CVE-2018-6574 log

Source	CVE Red Hat MITRE NVD Debian Ubuntu SUSE Alpine Mageia CVE Details CIRCL Bugs Arch Linux Red Hat Gentoo SUSE GitHub Lists oss-security full-disclosure bugtraq Misc GitHub code web search
Severity	High
Remote	Yes
Type	Arbitrary code execution
Description	Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases before Go 1.10rc2 allow "go get" remote command execution during source code build, by leveraging the gcc or clang plugin feature, because -fplugin= and -plugin= arguments were not blocked.

Group	Package	Affected	Fixed	Severity	Status	Ticket
AVG-606	go, go-pie	1.9.3-1	1.9.4-1	High	Fixed

Date	Advisory	Group	Package	Severity	Type
09 Feb 2018	ASA-201802-3	AVG-606	go-pie	High	arbitrary code execution
09 Feb 2018	ASA-201802-2	AVG-606	go	High	arbitrary code execution

References
https://github.com/golang/go/issues/23672 https://go.googlesource.com/go/+/867fb18b6d5bc73266b68c9a695558a04e060a8a https://groups.google.com/forum/m/#!msg/golang-nuts/Gbhh1NxAjMU/dfW69X50AgAJ