go-git v5.17.1 regression blocks CVE remediation (CVE-2026-33762, CVE-2026-34165) #1040
Description
Context
Two open Dependabot alerts reference go-git vulnerabilities that are patched in v5.17.1:
| Alert | CVE | GHSA | Severity | Summary |
|---|---|---|---|---|
| #197 | CVE-2026-33762 | GHSA-gm2x-2g9h-ccm8 | Low | Missing validation decoding Index v4 files leads to panic (DoS) |
| #198 | CVE-2026-34165 | GHSA-jhf3-xxhw-2wpp | Medium | Maliciously crafted .idx file causes asymmetric memory consumption (DoS) |
Both require write access to the local .git directory to exploit and result in denial-of-service only (no RCE). We attempted to upgrade to v5.17.1 in PR #1039, but had to revert to v5.16.5 due to a regression.
The regression in v5.17.1
v5.17.1 introduced fixPermissions() in storage/filesystem/dotgit/writers_unix.go, which sets .idx and .pack files to 0o444 (read-only) after writing them. Combined with go-billy being upgraded from v5.6.2 → v5.8.0 (which added Chmod support to ChrootHelper, making the chmod actually execute), this causes mod installs to fail on the second run with:
```text
could not commit shadow directory 'github.com': open .../.git/objects/pack/pack-<HASH>.idx: permission denied
```
Root cause chain
- go-git clones a mod into a temporary shadow directory
- `fixPermissions()` sets the shadow's `.idx`/`.pack` files to `0o444`
- pipe-fittings' `commitShadow` uses `github.com/otiai10/copy` to copy the shadow to the persistent mods directory — preserving the `0o444` permissions
- On any subsequent install of the same mod, `copy.Copy` calls `os.Create(dest)` (which is `open(O_RDWR|O_CREATE|O_TRUNC)`) on an existing `0o444` file → `EACCES` → permission denied
This is a two-step failure: the first install succeeds but poisons the destination with read-only permissions; the second install fails.
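The two-step failure above, as an added Go example that is not code from this issue, pipe-fittings, go-git or otiai10/copy: `naiveCopy` stands in for what `copy.Copy` does (`os.Create` on the destination, then preserving the source mode), `installTwice` runs the copy twice against a constructed read-only `.idx`, and `safeCopy` shows one workaround (unlink the stale destination before creating it). All three names are hypothetical.

```go
package main

import (
	"errors"
	"io/fs"
	"os"
	"path/filepath"
)

// naiveCopy mimics copy.Copy for a regular file: os.Create(dest), i.e.
// open(O_RDWR|O_CREATE|O_TRUNC), then preserve the mode the source had.
func naiveCopy(src, dest string) error {
	data, err := os.ReadFile(src)
	if err != nil {
		return err
	}
	out, err := os.Create(dest) // EACCES when dest already exists as 0o444
	if err != nil {
		return err
	}
	defer out.Close()
	if _, err := out.Write(data); err != nil {
		return err
	}
	return out.Chmod(0o444) // the mode fixPermissions left on the shadow file
}

// safeCopy is one workaround: unlink a stale destination before creating it.
// Unlink needs write permission on the directory, not on the file itself.
func safeCopy(src, dest string) error {
	if err := os.Remove(dest); err != nil && !errors.Is(err, fs.ErrNotExist) {
		return err
	}
	return naiveCopy(src, dest)
}

// installTwice reproduces the two-step failure: the first copy succeeds and
// poisons dest with 0o444; the second copy is the one that fails. It returns
// the error of the second copy.
func installTwice(dir string, copyFn func(src, dest string) error) error {
	src := filepath.Join(dir, "shadow-pack.idx") // constructed shadow .idx
	dest := filepath.Join(dir, "mods-pack.idx")  // copy in the persistent mods dir
	if err := os.WriteFile(src, []byte("constructed idx bytes"), 0o444); err != nil {
		return err
	}
	if err := copyFn(src, dest); err != nil {
		return err // first install is expected to succeed
	}
	return copyFn(src, dest) // second install of the same mod
}
```

Run as a non-root user; root bypasses the mode bits, so the second `naiveCopy` would succeed there and hide the regression.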
We have filed an upstream issue: go-git/go-git#1942
Current state
- We are pinned to go-git `v5.16.5` (which does not have the CVEs patched)
- The CVEs are DoS-only and require local write access to `.git`, so the exposure risk is low
- We will upgrade once go-git releases a patch that fixes the regression (expected `v5.17.2` or later)
Acceptance criteria
- go-git releases a version that fixes the `fixPermissions` regression (tracked in go-git/go-git#1942, "v5.17.1 regression: fixPermissions sets pack files to 0444, breaking subsequent installs into the same directory")
- Upgrade go-git to that version and close Dependabot alerts #197 and #198