Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 650014 (CVE-2018-7187) - <dev-lang/go-1.10.1: Arbitrary code execution via "go get"
Summary: <dev-lang/go-1.10.1: Arbitrary code execution via "go get"
Status: RESOLVED FIXED
Alias: CVE-2018-7187
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2018-03-09 15:33 UTC by GLSAMaker/CVETool Bot
Modified: 2018-04-17 17:10 UTC (History)
1 user (show)

See Also:
Package list:
dev-lang/go-1.10.1
Runtime testing required: ---
stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2018-03-09 15:33:20 UTC 
CVE-2018-7187 (https://nvd.nist.gov/vuln/detail/CVE-2018-7187):
  The "go get" implementation in Go 1.9.4, when the -insecure command-line
  option is used, does not validate the import path (get/vcs.go only checks
  for "://" anywhere in the string), which allows remote attackers to execute
  arbitrary OS commands via a crafted web site.
Comment 1 William Hubbs gentoo-dev 2018-03-31 18:21:53 UTC 
This is fixed in go-1.10.1.
Arm team, please stabilize.
I have stabilized on amd64 and x86.
Comment 2 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2018-03-31 21:36:06 UTC 
@arm please test and mark stable.
Comment 3 William Hubbs gentoo-dev 2018-04-07 23:45:28 UTC 
@arm team, what is the status of getting this stable?
Comment 4 Markus Meier gentoo-dev 2018-04-14 11:48:16 UTC 
arm stable, all arches done.
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2018-04-14 16:22:56 UTC 
GLSA request filed

@maintainer, please drop the vulnerable versions.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2018-04-15 23:26:05 UTC 
This issue was resolved and addressed in
 GLSA 201804-12 at https://security.gentoo.org/glsa/201804-12
by GLSA coordinator Aaron Bauman (b-man).
Comment 7 Aaron Bauman (RETIRED) gentoo-dev 2018-04-15 23:27:10 UTC 
re-opened for cleanup
Comment 8 William Hubbs gentoo-dev 2018-04-17 16:27:38 UTC 
Vulnerable versions are removed.

Thanks,

William
Comment 9 Aaron Bauman (RETIRED) gentoo-dev 2018-04-17 17:10:09 UTC 
(In reply to William Hubbs from comment #8)
> Vulnerable versions are removed.
> 
> Thanks,
> 
> William

Thanks, William!