-
Notifications
You must be signed in to change notification settings - Fork 17.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
cmd/go: remote command execution during "go get -u" #29230
Labels
Milestone
Comments
This was referenced Dec 13, 2018
thaJeztah
added a commit
to thaJeztah/docker
that referenced
this issue
Dec 13, 2018
go1.10.6 (released 2018/12/14) - crypto/x509: CPU denial of service in chain validation golang/go#29233 - cmd/go: directory traversal in "go get" via curly braces in import paths golang/go#29231 - cmd/go: remote command execution during "go get -u" golang/go#29230 See the Go 1.10.6 milestone on the issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.10.6 Signed-off-by: Sebastiaan van Stijn <[email protected]>
thaJeztah
added a commit
to thaJeztah/docker
that referenced
this issue
Dec 13, 2018
go1.11.13 (released 2018/12/14) - crypto/x509: CPU denial of service in chain validation golang/go#29233 - cmd/go: directory traversal in "go get" via curly braces in import paths golang/go#29231 - cmd/go: remote command execution during "go get -u" golang/go#29230 See the Go 1.11.3 milestone on the issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.11.3 Signed-off-by: Sebastiaan van Stijn <[email protected]>
Change https://golang.org/cl/154101 mentions this issue: |
Change https://golang.org/cl/154104 mentions this issue: |
Change https://golang.org/cl/154102 mentions this issue: |
thaJeztah
added a commit
to thaJeztah/golang-cross
that referenced
this issue
Dec 13, 2018
go1.11.13 (released 2018/12/14) - crypto/x509: CPU denial of service in chain validation golang/go#29233 - cmd/go: directory traversal in "go get" via curly braces in import paths golang/go#29231 - cmd/go: remote command execution during "go get -u" golang/go#29230 See the Go 1.11.3 milestone on the issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.11.3 Signed-off-by: Sebastiaan van Stijn <[email protected]>
thaJeztah
added a commit
to thaJeztah/golang-cross
that referenced
this issue
Dec 14, 2018
go1.10.6 (released 2018/12/14) - crypto/x509: CPU denial of service in chain validation golang/go#29233 - cmd/go: directory traversal in "go get" via curly braces in import paths golang/go#29231 - cmd/go: remote command execution during "go get -u" golang/go#29230 See the Go 1.10.6 milestone on the issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.10.6 Signed-off-by: Sebastiaan van Stijn <[email protected]>
thaJeztah
added a commit
to thaJeztah/cli
that referenced
this issue
Dec 14, 2018
go1.10.6 (released 2018/12/14) - crypto/x509: CPU denial of service in chain validation golang/go#29233 - cmd/go: directory traversal in "go get" via curly braces in import paths golang/go#29231 - cmd/go: remote command execution during "go get -u" golang/go#29230 See the Go 1.10.6 milestone on the issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.10.6 Signed-off-by: Sebastiaan van Stijn <[email protected]>
thaJeztah
added a commit
to thaJeztah/cli
that referenced
this issue
Dec 14, 2018
go1.10.6 (released 2018/12/14) - crypto/x509: CPU denial of service in chain validation golang/go#29233 - cmd/go: directory traversal in "go get" via curly braces in import paths golang/go#29231 - cmd/go: remote command execution during "go get -u" golang/go#29230 See the Go 1.10.6 milestone on the issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.10.6 Signed-off-by: Sebastiaan van Stijn <[email protected]>
gopherbot
pushed a commit
that referenced
this issue
Dec 14, 2018
Updates #29230 Change-Id: Ia32d8ec1fc0c4e242f50d8871c0ef3ce315f3c65 Reviewed-on: https://team-review.git.corp.google.com/c/370571 Reviewed-by: Russ Cox <[email protected]> Reviewed-on: https://go-review.googlesource.com/c/154102 Reviewed-by: Bryan C. Mills <[email protected]>
gopherbot
pushed a commit
that referenced
this issue
Dec 14, 2018
This fixes a regression of #18660 with the new path checks. Updates #29230 Change-Id: I2dd9adab999e7f810e0e746ad8b75ea9622f56e7 Reviewed-on: https://team-review.git.corp.google.com/c/370578 Reviewed-by: Russ Cox <[email protected]> Reviewed-on: https://go-review.googlesource.com/c/154104 Reviewed-by: Bryan C. Mills <[email protected]>
thaJeztah
added a commit
to thaJeztah/docker-ce-packaging
that referenced
this issue
Dec 14, 2018
