/go

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

cmd/go: directory traversal in "go get" via curly braces in import paths #29231

Closed
dmitshur opened this Issue Dec 13, 2018 · 3 comments

Comments

Assignees
No one assigned
Labels
Security
Projects
None yet
Milestone
  Go1.12
3 participants
@dmitshur @FiloSottile @gopherbot
@dmitshur
Copy link
Member

dmitshur commented Dec 13, 2018
edited by FiloSottile

go get downloads and builds source code. It is not supposed to allow arbitrary filesystem writes.

The go get command is vulnerable to directory traversal when executed with the import path of a malicious Go package which contains curly braces (both { and } characters). Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). The attacker can cause an arbitrary filesystem write, which can lead to code execution.

Thanks to ztz of Tencent Security Platform for discovering and reporting this issue.

This issue is CVE-2018-16874.

@dmitshur dmitshur added the Security label Dec 13, 2018

@dmitshur dmitshur added this to the Go1.12 milestone Dec 13, 2018

This was referenced Dec 13, 2018

Closed
Closed
@FiloSottile

This comment has been minimized.

Sign in to view
Copy link
Member

FiloSottile commented Dec 13, 2018
edited

Fixed in Go 1.11.3 by 8954add.
Fixed in Go 1.10.6 by 90d609b.

@dmitshur dmitshur changed the title cmd/go: directory traversal via curly braces in import paths cmd/go: directory traversal in "go get" via curly braces in import paths Dec 13, 2018

thaJeztah added a commit to thaJeztah/docker that referenced this issue Dec 13, 2018

@thaJeztah
Bump Golang 1.11.3 (CVE-2018-16875) 
go1.11.1 (released 2018/12/14)

- crypto/x509: CPU denial of service in chain validation golang/go#29233
- cmd/go: directory traversal in "go get" via curly braces in import paths golang/go#29231
- cmd/go: remote command execution during "go get -u" golang/go#29230

See the Go 1.11.1 milestone on the issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.11.1

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Verified
This commit was signed with a verified signature.
@thaJeztah thaJeztah Sebastiaan van Stijn
GPG key ID: 76698F39D527CE8C Learn about signing commits
fb6dc55

@thaJeztah thaJeztah referenced this issue Dec 13, 2018

Merged

Bump Golang 1.11.3 (CVE-2018-16875) #38369

thaJeztah added a commit to thaJeztah/docker that referenced this issue Dec 13, 2018

@thaJeztah
Bump Golang 1.10.6 (CVE-2018-16875) 
go1.10.6 (released 2018/12/14)

- crypto/x509: CPU denial of service in chain validation golang/go#29233
- cmd/go: directory traversal in "go get" via curly braces in import paths golang/go#29231
- cmd/go: remote command execution during "go get -u" golang/go#29230

See the Go 1.10.6 milestone on the issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.10.6

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Verified
This commit was signed with a verified signature.
@thaJeztah thaJeztah Sebastiaan van Stijn
GPG key ID: 76698F39D527CE8C Learn about signing commits
8afe9f4

thaJeztah added a commit to thaJeztah/docker that referenced this issue Dec 13, 2018

@thaJeztah
Bump Golang 1.11.3 (CVE-2018-16875) 
go1.11.13 (released 2018/12/14)

- crypto/x509: CPU denial of service in chain validation golang/go#29233
- cmd/go: directory traversal in "go get" via curly braces in import paths golang/go#29231
- cmd/go: remote command execution during "go get -u" golang/go#29230

See the Go 1.11.3 milestone on the issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.11.3

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Verified
This commit was signed with a verified signature.
@thaJeztah thaJeztah Sebastiaan van Stijn
GPG key ID: 76698F39D527CE8C Learn about signing commits
6b7c093
@gopherbot

This comment has been minimized.

Sign in to view
Copy link

gopherbot commented Dec 13, 2018

Change https://golang.org/cl/154101 mentions this issue: cmd/go: reject 'get' of paths containing leading dots or unsupported characters

@thaJeztah thaJeztah referenced this issue Dec 13, 2018

Merged

[18.09] Bump Golang 1.10.6 (CVE-2018-16875) #137

@gopherbot

This comment has been minimized.

Sign in to view
Copy link

gopherbot commented Dec 13, 2018

Change https://golang.org/cl/154103 mentions this issue: cmd/go/internal/get: use a strings.Replacer in expand

thaJeztah added a commit to thaJeztah/golang-cross that referenced this issue Dec 13, 2018

@thaJeztah
Bump Golang 1.11.3 (CVE-2018-16875) 
go1.11.13 (released 2018/12/14)

- crypto/x509: CPU denial of service in chain validation golang/go#29233
- cmd/go: directory traversal in "go get" via curly braces in import paths golang/go#29231
- cmd/go: remote command execution during "go get -u" golang/go#29230

See the Go 1.11.3 milestone on the issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.11.3

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Verified
This commit was signed with a verified signature.
@thaJeztah thaJeztah Sebastiaan van Stijn
GPG key ID: 76698F39D527CE8C Learn about signing commits
639c177

