Subject: [ASA-201802-3] go-pie: arbitrary code execution Arch Linux Security Advisory ASA-201802-3 ========================================= Severity: High Date : 2018-02-09 CVE-ID : CVE-2018-6574 Package : go-pie Type : arbitrary code execution Remote : Yes Link : https://security.archlinux.org/AVG-606 Summary ======= The package go-pie before version 1.9.4-1 is vulnerable to arbitrary code execution. Resolution ========== Upgrade to 1.9.4-1. # pacman -Syu "go-pie>=1.9.4-1" The problem has been fixed upstream in version 1.9.4. Workaround ========== None. Description =========== Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases before Go 1.10rc2 allow "go get" remote command execution during source code build, by leveraging the gcc or clang plugin feature, because -fplugin= and -plugin= arguments were not blocked. Impact ====== A remote attacker is able to trick the “go get” command into executing arbitrary code by passing a maliciously-crafted flag to the gcc or clang backends. References ========== https://github.com/golang/go/issues/23672 https://go.googlesource.com/go/+/867fb18b6d5bc73266b68c9a695558a04e060a8a https://groups.google.com/forum/m/#!msg/golang-nuts/Gbhh1NxAjMU/dfW69X50AgAJ https://security.archlinux.org/CVE-2018-6574