Arch Linux update for go

Published: 2018-12-18 12:16:29
Severity High
Patch available YES
Number of vulnerabilities 3
CVE ID CVE-2018-16873
CVE-2018-16874
CVE-2018-16875
CVSSv3 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
6.5 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CWE ID CWE-77
CWE-22
CWE-20
Exploitation vector Network
Public exploit N/A
Vulnerable software Arch Linux
Vulnerable software versions Arch Linux -
Vendor URL Arch Linux

Security Advisory

1) Command injection

Description

The vulnerability allows a remote attacker to execute arbitrary commands on the target system.

The vulnerability exists in the go get command due to import path of a malicious Go package, or a package that imports it directly or indirectly. A remote unauthenticated attacker can use a vanity import path that ends with "/.git", use custom domains to arrange things so that a Git repository is cloned to a folder named ".git", trick the victim into considering the parent directory as a repository root, and run Git commands on it that will use the "config" file in the original Git repository root for its configuration, and if that config file contains malicious commands, and execute arbitrary code on the system running "go get -u".

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Remediation

Update the affected package go to version 2

External links

https://security.archlinux.org/advisory/ASA-201812-11

2) Path traversal

Description

The vulnerability allows a remote attacker to conduct a directory traversal attack on the target system.

The vulnerability exists in the go get command due to path traversal attack when the affected software executes the go get command with the import path of a Go package that contains curly braces. A remote unauthenticated attacker can execute the go get command, trick the victim into accessing a Go package that submits malicious input, conduct a directory traversal attack, which the attacker can use to execute arbitrary code with elevated privileges.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Remediation

Update the affected package go to version 2

External links

https://security.archlinux.org/advisory/ASA-201812-11

3) Improper input validation

Description

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The vulnerability exists on Go TLS servers accepting client certificates and TLS clients due to the crypto/x509 package does not limit the amount of work performed for each chain verification. A remote unauthenticated attacker can craft pathological inputs leading to a CPU denial of service.

Remediation

Update the affected package go to version 2

External links

https://security.archlinux.org/advisory/ASA-201812-11

Back to List