Bug 1062085 – VUL-0: CVE-2017-15041: golang: arbitrary code execution during “go get” or “go get -d”

Bug 1062085 - (CVE-2017-15041) VUL-0: CVE-2017-15041: golang: arbitrary code execution during “go get” or “go get -d”

(CVE-2017-15041)
Summary:	VUL-0: CVE-2017-15041: golang: arbitrary code execution during “go get” or “g...

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Minor
Target Milestone:	---
Assigned To:	Thomas Hipp
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/192886/
Whiteboard:	CVSSv2:NVD:CVE-2017-15041:7.5:(AV:N/A...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2017-10-06 14:59 UTC by Alexander Bergmann
Modified:	2022-02-15 21:55 UTC (History)
CC List:	3 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Alexander Bergmann 2017-10-06 14:59:01 UTC

rh#1498870

Go before 1.8.4 and 1.9.x before 1.9.1 allows "go get" remote command execution.
Using custom domains, it is possible to arrange things so that example.com/pkg1
points to a Subversion repository but example.com/pkg1/pkg2 points to a Git
repository. If the Subversion repository includes a Git checkout in its pkg2
directory and some other work is done to ensure the proper ordering of
operations, "go get" can be tricked into reusing this Git checkout for the fetch
of code from pkg2. If the Subversion repository's Git checkout has malicious
commands in .git/hooks/, they will execute on the system running "go get."

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1498870
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-15041
http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-15041.html
http://www.cvedetails.com/cve/CVE-2017-15041/
https://golang.org/cl/68190
https://golang.org/cl/68022
https://github.com/golang/go/issues/22125
https://groups.google.com/d/msg/golang-dev/RinSE3EiJBI/kYL7zb07AgAJ

Comment 1 Flavio Castelli 2017-10-06 15:03:17 UTC

Reassigning to Thomas who is charge of go packages.

Comment 2 Aleksa Sarai 2017-10-07 07:01:24 UTC

Note that we don't ship go (the actual compiler) in SLE, so this is only of concern to openSUSE.

Comment 4 Swamp Workflow Management 2018-05-17 17:00:35 UTC

This is an autogenerated message for OBS integration:
This bug (1062085) was mentioned in
https://build.opensuse.org/request/show/610123 Factory / go1.10

Comment 12 Swamp Workflow Management 2018-12-15 08:40:40 UTC

This is an autogenerated message for OBS integration:
This bug (1062085) was mentioned in
https://build.opensuse.org/request/show/658307 Factory / go1.10
https://build.opensuse.org/request/show/658308 Factory / go1.11

Comment 14 Swamp Workflow Management 2018-12-17 15:41:02 UTC

This is an autogenerated message for OBS integration:
This bug (1062085) was mentioned in
https://build.opensuse.org/request/show/658934 15.0+42.3 / go1.11

Comment 15 Swamp Workflow Management 2019-02-27 11:00:39 UTC

This is an autogenerated message for OBS integration:
This bug (1062085) was mentioned in
https://build.opensuse.org/request/show/679777 Factory / go1.11

Comment 16 Swamp Workflow Management 2019-03-25 11:10:34 UTC

This is an autogenerated message for OBS integration:
This bug (1062085) was mentioned in
https://build.opensuse.org/request/show/688187 Factory / go1.12

Comment 20 Alexander Bergmann 2019-07-19 08:08:09 UTC

This was fixed with submission sr#192108 inside the go1.12 package.

Closing bug.