cmd/go: arbitrary code execution during “go get” or “go get -d” [Go 1.9] #22131

Closed
rsc opened this Issue Oct 4, 2017 · 5 comments

Comments

Projects
None yet
3 participants
@rsc
Contributor

rsc commented Oct 4, 2017

See #22125 for details.

Fixed in Go 1.9.1 by CL 68022 (bc907974a35a).

@rsc rsc added this to the Go1.9.1 milestone Oct 4, 2017

@rsc rsc changed the title from placeholder for security issue to cmd/go: arbitrary code execution during “go get” or “go get -d” [Go 1.9] Oct 4, 2017

@rsc rsc closed this Oct 4, 2017

@leonklingele leonklingele referenced this issue in Homebrew/homebrew-core Oct 4, 2017

Closed

go 1.9.1 #19000

4 of 4 tasks complete
@shurcooL

This comment has been minimized.

Show comment
Hide comment
@shurcooL

shurcooL Oct 5, 2017

Member

Fixed in Go 1.9.1 by CL 68022 (bc907974a35a).

Can you please clarify what commit that is? I'm not able to find "bc907974a35a".

Member

shurcooL commented Oct 5, 2017

Fixed in Go 1.9.1 by CL 68022 (bc907974a35a).

Can you please clarify what commit that is? I'm not able to find "bc907974a35a".

@ianlancetaylor

This comment has been minimized.

Show comment
Hide comment
@ianlancetaylor

ianlancetaylor Oct 5, 2017

Contributor

@shurcooL Doesn't the CL link work for you? https://golang.org/cl/68022.

Contributor

ianlancetaylor commented Oct 5, 2017

@shurcooL Doesn't the CL link work for you? https://golang.org/cl/68022.

@shurcooL

This comment has been minimized.

Show comment
Hide comment
@shurcooL

shurcooL Oct 5, 2017

Member

Yes it does, but it says it was merged as a different commit, a39bcec. That's why I am puzzled about what "bc907974a35a" is.

Member

shurcooL commented Oct 5, 2017

Yes it does, but it says it was merged as a different commit, a39bcec. That's why I am puzzled about what "bc907974a35a" is.

@ianlancetaylor

This comment has been minimized.

Show comment
Hide comment
@ianlancetaylor

ianlancetaylor Oct 5, 2017

Contributor

Ah. Perhaps a typo.

The change was committed three times that I know of, to different branches:

Contributor

ianlancetaylor commented Oct 5, 2017

Ah. Perhaps a typo.

The change was committed three times that I know of, to different branches:

@shurcooL

This comment has been minimized.

Show comment
Hide comment
@shurcooL

shurcooL Oct 5, 2017

Member

Ah. Perhaps a typo.

I see. Thank you for clarifying.

Member

shurcooL commented Oct 5, 2017

Ah. Perhaps a typo.

I see. Thank you for clarifying.

@ericwestfall ericwestfall referenced this issue in elsevier-core-engineering/replicator Oct 5, 2017

Closed

Update Build To Track Latest 1.9 Release #229

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment