
Bug 647250 (CVE-2018-6574)

Summary: <dev-lang/go-1.9.4: arbitrary code execution during go get (CVE-2018-6574)
Product: Gentoo Security
Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: williamh
Priority: Normal
Flags: stable-bot: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
URL: https://github.com/golang/go/issues/23672
Whiteboard: B2 [glsa+ cve]
Package list:
dev-lang/go-1.9.4
Runtime testing required: ---

Description GLSAMaker/CVETool Bot gentoo-dev 2018-02-10 20:31:54 UTC
CVE-2018-6574 (https://nvd.nist.gov/vuln/detail/CVE-2018-6574):
  Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases before Go
  1.10rc2 allow "go get" remote command execution during source code build, by
  leveraging the gcc or clang plugin feature, because -fplugin= and -plugin=
  arguments were not blocked.
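The flaw in the CVE text above is that cgo flags taken from a fetched package's #cgo directives were handed to gcc/clang unfiltered, so a compiler plugin flag could load arbitrary code during the build. The fix in Go 1.9.4 moved to an allowlist of permitted flag shapes; the check below is an added, simplified illustration of that deny-by-default approach, written for this page and not taken from cmd/go. The flag patterns and the sample directive contents are constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
)

// allowedCgoFlags is a constructed allowlist for this example: only flag
// shapes needed to compile and link a cgo package are accepted. Anything
// else, including the plugin flags named in CVE-2018-6574 (-fplugin= for
// gcc, -plugin= for clang), is rejected instead of reaching the compiler.
var allowedCgoFlags = []*regexp.Regexp{
	regexp.MustCompile(`^-D[A-Za-z_][A-Za-z0-9_]*(=[^ ]*)?$`), // -DNAME or -DNAME=value
	regexp.MustCompile(`^-I[^-][^ ]*$`),                        // -I<dir>, dir may not start with '-'
	regexp.MustCompile(`^-O[0-3s]?$`),                          // optimisation level
	regexp.MustCompile(`^-W[a-z0-9-]+$`),                       // warning switches such as -Wall
	regexp.MustCompile(`^-std=[a-z0-9+]+$`),                    // -std=c99, -std=gnu11
	regexp.MustCompile(`^-l[a-z0-9_]+$`),                       // -l<lib> for LDFLAGS
	regexp.MustCompile(`^-L[^-][^ ]*$`),                        // -L<dir>
}

// checkCgoFlags returns an error naming the first flag that matches no
// allowlist pattern. Unknown flags fail closed; there is no deny list to
// bypass with a spelling the list did not anticipate.
func checkCgoFlags(flags []string) error {
	for _, f := range flags {
		ok := false
		for _, re := range allowedCgoFlags {
			if re.MatchString(f) {
				ok = true
				break
			}
		}
		if !ok {
			return fmt.Errorf("invalid cgo flag %q: not in allowlist", f)
		}
	}
	return nil
}

func main() {
	// Constructed sample #cgo CFLAGS: one ordinary set, one carrying a plugin flag.
	ordinary := []string{"-I/usr/include/foo", "-DUSE_FOO=1", "-O2", "-Wall"}
	withPlugin := []string{"-I/usr/include/foo", "-fplugin=./plugin.so"}
	fmt.Println(checkCgoFlags(ordinary))   // <nil>
	fmt.Println(checkCgoFlags(withPlugin)) // invalid cgo flag "-fplugin=./plugin.so": not in allowlist
}
```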
Comment 1 William Hubbs gentoo-dev 2018-02-13 18:06:34 UTC
dev-lang/go-1.9.4 is in the tree and stable on amd64.
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2018-02-13 18:20:35 UTC
@ Arches,

please test and mark stable: =dev-lang/go-1.9.4
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2018-02-14 12:59:37 UTC
x86 stable
Comment 4 Markus Meier gentoo-dev 2018-03-06 19:38:34 UTC
arm stable, all arches done.
Comment 5 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2018-03-06 19:44:27 UTC
Thank you all, GLSA Request filed.

@Maintainer please proceed to clean up the tree.
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2018-03-07 18:50:06 UTC
@ Maintainer(s): Please clean up and drop <dev-lang/go-1.9.4!
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2018-03-07 19:11:08 UTC
This issue was resolved and addressed in
GLSA 201803-03 at https://security.gentoo.org/glsa/201803-03
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 8 Thomas Deutschmann (RETIRED) gentoo-dev 2018-03-07 19:11:39 UTC
Re-opening for pending cleanup.
Comment 9 Markus Meier gentoo-dev 2018-03-13 17:52:43 UTC
arm stable, all arches done.
Comment 10 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2018-03-13 18:07:43 UTC
@Maintainer proceed to remove vulnerable versions.

Thank you
Comment 11 William Hubbs gentoo-dev 2018-03-31 19:14:47 UTC
All versions < 1.9.4 have been removed.