
x/vulndb: potential Go vuln in github.com/siruspen/logrus #3502

Open
1 task done
AnomalRoil opened this issue Mar 5, 2025 · 0 comments

Comments

@AnomalRoil

Acknowledgement

  • The maintainer(s) of the affected project have already been made aware of this vulnerability.

Description

This is an old, well-known case of Go module "typosquatting". The github.com/siruspen/logrus package is impersonating the official github.com/sirupsen/logrus package; notice how the p and the s in the middle of "sirupsen" are swapped to give "siruspen" instead.

This is documented in public talks and in public blog posts for a long time already, e.g. https://michenriksen.com/archive/blog/finding-evil-go-packages/#githubcomsiruspenlogrus-

The problem is that the malicious package is fiddling with its init function. This can potentially lead to full RCE on any machine executing this code.

At the time of writing and as far as I know, the only malicious behaviour of that package is to print "INIT" during its init:

logger.go

```go
// Package clause and import added here for completeness; the package name is
// assumed from the module path, the init body is as posted in the issue.
package logrus

import "fmt"

// Runs automatically whenever any program imports this package.
func init() {
	fmt.Println("INIT!!!")
}
```

This malicious package is imported by a few projects:
https://pkg.go.dev/github.com/siruspen/logrus?tab=importedby

and is still being cached by the Go proxy and cache despite having been removed from github:
https://github.com/siruspen/logrus

Affected Modules, Packages, Versions and Symbols

Module: github.com/siruspen/logrus
Package: github.com/siruspen/logrus
Versions:
  - Introduced: 1.7.1

CVE/GHSA ID

No response

Fix Commit or Pull Request

No response

References

Additional information

This is not fixed since this is a malicious package doing typosquatting of a popular package.
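As an added defender-side check, not part of this issue or the x/vulndb project: a small Go program that flags require directives in a go.mod whose module path is a single adjacent-character transposition away from an allowlisted popular module, which is exactly how siruspen differs from sirupsen. The allowlist and the sample go.mod text are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed allowlist of well-known module paths (assumption; load a curated list in practice).
var knownModules = []string{"github.com/sirupsen/logrus", "github.com/spf13/cobra"}

// adjacentSwap reports whether a and b differ only by one transposed pair of adjacent bytes ("siruspen" vs "sirupsen").
func adjacentSwap(a, b string) bool {
	if len(a) != len(b) {
		return false
	}
	i := 0
	for i < len(a) && a[i] == b[i] {
		i++
	}
	if i+1 >= len(a) || a[i] != b[i+1] || a[i+1] != b[i] {
		return false
	}
	return a[i+2:] == b[i+2:]
}

// SuspectRequires scans go.mod text and maps each required module path that is one transposition away from an allowlisted path to the module it resembles.
func SuspectRequires(gomod string) map[string]string {
	found := map[string]string{}
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(line)
		path := ""
		if len(f) >= 3 && f[0] == "require" { // single-line form: require path version
			path = f[1]
		} else if len(f) >= 2 && strings.Contains(f[0], "/") && strings.HasPrefix(f[1], "v") {
			path = f[0] // line inside a require ( ... ) block
		} else {
			continue
		}
		for _, known := range knownModules {
			if adjacentSwap(path, known) {
				found[path] = known
			}
		}
	}
	return found
}

// Constructed sample go.mod that pulls in the typosquatted module.
const sampleGoMod = "module example.com/app\n\ngo 1.22\n\nrequire (\n\tgithub.com/siruspen/logrus v1.7.1\n\tgithub.com/spf13/cobra v1.8.0\n)\n"

func main() {
	for bad, good := range SuspectRequires(sampleGoMod) {
		fmt.Printf("suspicious require %s (resembles %s)\n", bad, good)
	}
}
```

Run it against a real go.mod by reading the file into SuspectRequires; a non-empty result is a prompt to inspect the module, not proof of malice on its own.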
