Security: update git2 to fix undefined behavior #114

Merged: danielparks merged 2 commits into main from rustsec, Jun 18, 2026
@danielparks
Owner

This updates [git2] to fix two security advisories that do not seem to
affect git-status-vars.

### [RUSTSEC-2026-0183]

> When calling `Remote::list()` for a remote of a git repository, when
> that remote does not advertise any references, git2 passes a null
> pointer to the unsafe function `slice::from_raw_parts()`. Based on the
> safety section documentation of function, data must be non-null even
> for slices of length zero. Thus, the use of a null pointer leads to
> undefined behavior.

### [RUSTSEC-2026-0184]

> When a `Blame` is created via `Blame::blame_buffer()`, and a
> `BlameHunk` is retrieved, the pointers to the original author,
> original committer, final author, and final committer may be null if
> unavailable.  The corresponding `BlameHunk` methods then create
> `Signature`s based on null pointers; attempting to access the data of
> the `Signature`s leads to dereferencing null pointers.

[git2]: https://crates.io/crates/git2
[RUSTSEC-2026-0183]: https://rustsec.org/advisories/RUSTSEC-2026-0183
[RUSTSEC-2026-0184]: https://rustsec.org/advisories/RUSTSEC-2026-0184

Bump edition to 2024 at the same time, and fix a bunch of lints.
@danielparks danielparks merged commit 058e5ca into main Jun 18, 2026
12 checks passed
@danielparks danielparks deleted the rustsec branch June 18, 2026 22:24
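
The two advisories quoted above describe the same class of FFI bug: a NULL pointer from C reaching a Rust API that assumes non-null. The following is an added example, not code from this PR and not git2's actual patch; `Sig`, `slice_from_ffi` and `opt_ref` are hypothetical names showing one defensive way to wrap such pointers.

```rust
use std::slice;

/// Hypothetical stand-in for a C struct a binding receives by pointer.
#[derive(Debug, PartialEq)]
pub struct Sig {
    pub when: i64,
}

/// Turn an FFI (pointer, length) pair into a slice.
/// C code often reports "no items" as (NULL, 0), but `slice::from_raw_parts`
/// requires a non-null, aligned pointer even when `len` is 0.
///
/// # Safety
/// A non-null `data` must point to `len` initialized `T`s that outlive `'a`.
pub unsafe fn slice_from_ffi<'a, T>(data: *const T, len: usize) -> &'a [T] {
    if data.is_null() {
        // Never hand NULL to from_raw_parts; an empty slice is the safe answer.
        &[]
    } else {
        unsafe { slice::from_raw_parts(data, len) }
    }
}

/// Borrow a possibly-NULL FFI pointer as `Option<&T>` so "unavailable"
/// is a `None` the caller must handle, not a wrapper around NULL.
///
/// # Safety
/// A non-null `p` must point to a valid `T` that outlives `'a`.
pub unsafe fn opt_ref<'a, T>(p: *const T) -> Option<&'a T> {
    unsafe { p.as_ref() }
}

fn main() {
    // Constructed inputs: a remote advertising no refs, then three refs.
    let none: &[u32] = unsafe { slice_from_ffi(std::ptr::null(), 0) };
    let ids = [1u32, 2, 3];
    let some = unsafe { slice_from_ffi(ids.as_ptr(), ids.len()) };
    println!("{:?} {:?}", none, some);

    // Constructed inputs: a missing signature, then a present one.
    let sig = Sig { when: 42 };
    let missing: Option<&Sig> = unsafe { opt_ref(std::ptr::null()) };
    println!("{:?} {:?}", missing, unsafe { opt_ref(&sig as *const Sig) });
}
```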