go1.11.13 (released 2018/12/14) - crypto/x509: CPU denial of service in chain validation golang/go#29233 - cmd/go: directory traversal in "go get" via curly braces in import paths golang/go#29231 - cmd/go: remote command execution during "go get -u" golang/go#29230 See the Go 1.11.3 milestone on the issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.11.3 Signed-off-by: Sebastiaan van Stijn <[email protected]>
thaJeztah
added a commit
to thaJeztah/docker-ce-packaging
that referenced
this issue
Dec 14, 2018
go1.11.3 (released 2018/12/14) - crypto/x509: CPU denial of service in chain validation golang/go#29233 - cmd/go: directory traversal in "go get" via curly braces in import paths golang/go#29231 - cmd/go: remote command execution during "go get -u" golang/go#29230 See the Go 1.11.3 milestone on the issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.11.3 Signed-off-by: Sebastiaan van Stijn <[email protected]>
thaJeztah
added a commit
to thaJeztah/docker-ce-packaging
that referenced
this issue
Dec 14, 2018
go1.11.3 (released 2018/12/14) - crypto/x509: CPU denial of service in chain validation golang/go#29233 - cmd/go: directory traversal in "go get" via curly braces in import paths golang/go#29231 - cmd/go: remote command execution during "go get -u" golang/go#29230 See the Go 1.11.3 milestone on the issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.11.3 Signed-off-by: Sebastiaan van Stijn <[email protected]>
docker-jenkins
pushed a commit
to docker-archive/docker-ce
that referenced
this issue
Dec 15, 2018
go1.10.6 (released 2018/12/14) - crypto/x509: CPU denial of service in chain validation golang/go#29233 - cmd/go: directory traversal in "go get" via curly braces in import paths golang/go#29231 - cmd/go: remote command execution during "go get -u" golang/go#29230 See the Go 1.10.6 milestone on the issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.10.6 Signed-off-by: Sebastiaan van Stijn <[email protected]> Upstream-commit: 8afe9f422dc0183ce48e1db09189ccbde634080a Component: engine
docker-jenkins
pushed a commit
to docker-archive/docker-ce
that referenced
this issue
Dec 15, 2018
go1.10.6 (released 2018/12/14) - crypto/x509: CPU denial of service in chain validation golang/go#29233 - cmd/go: directory traversal in "go get" via curly braces in import paths golang/go#29231 - cmd/go: remote command execution during "go get -u" golang/go#29230 See the Go 1.10.6 milestone on the issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.10.6 Signed-off-by: Sebastiaan van Stijn <[email protected]> Upstream-commit: 6c3a10aaede0cfc54cb5befbb70d6357d08d75b7 Component: cli
docker-jenkins
pushed a commit
to docker-archive/docker-ce
that referenced
this issue
Dec 17, 2018
go1.11.3 (released 2018/12/14) - crypto/x509: CPU denial of service in chain validation golang/go#29233 - cmd/go: directory traversal in "go get" via curly braces in import paths golang/go#29231 - cmd/go: remote command execution during "go get -u" golang/go#29230 See the Go 1.11.3 milestone on the issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.11.3 Signed-off-by: Sebastiaan van Stijn <[email protected]> Upstream-commit: 517a30b Component: packaging
thaJeztah
added a commit
to thaJeztah/cli
that referenced
this issue
Dec 19, 2018
go1.11.4 (released 2018/12/14) includes fixes to cgo, the compiler, linker, runtime, documentation, go command, and the net/http and go/types packages. It includes a fix to a bug introduced in Go 1.11.3 that broke go get for import path patterns containing "...". See the Go 1.11.4 milestone for details: https://github.com/golang/go/issues?q=milestone%3AGo1.11.4+label%3ACherryPickApproved go1.11.3 (released 2018/12/14) - crypto/x509: CPU denial of service in chain validation golang/go#29233 - cmd/go: directory traversal in "go get" via curly braces in import paths golang/go#29231 - cmd/go: remote command execution during "go get -u" golang/go#29230 See the Go 1.11.3 milestone on the issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.11.3 Signed-off-by: Sebastiaan van Stijn <[email protected]>
docker-jenkins
pushed a commit
to docker-archive/docker-ce
that referenced
this issue
Dec 19, 2018
