SB2018122116 - Gentoo update for Go 

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2018122116

SB2018122116 - Gentoo update for Go

Published: December 21, 2018

Security Bulletin ID SB2018122116
Severity
High
Patch available
YES
Number of vulnerabilities 3
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 67% Low 33%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 3 secuirty vulnerabilities.


1) Command injection (CVE-ID: CVE-2018-16873)

The vulnerability allows a remote attacker to execute arbitrary commands on the target system.

The vulnerability exists in the go get command due to import path of a malicious Go package, or a package that imports it directly or indirectly. A remote unauthenticated attacker can use a vanity import path that ends with "/.git", use custom domains to arrange things so that a Git repository is cloned to a folder named ".git", trick the victim into considering the parent directory as a repository root, and run Git commands on it that will use the "config" file in the original Git repository root for its configuration, and if that config file contains malicious commands, and execute arbitrary code on the system running "go get -u".

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


2) Path traversal (CVE-ID: CVE-2018-16874)

The vulnerability allows a remote attacker to conduct a directory traversal attack on the target system.

The vulnerability exists in the go get command due to path traversal attack when the affected software executes the go get command with the import path of a Go package that contains curly braces. A remote unauthenticated attacker can execute the go get command, trick the victim into accessing a Go package that submits malicious input, conduct a directory traversal attack, which the attacker can use to execute arbitrary code with elevated privileges.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


3) Improper input validation (CVE-ID: CVE-2018-16875)

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The vulnerability exists on Go TLS servers accepting client certificates and TLS clients due to the crypto/x509 package does not limit the amount of work performed for each chain verification. A remote unauthenticated attacker can craft pathological inputs leading to a CPU denial of service.


Remediation

Install update from vendor's website.

References