vulndb/data/reports/GO-2022-0189.yaml

modules:
  - module: cmd
    versions:
      - fixed: 1.10.6
      - introduced: 1.11.0
        fixed: 1.11.3
    vulnerable_at: 1.11.2
    packages:
      - package: cmd/go/internal/get
        symbols:
          - downloadPackage
        skip_fix: 'TODO: revisit this reason (cant request explicit version v1.11.2
            of standard library package cmd/go/internal/get'
description: |
    The "go get" command is vulnerable to remote code execution when executed
    with the -u flag and the import path of a malicious Go package, or a
    package that imports it directly or indirectly.

    Specifically, it is only vulnerable in GOPATH mode, but not in module mode
    (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get).

    Using custom domains, it's possible to arrange things so that a Git
    repository is cloned to a folder named ".git" by using a vanity import path
    that ends with "/.git". If the Git repository root contains a "HEAD" file,
    a "config" file, an "objects" directory, a "refs" directory, with some work
    to ensure the proper ordering of operations, "go get -u" can be tricked
    into considering the parent directory as a repository root, and running Git
    commands on it. That will use the "config" file in the original Git
    repository root for its configuration, and if that config file contains
    malicious commands, they will execute on the system running "go get -u".

    Note that forbidding import paths with a .git element might not be
    sufficient to mitigate this issue, as on certain systems there can be other
    aliases for VCS state folders.    
published: 2022-08-04T21:30:35Z
cves:
  - CVE-2018-16873
credit: Etienne Stalmans of Heroku
references:
  - fix: https://go.dev/cl/154101
  - fix: https://go.googlesource.com/go/+/bc82d7c7db83487e05d7a88e06549d4ae2a688c3
  - report: https://go.dev/issue/29230
  - web: https://groups.google.com/g/golang-announce/c/Kw31K8G7Fi0