Bug 1197232

Summary: libgit2 segfaults during cargo audit trying to fetch audit db
Product: [openSUSE] openSUSE Tumbleweed Reporter: Jan Zerebecki <jzerebecki>
Component: DevelopmentAssignee: William Brown <william.brown>
Status: RESOLVED FIXED QA Contact: E-mail List <qa-bugs>
Severity: Normal    
Priority: P5 - None CC: alarrosa, aplanas, federico, sreeves, william.brown
Version: Current   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Jan Zerebecki 2022-03-17 13:59:01 UTC 
libgit2 sagfaults during cargo audit trying to fetch audit db:

> > gdb cargo-audit
> (gdb) run audit
> Starting program: /usr/bin/cargo-audit audit
> [Thread debugging using libthread_db enabled]
> Using host libthread_db library "/lib64/libthread_db.so.1".
>     Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
> 
> Program received signal SIGSEGV, Segmentation fault.
> validate_custom_headers (custom_headers=<optimized out>) at /usr/src/debug/libgit2-1.4.1-1.1.x86_64/src/remote.c:847
> Downloading 0.07 MB source file /usr/src/debug/libgit2-1.4.1-1.1.x86_64/src/remote.c
> 847                     if (is_malformed_http_header(custom_headers->strings[i])) {                                                                                                                               
> (gdb) bt
> #0  validate_custom_headers (custom_headers=<optimized out>) at /usr/src/debug/libgit2-1.4.1-1.1.x86_64/src/remote.c:847
> #1  git_remote_connect_options_normalize (dst=dst@entry=0x7fffffffc330, repo=0x555555b05e90, src=0x7fffffffc3f0) at /usr/src/debug/libgit2-1.4.1-1.1.x86_64/src/remote.c:914
> #2  0x00007ffff7f208aa in connect_opts_from_fetch_opts (remote=0x555555b07fa0, remote=0x555555b07fa0, fetch_opts=0x7fffffffc668, out=0x7fffffffc330) at /usr/src/debug/libgit2-1.4.1-1.1.x86_64/src/remote.c:1243
> #3  git_remote_fetch (remote=0x555555b07fa0, refspecs=0x7fffffffc580, opts=0x7fffffffc668, reflog_message=0x0) at /usr/src/debug/libgit2-1.4.1-1.1.x86_64/src/remote.c:1361
> #4  0x000055555560e48f in git2::remote::Remote::fetch<&str> (self=<optimized out>, refspecs=..., opts=..., reflog_msg=...)
>     at /usr/src/debug/cargo-audit-0.16.0~git0.625c965-2.1.x86_64/vendor/git2/src/remote.rs:286
> #5  0x0000555555612903 in rustsec::repository::git::repository::{impl#0}::fetch::{closure#0}<&std::path::PathBuf> (f=...)
>     at /usr/src/debug/cargo-audit-0.16.0~git0.625c965-2.1.x86_64/rustsec/src/repository/git/repository.rs:94
> #6  0x00005555556132a7 in rustsec::repository::git::authentication::with_authentication<(), rustsec::repository::git::repository::{impl#0}::fetch::{closure#0}> (url=..., cfg=0x7fffffffcf98, f=...)
>     at /usr/src/debug/cargo-audit-0.16.0~git0.625c965-2.1.x86_64/rustsec/src/repository/git/authentication.rs:48
> #7  0x000055555562a0b5 in rustsec::repository::git::repository::Repository::fetch<&std::path::PathBuf> (url=..., into_path=<optimized out>, ensure_fresh=<optimized out>)
>     at /usr/src/debug/cargo-audit-0.16.0~git0.625c965-2.1.x86_64/rustsec/src/repository/git/repository.rs:77
> #8  0x0000555555614521 in cargo_audit::auditor::Auditor::new (config=0x555555995220 <cargo_audit::application::APPLICATION+24>) at cargo-audit/src/auditor.rs:52
> #9  0x0000555555622405 in cargo_audit::commands::audit::AuditCommand::auditor (self=<optimized out>) at cargo-audit/src/commands/audit.rs:260
> #10 cargo_audit::commands::audit::{impl#2}::run (self=<optimized out>) at cargo-audit/src/commands/audit.rs:239
> #11 0x0000555555624dc7 in cargo_audit::commands::_DERIVE_Runnable_FOR_CargoAuditCommand::{impl#0}::run (self=0x7fffffffc240) at cargo-audit/src/commands.rs:16
> #12 0x00005555556033a9 in abscissa_core::command::entrypoint::{impl#1}::run<cargo_audit::commands::CargoAuditCommand> (self=0x7fffffffddd8)
>     at /usr/src/debug/cargo-audit-0.16.0~git0.625c965-2.1.x86_64/vendor/abscissa_core/src/command/entrypoint.rs:52
> #13 abscissa_core::application::Application::run<cargo_audit::application::CargoAuditApplication, std::env::Args> (app_cell=0x555555995208 <cargo_audit::application::APPLICATION>, args=...)
>     at /usr/src/debug/cargo-audit-0.16.0~git0.625c965-2.1.x86_64/vendor/abscissa_core/src/application.rs:64
> #14 0x000055555560071b in abscissa_core::application::boot<cargo_audit::application::CargoAuditApplication> (app_cell=0x555555995208 <cargo_audit::application::APPLICATION>)
>     at /usr/src/debug/cargo-audit-0.16.0~git0.625c965-2.1.x86_64/vendor/abscissa_core/src/application.rs:196
> #15 0x00005555555fdc0d in cargo_audit::main () at cargo-audit/src/bin/cargo-audit/main.rs:9
> (gdb)

