[security] Severe vulnerability in github.com/golang/gddo


Filippo Valsorda

Jul 3, 2018, 2:40:24 PM
to golang-...@googlegroups.com
Hello gophers,

A vulnerability was recently reported in github.com/golang/gddo (Go Doc Dot Org), the software that runs godoc.org. Note that this is a separate program from golang.org/x/tools/cmd/godoc, which is unaffected.

godoc.org is patched, and this only affects you if you run your own instance of gddo.

An attacker could use specially crafted <go-import> tags in packages being fetched by gddo to cause a directory traversal and remote code execution.


This was assigned CVE-2018-12976.

We’d like to thank ztz of Tencent Security Platform for discovering and reporting this issue.

Cheers,
Filippo for the Go team
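
The advisory does not describe the traversal mechanism, so the following is an added example, not gddo's code and not the actual fix: a defensive pattern for a service that reads go-import meta tags, treating all three fields as untrusted and confirming that any derived local path stays under its base directory. The names `ParseGoImport`, `LocalDir` and `allowedVCS`, and the premise that the import prefix is used to build a local path, are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"path/filepath"
	"strings"
)

// GoImport holds the fields of <meta name="go-import" content="prefix vcs repo-root">.
type GoImport struct{ Prefix, VCS, RepoRoot string }
var allowedVCS = map[string]bool{"git": true, "hg": true, "svn": true, "bzr": true} // assumed allowlist

// ParseGoImport validates the content attribute, which the remote page controls.
func ParseGoImport(content string) (GoImport, error) {
	f := strings.Fields(content)
	if len(f) != 3 {
		return GoImport{}, fmt.Errorf("go-import: want 3 fields, got %d", len(f))
	}
	gi := GoImport{f[0], f[1], f[2]}
	if !allowedVCS[gi.VCS] {
		return GoImport{}, fmt.Errorf("go-import: unknown vcs %q", gi.VCS)
	}
	u, err := url.Parse(gi.RepoRoot)
	if err != nil || (u.Scheme != "https" && u.Scheme != "http") || u.Host == "" {
		return GoImport{}, fmt.Errorf("go-import: repo root %q is not an http(s) URL", gi.RepoRoot)
	}
	for _, seg := range strings.Split(gi.Prefix, "/") {
		if seg == "" || seg == "." || seg == ".." || strings.ContainsAny(seg, `\:`) {
			return GoImport{}, fmt.Errorf("go-import: bad prefix segment %q", seg)
		}
	}
	return gi, nil
}

// LocalDir maps a prefix to a directory under base and re-checks containment.
func LocalDir(base string, gi GoImport) (string, error) {
	dir := filepath.Join(base, filepath.FromSlash(gi.Prefix))
	rel, err := filepath.Rel(base, dir)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("path %q escapes %q", dir, base)
	}
	return dir, nil
}

func main() { // constructed input: a prefix that tries to climb out of the local directory
	_, err := ParseGoImport("example.org/../../etc git https://example.org/x")
	fmt.Println(err)
}
```

The containment check in `LocalDir` is deliberately independent of the parser, so a path built from a value that skipped validation is still rejected.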