CVE-2018-16873

Priority
Description
In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is
vulnerable to remote code execution when executed with the -u flag and the
import path of a malicious Go package, or a package that imports it
directly or indirectly. Specifically, it is only vulnerable in GOPATH mode,
but not in module mode (the distinction is documented at
https://golang.org/cmd/go/#hdr-Module_aware_go_get). Using custom domains,
it's possible to arrange things so that a Git repository is cloned to a
folder named ".git" by using a vanity import path that ends with "/.git".
If the Git repository root contains a "HEAD" file, a "config" file, an
"objects" directory, a "refs" directory, with some work to ensure the
proper ordering of operations, "go get -u" can be tricked into considering
the parent directory as a repository root, and running Git commands on it.
That will use the "config" file in the original Git repository root for its
configuration, and if that config file contains malicious commands, they
will execute on the system running "go get -u".
Notes
 mdeslaur> Packages built using golang need to be rebuilt once the
 mdeslaur> vulnerability has been fixed. This CVE entry does not
 mdeslaur> list packages that need rebuilding outside of the main
 mdeslaur> repository or the Ubuntu variants with PPA overlays.
Package
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE (trusty was needs-triage)
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Ubuntu 18.04 LTS (Bionic Beaver):DNE
Ubuntu 18.10 (Cosmic Cuttlefish):DNE
Ubuntu 19.04 (Disco Dingo):DNE
Ubuntu 19.10 (Eoan):DNE
Package
Upstream:released (1.10.6-1)
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):needed
Ubuntu 16.04 LTS (Xenial Xerus):needed
Ubuntu 18.04 LTS (Bionic Beaver):needed
Ubuntu 18.10 (Cosmic Cuttlefish):needed
Ubuntu 19.04 (Disco Dingo):needed
Ubuntu 19.10 (Eoan):DNE
Patches:
Upstream:https://github.com/golang/go/commit/90d609ba6156299642d08afc06d85ab770a03972 (1.10.6)
Upstream:https://github.com/golang/go/commit/7ef6ee2c5727f0d11206b4d1866c18e6ab4785be (1.10.6)
Package
Upstream:released (1.11.3-1)
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Ubuntu 18.04 LTS (Bionic Beaver):DNE
Ubuntu 18.10 (Cosmic Cuttlefish):DNE
Ubuntu 19.04 (Disco Dingo):not-affected (1.11.5-1ubuntu1)
Ubuntu 19.10 (Eoan):not-affected (1.11.5-1ubuntu1)
Patches:
Upstream:https://github.com/golang/go/commit/8954addb3294a5e664a9833354bafa58f163fe8f (1.11.3)
Upstream:https://github.com/golang/go/commit/5aedc8af94c0a8ffc58cbd09993192dea9b238db (1.11.3)
Package
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE (trusty was needs-triage)
Ubuntu 16.04 LTS (Xenial Xerus):needs-triage
Ubuntu 18.04 LTS (Bionic Beaver):DNE
Ubuntu 18.10 (Cosmic Cuttlefish):DNE
Ubuntu 19.04 (Disco Dingo):DNE
Ubuntu 19.10 (Eoan):DNE
Package
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Ubuntu 18.04 LTS (Bionic Beaver):DNE
Ubuntu 18.10 (Cosmic Cuttlefish):needs-triage
Ubuntu 19.04 (Disco Dingo):DNE
Ubuntu 19.10 (Eoan):DNE
Package
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Ubuntu 18.04 LTS (Bionic Beaver):needs-triage
Ubuntu 18.10 (Cosmic Cuttlefish):needs-triage
Ubuntu 19.04 (Disco Dingo):DNE
Ubuntu 19.10 (Eoan):DNE
Package
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Ubuntu 18.04 LTS (Bionic Beaver):needs-triage
Ubuntu 18.10 (Cosmic Cuttlefish):needs-triage
Ubuntu 19.04 (Disco Dingo):DNE
Ubuntu 19.10 (Eoan):DNE
More Information

Updated: 2019-05-15 17:17:35 UTC (commit 2d71aefac924bf16479c12958688c37878e881eb)