Information for package libgit2-1_4:
------------------------------------
Repository     : tumbleweed-oss
Name           : libgit2-1_4
Version        : 1.4.1-1.1
Arch           : x86_64
Vendor         : openSUSE
Installed Size : 1,3 MiB
Installed      : Yes (automatically)
Status         : up-to-date
Source package : libgit2-1.4.1-1.1.src
Upstream URL   : https://libgit2.github.com/

Information for package cargo-audit:
------------------------------------
Repository     : tumbleweed-oss
Name           : cargo-audit
Version        : 0.16.0~git0.625c965-2.1
Arch           : x86_64
Vendor         : openSUSE
Installed Size : 4,3 MiB
Installed      : Yes (automatically)
Status         : up-to-date
Source package : cargo-audit-0.16.0~git0.625c965-2.1.src
Upstream URL   : https://github.com/RustSec/cargo-audit
Comment 1 Jan Zerebecki 2022-03-17 14:18:32 UTC 
Filed an upstream issue: https://github.com/libgit2/libgit2/issues/6247
Comment 2 William Brown 2022-03-17 23:40:31 UTC 
libgit2 has been a really problematic dependency for us in multiple rust related projects. I think it could be reasonable to have git2-rs marked with CARGO_FEATURE_VENDORED so that it always builds it's inline libgit2 copy which is known and tested to work with the corresponding rust features, as I don't think we can trust the packaged libgit2 in these cases since it causes spurious breakages like this.
Comment 3 William Brown 2022-03-21 23:03:02 UTC 
Resolved with update to cargo-audit.
Comment 4 Jan Zerebecki 2022-03-23 14:29:48 UTC 
I can not reproduce it with 0.16.0~git0.625c965-4.1 .
Neither revision 8, 7 or 6 of openSUSE:Factory/cargo-audit does look like it has any change that would fix this. Specifically a BuildRequires on libgit2 is not removed in those revisions and the new version does not have it. The vendored crates git2 and libgit2 did not change at all.
I can't find a working Tumbleweed archive to fetch the old rpm again.

How was this resolved?
Comment 5 William Brown 2022-03-23 21:39:13 UTC 
The fix likely hasn't gotten to factory yet.

It was resolved by setting the environment to force git2-sys to be vendored.