go1.11.13 (released 2018/12/14) - crypto/x509: CPU denial of service in chain validation golang/go#29233 - cmd/go: directory traversal in "go get" via curly braces in import paths golang/go#29231 - cmd/go: remote command execution during "go get -u" golang/go#29230 See the Go 1.11.3 milestone on the issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.11.3 Signed-off-by: Sebastiaan van Stijn <[email protected]> Upstream-commit: 6b7c093b0de21d574ce120aee891e60187749174 Component: engine
docker-jenkins
pushed a commit
to docker-archive/docker-ce
that referenced
this issue
Jan 8, 2019
go1.11.4 (released 2018/12/14) includes fixes to cgo, the compiler, linker, runtime, documentation, go command, and the net/http and go/types packages. It includes a fix to a bug introduced in Go 1.11.3 that broke go get for import path patterns containing "...". See the Go 1.11.4 milestone for details: https://github.com/golang/go/issues?q=milestone%3AGo1.11.4+label%3ACherryPickApproved go1.11.3 (released 2018/12/14) - crypto/x509: CPU denial of service in chain validation golang/go#29233 - cmd/go: directory traversal in "go get" via curly braces in import paths golang/go#29231 - cmd/go: remote command execution during "go get -u" golang/go#29230 See the Go 1.11.3 milestone on the issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.11.3 Signed-off-by: Sebastiaan van Stijn <[email protected]> Upstream-commit: deaf6e13ab067e6794d20ec980b4ae216b65d07c Component: cli
thaJeztah
added a commit
to thaJeztah/cli
that referenced
this issue
Mar 4, 2019
go1.11.4 (released 2018/12/14) includes fixes to cgo, the compiler, linker, runtime, documentation, go command, and the net/http and go/types packages. It includes a fix to a bug introduced in Go 1.11.3 that broke go get for import path patterns containing "...". See the Go 1.11.4 milestone for details: https://github.com/golang/go/issues?q=milestone%3AGo1.11.4+label%3ACherryPickApproved go1.11.3 (released 2018/12/14) - crypto/x509: CPU denial of service in chain validation golang/go#29233 - cmd/go: directory traversal in "go get" via curly braces in import paths golang/go#29231 - cmd/go: remote command execution during "go get -u" golang/go#29230 See the Go 1.11.3 milestone on the issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.11.3 Signed-off-by: Sebastiaan van Stijn <[email protected]> (cherry picked from commit deaf6e1) Signed-off-by: Sebastiaan van Stijn <[email protected]>
thaJeztah
added a commit
to thaJeztah/cli
that referenced
this issue
Mar 28, 2019
go1.11.4 (released 2018/12/14) includes fixes to cgo, the compiler, linker, runtime, documentation, go command, and the net/http and go/types packages. It includes a fix to a bug introduced in Go 1.11.3 that broke go get for import path patterns containing "...". See the Go 1.11.4 milestone for details: https://github.com/golang/go/issues?q=milestone%3AGo1.11.4+label%3ACherryPickApproved go1.11.3 (released 2018/12/14) - crypto/x509: CPU denial of service in chain validation golang/go#29233 - cmd/go: directory traversal in "go get" via curly braces in import paths golang/go#29231 - cmd/go: remote command execution during "go get -u" golang/go#29230 See the Go 1.11.3 milestone on the issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.11.3 Signed-off-by: Sebastiaan van Stijn <[email protected]> (cherry picked from commit deaf6e1) Signed-off-by: Sebastiaan van Stijn <[email protected]>
thaJeztah
added a commit
to thaJeztah/cli
that referenced
this issue
Mar 28, 2019
go1.11.4 (released 2018/12/14) includes fixes to cgo, the compiler, linker, runtime, documentation, go command, and the net/http and go/types packages. It includes a fix to a bug introduced in Go 1.11.3 that broke go get for import path patterns containing "...". See the Go 1.11.4 milestone for details: https://github.com/golang/go/issues?q=milestone%3AGo1.11.4+label%3ACherryPickApproved go1.11.3 (released 2018/12/14) - crypto/x509: CPU denial of service in chain validation golang/go#29233 - cmd/go: directory traversal in "go get" via curly braces in import paths golang/go#29231 - cmd/go: remote command execution during "go get -u" golang/go#29230 See the Go 1.11.3 milestone on the issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.11.3 Signed-off-by: Sebastiaan van Stijn <[email protected]> (cherry picked from commit deaf6e1) Signed-off-by: Sebastiaan van Stijn <[email protected]>
