Commit 2aa0bee
authored
chore(deps): update module github.com/go-git/go-git/v5 to v5.19.1 [security] (open-component-model#2574)
This PR contains the following updates:
| Package | Type | Update | Change | OpenSSF |
|---|---|---|---|---|
|
[github.com/go-git/go-git/v5](https://redirect.github.com/go-git/go-git)
| indirect | patch | `v5.19.0` → `v5.19.1` | [](https://securityscorecards.dev/viewer/?uri=github.com/go-git/go-git)
|
---
> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency
Dashboard](..open-component-model/issues/331) for more information.
---
### go-git: Improper single-quote escaping in go-git SSH transport
[CVE-2026-45570](https://nvd.nist.gov/vuln/detail/CVE-2026-45570) /
[GHSA-m7cr-m3pv-hgrp](https://redirect.github.com/advisories/GHSA-m7cr-m3pv-hgrp)
<details>
<summary>More information</summary>
#### Details
##### Impact
`go-git`'s SSH transport constructs the remote exec command by wrapping
the repository path in single quotes without escaping single quotes
embedded inside the path. This diverges from canonical Git, which
shell-quotes the path through `sq_quote_buf` so that an embedded `'`
becomes the `'\''` close-escape-reopen sequence and the whole path
round-trips as a single quoted argument.
A repository path containing a single quote can therefore break out of
the quoted region in the exec command and be appended as additional
shell tokens. On SSH servers that evaluate the exec command through a
shell (for example a user account whose login shell is `/bin/sh` or
`/bin/bash`, or a `ForceCommand` wrapper that re-evaluates
`$SSH_ORIGINAL_COMMAND`), those additional tokens execute in that
account's command-execution context. SSH servers that tokenize the exec
command without shell evaluation, including the canonical `git-shell`
setup, are not affected.
The vulnerable behaviour is on the SSH server side, not in `go-git`: the
same bytes can be produced by any SSH client. The change in `go-git` is
defense-in-depth that restores parity with canonical Git's wire format
and prevents `go-git` from being a vehicle for reaching shell-evaluating
servers through attacker-influenced repository paths.
##### Patches
Users should upgrade to a patched version in order to mitigate this
issue. The fix ports `sq_quote_buf` from canonical Git into `go-git`'s
SSH transport so that the wire output is byte-identical to what `git`
itself would send for the same input.
Versions prior to `v5` are likely to be affected, users are recommended
to upgrade to a supported go-git version.
##### Credit
Thanks to @​N0zoM1z0 for reporting this to the `go-git` project.
:bow:
#### Severity
- CVSS Score: 2.3 / 10 (Low)
- Vector String:
`CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L`
#### References
-
[https://github.com/go-git/go-git/security/advisories/GHSA-m7cr-m3pv-hgrp](https://redirect.github.com/go-git/go-git/security/advisories/GHSA-m7cr-m3pv-hgrp)
-
[https://github.com/advisories/GHSA-m7cr-m3pv-hgrp](https://redirect.github.com/advisories/GHSA-m7cr-m3pv-hgrp)
This data is provided by the [GitHub Advisory
Database](https://redirect.github.com/advisories/GHSA-m7cr-m3pv-hgrp)
([CC-BY
4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>
---
### go-git: Crafted repositories may modify main and submodule .git
directories
[CVE-2026-45571](https://nvd.nist.gov/vuln/detail/CVE-2026-45571) /
[GHSA-crhj-59gh-8x96](https://redirect.github.com/advisories/GHSA-crhj-59gh-8x96)
<details>
<summary>More information</summary>
#### Details
##### Impact
A path validation issue in `go-git` could allow crafted repository data
to affect files outside the intended checkout target, including the
repository's `.git` directory.
These validations were introduced in upstream Git years ago, so the
vulnerability arose from go-git drifting from those checks. Some attack
vectors were platform-specific: certain payloads affected only Windows
users, others affected only macOS users, and some applied across all
supported platforms.
Using non-descendant `go-billy` filesystem instances, or different
filesystem types, for the `Storer` and `Worktree` may provide some
isolation against `.git` directory manipulation. For example, users that
store the `.git` directory through `memfs` while using `osfs` for the
worktree are not affected by this vulnerability in the main repository,
because repository metadata is not materialized inside the worktree
filesystem.
However, this isolation does not necessarily apply when the repository
contains submodules, since submodule dotgit directories may still be
represented or materialized within the worktree context.
It is important to note that exploitation requires a maliciously crafted
repository payload. Users should always exercise caution when
interacting with repositories or Git servers they do not trust.
##### Patches
Users should upgrade to a patched version in order to mitigate this
vulnerability. Versions prior to `v5` are likely to be affected, users
are recommended to upgrade to a supported go-git version.
