Bug 1062085 - (CVE-2017-15041) VUL-0: CVE-2017-15041: golang: arbitrary code execution during “go get” or “go get -d”
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other / OS: Other
Priority: P3 - Medium / Severity: Minor
Target Milestone: ---
Assigned To: Thomas Hipp
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/192886/
Whiteboard: CVSSv2:NVD:CVE-2017-15041:7.5:(AV:N/A...
Reported: 2017-10-06 14:59 UTC by Alexander Bergmann
Modified: 2022-02-15 21:55 UTC
Found By: Security Response Team
Description Alexander Bergmann 2017-10-06 14:59:01 UTC
rh#1498870

Go before 1.8.4 and 1.9.x before 1.9.1 allows "go get" remote command execution.
Using custom domains, it is possible to arrange things so that example.com/pkg1
points to a Subversion repository but example.com/pkg1/pkg2 points to a Git
repository. If the Subversion repository includes a Git checkout in its pkg2
directory and some other work is done to ensure the proper ordering of
operations, "go get" can be tricked into reusing this Git checkout for the fetch
of code from pkg2. If the Subversion repository's Git checkout has malicious
commands in .git/hooks/, they will execute on the system running "go get."

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1498870
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-15041
http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-15041.html
http://www.cvedetails.com/cve/CVE-2017-15041/
https://golang.org/cl/68190
https://golang.org/cl/68022
https://github.com/golang/go/issues/22125
https://groups.google.com/d/msg/golang-dev/RinSE3EiJBI/kYL7zb07AgAJ
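The description above boils down to a layout a defender can look for on disk: a Git checkout (with populated `.git/hooks`) sitting underneath a Subversion working copy inside a fetched import path. The following audit helper is an added example, not part of this bug report, of the Go toolchain, or of any SUSE package. It walks a tree such as an old-style `GOPATH/src` and reports every nested `.git` directory that lies beneath a `.svn` checkout and carries hook scripts other than the `.sample` files git installs by default. The function and type names are this example's own choices.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// Finding describes a Git checkout nested inside a Subversion working copy
// whose .git/hooks directory carries hook scripts that git would execute.
type Finding struct {
	SvnRoot string   // directory holding the enclosing .svn
	GitDir  string   // the nested .git directory
	Hooks   []string // hook files present that are not *.sample
}

// FindNestedGitHooks walks root and returns one Finding per .git directory
// that sits beneath a Subversion working copy and has active hook scripts.
// This is a hypothetical audit helper, not part of the go tool.
func FindNestedGitHooks(root string) ([]Finding, error) {
	var findings []Finding
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if !d.IsDir() || d.Name() != ".git" {
			return nil
		}
		// Only the svn-wrapping-git pattern from the bug description is of interest.
		svnRoot := enclosingSvnRoot(filepath.Dir(path), root)
		if svnRoot != "" {
			if hooks := activeHooks(filepath.Join(path, "hooks")); len(hooks) > 0 {
				findings = append(findings, Finding{SvnRoot: svnRoot, GitDir: path, Hooks: hooks})
			}
		}
		return filepath.SkipDir // never descend into .git internals
	})
	return findings, err
}

// enclosingSvnRoot walks upward from dir (stopping at root) and returns the
// first directory that contains a .svn subdirectory, or "" if there is none.
func enclosingSvnRoot(dir, root string) string {
	for {
		if st, err := os.Stat(filepath.Join(dir, ".svn")); err == nil && st.IsDir() {
			return dir
		}
		if dir == root || dir == filepath.Dir(dir) {
			return ""
		}
		dir = filepath.Dir(dir)
	}
}

// activeHooks lists regular files in hooksDir, skipping git's inert *.sample stubs.
func activeHooks(hooksDir string) []string {
	entries, err := os.ReadDir(hooksDir)
	if err != nil {
		return nil
	}
	var out []string
	for _, e := range entries {
		if e.IsDir() || strings.HasSuffix(e.Name(), ".sample") {
			continue
		}
		out = append(out, e.Name())
	}
	return out
}

func main() {
	root := "."
	if len(os.Args) > 1 {
		root = os.Args[1]
	}
	findings, err := FindNestedGitHooks(root)
	if err != nil {
		fmt.Fprintln(os.Stderr, "walk failed:", err)
		os.Exit(2)
	}
	for _, f := range findings {
		fmt.Printf("svn checkout %s contains git dir %s with hooks %v\n", f.SvnRoot, f.GitDir, f.Hooks)
	}
	if len(findings) > 0 {
		os.Exit(1)
	}
}
```

Run it as `go run audit.go "$GOPATH/src"` (or any checkout directory); a non-zero exit means at least one nested checkout with live hooks was found and should be inspected before any further `go get` or git operation touches it. A plain Git checkout that is not under a Subversion working copy is deliberately not reported, since it does not match the ordering trick the description relies on.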
Comment 1 Flavio Castelli 2017-10-06 15:03:17 UTC
Reassigning to Thomas who is in charge of go packages.
Comment 2 Aleksa Sarai 2017-10-07 07:01:24 UTC
Note that we don't ship go (the actual compiler) in SLE, so this is only of concern to openSUSE.
Comment 4 Swamp Workflow Management 2018-05-17 17:00:35 UTC
This is an autogenerated message for OBS integration:
This bug (1062085) was mentioned in
https://build.opensuse.org/request/show/610123 Factory / go1.10
Comment 12 Swamp Workflow Management 2018-12-15 08:40:40 UTC
This is an autogenerated message for OBS integration:
This bug (1062085) was mentioned in
https://build.opensuse.org/request/show/658307 Factory / go1.10
https://build.opensuse.org/request/show/658308 Factory / go1.11
Comment 14 Swamp Workflow Management 2018-12-17 15:41:02 UTC
This is an autogenerated message for OBS integration:
This bug (1062085) was mentioned in
https://build.opensuse.org/request/show/658934 15.0+42.3 / go1.11
Comment 15 Swamp Workflow Management 2019-02-27 11:00:39 UTC
This is an autogenerated message for OBS integration:
This bug (1062085) was mentioned in
https://build.opensuse.org/request/show/679777 Factory / go1.11
Comment 16 Swamp Workflow Management 2019-03-25 11:10:34 UTC
This is an autogenerated message for OBS integration:
This bug (1062085) was mentioned in
https://build.opensuse.org/request/show/688187 Factory / go1.12
Comment 20 Alexander Bergmann 2019-07-19 08:08:09 UTC
This was fixed with submission sr#192108 inside the go1.12 package.

Closing bug.