Go 1.8.7, 1.9.4, 1.10rc2 がリリースされた。脆弱性 CVE-2018-6574 の修正を含む。
When cgo is enabled, the build step during “go get” invokes the host C compiler, gcc or clang, adding compiler flags specified in the Go source files. Both gcc and clang support a plugin mechanism in which a shared-library plugin is loaded into the compiler, as directed by compiler flags. This means that a Go package repository can contain an attack.so file along with a Go source file that says (for example)
// #cgo CFLAGS: -fplugin=attack.so, causing the attack plugin to be loaded into the host C compiler during the build. Gcc and clang plugins are completely unrestricted in their access to the host system.
The fix changes “go build” (used during “go get” and “go install”) to limit the flags that can appear in Go source file
#cgodirectives to a list of allowed compiler flags;
-fplugin=and other variants are not on the allowed list. The same restrictions are applied to compiler flags obtained from pkg-config. Flags obtained from the environment variables
$CGO_CFLAGSand so on are not restricted, since those variables can only be set by the user running the build. To change the set of allowed compiler flags, new environment variables
$CGO_CFLAGS_DISALLOWcan set to regular expressions matching additional allowed and disallowed flags.
影響度（CVSS）に関する情報は見当たらない。そのうち Red Hat あたりで出るかな。