Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Products
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

Is SourceTree for Windows 2.0.20.1 using out-of-date LibGit2 with known security issues?

Richard Taylor
Richard Taylor May 11, 2017

I believe SourceTree for windows is using LibGit2 v0.24.0 from March 2016 which has 5 subsequent versions that fix known security issues including 2 CVEs.

I'm basing this on "C:\Users\<users>\AppData\Local\SourceTree\app-2.0.20.1\NativeBinaries\amd64" containing the file "git2-785d8c4.dll".  The file properties say the version is 0.24.0, and the "785d8c4" matches the hash on that version. See https://github.com/libgit2/libgit2/releases/tag/v0.24.0

I looked into this because 2 of my repos crash SourceTree 2.20.0.1 in this dll (having upgraded from 1.19.x to this based on the security advisory).  I've tried building my own version of LibGit2 v0.24.6, but SourceTree fails to start with it.

I'm hoping that someone can tell me I'm wrong about this, as it seems like somewhat of an "out of the security frying pan, into the security fire" problem, with a bonus of it crashing and being unusable.

Answer
Watch
Like Todor Georgiev likes this
1044 views

1 answer

0 votes
minnsey
minnsey
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
May 11, 2017

Hi we are in the process of upgrading and testing these dependencies.

There is an existing Beta release, without those upgrades, which addresses a series of crashes related to libgit2's handling of repositories with possible data corruption, it can be downloaded here: https://downloads.atlassian.com/software/sourcetree/windows/beta/SourceTreeSetup-2.1.0-beta-002.exe

It is a beta, as such it will install alongside the GA/Production release and will not share data with the production release.

View More Comments
Richard Taylor
Richard Taylor May 11, 2017

Thanks Michael,

I've just tried it and unfortunately get the same crash in the same location with the same git repo folder.  To be honest this one crashed quicker than 2.0.20.1, though the timing is a bit variable so I wouldn't neccessarily say it's a different issue.

Like
Richard Taylor
Richard Taylor July 28, 2017

Hi Michael,

Is there any update on this?  It's now 2.5 months and several release later, and the same, vulnerable, LibGit2 dll is being used (in version 2.1.2.5, the current latest on your website).  This also means that my repos continue to crash in sourcetree.

I look forward to hearing some good news soon!

Like
Reply

Suggest an answer

Log in or Sign up to answer
Sourcetree
Sourcetree
TAGS
AUG Leaders

Atlassian Community Events

    See all events