ASA-201802-2] go: arbitrary code execution
Jelle van der Waa
jelle at archlinux.org
Fri Feb 9 21:36:44 UTC 2018
Arch Linux Security Advisory ASA-201802-2
Date : 2018-02-09
CVE-ID : CVE-2018-6574
Package : go
Type : arbitrary code execution
Remote : Yes
Link : https://security.archlinux.org/AVG-606
The package go before version 1.9.4-1 is vulnerable to arbitrary code
Upgrade to 1.9.4-1.
# pacman -Syu "go>=1.9.4-1"
The problem has been fixed upstream in version 1.9.4.
Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases before
Go 1.10rc2 allow "go get" remote command execution during source code
build, by leveraging the gcc or clang plugin feature, because -fplugin=
and -plugin= arguments were not blocked.
A remote attacker is able to trick the “go get” command into executing
arbitrary code by passing a maliciously-crafted flag to the gcc or
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 488 bytes
Desc: not available
More information about the arch-security