Bug 1657564 (CVE-2018-16874) - CVE-2018-16874 golang: "go get" vulnerable to directory traversal via malicious package
Summary: CVE-2018-16874 golang: "go get" vulnerable to directory traversal via malicio...
Alias: CVE-2018-16874
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1659289 1659397 1659398 1659906 1660654 1660655 1663370 1663381 1664332
Blocks: 1657559
Reported: 2018-12-10 00:59 UTC by Sam Fowler
Modified: 2022-03-13 16:25 UTC (History)

Fixed In Version: golang 1.10.6, golang 1.11.3
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2021-10-27 03:20:49 UTC


Description Sam Fowler 2018-12-10 00:59:49 UTC
Go before versions 1.10.6 and 1.11.3 is vulnerable to directory traversal.

Comment 2 Sam Fowler 2018-12-11 00:51:50 UTC
In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to directory traversal when executed with the import path of a malicious Go package which contains curly braces (both '{' and '}' characters). Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). The attacker can cause an arbitrary filesystem write, which can lead to code execution.
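As an added example (not code from the Go project, nor from this bug report), the following Go program shows the defensive check a tool that maps import paths onto a GOPATH/src directory needs before touching the filesystem: it rejects curly braces, empty, '.' and '..' path elements, and characters outside a conservative allowed set, then confirms that the computed destination still lies inside GOPATH/src. The allowed character set and the function names are assumptions made for this illustration, not the toolchain's own rules.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// Punctuation permitted inside an import path element in this illustrative
// checker (assumption: a conservative set chosen for the example, not the
// Go toolchain's own rule set).
const allowedPunct = "-._~+"

// CheckImportPath returns nil when p is safe to map onto a directory under
// GOPATH/src. It refuses the '{' and '}' characters named in the advisory,
// leading/trailing slashes, empty elements, and the '.' / '..' elements that
// would let a path climb out of the target tree.
func CheckImportPath(p string) error {
	if p == "" {
		return errors.New("empty import path")
	}
	if strings.HasPrefix(p, "/") || strings.HasSuffix(p, "/") {
		return errors.New("import path must not begin or end with '/'")
	}
	if strings.ContainsAny(p, "{}") {
		return errors.New("import path contains curly braces")
	}
	for _, elem := range strings.Split(p, "/") {
		if elem == "" {
			return errors.New("import path contains an empty element")
		}
		if elem == "." || elem == ".." {
			return fmt.Errorf("import path element %q is not allowed", elem)
		}
		for _, r := range elem {
			isAlnum := (r >= 'a' && r <= 'z') || (r >= 'A' && r <= 'Z') || (r >= '0' && r <= '9')
			if !isAlnum && !strings.ContainsRune(allowedPunct, r) {
				return fmt.Errorf("import path element %q contains invalid character %q", elem, r)
			}
		}
	}
	return nil
}

// Destination maps a validated import path onto GOPATH/src and, as a second
// line of defence, verifies that the resulting directory is inside that tree.
func Destination(gopath, importPath string) (string, error) {
	if err := CheckImportPath(importPath); err != nil {
		return "", err
	}
	src := filepath.Join(gopath, "src")
	dst := filepath.Join(src, filepath.FromSlash(importPath))
	rel, err := filepath.Rel(src, dst)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errors.New("destination escapes GOPATH/src")
	}
	return dst, nil
}

func main() {
	// Constructed sample inputs: one ordinary path and two that must be refused.
	samples := []string{
		"example.com/user/repo",
		"example.com/{a,b}/repo",
		"example.com/../escape",
	}
	for _, p := range samples {
		dst, err := Destination("/home/dev/go", p)
		if err != nil {
			fmt.Printf("%-28s rejected: %v\n", p, err)
			continue
		}
		fmt.Printf("%-28s -> %s\n", p, dst)
	}
}
```

The two checks are deliberately redundant: the character whitelist stops a hostile path early with a clear error, while the filepath.Rel test guards the actual join, so a future relaxation of the whitelist cannot silently reintroduce an escape from GOPATH/src.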

Comment 3 Sam Fowler 2018-12-14 01:59:17 UTC
External Reference:


Upstream Issue:


Comment 4 Sam Fowler 2018-12-14 01:59:20 UTC

Name: Dmitri Shuralyov (the Go team)

Comment 5 Sam Fowler 2018-12-14 01:59:29 UTC
Created golang tracking bugs for this issue:

Affects: fedora-all [bug 1659289]

Comment 12 Tomas Hoger 2019-01-08 13:38:20 UTC
Created golang tracking bugs for this issue:

Affects: epel-all [bug 1664332]

Created golang:1.10/golang tracking bugs for this issue:

Affects: fedora-all [bug 1663381]

Comment 14 Huzaifa S. Sidhpurwala 2019-04-23 09:50:12 UTC

This issue affects the version of golang package in Red Hat Enterprise Linux 7. The golang package, previously available in the Optional channel, will no longer receive updates in Red Hat Enterprise Linux 7. Developers are encouraged to use the Go Toolset instead, which is available through the Red Hat Developer program. https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.6_release_notes/chap-red_hat_enterprise_linux-7.6_release_notes-deprecated_functionality_in_rhel7#idm139716309923696