@thaJeztah thaJeztah referenced this issue Dec 13, 2018

Merged

Bump Golang 1.11.3 (CVE-2018-16875) #14

thaJeztah added a commit to thaJeztah/golang-cross that referenced this issue Dec 14, 2018

@thaJeztah
Bump Golang 1.10.6 (CVE-2018-16875) 
go1.10.6 (released 2018/12/14)

- crypto/x509: CPU denial of service in chain validation golang/go#29233
- cmd/go: directory traversal in "go get" via curly braces in import paths golang/go#29231
- cmd/go: remote command execution during "go get -u" golang/go#29230

See the Go 1.10.6 milestone on the issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.10.6

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Verified
This commit was signed with a verified signature.
@thaJeztah thaJeztah Sebastiaan van Stijn
GPG key ID: 76698F39D527CE8C Learn about signing commits
af3e6d2

@thaJeztah thaJeztah referenced this issue Dec 14, 2018

Merged

Bump Golang 1.10.6 (CVE-2018-16875) #15

thaJeztah added a commit to thaJeztah/cli that referenced this issue Dec 14, 2018

@thaJeztah
Bump Golang 1.10.6 (CVE-2018-16875) 
go1.10.6 (released 2018/12/14)

- crypto/x509: CPU denial of service in chain validation golang/go#29233
- cmd/go: directory traversal in "go get" via curly braces in import paths golang/go#29231
- cmd/go: remote command execution during "go get -u" golang/go#29230

See the Go 1.10.6 milestone on the issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.10.6

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Verified
This commit was signed with a verified signature.
@thaJeztah thaJeztah Sebastiaan van Stijn
GPG key ID: 76698F39D527CE8C Learn about signing commits
fced1ab

@thaJeztah thaJeztah referenced this issue Dec 14, 2018

Merged

[18.09] Bump Golang 1.10.6 (CVE-2018-16875) #1575

thaJeztah added a commit to thaJeztah/cli that referenced this issue Dec 14, 2018

@thaJeztah
Bump Golang 1.10.6 (CVE-2018-16875) 
go1.10.6 (released 2018/12/14)

- crypto/x509: CPU denial of service in chain validation golang/go#29233
- cmd/go: directory traversal in "go get" via curly braces in import paths golang/go#29231
- cmd/go: remote command execution during "go get -u" golang/go#29230

See the Go 1.10.6 milestone on the issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.10.6

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Verified
This commit was signed with a verified signature.
@thaJeztah thaJeztah Sebastiaan van Stijn
GPG key ID: 76698F39D527CE8C Learn about signing commits
6c3a10a

@gopherbot gopherbot closed this in bc82d7c Dec 14, 2018

gopherbot pushed a commit that referenced this issue Dec 14, 2018

@bcmills @dmitshur
cmd/go/internal/get: use a strings.Replacer in expand 
This should be a no-op, but produces deterministic (and more correct)
behavior if we have accidentally failed to sanitize one of the inputs.

Updates #29231

Change-Id: I1271d0ffd01a691ec8c84906c4e02d9e2be19c72
Reviewed-on: https://team-review.git.corp.google.com/c/370575
Reviewed-by: Russ Cox <rsc@google.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-on: https://go-review.googlesource.com/c/154103
Reviewed-by: Bryan C. Mills <bcmills@google.com>
73e862e

thaJeztah added a commit to thaJeztah/docker-ce-packaging that referenced this issue Dec 14, 2018

@thaJeztah
Bump Golang 1.11.3 (CVE-2018-16875) 
go1.11.13 (released 2018/12/14)

- crypto/x509: CPU denial of service in chain validation golang/go#29233
- cmd/go: directory traversal in "go get" via curly braces in import paths golang/go#29231
- cmd/go: remote command execution during "go get -u" golang/go#29230

See the Go 1.11.3 milestone on the issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.11.3

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Verified
This commit was signed with a verified signature.
@thaJeztah thaJeztah Sebastiaan van Stijn
GPG key ID: 76698F39D527CE8C Learn about signing commits
985d53d

@thaJeztah thaJeztah referenced this issue Dec 14, 2018

Merged

Bump Golang 1.11.3 (CVE-2018-16875) #283

thaJeztah added a commit to thaJeztah/docker-ce-packaging that referenced this issue Dec 14, 2018

@thaJeztah
Bump Golang 1.11.3 (CVE-2018-16875) 
go1.11.3 (released 2018/12/14)

- crypto/x509: CPU denial of service in chain validation golang/go#29233
- cmd/go: directory traversal in "go get" via curly braces in import paths golang/go#29231
- cmd/go: remote command execution during "go get -u" golang/go#29230

See the Go 1.11.3 milestone on the issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.11.3

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Verified
This commit was signed with a verified signature.
@thaJeztah thaJeztah Sebastiaan van Stijn
GPG key ID: 76698F39D527CE8C Learn about signing commits
6b8b8fe

thaJeztah added a commit to thaJeztah/docker-ce-packaging that referenced this issue Dec 14, 2018

@thaJeztah
Bump Golang 1.11.3 (CVE-2018-16875) 
go1.11.3 (released 2018/12/14)

