libgit2 is a portable, pure C implementation of the Git core methods provided as a re-entrant
linkable library with a solid API, allowing you to write native speed custom Git applications
in any language that supports C bindings.
- CVE History:
* 14 CVEs, 11 of them are from the 2016-2018 period.
* Since 2018 the only 3 CVEs found are NFTS-related or certs-related.
* Only one in the last 3 years (cert-related)
* In some cases, fixes have been backported officially.
- Build-Depends?
* debhelper-compat (= 13), python3-minimal:any, pkg-config, ca-certificates, cmake, zlib1g-dev,
libssl-dev, libssh2-1-dev, libhttp-parser-dev, libpcre2-dev, libkrb5-dev
* It uses libssl, libssh, libhttp-parser, krb5.
- pre/post inst/rm scripts?
* None.
- init scripts?
* None.
- systemd units?
* None.
- dbus services?
* None.
- setuid binaries?
* None.
- binaries in PATH?
* None.
- sudo fragments?
* None.
- polkit files?
* None.
- udev rules?
* None.
- unit tests / autopkgtests?
* Autopkgtest test only checks if the library can be loaded and calls version retrieval.
* It has extensive unit tests, they are run at build time.
- cron jobs?
* None.
- Build logs:
* Warn/Error on build logs:
* Cmake warnings regarding unused variables.
* Build warning about uninitialized variables, deprecated SSH functions.
* Some lintian errors on examples (fixture binary).
- Processes spawned?
* The library does not spawn any processes.
- Memory management?
* Memory is handled with care, always performing checks and validating the
return values.
* Specific structs have been created to manage memory more safely, like
git_str.
* Specific macros/functions have been created to perform sensitive operations
in the safest way possible.
- File IO?
* File paths are recontstructed from the Git tree.
If someone can modify the .git tree files then they already have access.
No security issues.
* File contents are not sanitized, as expected.
* Files are created with the umask specified in the Git object.
- Logging?
* Yes, most of the output is handled by git_str_printf, which does it safely.
- Environment variable usage?
* They are not sanitized but they don't look like they could be abused.
* Main use case is reading specific Git env variables or getting the home directory.
- Use of privileged functions?
* None.
- Use of cryptography / random number sources etc?
* It relies on libssh2 to perform most of the ssh handling.
* It relies on openssl for https and sha functions.
* They do certificate check by default since CVE-2023-22742, but before it would be
possible to do it if specified.
* There is hostname checking against cert in verify_server_cert.
- Use of temp files?
* None.
- Use of networking?
* Network is used for sync with remote repositories.
* Input is not filtered/sanitized but that's expected.
- Use of WebKit?
* None.
- Use of PolicyKit?
* None.
- Any significant cppcheck results?
* Nothing significant regarding the library's code.
- Any significant Coverity results?
* Most of the issues are regarding tests.
* Nothing relevant to the library itself:
* Recursive inclusion warnings but it seems to work fine.
* Out of bounds but those are right, checking against ULONG_MAX, UINT_MAX, etc.
* Null dereferences properly handled by macros/other checks.
- Any significant shellcheck results?
* Nothing significant regarding the library's code.
- Any significant bandit results?
* Nothing significant regarding the library's code.
- Any significant govulncheck results?
* None.
* It has a security page: https://libgit2.org/security/
* This project is covered by the oss-fuzz platform: https://storage.googleapis.com/oss-fuzz-introspector/libgit2/inspector-report/20230608/fuzz_report.html
* Security policy (Security.md) in place.
* Code is programmed with security in mind:
* Macros like GIT_ERROR_CHECK_ALLOC, GIT_ASSERT
* Functions to handle pointers are used, like git_str_set, which do it safely.
* Special structures to better handle pointers like git_str.
* Properly documented.
* Actively developed.
* They run sanitizers (Memory, Undefined Behaviour and Thread) in their CI/CD pipelines.
* Manual testing doesn't show any issues with unknown/unexpected inputs.
Security team ACK for promoting libgit2 to main in mantic.
I reviewed libgit2 1.5.1+ds-1ubuntu1 as checked into mantic. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.
