
[Medium] Patch packer for CVE-2026-45570 and CVE-2026-45571 #17609

Open

v-aaditya wants to merge 5 commits into microsoft:3.0-dev from Kanishk-Bansal:topic-CVE-Fix/packer/3.0/CVE-2026-45571

Conversation

@v-aaditya

@v-aaditya v-aaditya commented Jun 3, 2026

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

  • The toolchain has been rebuilt successfully (or no changes were made to it)
  • The toolchain/worker package manifests are up-to-date
  • Any updated packages successfully build (or no packages were changed)
  • Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
  • Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
  • All package sources are available
  • cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
  • LICENSE-MAP files are up-to-date (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
  • All source files have up-to-date hashes in the *.signatures.json files
  • sudo make go-tidy-all and sudo make go-test-coverage pass
  • Documentation has been updated to match any changes to the build system
  • Ready to merge

Summary
  • Patch packer for CVE-2026-45571

    • The github.com/go-git/go-git/v5 vendor package has been upgraded from v5.13.0 => v5.19.1.
    • The github.com/go-git/go-billy/v5 vendor package has been upgraded from v5.6.0 => v5.9.0, which was needed for compilation of upgraded github.com/go-git/go-git/v5.
    • go.mod and vendor/module.txt files have been modified to change the version of the go module to 1.22, which was required for compilation of the upgraded github.com/go-git/go-git/v5.
    • BuildRequires: golang >= 1.21 has been updated to 1.22.
    • Upstream Patch reference: https://github.com/go-git/go-git/releases/tag/v5.19.1
  • This patch also fixes CVE-2026-45570

Change Log
Does this affect the toolchain?

NO

Links to CVEs
Test Methodology
  • Local build was successful.
  • Patch applies cleanly
  • License check script shows no warning.
  • Installation and Uninstallation on docker image was successful.

@microsoft-github-policy-service microsoft-github-policy-service Bot added Packaging 3.0-dev PRs Destined for AzureLinux 3.0 labels Jun 3, 2026
@v-aaditya

v-aaditya commented Jun 3, 2026


Buddy Build has been triggered and it has passed.

@v-aaditya v-aaditya marked this pull request as ready for review June 3, 2026 05:37
@v-aaditya v-aaditya requested a review from a team as a code owner June 3, 2026 05:37

@mfrw mfrw left a comment


LGTM ✅ — clean vendor bump to go-git/v5 v5.19.1 + go-billy/v5 v5.9.0.

  • Spec hygiene clean: Release: 15→16, Patch34 ordered correctly, %changelog entry matches, BuildRequires: golang >= 1.21 → 1.22 aligned with the go.mod / vendor/modules.txt bump to go 1.22.
  • Vendor delta matches upstream v5.13.0..v5.19.1 (go-git) and v5.6.0..v5.9.0 (go-billy) — spot-checked the pathutil.ValidTreePath gate in worktree.doAddFileToIndex, the new worktreeFilesystem wrapper, and the SSH shell-quote fix.
  • Buddy build green on both arches: buildId=1131745.
  • PR checklist ticked, no failing PR checks.

CVE → upstream fix mapping (both land in v5.19.1):

| CVE | GHSA | Severity | Upstream PR |
| --- | --- | --- | --- |
| CVE-2026-45571 | GHSA-crhj-59gh-8x96 | Medium | #2100 (worktreeFilesystem) + submodule hardening #2070 #2074 #2078 #2082 |
| CVE-2026-45570 | GHSA-m7cr-m3pv-hgrp | Low | #2068 (transport/ssh shell-quote) |

Nit (non-blocking): patch file is named CVE-2026-45571.patch but it also carries the CVE-2026-45570 fix — might be worth a rename or a comment header in the patch noting both CVE IDs. Same for the PR title. Up to you, not blocking.

Signed-Off By: @mfrw

@v-aaditya

v-aaditya commented Jun 3, 2026



Updated the patch header and name to add info for CVE-2026-45570.
Re-triggered the Buddy Build and it has passed!
I have also updated the PR title.

@v-aaditya v-aaditya changed the title [Medium] Patch packer for CVE-2026-45571 [Medium] Patch packer for CVE-2026-45570 and CVE-2026-45571 Jun 3, 2026
@Kanishk-Bansal Kanishk-Bansal added the ready-for-stable-review PR has passed initial review and is now ready for a second-level stable maintainer review label Jun 4, 2026
@v-aaditya

v-aaditya commented Jun 8, 2026


Re-triggered Buddy Build and it has passed.

@kgodara912 kgodara912 left a comment


PR is too big to carry. Instead of doing the package upgrade this way, ideally we should upgrade the vendor tarball itself. But before that, we should search for patch availability: we need to search for the CVEs and see if any patch could address the core issue of the vulnerability.

Comment thread: SPECS/packer/packer.spec (Outdated)

Patch32: CVE-2026-46598.patch
Patch33: CVE-2026-33814.patch
Patch34: CVE-2026-39833.patch
Patch35: CVE-2026-45570-and-CVE-2026-45571.patch


The other files should go as nopatch, so your CVE files should go as CVE-2026-45570.patch and CVE-2026-45571.nopatch; you need not include the nopatch file in the spec itself.


Updated the patch file name and added a .nopatch file for CVE-2026-45570.

@v-aaditya


I am checking on this!


Labels

3.0-dev PRs Destined for AzureLinux 3.0 Packaging ready-for-stable-review PR has passed initial review and is now ready for a second-level stable maintainer review security
