Add advisory for git2: DiffBinaryFile::data() for empty data triggers UB #2981

Open
DanielEScherzer wants to merge 1 commit into rustsec:main from DanielEScherzer:git2-DiffBinaryFile-data

@DanielEScherzer

Contributor

Affected crate(s)

  • git2

Links to upstream issue(s) or PR(s)

rust-lang/git2-rs#1278, rust-lang/git2-rs#1279

Severity

Low? Potential UB from misuse of an unsafe function

Checklist

  • Advisory filename(s) starts with RUSTSEC-0000-0000 as the ID
  • date field is set to the public disclosure date
  • Contains a concise and descriptive title after advisory metadata
  • Asked maintainer(s) if publishing an advisory is appropriate

@DanielEScherzer

Contributor Author

Date is set as the date of the PR to fix the issue being created

Filed pre-emptively with versions > 0.21.0, will update once a new version has been released

CC @weihanglo for maintainer sign off

DanielEScherzer force-pushed the git2-DiffBinaryFile-data branch from 8a4f177 to 97dcca8 on June 17, 2026 17:23

@DanielEScherzer

Contributor Author

error: RustSec error: git operation failed: unexpected file extension: ./crates/git2/RUSTSEC-0000-0000.md‎
Caused by:
  -> git operation failed: unexpected file extension: ./crates/git2/RUSTSEC-0000-0000.md‎

locally cloned:

$ git show HEAD~0
commit 8a4f177b2a88c6986c993a8691478659aebacaf0 (HEAD -> git2-DiffBinaryFile-data, origin/git2-DiffBinaryFile-data)
Author: Daniel Scherzer <daniel.e.scherzer@gmail.com>
Date:   Wed Jun 17 10:14:47 2026 -0700

    Add advisory for git2: DiffBinaryFile::data() for empty data triggers UB

diff --git "a/crates/git2/RUSTSEC-0000-0000.md\342\200\216" "b/crates/git2/RUSTSEC-0000-0000.md\342\200\216"
new file mode 100644
index 00000000..5aad2a0f
--- /dev/null
+++ "b/crates/git2/RUSTSEC-0000-0000.md\342\200\216"
@@ -0,0 +1,16 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "git2"
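
Review bot: the new file's path in the `diff --git` and `+++` headers ends in the escaped bytes `\342\200\216` after `.md`. Those bytes are the UTF-8 encoding of U+200E (LEFT-TO-RIGHT MARK), an invisible character, so the file's extension is not actually `md`, which matches the "unexpected file extension" RustSec error above. Rename the file so the name ends exactly in `RUSTSEC-0000-0000.md` (for example with `git mv`) and confirm the invisible character is gone from the diff header.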

somehow I got some weird characters for the .md???

@djc

djc commented Jun 18, 2026

Member

@weihanglo are you planning to release this soon? If so, would prefer to hold off publishing this until a fix has been published.