- crypto/x509: CPU denial of service in chain validation golang/go#29233
- cmd/go: directory traversal in "go get" via curly braces in import paths golang/go#29231
- cmd/go: remote command execution during "go get -u" golang/go#29230

See the Go 1.11.3 milestone on the issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.11.3

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Verified
This commit was signed with a verified signature.
@thaJeztah thaJeztah Sebastiaan van Stijn
GPG key ID: 76698F39D527CE8C Learn about signing commits
517a30b

docker-jenkins pushed a commit to docker/docker-ce that referenced this issue Dec 15, 2018

@thaJeztah
Bump Golang 1.10.6 (CVE-2018-16875) 
go1.10.6 (released 2018/12/14)

- crypto/x509: CPU denial of service in chain validation golang/go#29233
- cmd/go: directory traversal in "go get" via curly braces in import paths golang/go#29231
- cmd/go: remote command execution during "go get -u" golang/go#29230

See the Go 1.10.6 milestone on the issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.10.6

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: 8afe9f422dc0183ce48e1db09189ccbde634080a
Component: engine
3e10549

docker-jenkins pushed a commit to docker/docker-ce that referenced this issue Dec 15, 2018

@thaJeztah
Bump Golang 1.10.6 (CVE-2018-16875) 
go1.10.6 (released 2018/12/14)

- crypto/x509: CPU denial of service in chain validation golang/go#29233
- cmd/go: directory traversal in "go get" via curly braces in import paths golang/go#29231
- cmd/go: remote command execution during "go get -u" golang/go#29230

See the Go 1.10.6 milestone on the issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.10.6

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: 6c3a10aaede0cfc54cb5befbb70d6357d08d75b7
Component: cli
c86a836

docker-jenkins pushed a commit to docker/docker-ce that referenced this issue Dec 17, 2018

@thaJeztah
Bump Golang 1.11.3 (CVE-2018-16875) 
go1.11.3 (released 2018/12/14)

- crypto/x509: CPU denial of service in chain validation golang/go#29233
- cmd/go: directory traversal in "go get" via curly braces in import paths golang/go#29231
- cmd/go: remote command execution during "go get -u" golang/go#29230

See the Go 1.11.3 milestone on the issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.11.3

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: 517a30b48d7b483e27eb3c3328356a8e83272988
Component: packaging
d77eaad

thaJeztah added a commit to thaJeztah/cli that referenced this issue Dec 19, 2018

@thaJeztah
Bump Golang 1.11.4 (includes fix for CVE-2018-16875) 
go1.11.4 (released 2018/12/14) includes fixes to cgo, the compiler, linker,
runtime, documentation, go command, and the net/http and go/types packages. It
includes a fix to a bug introduced in Go 1.11.3 that broke go get for import
path patterns containing "...".

See the Go 1.11.4 milestone for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.11.4+label%3ACherryPickApproved

go1.11.3 (released 2018/12/14)

- crypto/x509: CPU denial of service in chain validation golang/go#29233
- cmd/go: directory traversal in "go get" via curly braces in import paths golang/go#29231
- cmd/go: remote command execution during "go get -u" golang/go#29230

See the Go 1.11.3 milestone on the issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.11.3

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Verified
This commit was signed with a verified signature.
@thaJeztah thaJeztah Sebastiaan van Stijn
GPG key ID: 76698F39D527CE8C Learn about signing commits
deaf6e1

@thaJeztah thaJeztah referenced this issue Dec 19, 2018

Merged

Bump Golang 1.11.4 (includes fix for CVE-2018-16875) #1585

docker-jenkins pushed a commit to docker/docker-ce that referenced this issue Dec 19, 2018

@thaJeztah
Bump Golang 1.11.3 (CVE-2018-16875) 
go1.11.13 (released 2018/12/14)

- crypto/x509: CPU denial of service in chain validation golang/go#29233
- cmd/go: directory traversal in "go get" via curly braces in import paths golang/go#29231
- cmd/go: remote command execution during "go get -u" golang/go#29230

See the Go 1.11.3 milestone on the issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.11.3

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: 6b7c093b0de21d574ce120aee891e60187749174
Component: engine
8698a97

docker-jenkins pushed a commit to docker/docker-ce that referenced this issue Jan 8, 2019

@thaJeztah
Bump Golang 1.11.4 (includes fix for CVE-2018-16875) 
go1.11.4 (released 2018/12/14) includes fixes to cgo, the compiler, linker,
runtime, documentation, go command, and the net/http and go/types packages. It
includes a fix to a bug introduced in Go 1.11.3 that broke go get for import
path patterns containing "...".

See the Go 1.11.4 milestone for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.11.4+label%3ACherryPickApproved

go1.11.3 (released 2018/12/14)

- crypto/x509: CPU denial of service in chain validation golang/go#29233
- cmd/go: directory traversal in "go get" via curly braces in import paths golang/go#29231
- cmd/go: remote command execution during "go get -u" golang/go#29230

See the Go 1.11.3 milestone on the issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.11.3

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: deaf6e13ab067e6794d20ec980b4ae216b65d07c
Component: cli
4254022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment