CVE-2021-3115 - log

CVE-2021-3115 edited at 20 Jan 2021 09:42:46
Description
- The go command may execute arbitrary code at build time when using cgo on Windows. This can be triggered by running go get for a malicious package, or any other time the code is built. This can be triggered by malicious packages which contain specifically named binaries which are executed when cgo is executed in the context of the malicious package directory. This is due to the path lookup behavior of os/exec.LookPath on Windows. This will also affect Unix users who have “.” listed explicitly in their PATH and are running “go get” outside of a module or with module mode disabled. This has been fixed by altering the usage of os/exec.LookPath by the go command to reject the usage of any binaries that reside in the current directory.
+ A security issue was found in Go and fixed in versions 1.15.7 and 1.14.14. The go command may execute arbitrary code at build time when using cgo on Windows. This can be triggered by running go get for a malicious package, or any other time the code is built. This can be triggered by malicious packages which contain specifically named binaries which are executed when cgo is executed in the context of the malicious package directory. This is due to the path lookup behavior of os/exec.LookPath on Windows. This will also affect Unix users who have “.” listed explicitly in their PATH and are running “go get” outside of a module or with module mode disabled. This has been fixed by altering the usage of os/exec.LookPath by the go command to reject the usage of any binaries that reside in the current directory.
References
+ https://groups.google.com/g/golang-announce/c/mperVMGa98w/m/yo5W5wnvAAAJ
https://blog.golang.org/path-security
https://github.com/golang/go/issues/43785
https://github.com/golang/go/commit/e8e7facfaa47bf21007c0a1c679debba52ec3ea0
https://github.com/golang/go/commit/07e3195293ec510171d7d43ec8ac2bcb9cf00df4
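The description above comes down to one lookup decision: when cgo is in use the go command asks os/exec.LookPath for a bare tool name such as "gcc", and on Windows (or on Unix with "." in PATH) that lookup can land on a file inside the package directory being built. The following is an added example, not code from the Go project or from this tracker, showing a wrapper with the same shape as the check the fix introduced (a bare name that resolved to a non-absolute path is refused), plus a Unix reproduction of the "." in PATH case. The names safeLookPath, resolvedInCwd, ErrRelativeLookup and plantFakeTool are chosen here, the fake "gcc" script is constructed for the demo, and the block needs Go 1.19 or later to compile because it references exec.ErrDot (the later standard-library follow-up to this issue).

```go
// Added example, not code from the Go project: a LookPath wrapper that
// rejects executables found in the current directory, the class of result
// CVE-2021-3115 was about. Function and error names are chosen here.
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
)

// ErrRelativeLookup signals that a bare command name resolved to a file in
// the current directory (Windows searches "." implicitly; Unix only does so
// when PATH contains ".").
var ErrRelativeLookup = errors.New("executable found relative to current directory")

// resolvedInCwd is the shape of the check the go command adopted in the fix:
// a bare name (no path separators) that exec.LookPath resolved to a
// non-absolute path can only have come from the current directory.
// A caller that explicitly asks for "./tool" is not affected.
func resolvedInCwd(file, resolved string) bool {
	return filepath.Base(file) == file && !filepath.IsAbs(resolved)
}

// safeLookPath wraps exec.LookPath. Go 1.19+ already reports current-dir
// results as exec.ErrDot (while still returning the path); older toolchains
// return the relative path with a nil error, so both cases are handled here.
func safeLookPath(file string) (string, error) {
	p, err := exec.LookPath(file)
	if errors.Is(err, exec.ErrDot) || (err == nil && resolvedInCwd(file, p)) {
		return "", fmt.Errorf("%s: %w", file, ErrRelativeLookup)
	}
	if err != nil {
		return "", err
	}
	return p, nil
}

// plantFakeTool writes a constructed stand-in for a compiler into dir and
// returns its path. It mimics the "specifically named binary" a malicious
// package directory could carry; the name is the caller's choice.
func plantFakeTool(dir, name string) (string, error) {
	p := filepath.Join(dir, name)
	// Not a real compiler: a shell script that would run under "go build".
	script := []byte("#!/bin/sh\necho \"fake compiler ran from $(pwd)\"\n")
	return p, os.WriteFile(p, script, 0o755)
}

func main() {
	// Unix reproduction of the scenario in the advisory: "." on PATH and a
	// bare lookup made from inside an untrusted package directory.
	dir, err := os.MkdirTemp("", "cve-2021-3115-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	if _, err := plantFakeTool(dir, "gcc"); err != nil {
		panic(err)
	}
	if err := os.Chdir(dir); err != nil {
		panic(err)
	}
	if err := os.Setenv("PATH", "."); err != nil {
		panic(err)
	}

	// The raw lookup finds the planted file (Go 1.19+ additionally flags it
	// with ErrDot); the wrapper refuses it outright.
	p, err := exec.LookPath("gcc")
	fmt.Printf("exec.LookPath: path=%q err=%v\n", p, err)
	p, err = safeLookPath("gcc")
	fmt.Printf("safeLookPath:  path=%q err=%v\n", p, err)
}
```

The point of the `filepath.Base(file) == file` half of the check is that only bare names are policed: a build step that deliberately runs "./configure" or an absolute path still works, while a bare "gcc", "clang" or "pkg-config" that matched a file in the package directory is refused before anything is executed. For the Windows case the resolved path would be the relative "gcc.exe", which the same test catches.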
CVE-2021-3115 edited at 20 Jan 2021 09:40:54
Severity
- Unknown
+ Medium
Remote
- Unknown
+ Local
Type
- Unknown
+ Arbitrary command execution
Description
+ The go command may execute arbitrary code at build time when using cgo on Windows. This can be triggered by running go get for a malicious package, or any other time the code is built. This can be triggered by malicious packages which contain specifically named binaries which are executed when cgo is executed in the context of the malicious package directory. This is due to the path lookup behavior of os/exec.LookPath on Windows. This will also affect Unix users who have “.” listed explicitly in their PATH and are running “go get” outside of a module or with module mode disabled. This has been fixed by altering the usage of os/exec.LookPath by the go command to reject the usage of any binaries that reside in the current directory.
References
+ https://blog.golang.org/path-security
+ https://github.com/golang/go/issues/43785
+ https://github.com/golang/go/commit/e8e7facfaa47bf21007c0a1c679debba52ec3ea0
+ https://github.com/golang/go/commit/07e3195293ec510171d7d43ec8ac2bcb9cf00df4
Notes
CVE-2021-3115 created at 20 Jan 2021 09:34:37