ASA-201802-3 generated external raw

[ASA-201802-3] go-pie: arbitrary code execution
Arch Linux Security Advisory ASA-201802-3 ========================================= Severity: High Date : 2018-02-09 CVE-ID : CVE-2018-6574 Package : go-pie Type : arbitrary code execution Remote : Yes Link : Summary ======= The package go-pie before version 1.9.4-1 is vulnerable to arbitrary code execution. Resolution ========== Upgrade to 1.9.4-1. # pacman -Syu "go-pie>=1.9.4-1" The problem has been fixed upstream in version 1.9.4. Workaround ========== None. Description =========== Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases before Go 1.10rc2 allow "go get" remote command execution during source code build, by leveraging the gcc or clang plugin feature, because -fplugin= and -plugin= arguments were not blocked. Impact ====== A remote attacker is able to trick the “go get” command into executing arbitrary code by passing a maliciously-crafted flag to the gcc or clang backends. References ==========!msg/golang-nuts/Gbhh1NxAjMU/dfW69X50AgAJ