Package: libgit2-27
Version: 0.27.7+dfsg.1-0.2
Severity: important
Tags: upstream

Steps to reproduce:

 * Build the libgit2 rev-parse example:
    * Install libgit2-dev
    * Copy the contents of /usr/share/doc/libgit2-dev/examples
      to a fresh directory and change into it
    * gunzip common.c.gz
    * gcc -lgit2 rev-list.c common.c
   This will produce a file `./a.out`

 * Make or have a git tree (repository with working tree) which is
   not accessible to some users. In my configuration:
     drwxrws--- 133 ian ian 77824 Jun 16 18:35 /home/ian/work/xsa.git/

 * As a user who cannot access the repository, run something like
     ./a.out --git-dir=/home/ian/work/xsa.git refs/heads/master

Expected behaviour:

  Could not open repository from '/home/ian/work/xsa.git [-1] - failed to resolve path '/home/ian/work/xsa.git/.git': Permission denied

Actual behaviour:

  Could not open repository from '/home/ian/work/xsa.git' [-3] - could not find repository from '/home/ian/work/xsa.git'

Note that this rune:
  ./a.out --git-dir=/home/ian/work/xsa.git/.git refs/heads/master
DTRT.

I was tempted by severity "serious" since falsely claiming that a
repository does not exist could result in data loss, in some
situations.

Thanks for your attention.

Ian.

FYI here's the tail of the strace showing it persisting after getting
several EACCES including one on a `.git`, which ought to terminate the
search with an error.

brk(0x557ddd28c000) = 0x557ddd28c000
munmap(0x7fe42d258000, 217088) = 0
futex(0x7fe42d2419e4, FUTEX_WAKE_PRIVATE, 2147483647) = 0
lstat("/home", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat("/home/ian", {st_mode=S_IFDIR|0755, st_size=20480, ...}) = 0
lstat("/home/ian/work", {st_mode=S_IFDIR|0775, st_size=12288, ...}) = 0
lstat("/home/ian/work/xsa.git", {st_mode=S_IFDIR|S_ISGID|0770, st_size=77824, ...}) = 0
stat("/home/ian/work/xsa.git/.git", 0x7ffce9c17950) = -1 EACCES (Permission denied)
stat("/home/ian/work/xsa.git", {st_mode=S_IFDIR|S_ISGID|0770, st_size=77824, ...}) = 0
stat("/home/ian/work/xsa.git/commondir", 0x7ffce9c17750) = -1 EACCES (Permission denied)
stat("/home/ian/work/xsa.git/HEAD", 0x7ffce9c17750) = -1 EACCES (Permission denied)
stat("/home/ian/work/.git", 0x7ffce9c17950) = -1 ENOENT (No such file or directory)
stat("/home/ian/work", {st_mode=S_IFDIR|0775, st_size=12288, ...}) = 0
stat("/home/ian/work/commondir", 0x7ffce9c17750) = -1 ENOENT (No such file or directory)
stat("/home/ian/work/HEAD", 0x7ffce9c17750) = -1 ENOENT (No such file or directory)
stat("/home/ian/.git", 0x7ffce9c17950) = -1 ENOENT (No such file or directory)
stat("/home/ian", {st_mode=S_IFDIR|0755, st_size=20480, ...}) = 0
stat("/home/ian/commondir", 0x7ffce9c17750) = -1 ENOENT (No such file or directory)
stat("/home/ian/HEAD", 0x7ffce9c17750) = -1 ENOENT (No such file or directory)
stat("/home/.git", 0x7ffce9c17950) = -1 ENOENT (No such file or directory)
stat("/home", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
stat("/home/commondir", 0x7ffce9c17750) = -1 ENOENT (No such file or directory)
stat("/home/HEAD", 0x7ffce9c17750) = -1 ENOENT (No such file or directory)
write(2, "Could not open repository from '"..., 119Could not open repository from '/home/ian/work/xsa.git' [-3] - could not find repository from '/home/ian/work/xsa.git'
) = 119
exit_group(1) = ?
+++ exited with 1 +++

-- System Information:
Debian Release: 10.9
  APT prefers stable-debug
  APT policy: (500, 'stable-debug'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armhf

Kernel: Linux 5.6.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
LSM: AppArmor: enabled

Versions of packages libgit2-27 depends on:
ii  libc6              2.28-10
ii  libcom-err2        1.44.5-1+deb10u3
ii  libgssapi-krb5-2   1.17-3+deb10u1
ii  libhttp-parser2.8  2.8.1-1
ii  libk5crypto3       1.17-3+deb10u1
ii  libkrb5-3          1.17-3+deb10u1
ii  libmbedcrypto3     2.16.0-1
ii  libmbedtls12       2.16.0-1
ii  libmbedx509-0      2.16.0-1
ii  libssh2-1          1.8.0-2.1
ii  zlib1g             1:1.2.11.dfsg-1

libgit2-27 recommends no packages.

libgit2-27 suggests no packages.

-- no debconf information
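
The distinction the report asks for, as an added example that is not part of the original report and is not libgit2's code: an upward search for `.git` that treats only ENOENT/ENOTDIR as proof of absence and stops with an error on EACCES, next to the lax mode that reproduces the reported [-3]. It probes only `<dir>/.git` (not `commondir` or `HEAD`); `discover`, `probe_fn`, `stat_probe` and `fake_probe` are hypothetical names, and `fake_probe` is a constructed stand-in for the filesystem seen in the strace.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

/* Return codes mirror the [-1] and [-3] shown in the report. */
enum { DISCOVER_FOUND = 0, DISCOVER_ERROR = -1, DISCOVER_NOTFOUND = -3 };

typedef int (*probe_fn)(const char *path);  /* 0 if path exists, else errno */

int stat_probe(const char *path) {
    struct stat st;
    return stat(path, &st) == 0 ? 0 : errno;
}

/* Constructed stand-in for the filesystem seen in the strace. */
int fake_probe(const char *path) {
    return strcmp(path, "/home/ian/work/xsa.git/.git") == 0 ? EACCES : ENOENT;
}

/* Walk from start towards "/", probing <dir>/.git at each level. `out`
 * receives the repository path, or the path whose probe failed.
 * strict=0 reproduces the reported behaviour: every failure means "absent". */
int discover(const char *start, probe_fn probe, int strict,
             char *out, size_t out_len, int *err) {
    char dir[4096];
    if (strlen(start) >= sizeof dir) { *err = ENAMETOOLONG; return DISCOVER_ERROR; }
    strcpy(dir, start);
    for (;;) {
        int at_root = strcmp(dir, "/") == 0;
        snprintf(out, out_len, "%s/.git", at_root ? "" : dir);
        *err = probe(out);
        if (*err == 0) return DISCOVER_FOUND;
        /* Only ENOENT/ENOTDIR prove absence; EACCES means "cannot tell". */
        if (strict && *err != ENOENT && *err != ENOTDIR) return DISCOVER_ERROR;
        char *slash = strrchr(dir, '/');
        if (at_root || !slash) return DISCOVER_NOTFOUND;
        if (slash == dir) dir[1] = '\0'; else *slash = '\0';
    }
}

int main(int argc, char **argv) {
    char out[4200] = ""; int err = 0;
    int rc = discover(argc > 1 ? argv[1] : ".", stat_probe, 1, out, sizeof out, &err);
    if (rc == DISCOVER_ERROR) fprintf(stderr, "[%d] %s: %s\n", rc, out, strerror(err));
    else printf("[%d] %s\n", rc, rc == DISCOVER_FOUND ? out : "no repository found");
    return rc != DISCOVER_FOUND;
}
```

Run with an absolute path as the argument; the walk does not resolve relative paths.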