##### Credits
Thanks to @​kodareef5, @​AyushParkara and @​N0zoM1z0
for reporting this to the go-git project in three separate reports. 🙇
#### Severity
- CVSS Score: 5.4 / 10 (Medium)
- Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L`
#### References
-
[https://github.com/go-git/go-git/security/advisories/GHSA-crhj-59gh-8x96](https://redirect.github.com/go-git/go-git/security/advisories/GHSA-crhj-59gh-8x96)
-
[https://github.com/advisories/GHSA-crhj-59gh-8x96](https://redirect.github.com/advisories/GHSA-crhj-59gh-8x96)
This data is provided by the [GitHub Advisory
Database](https://redirect.github.com/advisories/GHSA-crhj-59gh-8x96)
([CC-BY
4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>
---
### Release Notes
<details>
<summary>go-git/go-git (github.com/go-git/go-git/v5)</summary>
###
[`v5.19.1`](https://redirect.github.com/go-git/go-git/releases/tag/v5.19.1)
[Compare
Source](https://redirect.github.com/go-git/go-git/compare/v5.19.0...v5.19.1)
#### What's Changed
- v5: plumbing: transport/ssh, Shell-quote path by
[@​hiddeco](https://redirect.github.com/hiddeco) in
[#​2068](https://redirect.github.com/go-git/go-git/pull/2068)
- v5: git: submodule, Fix relative URL resolution by
[@​hiddeco](https://redirect.github.com/hiddeco) in
[#​2070](https://redirect.github.com/go-git/go-git/pull/2070)
- v5: git: submodule, canonical remote for relative URLs by
[@​hiddeco](https://redirect.github.com/hiddeco) in
[#​2074](https://redirect.github.com/go-git/go-git/pull/2074)
- v5: git: submodule, error on remote without URLs by
[@​hiddeco](https://redirect.github.com/hiddeco) in
[#​2078](https://redirect.github.com/go-git/go-git/pull/2078)
- v5: plumbing: format/idxfile, Validate offset64 indices by
[@​hiddeco](https://redirect.github.com/hiddeco) in
[#​2084](https://redirect.github.com/go-git/go-git/pull/2084)
- v5: \*: Reject malformed variable-length integers by
[@​hiddeco](https://redirect.github.com/hiddeco) in
[#​2092](https://redirect.github.com/go-git/go-git/pull/2092)
- v5: plumbing: format/packfile, Tighten delta validation by
[@​hiddeco](https://redirect.github.com/hiddeco) in
[#​2091](https://redirect.github.com/go-git/go-git/pull/2091)
- v5: Add `worktreeFilesystem` wrapper for worktree and hardening by
[@​hiddeco](https://redirect.github.com/hiddeco) in
[#​2100](https://redirect.github.com/go-git/go-git/pull/2100)
- v5: config: validate submodule names by
[@​hiddeco](https://redirect.github.com/hiddeco) in
[#​2082](https://redirect.github.com/go-git/go-git/pull/2082)
- build: Update module github.com/go-git/go-git/v5 to v5.19.0
\[SECURITY] (releases/v5.x) by
[@​go-git-renovate](https://redirect.github.com/go-git-renovate)\[bot]
in [#​2111](https://redirect.github.com/go-git/go-git/pull/2111)
- v5: git: Allow MkdirAll on worktree-root paths by
[@​hiddeco](https://redirect.github.com/hiddeco) in
[#​2117](https://redirect.github.com/go-git/go-git/pull/2117)
- v5: git: Stop validating symlink target paths by
[@​pjbgf](https://redirect.github.com/pjbgf) in
[#​2116](https://redirect.github.com/go-git/go-git/pull/2116)
- v5: plumbing: format decoder input bounds and contracts by
[@​hiddeco](https://redirect.github.com/hiddeco) in
[#​2125](https://redirect.github.com/go-git/go-git/pull/2125)
- plumbing: format/packfile, cap delta chain depth in parser by
[@​pjbgf](https://redirect.github.com/pjbgf) in
[#​2137](https://redirect.github.com/go-git/go-git/pull/2137)
**Full Changelog**:
<go-git/go-git@v5.19.0...v5.19.1>
</details>
---
### Configuration
📅 **Schedule**: (UTC)
- Branch creation
- ""
- Automerge
- At any time (no schedule defined)
🚦 **Automerge**: Enabled.
♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR has been generated by [Mend
Renovate](https://redirect.github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xODYuMSIsInVwZGF0ZWRJblZlciI6IjQzLjE4Ni4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->
Co-authored-by: ocmbot[bot] <125909804+ocmbot[bot]@users.noreply.github.com>1 parent dea06d4 commit 2aa0bee
2 files changed
Lines changed: 3 additions & 3 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
134 | 134 | | |
135 | 135 | | |
136 | 136 | | |
137 | | - | |
| 137 | + | |
138 | 138 | | |
139 | 139 | | |
140 | 140 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
398 | 398 | | |
399 | 399 | | |
400 | 400 | | |
401 | | - | |
402 | | - | |
| 401 | + | |
| 402 | + | |
403 | 403 | | |
404 | 404 | | |
405 | 405 | | |
| |||
0 commit comments