Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 650014 (CVE-2018-7187)

Summary: <dev-lang/go-1.10.1: Arbitrary code execution via "go get"
Product: Gentoo Security Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: williamh
Priority: Normal Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
See Also: https://github.com/golang/go/issues/23867
Whiteboard: B2 [glsa+ cve]
Package list:
dev-lang/go-1.10.1
 Runtime testing required: ---

Description GLSAMaker/CVETool Bot gentoo-dev 2018-03-09 15:33:20 UTC 
CVE-2018-7187 (https://nvd.nist.gov/vuln/detail/CVE-2018-7187):
  The "go get" implementation in Go 1.9.4, when the -insecure command-line
  option is used, does not validate the import path (get/vcs.go only checks
  for "://" anywhere in the string), which allows remote attackers to execute
  arbitrary OS commands via a crafted web site.
Comment 1 William Hubbs gentoo-dev 2018-03-31 18:21:53 UTC 
This is fixed in go-1.10.1.
Arm team, please stabilize.
I have stabilized on amd64 and x86.
Comment 2 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2018-03-31 21:36:06 UTC 
@arm please test and mark stable.
Comment 3 William Hubbs gentoo-dev 2018-04-07 23:45:28 UTC 
@arm team, what is the status of getting this stable?
Comment 4 Markus Meier gentoo-dev 2018-04-14 11:48:16 UTC 
arm stable, all arches done.
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2018-04-14 16:22:56 UTC 
GLSA request filed

@maintainer, please drop the vulnerable versions.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2018-04-15 23:26:05 UTC 
This issue was resolved and addressed in
 GLSA 201804-12 at https://security.gentoo.org/glsa/201804-12
by GLSA coordinator Aaron Bauman (b-man).
Comment 7 Aaron Bauman (RETIRED) gentoo-dev 2018-04-15 23:27:10 UTC 
re-opened for cleanup
Comment 8 William Hubbs gentoo-dev 2018-04-17 16:27:38 UTC 
Vulnerable versions are removed.

Thanks,

William
Comment 9 Aaron Bauman (RETIRED) gentoo-dev 2018-04-17 17:10:09 UTC 
(In reply to William Hubbs from comment #8)
> Vulnerable versions are removed.
> 
> Thanks,
> 
> William

Thanks, William!