GO-2022-0201

See a problem?

Source

https://pkg.go.dev/vuln/GO-2022-0201

Import Source

https://vuln.go.dev/ID/GO-2022-0201.json

JSON Data

https://api.osv.dev/v1/vulns/GO-2022-0201

Aliases

CVE-2018-6574

Published

2022-08-09T18:15:41Z

Modified

2024-05-20T16:03:47Z

Summary

Remote command execution via "go get" command with cgo in cmd/go

Details

The "go get" command with cgo is vulnerable to remote command execution by leveraging the gcc or clang plugin feature.

When cgo is enabled, the build step during "go get" invokes the host C compiler, gcc or clang, adding compiler flags specified in the Go source files. Both gcc and clang support a plugin mechanism in which a shared-library plugin is loaded into the compiler, as directed by compiler flags. This means that a Go package repository can contain an attack.so file along with a Go source file that says (for example) "// #cgo CFLAGS: -fplugin=attack.so" causing the attack plugin to be loaded into the host C compiler during the build. Gcc and clang plugins are completely unrestricted in their access to the host system.

References

Credits

- Christopher Brown of Mattermost

Affected packages

Go / toolchain

Package

Name: toolchain; View open source insights on deps.dev
Purl: pkg:golang/toolchain

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.8.7

Introduced

1.9.0-0

Fixed

1.9.4

Ecosystem specific

{
    "imports": [
        {
            "path": "cmd/go"
        }
    ]
}