Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

cmd/go: packages using cgo can cause arbitrary code execution on Windows #43783

Closed
rolandshoemaker opened this issue Jan 19, 2021 · 2 comments
Closed

cmd/go: packages using cgo can cause arbitrary code execution on Windows #43783

rolandshoemaker opened this issue Jan 19, 2021 · 2 comments
Labels
FrozenDueToAge GoCommand cmd/go NeedsFix The path to resolution is known, but the work has not been done. release-blocker Security
Milestone
Go1.16

Comments

@rolandshoemaker
Copy link
Member

The go command may execute arbitrary code at build time when using cgo on Windows. This can be triggered by running go get for a malicious package, or any other time the code is built.

This can be triggered by malicious packages which contain specifically named binaries which are executed when cgo is executed in the context of the malicious package directory. This is due to the path lookup behavior of os/exec.LookPath on Windows.

This will also affect Unix users who have “.” listed explicitly in their PATH and are running “go get” outside of a module or with module mode disabled.

This has been fixed by altering the usage of os/exec.LookPath by the go command to reject the usage of any binaries that reside in the current directory. If you are interested in understanding whether your own programs have a problem, we’ve written a blog post about the underlying issue: https://blog.golang.org/path-security.

Thanks to RyotaK (https://twitter.com/ryotkak) for reporting this issue.

This issue is CVE-2021-3115.
@rolandshoemaker rolandshoemaker added this to the Go1.16 milestone Jan 19, 2021
@andygabby andygabby mentioned this issue Jan 20, 2021
Merged
@dmitshur dmitshur added GoCommand cmd/go NeedsFix The path to resolution is known, but the work has not been done. release-blocker labels Jan 20, 2021
@gtardif gtardif mentioned this issue Jan 20, 2021
Closed
@gopherbot
Copy link

Change https://golang.org/cl/284780 mentions this issue: cmd/go: pass resolved CC, GCCGO to cgo

@gopherbot
Copy link

Change https://golang.org/cl/284783 mentions this issue: all: introduce and use internal/execabs

gopherbot pushed a commit that referenced this issue Jan 21, 2021
@rolandshoemaker
all: introduce and use internal/execabs
953d1fe 
Introduces a wrapper around os/exec, internal/execabs, for use in
all commands. This wrapper prevents exec.LookPath and exec.Command from
running executables in the current directory.

All imports of os/exec in non-test files in cmd/ are replaced with
imports of internal/execabs.

This issue was reported by RyotaK.

Fixes CVE-2021-3115
Fixes #43783

Change-Id: I0423451a6e27ec1e1d6f3fe929ab1ef69145c08f
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/955304
Reviewed-by: Russ Cox <rsc@google.com>
Reviewed-by: Katie Hockman <katiehockman@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/284783
Run-TryBot: Roland Shoemaker <roland@golang.org>
Reviewed-by: Katie Hockman <katie@golang.org>
Trust: Roland Shoemaker <roland@golang.org>
@chancila chancila mentioned this issue Jul 22, 2021
Closed
@golang golang locked and limited conversation to collaborators Jan 21, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
FrozenDueToAge GoCommand cmd/go NeedsFix The path to resolution is known, but the work has not been done. release-blocker Security
Projects
None yet
Milestone
Go1.16
Development

No branches or pull requests
3 participants
@dmitshur @rolandshoemaker @gopherbot