ASA-201802-2] go: arbitrary code execution
Jelle van der Waa
jelle at archlinux.org
Fri Feb 9 21:36:44 UTC 2018
Arch Linux Security Advisory ASA-201802-2
=========================================
Severity: High
Date : 2018-02-09
CVE-ID : CVE-2018-6574
Package : go
Type : arbitrary code execution
Remote : Yes
Link : https://security.archlinux.org/AVG-606
Summary
=======
The package go before version 1.9.4-1 is vulnerable to arbitrary code
execution.
Resolution
==========
Upgrade to 1.9.4-1.
# pacman -Syu "go>=1.9.4-1"
The problem has been fixed upstream in version 1.9.4.
Workaround
==========
None.
Description
===========
Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases before
Go 1.10rc2 allow "go get" remote command execution during source code
build, by leveraging the gcc or clang plugin feature, because -fplugin=
and -plugin= arguments were not blocked.
Impact
======
A remote attacker is able to trick the “go get” command into executing
arbitrary code by passing a maliciously-crafted flag to the gcc or
clang backends.
References
==========
https://github.com/golang/go/issues/23672
https://go.googlesource.com/go/+/867fb18b6d5bc73266b68c9a695558a04e060a8a
https://groups.google.com/forum/m/#!msg/golang-nuts/Gbhh1NxAjMU/dfW69X50AgAJ
https://security.archlinux.org/CVE-2018-6574
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: not available
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20180209/90fd765d/attachment.asc>
More information about the arch-security
mailing list