adhulipa
pushed a commit
to adhulipa/docker
that referenced
this issue
Apr 11, 2019
go1.11.13 (released 2018/12/14) - crypto/x509: CPU denial of service in chain validation golang/go#29233 - cmd/go: directory traversal in "go get" via curly braces in import paths golang/go#29231 - cmd/go: remote command execution during "go get -u" golang/go#29230 See the Go 1.11.3 milestone on the issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.11.3 Signed-off-by: Sebastiaan van Stijn <[email protected]>
thaJeztah
added a commit
to thaJeztah/cli
that referenced
this issue
Apr 14, 2019
go1.11.4 (released 2018/12/14) includes fixes to cgo, the compiler, linker, runtime, documentation, go command, and the net/http and go/types packages. It includes a fix to a bug introduced in Go 1.11.3 that broke go get for import path patterns containing "...". See the Go 1.11.4 milestone for details: https://github.com/golang/go/issues?q=milestone%3AGo1.11.4+label%3ACherryPickApproved go1.11.3 (released 2018/12/14) - crypto/x509: CPU denial of service in chain validation golang/go#29233 - cmd/go: directory traversal in "go get" via curly braces in import paths golang/go#29231 - cmd/go: remote command execution during "go get -u" golang/go#29230 See the Go 1.11.3 milestone on the issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.11.3 Signed-off-by: Sebastiaan van Stijn <[email protected]> (cherry picked from commit deaf6e1) Signed-off-by: Sebastiaan van Stijn <[email protected]>
thaJeztah
added a commit
to thaJeztah/cli
that referenced
this issue
May 20, 2019
go1.11.4 (released 2018/12/14) includes fixes to cgo, the compiler, linker, runtime, documentation, go command, and the net/http and go/types packages. It includes a fix to a bug introduced in Go 1.11.3 that broke go get for import path patterns containing "...". See the Go 1.11.4 milestone for details: https://github.com/golang/go/issues?q=milestone%3AGo1.11.4+label%3ACherryPickApproved go1.11.3 (released 2018/12/14) - crypto/x509: CPU denial of service in chain validation golang/go#29233 - cmd/go: directory traversal in "go get" via curly braces in import paths golang/go#29231 - cmd/go: remote command execution during "go get -u" golang/go#29230 See the Go 1.11.3 milestone on the issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.11.3 Signed-off-by: Sebastiaan van Stijn <[email protected]> (cherry picked from commit deaf6e1) Signed-off-by: Sebastiaan van Stijn <[email protected]>
thaJeztah
added a commit
to thaJeztah/cli
that referenced
this issue
Jun 14, 2019
go1.11.4 (released 2018/12/14) includes fixes to cgo, the compiler, linker, runtime, documentation, go command, and the net/http and go/types packages. It includes a fix to a bug introduced in Go 1.11.3 that broke go get for import path patterns containing "...". See the Go 1.11.4 milestone for details: https://github.com/golang/go/issues?q=milestone%3AGo1.11.4+label%3ACherryPickApproved go1.11.3 (released 2018/12/14) - crypto/x509: CPU denial of service in chain validation golang/go#29233 - cmd/go: directory traversal in "go get" via curly braces in import paths golang/go#29231 - cmd/go: remote command execution during "go get -u" golang/go#29230 See the Go 1.11.3 milestone on the issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.11.3 Signed-off-by: Sebastiaan van Stijn <[email protected]> (cherry picked from commit deaf6e1) Signed-off-by: Sebastiaan van Stijn <[email protected]>
thaJeztah
added a commit
to thaJeztah/docker
that referenced
this issue
Jun 20, 2019
go1.11.13 (released 2018/12/14) - crypto/x509: CPU denial of service in chain validation golang/go#29233 - cmd/go: directory traversal in "go get" via curly braces in import paths golang/go#29231 - cmd/go: remote command execution during "go get -u" golang/go#29230 See the Go 1.11.3 milestone on the issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.11.3 Signed-off-by: Sebastiaan van Stijn <[email protected]> (cherry picked from commit 6b7c093) Signed-off-by: Sebastiaan van Stijn <[email protected]>
thaJeztah
added a commit
to thaJeztah/docker-ce-packaging
that referenced
this issue
Jul 8, 2019
