2 min read

Yesterday, the Go team released Go 1.11.3 and Go 1.10.6.  The Go team recommends all users to update to one of these releases. If you’re not sure which one to update to, choose Go 1.11.3. These releases have addressed the following security issues:

cmd/go: Remote command execution during “go get -u”

The go get -u  command downloads, updates, and builds source code and is not supposed to execute arbitrary code. With the help of custom domains, it’s possible to get a Git repository cloned to a folder named .git by using a vanity import path that ends with /.git.

If the Git repository root contains a HEAD file, an object directory, a config file, a refsdirectory, then go get -u can be used for considering the parent directory as a repository root, and running Git commands on it. This will help in using the config file in the original Git repository root for its configuration. In case, the config file contains malicious commands, they will execute on the system running go get -u.

cmd/go: Directory traversal in “go get” via curly braces in import paths

The go get command downloads and builds source code. It is strictly not supposed to allow arbitrary filesystem writes. The go get command becomes vulnerable to remote code execution when it is executed with -u flag or with the import path of a malicious Go package, which contains curly braces (both { and } characters). It is only vulnerable in GOPATH mode and not in module mode. The attacker can create an arbitrary filesystem write, which can further lead to code execution.

crypto/x509: CPU denial of service in chain validation

Package crypto/x509 parses and also validates X.509 encoded keys and certificates. It should handle certificate chains which are provided by an attacker with reasonable resource use. This package does not limit the work performed for each chain verification and might help attackers to craft pathological inputs, further leading to a CPU denial of service. The Go TLS servers that accept client certificates and the TLS clients that verify certificates get affected.

The functionality regression in “go get” when executed in GOPATH mode on an import path pattern containing “…”  is not present in the GOPATH workspace. This issue will be resolved in the next releases, Go 1.11.4 and Go 1.10.7.

This update has received a mixed reaction from the users. As few users think that if the Go team should have used context. WithTimeout or even TLSHandshakeTimeout for safety on the old Go. Other users have appreciated the efforts taken by the Go team.

To know more about this release, check out the official announcement.

Read Next

The Golang team has started working on Go 2 proposals

TypeScript 3.2 released with configuration inheritance and more

Haskell is moving to GitLab due to issues with Phabricator