
My application uses the go-git library, and I recently became aware of CVE-2022-23521 and CVE-2022-41903, issues about git.

I want to know if these issues affect go-git (https://github.com/go-git/go-git).

This is the description of go-git:

go-git is a highly extensible git implementation library written in pure Go.

However, I cannot fully understand the meaning of 'git implementation'.

I think 1) git is a VCS, 2) go-git implements the functions of git as a VCS, and 3) the CVE issues only pertain to the git CLI tool (https://github.com/git/git), not go-git.

Are my thoughts right?

alexmoon

You can think of "git" as both a specification and its default implementation. Except that the "specification" isn't really written down and is a function of what the default implementation does. But it's still reasonably stable, so multiple "git implementations" can usually interact quite well with each other. – Joachim Sauer Feb 09 '23 at 13:03

1 Answer


While both CVE-2022-23521 and CVE-2022-41903 are specific to git/git (the original C implementation), it is a good idea to try and replicate the exploit scenario, to confirm that the go-git one is not affected.

As go-git PR 620 illustrates ("Update dependencies to remove supply chain CVEs"), go-git is vulnerable to its own class of security issues, like known supply chain CVEs.

VonC
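The answer's second point, that a pure-Go reimplementation carries its own dependency risk rather than the C implementation's CVEs, is usually checked by comparing what `go.mod` pins against the versions an advisory names as fixed. The program below is an added example written for this answer; it is not code from go-git or from the answer's author. It parses a go.mod fragment constructed inline, compares each pinned module version against a minimum-safe table, and reports anything below the threshold. The module path `github.com/go-git/go-git/v5` is go-git's real import path, but the threshold versions in `minimumSafe` are placeholders that must be taken from the actual advisory (for example the entry on pkg.go.dev/vuln), not from this example. In practice `govulncheck ./...` does this lookup against the Go vulnerability database automatically; the hand-rolled comparison here only shows the mechanics.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// goMod is a constructed go.mod fragment standing in for the application's real file.
const goMod = `module example.com/app

go 1.19

require (
	github.com/go-git/go-git/v5 v5.4.2
	golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d // indirect
)
`

// minimumSafe maps a module path to the lowest version assumed to contain the fix.
// PLACEHOLDER thresholds: take the real values from the advisory, not from here.
var minimumSafe = map[string]string{
	"github.com/go-git/go-git/v5": "v5.5.0", // placeholder threshold
	"golang.org/x/crypto":         "v0.1.0", // placeholder threshold
}

// requiredModules extracts "path version" pairs from a go.mod's require directives,
// handling both the single-line form and the parenthesised block form.
func requiredModules(mod string) map[string]string {
	out := map[string]string{}
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(mod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 { // drop trailing comments such as "// indirect"
			line = strings.TrimSpace(line[:i])
		}
		switch {
		case line == "require (":
			inBlock = true
		case line == ")":
			inBlock = false
		case strings.HasPrefix(line, "require "):
			if f := strings.Fields(line); len(f) == 3 {
				out[f[1]] = f[2]
			}
		case inBlock:
			if f := strings.Fields(line); len(f) == 2 {
				out[f[0]] = f[1]
			}
		}
	}
	return out
}

// splitVersion returns the numeric major.minor.patch core of "vX.Y.Z[-suffix][+build]"
// and its pre-release suffix (empty for a plain release).
func splitVersion(v string) ([3]int, string) {
	v = strings.TrimPrefix(v, "v")
	core, suffix, _ := strings.Cut(v, "-")
	core, _, _ = strings.Cut(core, "+") // ignore "+incompatible" style build metadata
	var n [3]int
	for i, p := range strings.SplitN(core, ".", 3) {
		n[i], _ = strconv.Atoi(p)
	}
	return n, suffix
}

// compareSemver returns -1, 0 or 1. A pre-release or pseudo-version (which carries a
// "-" suffix) sorts below the release with the same numeric core, as Go's semver does.
func compareSemver(a, b string) int {
	na, sa := splitVersion(a)
	nb, sb := splitVersion(b)
	for i := 0; i < 3; i++ {
		if na[i] < nb[i] {
			return -1
		}
		if na[i] > nb[i] {
			return 1
		}
	}
	switch {
	case sa == "" && sb != "":
		return 1
	case sa != "" && sb == "":
		return -1
	}
	return strings.Compare(sa, sb)
}

// outdated lists modules pinned below their assumed-safe minimum, sorted by path.
func outdated(mod string, minimums map[string]string) []string {
	pinned := requiredModules(mod)
	var findings []string
	for path, min := range minimums {
		if have, ok := pinned[path]; ok && compareSemver(have, min) < 0 {
			findings = append(findings, fmt.Sprintf("%s %s < %s", path, have, min))
		}
	}
	sort.Strings(findings)
	return findings
}

func main() {
	for _, f := range outdated(goMod, minimumSafe) {
		fmt.Println("needs update:", f)
	}
}
```

Note that a version below the threshold only says the dependency is older than the fixed release; whether the application actually reaches the vulnerable code path is a separate question, which is why the answer suggests replaying the scenario against go-git itself rather than relying on version numbers alone.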