Go 1.8.7, 1.9.4, 1.10rc2 がリリース(セキュリティ・アップデート)


Go 1.8.7, 1.9.4, 1.10rc2 がリリースされた。脆弱性 CVE-2018-6574 の修正を含む。

cgo 周りのインシデントのようだ。

When cgo is enabled, the build step during “go get” invokes the host C compiler, gcc or clang, adding compiler flags specified in the Go source files. Both gcc and clang support a plugin mechanism in which a shared-library plugin is loaded into the compiler, as directed by compiler flags. This means that a Go package repository can contain an attack.so file along with a Go source file that says (for example) // #cgo CFLAGS: -fplugin=attack.so, causing the attack plugin to be loaded into the host C compiler during the build. Gcc and clang plugins are completely unrestricted in their access to the host system.


The fix changes “go build” (used during “go get” and “go install”) to limit the flags that can appear in Go source file #cgo directives to a list of allowed compiler flags; -fplugin= and other variants are not on the allowed list. The same restrictions are applied to compiler flags obtained from pkg-config. Flags obtained from the environment variables $CGO_CFLAGS and so on are not restricted, since those variables can only be set by the user running the build. To change the set of allowed compiler flags, new environment variables $CGO_CFLAGS_ALLOW and $CGO_CFLAGS_DISALLOW can set to regular expressions matching additional allowed and disallowed flags.

影響度(CVSS)に関する情報は見当たらない。そのうち Red Hat あたりで出るかな。