golang / vulndb

[mirror] The Go Vulnerability Database

x/vulndb: potential Go vuln in github.com/hashicorp/go-getter #1608

Closed rudolphjacksonm closed 1 year ago

rudolphjacksonm commented 1 year ago

Description

Hi,

I tried to download go-getter v1.7.0 today as part of initializing the dev environment for Hashicorp's AWS Terraform provider. The md5 hash of the zip returns some worrying results on VirusTotal, and was blocked by my employer's antivirus before I could download it: https://www.virustotal.com/gui/file/868bd0a1e97d2782dad2d80beec056e99b298ebb4f5d5f2f2f5f035537cfdfaa/detection.

Can someone take a look at this please? Apologies if I've not entered any of the fields correctly, I've not raised an issue in this community before!

Affected Modules, Packages, Versions and Symbols

Package: github.com/hashicorp/go-getter v1.7.0

Does this vulnerability already have an associated CVE ID?

No

CVE ID

No response

Credit

No response

CWE ID

No response

Pull Request

No response

Commit

No response

References

No response

Additional information

Output from when trying to run go install shows the URL the package is retrieved from:

> make tools
cd .ci/providerlint && go install .
cd .ci/tools && go install github.com/bflad/tfproviderdocs
cd .ci/tools && go install github.com/client9/misspell/cmd/misspell
cd .ci/tools && go install github.com/golangci/golangci-lint/cmd/golangci-lint
cd .ci/tools && go install github.com/katbyte/terrafmt
cd .ci/tools && go install github.com/terraform-linters/tflint
go: downloading github.com/hashicorp/go-getter v1.7.0
/Users/jackmo/go/pkg/mod/github.com/terraform-linters/tflint-ruleset-terraform@v0.2.2/rules/terraform_module_pinned_source.go:10:2: github.com/hashicorp/go-getter@v1.7.0: reading https://proxy.golang.org/github.com/hashicorp/go-getter/@v/v1.7.0.zip: 403 Forbidden

rudolphjacksonm commented 1 year ago

From looking around I'm fairly confident the culprit is a false positive and related to this: https://github.com/hashicorp/go-getter/issues/419

picatz commented 1 year ago

👋 Hello! This is a false positive related to https://github.com/hashicorp/go-getter/issues/407 (CVE-2023-0821, attributed to Nomad GHSA because CVEs are objectively confusing).

The zip bomb detected by your company's anti-virus is an artifact related to a test that will not run without a special environment variable set.

We plan to address this in the near future, tracked in https://github.com/hashicorp/go-getter/issues/419
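
Before trusting or dismissing an antivirus verdict like the one above, a practitioner can check what the module zip actually declares: the zip central directory records compressed and uncompressed sizes per entry, so a decompression-bomb fixture shows up as an extreme expansion ratio without inflating anything. The following is an added example in Go, not code from go-getter or from the vulndb project; the archive contents, entry paths and thresholds are constructed for illustration.

```go
package main

import (
	"archive/zip"
	"bytes"
)

// Finding names an archive entry (or "<archive>" for the whole zip) that looks bomb-like.
type Finding struct {
	Name   string
	Ratio  float64
	Reason string
}

// ScanZipBytes triages a zip in memory: per-entry sizes in the central directory expose a bomb before inflating.
func ScanZipBytes(data []byte, maxRatio float64, maxTotal uint64) ([]Finding, error) {
	r, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return nil, err
	}
	var findings []Finding
	var total uint64
	for _, f := range r.File {
		total += f.UncompressedSize64
		if f.CompressedSize64 == 0 {
			continue // empty entries have no meaningful ratio
		}
		ratio := float64(f.UncompressedSize64) / float64(f.CompressedSize64)
		if ratio > maxRatio {
			findings = append(findings, Finding{f.Name, ratio, "expansion ratio above limit"})
		}
	}
	if total > maxTotal {
		findings = append(findings, Finding{"<archive>", 0, "total uncompressed size above limit"})
	}
	return findings, nil
}

// buildSampleZip is a constructed archive (hypothetical paths): one ordinary source file plus a 1 MiB entry of zeros, which deflates to a few kilobytes.
func buildSampleZip() []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	src, _ := w.Create("go-getter/get.go")
	src.Write([]byte("package getter\n\nfunc Get() {}\n"))
	big, _ := w.Create("go-getter/testdata/bomb.bin")
	big.Write(make([]byte, 1<<20))
	w.Close()
	return buf.Bytes()
}
```

Header sizes can be forged, so this is a triage step rather than a guarantee; when an archive is actually extracted, the real protection is a byte limit on the decompressed stream (for example wrapping the entry reader in an io.LimitReader), which is the class of fix the linked go-getter issue concerns.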

rolandshoemaker commented 1 year ago

Sounds like this can be closed out since it will not result in a vulndb entry (at least not right now). Let me know if you think this is incorrect.