Upstream: https:/ /github. com/libgit2/ libgit2
libgit2 is a portable, pure C implementation of the Git core methods provided as a re-entrant
linkable library with a solid API, allowing you to write native speed custom Git applications
in any language that supports C bindings.
- CVE History: minimal: any, pkg-config, ca-certificates, cmake, zlib1g-dev,
* 14 CVEs, 11 of them are from the 2016-2018 period.
* Since 2018 the only 3 CVEs found are NFTS-related or certs-related.
* Only one in the last 3 years (cert-related)
* In some cases, fixes have been backported officially.
- Build-Depends?
* debhelper-compat (= 13), python3-
libssl-dev, libssh2-1-dev, libhttp-parser-dev, libpcre2-dev, libkrb5-dev
* It uses libssl, libssh, libhttp-parser, krb5.
- pre/post inst/rm scripts?
* None.
- init scripts?
* None.
- systemd units?
* None.
- dbus services?
* None.
- setuid binaries?
* None.
- binaries in PATH?
* None.
- sudo fragments?
* None.
- polkit files?
* None.
- udev rules?
* None.
- unit tests / autopkgtests?
* Autopkgtest test only checks if the library can be loaded and calls version retrieval.
* It has extensive unit tests, they are run at build time.
- cron jobs?
* None.
- Build logs:
* Warn/Error on build logs:
* Cmake warnings regarding unused variables.
* Build warning about uninitialized variables, deprecated SSH functions.
* Some lintian errors on examples (fixture binary).
- Processes spawned?
* The library does not spawn any processes.
- Memory management?
* Memory is handled with care, always performing checks and validating the
return values.
* Specific structs have been created to manage memory more safely, like
git_str.
* Specific macros/functions have been created to perform sensitive operations
in the safest way possible.
- File IO?
* File paths are recontstructed from the Git tree.
If someone can modify the .git tree files then they already have access.
No security issues.
* File contents are not sanitized, as expected.
* Files are created with the umask specified in the Git object.
- Logging?
* Yes, most of the output is handled by git_str_printf, which does it safely.
- Environment variable usage?
* They are not sanitized but they don't look like they could be abused.
* Main use case is reading specific Git env variables or getting the home directory.
- Use of privileged functions?
* None.
- Use of cryptography / random number sources etc?
* It relies on libssh2 to perform most of the ssh handling.
* It relies on openssl for https and sha functions.
* They do certificate check by default since CVE-2023-22742, but before it would be
possible to do it if specified.
* There is hostname checking against cert in verify_server_cert.
- Use of temp files?
* None.
- Use of networking?
* Network is used for sync with remote repositories.
* Input is not filtered/sanitized but that's expected.
- Use of WebKit?
* None.
- Use of PolicyKit?
* None.
- Any significant cppcheck results?
* Nothing significant regarding the library's code.
- Any significant Coverity results?
* Most of the issues are regarding tests.
* Nothing relevant to the library itself:
* Recursive inclusion warnings but it seems to work fine.
* Out of bounds but those are right, checking against ULONG_MAX, UINT_MAX, etc.
* Null dereferences properly handled by macros/other checks.
- Any significant shellcheck results?
* Nothing significant regarding the library's code.
- Any significant bandit results?
* Nothing significant regarding the library's code.
- Any significant govulncheck results?
* None.
* It has a security page: https:/ /libgit2. org/security/ /storage. googleapis. com/oss- fuzz-introspect or/libgit2/ inspector- report/ 20230608/ fuzz_report. html CHECK_ALLOC, GIT_ASSERT
* This project is covered by the oss-fuzz platform: https:/
* Security policy (Security.md) in place.
* Code is programmed with security in mind:
* Macros like GIT_ERROR_
* Functions to handle pointers are used, like git_str_set, which do it safely.
* Special structures to better handle pointers like git_str.
* Properly documented.
* Actively developed.
* They run sanitizers (Memory, Undefined Behaviour and Thread) in their CI/CD pipelines.
* Manual testing doesn't show any issues with unknown/unexpected inputs.
Security team ACK for promoting libgit2 to main in mantic.