[3.7] go: arbitrary code execution during go get (CVE-2018-6574)
Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases before
Go 1.10rc2 allow remote command execution during "go get": the go tool
passed the arguments in a fetched package's #cgo CFLAGS/LDFLAGS directives
to gcc or clang unchecked, and because the -fplugin= and -plugin= arguments
were not blocked, a malicious package could make the C compiler load an
attacker-supplied shared object (a compiler plugin) that runs as soon as
the package's cgo sources are built, which "go get" does by default.
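The check below is an added illustration, not code from the Go project or from the Alpine package: it parses the "// #cgo ..." directive lines of a Go source file and rejects the two argument spellings the advisory names. The function names (ScanCgoDirectives, CheckCgoFlags), the two sample sources and the ./evil.so path are constructed for the example; nothing is compiled or executed, the text is only scanned.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Constructed sample of the kind of cgo preamble the advisory describes.
// ./evil.so is a placeholder for illustration, not a real plugin.
const vulnerableSource = `package hostile

// #cgo CFLAGS: -I/usr/include -fplugin=./evil.so
// #cgo LDFLAGS: -plugin=./evil.so
// #include <stdio.h>
import "C"
`

// Constructed sample with ordinary, harmless cgo flags.
const benignSource = `package fine

// #cgo CFLAGS: -O2 -Wall
// #cgo LDFLAGS: -lm
// #include <math.h>
import "C"
`

// Finding is one rejected #cgo argument and the source line it came from.
type Finding struct {
	Line int
	Flag string
}

// blockedPrefixes are the two argument spellings named in the advisory. A
// deny-list like this catches only what it lists; an allow-list of known
// safe flags is the more robust design for a real build tool.
var blockedPrefixes = []string{"-fplugin=", "-plugin="}

// ScanCgoDirectives parses the "// #cgo ..." directive lines of a Go source
// file and returns every argument that would load a compiler plugin.
// Block-comment (/* */) preambles are not handled in this example.
func ScanCgoDirectives(src string) []Finding {
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(src))
	lineNo := 0
	for sc.Scan() {
		lineNo++
		line := strings.TrimSpace(sc.Text())
		if !strings.HasPrefix(line, "//") {
			continue
		}
		body := strings.TrimSpace(strings.TrimPrefix(line, "//"))
		if !strings.HasPrefix(body, "#cgo") {
			continue
		}
		// Directive shape: #cgo [GOOS/GOARCH ...] VARIABLE: arguments
		colon := strings.Index(body, ":")
		if colon < 0 {
			continue
		}
		for _, arg := range strings.Fields(body[colon+1:]) {
			for _, p := range blockedPrefixes {
				if strings.HasPrefix(arg, p) {
					out = append(out, Finding{Line: lineNo, Flag: arg})
				}
			}
		}
	}
	return out
}

// CheckCgoFlags is the policy a build tool would apply before invoking the
// C compiler: refuse the package outright if any plugin flag is present.
func CheckCgoFlags(src string) error {
	if f := ScanCgoDirectives(src); len(f) > 0 {
		return fmt.Errorf("invalid flag in #cgo directive (line %d): %s", f[0].Line, f[0].Flag)
	}
	return nil
}

func main() {
	samples := map[string]string{"hostile": vulnerableSource, "fine": benignSource}
	for name, src := range samples {
		if err := CheckCgoFlags(src); err != nil {
			fmt.Printf("%s: rejected: %v\n", name, err)
		} else {
			fmt.Printf("%s: ok\n", name)
		}
	}
}
```

Run it as a normal Go program; the hostile sample is rejected on its first plugin flag and the benign one passes. The match is on argument prefix, so -fplugin=/path and -plugin=/path are both caught wherever they appear in a CFLAGS or LDFLAGS directive.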
References:
https://github.com/golang/go/issues/23672
https://nvd.nist.gov/vuln/detail/CVE-2018-6574
Patches:
https://go.googlesource.com/go/+/44821583bc16ff2508664fab94360bb856e9e9d6
https://go.googlesource.com/go/+/867fb18b6d5bc73266b68c9a695558a04e060a8a
(from redmine: issue id 8539, created on 2018-02-22, closed on 2018-02-23)
- Changesets:
- Revision 484ebc3a by Natanael Copa on 2018-02-22T22:15:45Z:
community/go: security upgrade to 1.9.4 (CVE-2018-6574)
fixes #8539