cmd/go: GOAUTH credential leak [CVE-2024-45340] #71249

Closed
rolandshoemaker opened this issue Jan 13, 2025 · 2 comments
Labels
GoCommand cmd/go NeedsFix The path to resolution is known, but the work has not been done. Security
Milestone

Comments

@rolandshoemaker
Member

rolandshoemaker commented Jan 13, 2025

Credentials provided via the new GOAUTH feature were not being properly
segmented by domain, allowing a malicious server to request credentials they
should not have access to. By default, unless otherwise set, this only affected
credentials stored in the user's .netrc file.

Thanks to Juho Forsén of Mattermost for reporting this issue.

This is CVE-2024-45340.

Tracked in http://b/385330440 and fixed by https://go-internal-review.git.corp.google.com/c/go/+/1781.

/cc @golang/security and @golang/release

@rolandshoemaker rolandshoemaker added NeedsFix The path to resolution is known, but the work has not been done. Security labels Jan 13, 2025
@gabyhelp gabyhelp added the vulncheck or vulndb Issues for the x/vuln or x/vulndb repo label Jan 13, 2025
@rolandshoemaker rolandshoemaker removed the vulncheck or vulndb Issues for the x/vuln or x/vulndb repo label Jan 15, 2025
@gopherbot
Contributor

Change https://go.dev/cl/643101 mentions this issue: cmd/go: restore netrc preferences for GOAUTH and fix domain lookup

@gopherbot
Contributor

Change https://go.dev/cl/643097 mentions this issue: cmd/go: restore netrc preferences for GOAUTH and fix domain lookup

gopherbot pushed a commit that referenced this issue Jan 16, 2025
…and fix domain lookup

Store netrc lines into the credential map backward so that earlier lines
take priority over later lines. This matches Go 1.23 netrc lookup which
stopped at the first match it found.
Additionally, this fixes a security issue related to domain parsing
which could have allowed servers to read credentials belonging to other
servers. The fix was to switch from using path.Dir(currentPrefix) to
strings.Cut(currentPrefix, "/")

Thanks to Juho Forsén of Mattermost for reporting this issue.

Fixes #71249
Fixes CVE-2024-45340

Change-Id: I175a00d6d7f4d31c9e4d79b7cf1c2a0ad35b2781
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1781
Reviewed-by: Tatiana Bradley <[email protected]>
Commit-Queue: Roland Shoemaker <[email protected]>
Reviewed-by: Roland Shoemaker <[email protected]>
Reviewed-by: Damien Neil <[email protected]>
(cherry picked from commit 76833d221aa3ccc978b6f41bd24e26babf771375)
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1840
Reviewed-on: https://go-review.googlesource.com/c/go/+/643101
Reviewed-by: Michael Pratt <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>
Auto-Submit: Michael Knyszek <[email protected]>
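The commit message above names two behaviours without showing code: netrc lines are stored into the credential map backward so earlier lines win, and the prefix walk that looks up credentials for a URL now uses strings.Cut instead of path.Dir. The following is an added example written for this page, not code from the Go toolchain or from the CL, that models both in a self-contained program. The parser, the cache layout, the function names and the sample netrc content are all my own assumptions; cmd/go's real implementation differs. The page does not say what input exercised the domain-parsing bug; the URL with dot-dot segments below is a constructed illustration of the documented fact that path.Dir Cleans its result, which is my reading of why a path.Dir-based walk is not bounded by the host while a strings.Cut-based one is.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Added example, not code from the Go toolchain. It models the two pieces
// of the fix described in the commit message: netrc lines stored backward
// so earlier lines win, and a credential lookup whose prefix walk is
// pinned to the host with strings.Cut instead of path.Dir. Names, the
// parser and the cache layout are assumptions; cmd/go's real code differs.

// netrcEntry is one "machine NAME login USER password PASS" line.
type netrcEntry struct{ machine, login, password string }

// parseNetrc is a deliberately small parser: key/value token pairs only,
// no "default" or "macdef" handling.
func parseNetrc(data string) []netrcEntry {
	var entries []netrcEntry
	f := strings.Fields(data)
	for i := 0; i+1 < len(f); i += 2 {
		switch f[i] {
		case "machine":
			entries = append(entries, netrcEntry{machine: f[i+1]})
		case "login":
			if n := len(entries); n > 0 {
				entries[n-1].login = f[i+1]
			}
		case "password":
			if n := len(entries); n > 0 {
				entries[n-1].password = f[i+1]
			}
		}
	}
	return entries
}

// storeNetrc fills the cache backward (last line first) so that a plain
// overwrite on store leaves the earliest line for a machine in place,
// matching the Go 1.23 first-match lookup the commit refers to.
func storeNetrc(cache map[string]netrcEntry, entries []netrcEntry) {
	for i := len(entries) - 1; i >= 0; i-- {
		cache[entries[i].machine] = entries[i]
	}
}

// hostOf returns the host component of a cache key ("host/path...").
func hostOf(key string) string {
	host, _, _ := strings.Cut(key, "/")
	return host
}

// prefixWalkDir models the pre-fix walk: path.Dir drops the last element
// but also Cleans the result, so "." and ".." segments in the URL path are
// resolved and the host component of later keys is not guaranteed to match
// the original host.
func prefixWalkDir(url string) []string {
	cur := strings.TrimPrefix(url, "https://")
	var keys []string
	for {
		keys = append(keys, cur)
		cur = path.Dir(cur)
		if cur == "." || cur == "/" {
			return keys
		}
	}
}

// prefixWalkCut models the fixed walk: the host is split off once with
// strings.Cut and never touched again; only the path part is shortened,
// textually, one "/"-delimited segment at a time, ending at the bare host.
func prefixWalkCut(url string) []string {
	host, rest, _ := strings.Cut(strings.TrimPrefix(url, "https://"), "/")
	var keys []string
	for rest != "" {
		keys = append(keys, host+"/"+rest)
		if i := strings.LastIndex(rest, "/"); i >= 0 {
			rest = rest[:i]
		} else {
			rest = ""
		}
	}
	return append(keys, host)
}

// lookup returns the first cached credential whose key appears in the walk.
func lookup(cache map[string]netrcEntry, url string, walk func(string) []string) (netrcEntry, bool) {
	for _, key := range walk(url) {
		if e, ok := cache[key]; ok {
			return e, true
		}
	}
	return netrcEntry{}, false
}

// sampleNetrc is constructed test data, not a real credential file.
const sampleNetrc = `
machine git.example login alice password first-token
machine git.example login alice password second-token
machine other.example login bob password bob-token
`

func main() {
	cache := map[string]netrcEntry{}
	storeNetrc(cache, parseNetrc(sampleNetrc))

	e, _ := lookup(cache, "https://git.example/org/repo", prefixWalkCut)
	fmt.Println("git.example ->", e.password) // first-token: earlier line wins

	// Constructed URL whose path contains ".." segments: the fixed walk keeps
	// every key on a.example and finds nothing; the path.Dir walk Cleans its
	// way to a key for other.example.
	u := "https://a.example/x/../../other.example/y"
	fmt.Println("cut walk:", prefixWalkCut(u))
	fmt.Println("dir walk:", prefixWalkDir(u))
	_, ok := lookup(cache, u, prefixWalkCut)
	fmt.Println("fixed lookup found credential:", ok) // false
}
```

The design point is that the host is decided once, by the first "/" in the scheme-stripped URL, and every later cache key is a textual prefix of the original string with the same host; no path normalisation ever runs on the key. A walk built on path.Dir gives up that property, which is what the commit's one-line change restores.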
@mknyszek mknyszek changed the title security: fix CVE-2024-45340 cmd/go: GOAUTH credential leak [CVE-2024-45340] Jan 16, 2025
@dmitshur dmitshur added the GoCommand cmd/go label Jan 16, 2025
@dmitshur dmitshur added this to the Go1.24 milestone Jan 16, 2025
wyf9661 pushed a commit to wyf9661/go that referenced this issue Jan 21, 2025
Clement-Jean pushed a commit to Clement-Jean/go that referenced this issue Jan 31, 2025
Store netrc lines into the credential map backward so that earlier lines
take priority over later lines. This matches Go 1.23 netrc lookup which
stopped at the first match it found.
Additionally, this fixes a security issue related to domain parsing
which could have allowed servers to read credentials belonging to other
servers. The fix was to switch from using path.Dir(currentPrefix) to
strings.Cut(currentPrefix, "/")

Thanks to Juho Forsén of Mattermost for reporting this issue.

Fixes golang#71249
Fixes CVE-2024-45340

Change-Id: I175a00d6d7f4d31c9e4d79b7cf1c2a0ad35b2781
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1781
Reviewed-by: Tatiana Bradley <[email protected]>
Commit-Queue: Roland Shoemaker <[email protected]>
Reviewed-by: Roland Shoemaker <[email protected]>
Reviewed-by: Damien Neil <[email protected]>
Reviewed-on: https://go-review.googlesource.com/c/go/+/643097
Reviewed-by: Michael Pratt <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>
Auto-Submit: Michael Knyszek <[email protected]>