cmd/go: GOAUTH credential leak [CVE-2024-45340] #71249
Labels
Milestone
Comments
rolandshoemaker
added
NeedsFix
rolandshoemaker
removed
the
vulncheck or vulndb
|
Change https://go.dev/cl/643101 mentions this issue: |
|
Change https://go.dev/cl/643097 mentions this issue: |
gopherbot
pushed a commit
that referenced
this issue
Jan 16, 2025
…and fix domain lookup Store netrc lines into the credential map backward so that earlier lines take priority over later lines. This matches Go 1.23 netrc lookup which stopped at the first match it found. Additionally, this fixes a security issue related to domain parsing which could have allowed servers to read credentials belonging to other servers. The fix was to switch from using path.Dir(currentPrefix) to strings.Cut(currentPrefix, "/") Thanks to Juho Forsén of Mattermost for reporting this issue. Fixes #71249 Fixes CVE-2024-45340 Change-Id: I175a00d6d7f4d31c9e4d79b7cf1c2a0ad35b2781 Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1781 Reviewed-by: Tatiana Bradley <[email protected]> Commit-Queue: Roland Shoemaker <[email protected]> Reviewed-by: Roland Shoemaker <[email protected]> Reviewed-by: Damien Neil <[email protected]> (cherry picked from commit 76833d221aa3ccc978b6f41bd24e26babf771375) Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1840 Reviewed-on: https://go-review.googlesource.com/c/go/+/643101 Reviewed-by: Michael Pratt <[email protected]> LUCI-TryBot-Result: Go LUCI <[email protected]> Auto-Submit: Michael Knyszek <[email protected]>
mknyszek
changed the title
wyf9661
pushed a commit
to wyf9661/go
that referenced
this issue
Jan 21, 2025
…and fix domain lookup Store netrc lines into the credential map backward so that earlier lines take priority over later lines. This matches Go 1.23 netrc lookup which stopped at the first match it found. Additionally, this fixes a security issue related to domain parsing which could have allowed servers to read credentials belonging to other servers. The fix was to switch from using path.Dir(currentPrefix) to strings.Cut(currentPrefix, "/") Thanks to Juho Forsén of Mattermost for reporting this issue. Fixes golang#71249 Fixes CVE-2024-45340 Change-Id: I175a00d6d7f4d31c9e4d79b7cf1c2a0ad35b2781 Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1781 Reviewed-by: Tatiana Bradley <[email protected]> Commit-Queue: Roland Shoemaker <[email protected]> Reviewed-by: Roland Shoemaker <[email protected]> Reviewed-by: Damien Neil <[email protected]> (cherry picked from commit 76833d221aa3ccc978b6f41bd24e26babf771375) Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1840 Reviewed-on: https://go-review.googlesource.com/c/go/+/643101 Reviewed-by: Michael Pratt <[email protected]> LUCI-TryBot-Result: Go LUCI <[email protected]> Auto-Submit: Michael Knyszek <[email protected]>
Clement-Jean
pushed a commit
to Clement-Jean/go
that referenced
this issue
Jan 31, 2025
Store netrc lines into the credential map backward so that earlier lines take priority over later lines. This matches Go 1.23 netrc lookup which stopped at the first match it found. Additionally, this fixes a security issue related to domain parsing which could have allowed servers to read credentials belonging to other servers. The fix was to switch from using path.Dir(currentPrefix) to strings.Cut(currentPrefix, "/") Thanks to Juho Forsén of Mattermost for reporting this issue. Fixes golang#71249 Fixes CVE-2024-45340 Change-Id: I175a00d6d7f4d31c9e4d79b7cf1c2a0ad35b2781 Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1781 Reviewed-by: Tatiana Bradley <[email protected]> Commit-Queue: Roland Shoemaker <[email protected]> Reviewed-by: Roland Shoemaker <[email protected]> Reviewed-by: Damien Neil <[email protected]> Reviewed-on: https://go-review.googlesource.com/c/go/+/643097 Reviewed-by: Michael Pratt <[email protected]> LUCI-TryBot-Result: Go LUCI <[email protected]> Auto-Submit: Michael Knyszek <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Credentials provided via the new GOAUTH feature were not being properly
segmented by domain, allowing a malicious server to request credentials they
should not have access to. By default, unless otherwise set, this only affected
credentials stored in the users .netrc file.
Thanks to Juho Forsén of Mattermost for reporting this issue.
This is CVE-2024-45340.
Tracked in http://b/385330440 and fixed by https://go-internal-review.git.corp.google.com/c/go/+/1781.
/cc @golang/security and @golang/release
The text was updated successfully, but these errors were encountered: