blob: 698551dd414f87c9fc804a819413b297ae9d9a05 [file] [log] [blame]
id: GO-2022-0189
modules:
- module: cmd
versions:
- fixed: 1.10.6
- introduced: 1.11.0-0
- fixed: 1.11.3
vulnerable_at: 1.11.2
packages:
- package: cmd/go/internal/get
symbols:
- downloadPackage
skip_fix: 'TODO: revisit this reason (cant request explicit version v1.11.2 of standard library package cmd/go/internal/get'
summary: Remote command execution via "go get" with "-u" flag in cmd/go
description: |-
The "go get" command is vulnerable to remote code execution when executed with
the -u flag and the import path of a malicious Go package, or a package that
imports it directly or indirectly.
Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the
distinction is documented at
https://golang.org/cmd/go/#hdr-Module_aware_go_get).
Using custom domains, it's possible to arrange things so that a Git repository
is cloned to a folder named ".git" by using a vanity import path that ends with
"/.git". If the Git repository root contains a "HEAD" file, a "config" file, an
"objects" directory, a "refs" directory, with some work to ensure the proper
ordering of operations, "go get -u" can be tricked into considering the parent
directory as a repository root, and running Git commands on it. That will use
the "config" file in the original Git repository root for its configuration, and
if that config file contains malicious commands, they will execute on the system
running "go get -u".
Note that forbidding import paths with a .git element might not be sufficient to
mitigate this issue, as on certain systems there can be other aliases for VCS
state folders.
published: 2022-08-04T21:30:35Z
cves:
- CVE-2018-16873
credits:
- Etienne Stalmans of Heroku
references:
- fix: https://go.dev/cl/154101
- fix: https://go.googlesource.com/go/+/bc82d7c7db83487e05d7a88e06549d4ae2a688c3
- report: https://go.dev/issue/29230
- web: https://groups.google.com/g/golang-announce/c/Kw31K8G7Fi0
review_status: REVIEWED