
Is SourceTree for Windows 2.0.20.1 using out-of-date LibGit2 with known security issues?

I believe SourceTree for Windows is using LibGit2 v0.24.0 from March 2016, which has 5 subsequent versions that fix known security issues, including 2 CVEs.

I'm basing this on "C:\Users\<users>\AppData\Local\SourceTree\app-2.0.20.1\NativeBinaries\amd64" containing the file "git2-785d8c4.dll". The file properties say the version is 0.24.0, and the "785d8c4" matches the hash on that version. See https://github.com/libgit2/libgit2/releases/tag/v0.24.0

I looked into this because 2 of my repos crash SourceTree 2.20.0.1 in this dll (having upgraded from 1.19.x to this based on the security advisory).  I've tried building my own version of LibGit2 v0.24.6, but SourceTree fails to start with it.

I'm hoping that someone can tell me I'm wrong about this, as it seems like somewhat of an "out of the security frying pan, into the security fire" problem, with a bonus of it crashing and being unusable.
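As an added check (not part of the original post), here is a PowerShell script that automates the inspection described above: it walks the Sourcetree install directory, reads the file version and the commit hash embedded in the name of each git2-*.dll, and flags any copy below a minimum version. The minimum version and the install root are assumptions passed as parameters; set them from your own review of the libgit2 release notes.

```powershell
# Added example, not code from the original post or from Atlassian.
# Inventories the libgit2 native binaries shipped with Sourcetree for Windows
# and flags any that are older than a chosen minimum version.
param(
    [version]$MinimumVersion = '0.24.6',                     # assumption: adjust as needed
    [string]$Root = (Join-Path $env:LOCALAPPDATA 'SourceTree') # default install root per the post
)

Get-ChildItem -Path $Root -Filter 'git2-*.dll' -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        # The post notes the short commit hash is embedded in the file name
        # (e.g. git2-785d8c4.dll); extract it so it can be compared with the
        # hash shown on the matching libgit2 release tag on GitHub.
        $hash = if ($_.BaseName -match '^git2-([0-9a-f]{7,40})$') { $Matches[1] } else { $null }

        # File version comes from the DLL's version resource (the "file properties"
        # the post refers to); it may be absent on a stripped build, hence TryParse.
        $ver = $null
        [void][version]::TryParse($_.VersionInfo.FileVersion, [ref]$ver)

        $tag = if ($ver) { "v$($ver.Major).$($ver.Minor).$($ver.Build)" } else { $null }

        [pscustomobject]@{
            App         = $_.Directory.Parent.Parent.Name    # e.g. app-2.0.20.1
            Arch        = $_.Directory.Name                   # e.g. amd64
            File        = $_.Name
            CommitHash  = $hash
            FileVersion = $ver
            Outdated    = if ($ver) { $ver -lt $MinimumVersion } else { 'unknown' }
            ReleaseTag  = if ($tag) { "https://github.com/libgit2/libgit2/releases/tag/$tag" } else { $null }
        }
    } | Format-Table -AutoSize
```

Run it from a normal user session; every app-* directory left behind by the Squirrel-style installer is listed separately, so a stale copy from an earlier release shows up alongside the current one.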

1 answer

0 votes
minnsey Atlassian Team May 11, 2017

Hi, we are in the process of upgrading and testing these dependencies.

There is an existing Beta release, without those upgrades, which addresses a series of crashes related to libgit2's handling of repositories with possible data corruption; it can be downloaded here: https://downloads.atlassian.com/software/sourcetree/windows/beta/SourceTreeSetup-2.1.0-beta-002.exe

It is a beta; as such it will install alongside the GA/Production release and will not share data with the production release.

Thanks Michael,

I've just tried it and unfortunately get the same crash in the same location with the same git repo folder. To be honest this one crashed quicker than 2.0.20.1, though the timing is a bit variable so I wouldn't necessarily say it's a different issue.

Hi Michael,

Is there any update on this? It's now 2.5 months and several releases later, and the same, vulnerable, LibGit2 dll is being used (in version 2.1.2.5, the current latest on your website). This also means that my repos continue to crash in Sourcetree.

I look forward to hearing some good news soon!
