data/reports/GO-2022-0189.yaml - vulndb - Git at Google

 id: GO-2022-0189
 modules:
   - module: cmd
     versions:
       - fixed: 1.10.6
       - introduced: 1.11.0-0
         fixed: 1.11.3
     vulnerable_at: 1.11.2
     packages:
       - package: cmd/go/internal/get
         symbols:
           - downloadPackage
         skip_fix: 'TODO: revisit this reason (cant request explicit version v1.11.2
             of standard library package cmd/go/internal/get'
 summary: 'TODO(https://go.dev/issue/56443): fill in summary field'
 description: |
     The "go get" command is vulnerable to remote code execution when executed
     with the -u flag and the import path of a malicious Go package, or a
     package that imports it directly or indirectly.

     Specifically, it is only vulnerable in GOPATH mode, but not in module mode
     (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get).

     Using custom domains, it's possible to arrange things so that a Git
     repository is cloned to a folder named ".git" by using a vanity import path
     that ends with "/.git". If the Git repository root contains a "HEAD" file,
     a "config" file, an "objects" directory, a "refs" directory, with some work
     to ensure the proper ordering of operations, "go get -u" can be tricked
     into considering the parent directory as a repository root, and running Git
     commands on it. That will use the "config" file in the original Git
     repository root for its configuration, and if that config file contains
     malicious commands, they will execute on the system running "go get -u".

     Note that forbidding import paths with a .git element might not be
     sufficient to mitigate this issue, as on certain systems there can be other
     aliases for VCS state folders.
 published: 2022-08-04T21:30:35Z
 cves:
   - CVE-2018-16873
 credits:
   - Etienne Stalmans of Heroku
 references:
   - fix: https://go.dev/cl/154101
   - fix: https://go.googlesource.com/go/+/bc82d7c7db83487e05d7a88e06549d4ae2a688c3
   - report: https://go.dev/issue/29230
   - web: https://groups.google.com/g/golang-announce/c/Kw31K8G7Fi0
	id: GO-2022-0189
	modules:
	- module: cmd
	versions:
	- fixed: 1.10.6
	- introduced: 1.11.0-0
	fixed: 1.11.3
	vulnerable_at: 1.11.2
	packages:
	- package: cmd/go/internal/get
	symbols:
	- downloadPackage
	skip_fix: 'TODO: revisit this reason (cant request explicit version v1.11.2
	of standard library package cmd/go/internal/get'
	summary: 'TODO(https://go.dev/issue/56443): fill in summary field'
	description: \|
	The "go get" command is vulnerable to remote code execution when executed
	with the -u flag and the import path of a malicious Go package, or a
	package that imports it directly or indirectly.

	Specifically, it is only vulnerable in GOPATH mode, but not in module mode
	(the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get).

	Using custom domains, it's possible to arrange things so that a Git
	repository is cloned to a folder named ".git" by using a vanity import path
	that ends with "/.git". If the Git repository root contains a "HEAD" file,
	a "config" file, an "objects" directory, a "refs" directory, with some work
	to ensure the proper ordering of operations, "go get -u" can be tricked
	into considering the parent directory as a repository root, and running Git
	commands on it. That will use the "config" file in the original Git
	repository root for its configuration, and if that config file contains
	malicious commands, they will execute on the system running "go get -u".

	Note that forbidding import paths with a .git element might not be
	sufficient to mitigate this issue, as on certain systems there can be other
	aliases for VCS state folders.
	published: 2022-08-04T21:30:35Z
	cves:
	- CVE-2018-16873
	credits:
	- Etienne Stalmans of Heroku
	references:
	- fix: https://go.dev/cl/154101
	- fix: https://go.googlesource.com/go/+/bc82d7c7db83487e05d7a88e06549d4ae2a688c3
	- report: https://go.dev/issue/29230
	- web: https://groups.google.com/g/golang-announce/c/Kw31K8G7Fi0