
fix: Switch to upstream go-git. Fixes CVE-2023-49569 #12515

Merged (1 commit, Jan 14, 2024)

Conversation

terrytangyuan (Member):
This fixes a critical severity vulnerability https://www.cve.org/CVERecord?id=CVE-2023-49569. We cannot use the existing fork anymore. Security is always the highest priority.


✗ Critical severity vulnerability found in github.com/go-git/go-git/v5
  Description: Path Traversal
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGOGITGOGITV5-6150754
  Introduced through: github.com/go-git/go-git/v5@5.4.7
  From: github.com/go-git/go-git/v5@5.4.7
  Fixed in: 5.11.0

Signed-off-by: Yuan Tang <terrytangyuan@gmail.com>
@terrytangyuan terrytangyuan added the prioritized-review For members of the Sustainability Effort label Jan 14, 2024
@terrytangyuan terrytangyuan enabled auto-merge (squash) January 14, 2024 01:48
@terrytangyuan terrytangyuan merged commit 2bdd7f3 into main Jan 14, 2024
27 checks passed
@terrytangyuan terrytangyuan deleted the fix-go-git branch January 14, 2024 02:09
@agilgur5 agilgur5 added type/security Security related type/dependencies PRs and issues specific to updating dependencies go Pull requests that update Go dependencies labels Jan 14, 2024
@agilgur5 agilgur5 added the area/artifacts S3/GCP/OSS/Git/HDFS etc label Jan 14, 2024
agilgur5 (Member):

We cannot use the existing fork anymore. Security is always the highest priority.

It seems like we were planning on this anyway in #11483 and #11149, in particular since upstream go-git had become maintained again and Argo CD was using upstream as well. I wasn't involved then though, so I don't know the full context.

agilgur5 (Member) commented Jan 14, 2024:

This fixes a critical severity vulnerability https://www.cve.org/CVERecord?id=CVE-2023-49569.

For reference, the details:

Maliciously crafted Git server replies can lead to path traversal and RCE on go-git clients

So this only has impact if you have an untrusted Git server. For the principles of zero trust, this is definitely still very important to fix (especially as trusted Git servers can be hacked or supply chain attacked too), but most people will probably not be impacted by this as they use a trusted enterprise vendor.
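The class of check that closes a server-driven traversal like the one described above, as an added example: it is not go-git's or Argo Workflows' code and does not claim to reproduce the exact root cause of CVE-2023-49569. A tree-entry name received from the remote is validated before it is joined to the checkout root; names that are absolute, climb with `..`, or land under `.git` (where a planted hook or config turns a file write into code execution) are rejected. `SafeWorktreePath`, `ErrUnsafePath` and the `/srv/checkout` root are hypothetical names chosen for illustration, and the sample entries in `main` are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// ErrUnsafePath marks a tree-entry name that must not be materialised in the
// checkout. Hypothetical name for this example; not go-git's API.
var ErrUnsafePath = errors.New("unsafe tree entry path")

// SafeWorktreePath validates a path that arrived from the remote (a tree
// entry name inside a packfile) and returns where it may be written under
// root. Git tree entries use '/' as separator; backslashes are treated as
// separators too so that `..\x` cannot slip past the check on a Windows
// checkout.
func SafeWorktreePath(root, entry string) (string, error) {
	if entry == "" || strings.ContainsRune(entry, 0) {
		return "", fmt.Errorf("%w: empty or contains NUL: %q", ErrUnsafePath, entry)
	}
	normalized := strings.ReplaceAll(entry, `\`, "/")
	if strings.HasPrefix(normalized, "/") || hasDriveLetter(normalized) {
		return "", fmt.Errorf("%w: absolute path: %q", ErrUnsafePath, entry)
	}
	for _, component := range strings.Split(normalized, "/") {
		switch {
		case component == "..":
			return "", fmt.Errorf("%w: parent traversal: %q", ErrUnsafePath, entry)
		case strings.EqualFold(component, ".git"):
			// A file under .git (hooks/, config) is how traversal becomes RCE.
			return "", fmt.Errorf("%w: targets .git: %q", ErrUnsafePath, entry)
		}
	}
	cleaned := path.Clean(normalized)
	if cleaned == "." {
		return "", fmt.Errorf("%w: resolves to the root itself: %q", ErrUnsafePath, entry)
	}
	root = path.Clean(root)
	full := path.Join(root, cleaned)
	// Defence in depth: the joined path must still sit strictly under root.
	prefix := root + "/"
	if root == "/" {
		prefix = "/"
	}
	if !strings.HasPrefix(full, prefix) {
		return "", fmt.Errorf("%w: escapes root: %q", ErrUnsafePath, entry)
	}
	return full, nil
}

// hasDriveLetter catches Windows-style absolute paths such as "C:/x".
func hasDriveLetter(p string) bool {
	if len(p) < 2 || p[1] != ':' {
		return false
	}
	c := p[0]
	return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
}

func main() {
	// Constructed sample entries, shaped like what a malicious server could send.
	root := "/srv/checkout"
	for _, entry := range []string{
		"src/main.go",
		"../../home/ci/.ssh/authorized_keys",
		".git/hooks/post-checkout",
		"sub/.GIT/config",
		"/etc/passwd",
		`..\..\evil`,
		"C:/Windows/Temp/x",
	} {
		if full, err := SafeWorktreePath(root, entry); err != nil {
			fmt.Printf("REJECT %-40q %v\n", entry, err)
		} else {
			fmt.Printf("ACCEPT %-40q -> %s\n", entry, full)
		}
	}
}
```

This only validates names. A checkout that writes through a symlink the same tree created earlier can still escape the root, so the write path itself must also refuse to follow symlinks out of the worktree; and git's own verify_path() rejects further `.git` spellings (NTFS short names, HFS+ normalisation) that the case-insensitive comparison here does not cover.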

terrytangyuan added a commit that referenced this pull request Jan 14, 2024
Signed-off-by: Yuan Tang <terrytangyuan@gmail.com>
terrytangyuan added a commit that referenced this pull request Jan 14, 2024
Signed-off-by: Yuan Tang <terrytangyuan@gmail.com>
dpadhiar pushed a commit to dpadhiar/argo-workflows that referenced this pull request May 9, 2024
Signed-off-by: Yuan Tang <terrytangyuan@gmail.com>
Signed-off-by: Dillen Padhiar <dillen_padhiar@intuit.com>