Re-sync libgit2 overlay admin-owner patch with merged upstream (bump to 1.9.4)#2041
Merged
tyrielv merged 1 commit intoJul 6, 2026
Conversation
The `non-elevated-admin-owner.diff` overlay patch was copied verbatim from libgit2 PR #7200. That PR version had four bugs that maintainers fixed before merging to libgit2 `main`: - `linked_token` HANDLE from TokenLinkedToken was never CloseHandle'd, leaking a handle in the long-lived GVFS mount service (SYSTEM). - `current_user_sid` used `static HANDLE linked_token` — not thread-safe and retained a stale handle across calls; replaced with a per-call local initialized to NULL by the caller. - The TokenLinkedToken failure path nulled the local pointer parameter (`linked_token = NULL`) instead of `*linked_token = NULL` (+CloseHandle). - `current_user_sid()` was only invoked in the CURRENT_USER branch, but the admin-membership branch also reads `linked_token`; a caller passing only USER_IS_ADMINISTRATOR would read an uninitialized handle. It is now called unconditionally before either branch. Regenerate the patch so that, applied to the pinned libgit2 source, it produces the same corrected `src/util/fs_path.c` as upstream `main` (commits cc477ee + f9f36a6 + 44c05e5, merge e805a16, merged 2026-06-07). The patch is not yet in any libgit2 release, so the overlay remains necessary. Also bump the pinned libgit2 version 1.9.3 -> 1.9.4 (matching the official vcpkg port). fs_path.c is byte-identical between 1.9.3 and 1.9.4, so the patched region is unaffected and the diff applies cleanly to both. Verified: Build.bat Debug rebuilds libgit2 for both x64-windows-static-aot and x64-windows-dynamic triplets, applying non-elevated-admin-owner.diff with no hunk failures, and the full solution builds to an installer. Complements microsoft#2039 (the GVFS-side AP clone-ownership fix). Work item: AB#62918022. Assisted-by: Claude Opus 4.8 Signed-off-by: Tyrie Vella <tyrielv@gmail.com>
KeithIsSleeping
approved these changes
Jul 6, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Re-syncs the VFSForGit libgit2 vcpkg overlay patch
non-elevated-admin-owner.diffwith the version that was actually merged to libgit2main, replacing the buggy version that was copied verbatim from libgit2/libgit2#7200. Also bumps the pinned libgit2 version1.9.3→1.9.4and refreshes the overlay README provenance/release notes.Why
The overlay carried the raw PR #7200 diff, which had four bugs that libgit2 maintainers fixed before/at merge:
linked_tokenHANDLE fromGetTokenInformation(TokenLinkedToken)was neverCloseHandle'd. Matters for the long-lived GVFS mount service running as SYSTEM.static HANDLE linked_tokeningit_fs_path_owner_is— not thread-safe and retained a stale handle across calls. Now a per-call local initialized toNULLby the caller.TokenLinkedTokenfailure the code didlinked_token = NULL(nulling the local pointer parameter) instead of*linked_token = NULL(+CloseHandle).current_user_sid()only called in theCURRENT_USERbranch — but the admin-membership branch also readslinked_token, so a caller passing onlyUSER_IS_ADMINISTRATORwould read an uninitialized handle. It is now called unconditionally before either branch.What merged upstream
PR #7200 was manually merged to
mainon 2026-06-07. Relevant commits (all touch onlysrc/util/fs_path.c):cc477ee— "Support non-elevated admin user check on Windows"f9f36a6— "Extend Win32 safe.directory admin-owner check to also cover non-elevated processes" (the four bug fixes)44c05e5— "fs: removed unused variable"e805a16— merge commitThe regenerated diff reproduces the net effect of
cc477ee + f9f36a6 + 44c05e5on top of the pinned libgit2 source.Version bump: 1.9.3 → 1.9.4
src/util/fs_path.cis byte-identical between v1.9.3 and v1.9.4, so the patched region is unaffected and the diff applies cleanly to both.vcpkg.jsonversion-semverand theportfile.cmakeSHA512.Release status
The patch is not yet in any libgit2 release (latest is v1.9.4, which predates the merge). It is expected to ship upstream in v2.0 (no ETA); v1.9.x is stated to be the last of the 1.x line. The overlay patch remains necessary until the pinned port moves to a libgit2 that includes it.
Verification
src\scripts\Build.bat Debugrebuilds libgit2 for bothx64-windows-static-aotandx64-windows-dynamictriplets:No hunk failures; libgit2 compiles and the full solution builds to an installer. The patched
fs_path.chasHANDLE linked_token = NULL;(nostatic), aCloseHandlein thedone:cleanup,CloseHandle(*linked_token); *linked_token = NULL;in the failure path, andcurrent_user_sid()called unconditionally.