Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 650014 (CVE-2018-7187)

Summary: <dev-lang/go-1.10.1: Arbitrary code execution via "go get"
Product: Gentoo Security Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: normal CC: williamh
Priority: Normal Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
See Also:
Whiteboard: B2 [glsa+ cve]
Package list:
Runtime testing required: ---

Description GLSAMaker/CVETool Bot gentoo-dev 2018-03-09 15:33:20 UTC
CVE-2018-7187 (
  The "go get" implementation in Go 1.9.4, when the -insecure command-line
  option is used, does not validate the import path (get/vcs.go only checks
  for "://" anywhere in the string), which allows remote attackers to execute
  arbitrary OS commands via a crafted web site.
Comment 1 William Hubbs gentoo-dev 2018-03-31 18:21:53 UTC
This is fixed in go-1.10.1.
Arm team, please stabilize.
I have stabilized on amd64 and x86.
Comment 2 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2018-03-31 21:36:06 UTC
@arm please test and mark stable.
Comment 3 William Hubbs gentoo-dev 2018-04-07 23:45:28 UTC
@arm team, what is the status of getting this stable?
Comment 4 Markus Meier gentoo-dev 2018-04-14 11:48:16 UTC
arm stable, all arches done.
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2018-04-14 16:22:56 UTC
GLSA request filed

@maintainer, please drop the vulnerable versions.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2018-04-15 23:26:05 UTC
This issue was resolved and addressed in
 GLSA 201804-12 at
by GLSA coordinator Aaron Bauman (b-man).
Comment 7 Aaron Bauman (RETIRED) gentoo-dev 2018-04-15 23:27:10 UTC
re-opened for cleanup
Comment 8 William Hubbs gentoo-dev 2018-04-17 16:27:38 UTC
Vulnerable versions are removed.


Comment 9 Aaron Bauman (RETIRED) gentoo-dev 2018-04-17 17:10:09 UTC
(In reply to William Hubbs from comment #8)
> Vulnerable versions are removed.
> Thanks,
> William

Thanks, William!