Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 14 Dec 2018 13:06:44 -0500
From: Dmitri Shuralyov <dmitshur@...ang.org>
To: oss-security@...ts.openwall.com
Cc: Security Officer <security@...ang.org>, Filippo Valsorda <filippo@...ang.org>
Subject: Go security releases 1.11.3 and 1.10.6

Hello,

We have released Go 1.11.3 and Go 1.10.6 to address three recently
reported security issues. You can see an announcement at
https://groups.google.com/d/msg/golang-announce/Kw31K8G7Fi0/z2olKn-QCAAJ.

We are making this posting to oss-security list now that the security
issues are public to follow the policy described at
https://oss-security.openwall.org/wiki/mailing-lists/distros. We
recommend subscribing to the golang-announce list at
https://groups.google.com/d/forum/golang-announce to guarantee
receiving notifications about future Go security releases.

There are three vulnerabilities being addressed by the security release:

• cmd/go: remote command execution during "go get -u"

The "go get" command is vulnerable to remote code execution when
executed with the -u flag and the import path of a malicious Go
package, or a package that imports it directly or indirectly.
Specifically, it is only vulnerable in GOPATH mode, but not in module
mode (the distinction is documented at
https://golang.org/cmd/go/#hdr-Module_aware_go_get). Using custom
domains, it’s possible to arrange things so that a Git repository is
cloned to a folder named .git by using a vanity import path that ends
with "/.git". If the Git repository root contains a HEAD file, a
config file, an objects directory, a refs directory, with some work to
ensure the proper ordering of operations, "go get -u" can be tricked
into considering the parent directory as a repository root, and
running Git commands on it. That will use the config file in the
original Git repository root for its configuration, and if that config
file contains malicious commands, they will execute on the system
running "go get -u".

The issue is CVE-2018-16873 and Go issue https://golang.org/issue/29230.

Thanks to Etienne Stalmans from the Heroku platform security team for
discovering and reporting this issue.

• cmd/go: directory traversal in "go get" via curly braces in import paths

The "go get" command is vulnerable to directory traversal when
executed with the import path of a malicious Go package which contains
curly braces (both '{' and '}' characters). Specifically, it is only
vulnerable in GOPATH mode, but not in module mode (the distinction is
documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). The
attacker can cause an arbitrary filesystem write, which can lead to
code execution.

The issue is CVE-2018-16874 and Go issue https://golang.org/issue/29231.

Thanks to ztz of Tencent Security Platform for discovering and
reporting this issue.

• crypto/x509: CPU denial of service in chain validation

The crypto/x509 package does not limit the amount of work performed
for each chain verification, which might allow attackers to craft
pathological inputs leading to a CPU denial of service. Go TLS servers
accepting client certificates and TLS clients verifying certificates
are affected.

The issue is CVE-2018-16875 and Go issue https://golang.org/issue/29233.

Thanks to Netflix for discovering and reporting this issue.

All three vulnerabilities affect Go before 1.10.6, and 1.11.x before 1.11.3.

Thank you,
Dmitri on behalf of the Go team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.