Go: User-assisted execution of arbitrary code — GLSA 201803-03

A vulnerability in Go might allow remote attackers to execute arbitrary commands during source code build.

Affected Packages

dev-lang/go on all architectures
Affected versions < 1.9.4
Unaffected versions >= 1.9.4

Background

Go is an open source programming language that makes it easy to build simple, reliable, and efficient software.

Description

A command injection flaw was discovered in the source code build phase because of the “go get” command, which does not block -fplugin= and -plugin arguments.

Impact

A remote attacker could entice a user to process a repository containing maliciously-crafted build instructions using “go get”, resulting in the execution of arbitrary code with the privileges of the process.

Workaround

There is no known workaround at this time.

Resolution

All Go users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-lang/go-1.9.4"
 

References

Release Date
March 07, 2018

Latest Revision
March 07, 2018: 1

Severity
high

Exploitable
remote

Bugzilla entries