go

Last year I stumbled across a vulnerability in Go’s go get command, which could lead to code execution when a malicious Go package was downloaded. I reported this to the Go team and it was subsequently assigned CVE-2018-16873. The actual vulnerability was really interesting since it was solely a logic vulnerability, where I abused the order in which packages were cloned by the go get command and how these would be laid out on disk. This makes it one of my personal favourite bugs. ...