Bug 647250 (CVE-2018-6574) - <dev-lang/go-1.9.4: arbitrary code execution during go get (CVE-2018-6574)
Summary: <dev-lang/go-1.9.4: arbitrary code execution during go get (CVE-2018-6574)
Status: RESOLVED FIXED
Alias: CVE-2018-6574
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://github.com/golang/go/issues/2...
Whiteboard: B2 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2018-02-10 20:31 UTC by GLSAMaker/CVETool Bot
Modified: 2018-03-31 21:42 UTC (History)

See Also:
Package list:
dev-lang/go-1.9.4
Runtime testing required: ---
stable-bot: sanity-check+


Description GLSAMaker/CVETool Bot gentoo-dev 2018-02-10 20:31:54 UTC
CVE-2018-6574 (https://nvd.nist.gov/vuln/detail/CVE-2018-6574):
  Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases before Go
  1.10rc2 allow "go get" remote command execution during source code build, by
  leveraging the gcc or clang plugin feature, because -fplugin= and -plugin=
  arguments were not blocked.
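The description above boils down to an input-validation failure: compiler flags taken from untrusted source (cgo directives fetched by "go get") reached gcc/clang, and the plugin-loading flags let the build step execute arbitrary code. The illustrative Go function below shows the defensive pattern that closes this class of bug: an allowlist of known-safe flag shapes, with an explicit reject of plugin-loading flags as defence in depth. This is an added example written for this bug page; it is not the Go toolchain's own code nor part of the Gentoo fix, and the allowlist contents are a constructed, deliberately narrow sketch.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed allowlist: flag prefixes a build tool is willing to forward
// to the C compiler from untrusted cgo directives. Deliberately narrow:
// there is no bare "-f" entry, so "-fplugin=..." never matches it.
var allowedCgoFlagPrefixes = []string{
	"-D", "-U", "-I", "-O", "-std=",
	"-fPIC", "-fpic", "-fno-omit-frame-pointer",
}

// Flags that load code into the compiler or linker process. Rejected before
// the allowlist is consulted so that a later, looser allowlist entry can
// never let them through (the two flags named in CVE-2018-6574 are here).
var deniedCgoFlagPrefixes = []string{
	"-fplugin=", "-fplugin-arg-", "-plugin=", "-plugin-opt=",
}

// CheckCgoFlags validates a list of compiler flags. It returns nil when
// every flag is acceptable, otherwise an error naming the first flag that
// was rejected and why.
func CheckCgoFlags(flags []string) error {
	for _, f := range flags {
		for _, bad := range deniedCgoFlagPrefixes {
			if strings.HasPrefix(f, bad) {
				return fmt.Errorf("cgo flag %q rejected: compiler plugin loading is not permitted", f)
			}
		}
		allowed := false
		for _, ok := range allowedCgoFlagPrefixes {
			if strings.HasPrefix(f, ok) {
				allowed = true
				break
			}
		}
		if !allowed {
			return fmt.Errorf("cgo flag %q rejected: not on the allowlist", f)
		}
	}
	return nil
}

func main() {
	// Constructed sample inputs: what a benign package and what a package
	// carrying the vulnerable pattern might declare in their cgo directives.
	benign := []string{"-I/usr/include", "-DFOO=1", "-O2", "-fPIC"}
	hostile := []string{"-I/usr/include", "-fplugin=./evil_plugin.so"}

	for _, set := range [][]string{benign, hostile} {
		if err := CheckCgoFlags(set); err != nil {
			fmt.Println("REJECT:", err)
		} else {
			fmt.Println("ACCEPT:", set)
		}
	}
}
```

Running the block accepts the benign set and rejects the second set at the plugin flag. The design point is that the allowlist is what actually protects you; the deny list exists only so that a future allowlist widening (say, adding a bare "-f" prefix) cannot silently reintroduce the flaw.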
Comment 1 William Hubbs gentoo-dev 2018-02-13 18:06:34 UTC
dev-lang/go-1.9.4 is in the tree and stable on amd64.
Comment 2 Thomas Deutschmann gentoo-dev Security 2018-02-13 18:20:35 UTC
@ Arches,

please test and mark stable: =dev-lang/go-1.9.4
Comment 3 Thomas Deutschmann gentoo-dev Security 2018-02-14 12:59:37 UTC
x86 stable
Comment 4 Markus Meier gentoo-dev 2018-03-06 19:38:34 UTC
arm stable, all arches done.
Comment 5 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2018-03-06 19:44:27 UTC
Thank you all, GLSA Request filed.

@Maintainer please proceed to clean up the tree.
Comment 6 Thomas Deutschmann gentoo-dev Security 2018-03-07 18:50:06 UTC
@ Maintainer(s): Please clean up and drop <dev-lang/go-1.9.4!
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2018-03-07 19:11:08 UTC
This issue was resolved and addressed in
 GLSA 201803-03 at https://security.gentoo.org/glsa/201803-03
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 8 Thomas Deutschmann gentoo-dev Security 2018-03-07 19:11:39 UTC
Re-opening for pending cleanup.
Comment 9 Markus Meier gentoo-dev 2018-03-13 17:52:43 UTC
arm stable, all arches done.
Comment 10 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2018-03-13 18:07:43 UTC
@Maintainer proceed to remove vulnerable versions.

Thank you
Comment 11 William Hubbs gentoo-dev 2018-03-31 19:14:47 UTC
All versions < 1.9.4 have been removed.