go-git Improper Parsing Vulnerability Leading to Signature Verification Issues

A vulnerability exists in go-git, a Git implementation library in Go, prior to versions 5.19.0 and 6.0.0-alpha.3. The issue arises from go-git’s handling of malformed Git objects, particularly in commit or tag headers, which can lead to a decoded representation that differs from upstream Git's interpretation. This discrepancy can cause problems in commit signing and verification, as go-git may process a commit payload that is not an exact byte-for-byte match with the original object in the repository. Consequently, a signature might be incorrectly validated for a commit whose metadata does not accurately reflect the intended signed object.

Impact

This vulnerability can lead to incorrect commit signature verification, allowing a signature to be deemed valid even when the associated metadata does not accurately represent the signed object.

Remediation

Users should upgrade to go-git versions 5.19.0 or 6.0.0-alpha.3 or later. Instructions for upgrading can be found in the go-git repository.