cmd/go: arbitrary command execution via VCS path #23867
Comments
|
Change https://golang.org/cl/94656 mentions this issue: |
|
@ianlancetaylor and I discussed this and we were thinking something like https://go-review.googlesource.com/c/go/+/94603 which is a little bit safer (in terms of not breaking people), compared to https://golang.org/cl/94656. Especially for so late in the Go 1.10 cycle. |
bradfitz
added
the
NeedsFix
|
@bradfitz @ianlancetaylor is this a release-blocker for Go1.10? |
|
Change https://golang.org/cl/94603 mentions this issue: |
|
After thinking about a bit more I'm not sure that it is a release blocker for 1.10. As far as we can tell it is only insecure if you explicitly say |
|
My inclination right now is to go with my CL (94603) for patch releases, including 1.10.1, but go with @Invizory 's CL (94656) for 1.11. That should give us plenty of time to find out whether full URL parsing will work, and back off if it won't. |
|
SGTM on both of the previous two comments. |
|
This has been assigned CVE-2018-7187. |
|
I've submitted my CL, setting up to backport to 1.10.1 and 1.9.4. @Invizory unfortunately you'll need to rebase your CL and fix the merge conflicts, then we can get that in for 1.11. Thanks. |
|
s/1.9.4/1.9.5/ ? |
|
The issue is fixed for 1.11, reopening for a backport to 1.10.1. |
@ianlancetaylor What about |
|
For golang.org/x we can use 94656 right away. Thanks. |
|
Change https://golang.org/cl/94899 mentions this issue: |
|
I've sent CL 94899 for golang.org/x. |
Apply same change as CL 94656 did for cmd/go/internal/get, but for golang.org/x/tools/go/vcs, to help keep them in sync. It indirectly includes changes from CL 94603, since CL 94656 was rebased on top of CL 94603. Updates golang/go#23867. Helps golang/go#11490. Change-Id: I33eca1aba19f47bbe3e83d4ef9f9cc9a9c9ae975 Reviewed-on: https://go-review.googlesource.com/94899 Reviewed-by: Ian Lance Taylor <iant@golang.org> Run-TryBot: Ian Lance Taylor <iant@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org>
Apply same change as CL 94656 did for cmd/go/internal/get, but for golang.org/x/tools/go/vcs, to help keep them in sync. It indirectly includes changes from CL 94603, since CL 94656 was rebased on top of CL 94603. Updates golang/go#23867. Helps golang/go#11490. Change-Id: I33eca1aba19f47bbe3e83d4ef9f9cc9a9c9ae975 Reviewed-on: https://go-review.googlesource.com/94899 Reviewed-by: Ian Lance Taylor <iant@golang.org> Run-TryBot: Ian Lance Taylor <iant@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org>
|
CL 94603 OK for Go 1.10.1 |
andybons
added
CherryPickApproved
|
Change https://golang.org/cl/102776 mentions this issue: |
|
Change https://golang.org/cl/102778 mentions this issue: |
Before this change, when using -insecure, we permitted any meta import repo root as long as it contained "://". When not using -insecure, we restrict meta import repo roots to be valid URLs. People may depend on that somehow, so permit meta import repo roots to be invalid URLs, but require them to have valid schemes per RFC 3986. Fixes #23867 Change-Id: Iac666dfc75ac321bf8639dda5b0dba7c8840922d Reviewed-on: https://go-review.googlesource.com/94603 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Reviewed-on: https://go-review.googlesource.com/102776 Run-TryBot: Andrew Bonventre <andybons@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Ian Lance Taylor <iant@golang.org>
Before this change, when using -insecure, we permitted any meta import repo root as long as it contained "://". When not using -insecure, we restrict meta import repo roots to be valid URLs. People may depend on that somehow, so permit meta import repo roots to be invalid URLs, but require them to have valid schemes per RFC 3986. Fixes #23867 Change-Id: Iac666dfc75ac321bf8639dda5b0dba7c8840922d Reviewed-on: https://go-review.googlesource.com/94603 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Reviewed-on: https://go-review.googlesource.com/102778 Run-TryBot: Andrew Bonventre <andybons@golang.org> Reviewed-by: Ian Lance Taylor <iant@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org>
This fixes a security issue (golang/go#23867). Also: These releases include fixes to the compiler, runtime, go command, and the archive/zip, crypto/tls, crypto/x509, encoding/json, net, net/http, and net/http/pprof packages. ok wiz@ for committing during freeze
I contacted security@golang.org about this and was allowed to create a public issue.
This has been assigned CVE-2018-7187.
What version of Go are you using (
go version)?go version go1.9.4 linux/amd64(earlier versions are also affected)Does this issue reproduce with the latest release?
Yes.
What did you do?
The
go getimplementation, when the-insecurecommand-line option is used, does not validate the import path, which allows remote attackers to execute arbitrary OS commands via a crafted website.For example, this command should execute
echo hello $USER:See https://khashaev.ru/go-vuln/index.html:
The proof of concept presented above is targeting Mercurial.
What did you expect to see?
What did you see instead?
The text was updated successfully, but these errors were encountered: