go-git Improper Data Integrity Verification Vulnerability in Pack and Index Files

Vulnerability

go-git versions through 5.16.4 do not verify the integrity values carried by .pack and .idx files. A packfile ends with a 20-byte SHA-1 over all of its preceding content, and the .idx that indexes it carries both a copy of that pack checksum and a SHA-1 over its own content. go-git clients did not check these values on packfiles fetched from upstream Git servers, so a file corrupted in transit or on disk could be accepted and processed as if it were intact. The .idx files are generated locally by go-git or by the Git command-line interface when new .pack files are received, so an index built from a corrupted .pack inherits that corruption. Consuming such data disrupts normal operations, typically surfacing later as unexpected errors such as 'object not found' rather than as an integrity failure at fetch time. These checksums are integrity checks only: they detect accidental corruption, not deliberate tampering by a party who can rewrite the file and recompute the SHA-1.
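The check go-git was missing, written out as an added example (this is not go-git's code): verify the trailing SHA-1 of a packfile, then verify that its version-2 .idx has a valid self-checksum and embeds the same pack checksum. The sample pack and index are constructed in memory with zero objects so the program runs offline; the function names VerifyPack, VerifyIdx, BuildEmptyPack and BuildEmptyIdx are this example's own.

```go
package main

import (
	"bytes"
	"crypto/sha1"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	packMagic   = "PACK"
	idxMagic    = "\377tOc" // version-2 .idx magic
	checksumLen = sha1.Size // 20-byte SHA-1 trailer
)

// VerifyPack checks the packfile header and the trailing SHA-1 over all
// preceding bytes, which is the value an unpatched go-git did not validate.
func VerifyPack(pack []byte) error {
	if len(pack) < 12+checksumLen {
		return errors.New("pack too short")
	}
	if string(pack[:4]) != packMagic {
		return errors.New("bad pack magic")
	}
	version := binary.BigEndian.Uint32(pack[4:8])
	if version != 2 && version != 3 {
		return fmt.Errorf("unsupported pack version %d", version)
	}
	body, want := pack[:len(pack)-checksumLen], pack[len(pack)-checksumLen:]
	got := sha1.Sum(body)
	if !bytes.Equal(got[:], want) {
		return fmt.Errorf("pack checksum mismatch: computed %x, stored %x", got, want)
	}
	return nil
}

// PackChecksum returns the trailing SHA-1 of a packfile. Call VerifyPack first.
func PackChecksum(pack []byte) []byte { return pack[len(pack)-checksumLen:] }

// VerifyIdx checks a version-2 .idx: its own trailing SHA-1, and the copy of
// the pack checksum stored just before it, which must match the pack it indexes.
func VerifyIdx(idx, packChecksum []byte) error {
	const minLen = 4 + 4 + 256*4 + 2*checksumLen // magic, version, fanout, two checksums
	if len(idx) < minLen {
		return errors.New("idx too short")
	}
	if string(idx[:4]) != idxMagic {
		return errors.New("bad idx magic")
	}
	if v := binary.BigEndian.Uint32(idx[4:8]); v != 2 {
		return fmt.Errorf("unsupported idx version %d", v)
	}
	body, want := idx[:len(idx)-checksumLen], idx[len(idx)-checksumLen:]
	got := sha1.Sum(body)
	if !bytes.Equal(got[:], want) {
		return fmt.Errorf("idx checksum mismatch: computed %x, stored %x", got, want)
	}
	embedded := idx[len(idx)-2*checksumLen : len(idx)-checksumLen]
	if !bytes.Equal(embedded, packChecksum) {
		return fmt.Errorf("idx belongs to pack %x, not %x", embedded, packChecksum)
	}
	return nil
}

// BuildEmptyPack constructs a valid version-2 packfile with zero objects
// (constructed sample input for this example).
func BuildEmptyPack() []byte {
	var b bytes.Buffer
	b.WriteString(packMagic)
	binary.Write(&b, binary.BigEndian, uint32(2)) // version
	binary.Write(&b, binary.BigEndian, uint32(0)) // object count
	sum := sha1.Sum(b.Bytes())
	b.Write(sum[:])
	return b.Bytes()
}

// BuildEmptyIdx constructs the version-2 index for an empty packfile
// (constructed sample input for this example).
func BuildEmptyIdx(packChecksum []byte) []byte {
	var b bytes.Buffer
	b.WriteString(idxMagic)
	binary.Write(&b, binary.BigEndian, uint32(2))
	b.Write(make([]byte, 256*4)) // fanout table: no objects, every count is zero
	b.Write(packChecksum)
	sum := sha1.Sum(b.Bytes())
	b.Write(sum[:])
	return b.Bytes()
}

func main() {
	pack := BuildEmptyPack()
	idx := BuildEmptyIdx(PackChecksum(pack))
	fmt.Println("intact pack:", VerifyPack(pack))
	fmt.Println("intact idx:", VerifyIdx(idx, PackChecksum(pack)))

	corrupted := append([]byte(nil), pack...)
	corrupted[8] ^= 0x01 // flip one bit in the object-count field
	fmt.Println("corrupted pack:", VerifyPack(corrupted))

	// An .idx that is internally consistent but was built for a different pack must also be rejected.
	otherIdx := BuildEmptyIdx(make([]byte, checksumLen))
	fmt.Println("idx for another pack:", VerifyIdx(otherIdx, PackChecksum(pack)))
}
```

The order matters: verify the pack before trusting its trailing checksum, because the .idx check compares against that value. A flipped bit anywhere in the pack body, including the header, is caught by VerifyPack; an index whose self-checksum is valid but whose embedded pack checksum does not match is caught by VerifyIdx.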

Impact

Exploitation of this vulnerability results in go-git processing corrupted pack and index files. The corruption is not rejected at fetch time; it surfaces later as errors such as 'object not found' during Git operations that try to read the affected objects.

Remediation

Users should upgrade to go-git version 5.16.5 or the latest v6 pseudo-version. If an immediate upgrade is not possible, running 'git fsck' from the Git command-line interface against the repository checks for data corruption; 'git verify-pack -v' on the repository's .idx files checks the pack and index checksums directly. Either check only finds corruption already present on disk, so it should be repeated after each fetch until the upgrade is in place.

Added: Feb 10, 2026, 3:32 AM
Updated: Feb 10, 2026, 3:32 AM

Vulnerability Rating

Custom Algorithm

spread: 5.4
impact: 0.6
exploitability: 4.0
remediation: 7.7
relevance: 2.6
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.