go1.11.3 (released 2018/12/14) - crypto/x509: CPU denial of service in chain validation golang/go#29233 - cmd/go: directory traversal in "go get" via curly braces in import paths golang/go#29231 - cmd/go: remote command execution during "go get -u" golang/go#29230 See the Go 1.11.3 milestone on the issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.11.3 Signed-off-by: Sebastiaan van Stijn <[email protected]> (cherry picked from commit 517a30b) Signed-off-by: Sebastiaan van Stijn <[email protected]>
docker-jenkins
pushed a commit
to docker-archive/docker-ce
that referenced
this issue
Jul 24, 2019
go1.11.4 (released 2018/12/14) includes fixes to cgo, the compiler, linker, runtime, documentation, go command, and the net/http and go/types packages. It includes a fix to a bug introduced in Go 1.11.3 that broke go get for import path patterns containing "...". See the Go 1.11.4 milestone for details: https://github.com/golang/go/issues?q=milestone%3AGo1.11.4+label%3ACherryPickApproved go1.11.3 (released 2018/12/14) - crypto/x509: CPU denial of service in chain validation golang/go#29233 - cmd/go: directory traversal in "go get" via curly braces in import paths golang/go#29231 - cmd/go: remote command execution during "go get -u" golang/go#29230 See the Go 1.11.3 milestone on the issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.11.3 Signed-off-by: Sebastiaan van Stijn <[email protected]> (cherry picked from commit deaf6e13ab067e6794d20ec980b4ae216b65d07c) Signed-off-by: Sebastiaan van Stijn <[email protected]> Upstream-commit: a378a009541cf2377e6410c28183d7710ad37ed6 Component: cli
docker-jenkins
pushed a commit
to docker-archive/docker-ce
that referenced
this issue
Jul 24, 2019
go1.11.13 (released 2018/12/14) - crypto/x509: CPU denial of service in chain validation golang/go#29233 - cmd/go: directory traversal in "go get" via curly braces in import paths golang/go#29231 - cmd/go: remote command execution during "go get -u" golang/go#29230 See the Go 1.11.3 milestone on the issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.11.3 Signed-off-by: Sebastiaan van Stijn <[email protected]> (cherry picked from commit 6b7c093b0de21d574ce120aee891e60187749174) Signed-off-by: Sebastiaan van Stijn <[email protected]> Upstream-commit: 19d37c9a337e82e0e8ce0ff28271739e8ec78e83 Component: engine
docker-jenkins
pushed a commit
to docker-archive/docker-ce
that referenced
this issue
Aug 7, 2019
go1.11.3 (released 2018/12/14) - crypto/x509: CPU denial of service in chain validation golang/go#29233 - cmd/go: directory traversal in "go get" via curly braces in import paths golang/go#29231 - cmd/go: remote command execution during "go get -u" golang/go#29230 See the Go 1.11.3 milestone on the issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.11.3 Signed-off-by: Sebastiaan van Stijn <[email protected]> (cherry picked from commit 517a30b) Signed-off-by: Sebastiaan van Stijn <[email protected]> Upstream-commit: 17565b93d361b1b189962b3e98c431316a7cc628 Component: packaging
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
go get -u
downloads, updates, and builds source code. It is not supposed to execute arbitrary code.The
go get
command is vulnerable to remote code execution when executed with the -u flag and the import path of a malicious Go package, or a package that imports it directly or indirectly. Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). Using custom domains, it’s possible to arrange things so that a Git repository is cloned to a folder named.git
by using a vanity import path that ends with/.git
. If the Git repository root contains aHEAD
file, aconfig
file, anobjects
directory, arefs
directory, with some work to ensure the proper ordering of operations,go get -u
can be tricked into considering the parent directory as a repository root, and running Git commands on it. That will use theconfig
file in the original Git repository root for its configuration, and if that config file contains malicious commands, they will execute on the system runninggo get -u
.Note that forbidding import paths with a
.git
element might not be sufficient to mitigate this issue, as on certain systems there can be other aliases for VCS state folders.Thanks to Etienne Stalmans from the Heroku platform security team for discovering and reporting this issue.
This issue is CVE-2018-16873.
The text was updated successfully, but these errors were encountered: