From 30fe22b260668815ee5e69d551c6707920feac07 Mon Sep 17 00:00:00 2001
From: Jon Gjengset
Date: Wed, 17 Aug 2022 21:55:13 +0000
Subject: [PATCH 1/2] Bump git2 to 0.15 and libgit2-sys to 0.14
This will allow cargo to avoid vendored builds of git2 in up-to-date environments going forward, and brings in the [libgit2 1.4.4 CVE fix].
[libgit2 1.4.4 CVE fix]: https://github.com/libgit2/libgit2/releases/tag/v1.4.4
---
 Cargo.toml | 6 +++---
 crates/cargo-test-support/Cargo.toml | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/Cargo.toml b/Cargo.toml
index 4aa5f403a..24cd8e2a1 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -28,8 +28,8 @@ pretty_env_logger = { version = "0.4", optional = true }
 anyhow = "1.0"
 filetime = "0.2.9"
 flate2 = { version = "1.0.3", default-features = false, features = ["zlib"] }
-git2 = "0.14.2"
-git2-curl = "0.15.0"
+git2 = "0.15.0"
+git2-curl = "0.16.0"
 glob = "0.3.0"
 hex = "0.4"
 home = "0.5"
@@ -41,7 +41,7 @@ jobserver = "0.1.24"
 lazycell = "1.2.0"
 libc = "0.2"
 log = "0.4.6"
-libgit2-sys = "0.13.2"
+libgit2-sys = "0.14.0"
 memchr = "2.1.3"
 opener = "0.5"
 os_info = "3.5.0"
diff --git a/crates/cargo-test-support/Cargo.toml b/crates/cargo-test-support/Cargo.toml
index 81ef1bcb7..b211c4716 100644
--- a/crates/cargo-test-support/Cargo.toml
+++ b/crates/cargo-test-support/Cargo.toml
@@ -14,7 +14,7 @@ cargo-util = { path = "../cargo-util" }
 snapbox = { version = "0.2.8", features = ["diff", "path"] }
 filetime = "0.2"
 flate2 = { version = "1.0", default-features = false, features = ["zlib"] }
-git2 = "0.14.2"
+git2 = "0.15.0"
 glob = "0.3"
 itertools = "0.10.0"
 lazy_static = "1.0"
From 222e0e51ff30f4bf19a299505975d64ea7307a14 Mon Sep 17 00:00:00 2001
From: Jon Gjengset
Date: Wed, 17 Aug 2022 23:46:27 +0000
Subject: [PATCH 2/2] Disable owner validation for Cargo-as-a-binary
---
 src/bin/cargo/main.rs | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
diff --git a/src/bin/cargo/main.rs b/src/bin/cargo/main.rs
index a29b77b3c..1619b487b 100644
--- a/src/bin/cargo/main.rs
+++ b/src/bin/cargo/main.rs
@@ -255,4 +255,27 @@ fn init_git_transports(config: &Config) {
 unsafe {
 git2_curl::register(handle);
 }
+
+ // Disabling the owner validation in git can, in theory, lead to code execution
+ // vulnerabilities. However, libgit2 does not launch executables, which is the foundation of
+ // the original security issue. Meanwhile, issues with refusing to load git repos in
+ // `CARGO_HOME` for example will likely be very frustrating for users. So, we disable the
+ // validation.
+ //
+ // For further discussion of Cargo's current interactions with git, see
+ //
+ // https://github.com/rust-lang/rfcs/pull/3279
+ //
+ // and in particular the subsection on "Git support".
+ //
+ // Note that we only disable this when Cargo is run as a binary. If Cargo is used as a library,
+ // this code won't be invoked. Instead, developers will need to explicitly disable the
+ // validation in their code. This is inconvenient, but won't accidentally open consuming
+ // applications up to security issues if they use git2 to open repositories elsewhere in their
+ // code.
+ unsafe {
+ if git2::opts::set_verify_owner_validation(false).is_err() {
+ return;
+ }
+ }
 }
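Review bot: The new `git2::opts::set_verify_owner_validation(false)` call is appended at the tail of `init_git_transports`, after `git2_curl::register(handle)`, so it only runs on paths that reach the end of that function; the function's body starts outside the hunk, and as far as I recall it returns early when no custom HTTP transport is configured, in which case owner validation would stay enabled for exactly the default setups this commit is meant to fix. Disabling a process-global libgit2 option has nothing to do with transport registration and should sit before any early return, or in its own init step that then calls the transport setup. Separately, `if ….is_err() { return; }` as the final statement is a no-op that silently discards the error, so a user would still hit the ownership refusals the commit describes with no hint why; `if let Err(e) = git2::opts::set_verify_owner_validation(false) { log::warn!("failed to disable git owner validation: {}", e); }` keeps the best-effort behaviour but leaves a trace (`log` is already a cargo dependency per the first patch). The comment block would also benefit from one sentence stating that the option is process-global and affects every repository git2 opens in this process, not only those under `CARGO_HOME`.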