Bug 1657564 (CVE-2018-16874) - CVE-2018-16874 golang: "go get" vulnerable to directory traversal via malicious package
Summary: CVE-2018-16874 golang: "go get" vulnerable to directory traversal via malicio...
Status: NEW
Alias: CVE-2018-16874
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20181213:2000,...
Keywords: Security
Depends On: 1659397 1659398 1659906 1663370 1663381 1659289 1660654 1660655 1664332
Blocks: 1657559
TreeView+ depends on / blocked
 
Reported: 2018-12-10 00:59 UTC by Sam Fowler
Modified: 2019-04-23 09:50 UTC (History)
26 users (show)

(edit)
Clone Of:
(edit)
Last Closed:


Attachments (Terms of Use)

Description Sam Fowler 2018-12-10 00:59:49 UTC
Go before versions 1.10.6 and 1.11.3 is vulnerable to directory traversal.

Comment 2 Sam Fowler 2018-12-11 00:51:50 UTC
In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to directory traversal when executed with the import path of a malicious Go package which contains curly braces (both '{' and '}' characters). Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). The attacker can cause an arbitrary filesystem write, which can lead to code execution.

Comment 3 Sam Fowler 2018-12-14 01:59:17 UTC
External Reference:

https://groups.google.com/forum/?pli=1#!topic/golang-announce/Kw31K8G7Fi0


Upstream Issue:

https://golang.org/issue/29231

Comment 4 Sam Fowler 2018-12-14 01:59:20 UTC
Acknowledgments:

Name: Dmitri Shuralyov (the Go team)

Comment 5 Sam Fowler 2018-12-14 01:59:29 UTC
Created golang tracking bugs for this issue:

Affects: fedora-all [bug 1659289]

Comment 12 Tomas Hoger 2019-01-08 13:38:20 UTC
Created golang tracking bugs for this issue:

Affects: epel-all [bug 1664332]


Created golang:1.10/golang tracking bugs for this issue:

Affects: fedora-all [bug 1663381]

Comment 14 Huzaifa S. Sidhpurwala 2019-04-23 09:50:12 UTC
Statement:

This issue affects the version of golang package in Red Hat Enterprise Linux 7. The golang package, previously available in the Optional channel, will no longer receive updates in Red Hat Enterprise Linux 7. Developers are encouraged to use the Go Toolset instead, which is available through the Red Hat Developer program. https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.6_release_notes/chap-red_hat_enterprise_linux-7.6_release_notes-deprecated_functionality_in_rhel7#idm139716309923696


Note You need to log in before you can comment on or make changes to this bug.