2f346e9521cc05482d88c85be50cd14b












repo: allow users running with sudo to access their repositories
2022-07-07T04:26:12+00:00

Edward Thomson
ethomson@edwardthomson.com

2022-07-06T03:47:15+00:00

749f5fdbdc1a923ca3c49db328f448b613e75585

In the ownership checks implemented for CVE-2022-24765, we disallowed
users to access their own repositories when running with `sudo`.

Examine the `SUDO_UID` environment variable and allow users running
with `sudo`. This matches git's behavior.





In the ownership checks implemented for CVE-2022-24765, we disallowed
users to access their own repositories when running with `sudo`.

Examine the `SUDO_UID` environment variable and allow users running
with `sudo`. This matches git's behavior.







repo: validate gitdir and gitlink ownership
2022-07-07T04:26:12+00:00

Edward Thomson
ethomson@edwardthomson.com

2022-07-02T14:19:33+00:00

2e4ea7b7fb593dea0b96e3bca659c3594e7fe734

To match git's behavior with CVE 2022-29187, validate not only the
working directory, but also the gitdir and gitlink (if it exists). This
a follow up to CVE-2022-24765 that was fixed earlier.





To match git's behavior with CVE 2022-29187, validate not only the
working directory, but also the gitdir and gitlink (if it exists). This
a follow up to CVE-2022-24765 that was fixed earlier.







repo: allow admin owned configs by admin users
2022-07-07T04:26:12+00:00

Edward Thomson
ethomson@edwardthomson.com

2022-07-04T20:03:10+00:00

9e35f96e616300a04789b6572f874753dc5579af

Allow users in the administrator group to use git configs that are owned
by administrators.





Allow users in the administrator group to use git configs that are owned
by administrators.







fs: allow ownership match if user is in admin group
2022-07-07T04:02:19+00:00

Edward Thomson
ethomson@edwardthomson.com

2022-07-07T04:02:19+00:00

decffcf2efd67da717e1d8ff0cc757d076afe861

Allow the user ownership to match if the file is owned by the admin
group and the user is in the admin group, even if the current process is
not running as administrator directly.





Allow the user ownership to match if the file is owned by the admin
group and the user is in the admin group, even if the current process is
not running as administrator directly.