cmd/go: arbitrary code execution during “go get” or “go get -d” [Go 1.9] #22131

rsc · 2017-10-04T15:44:04Z

See #22125 for details.

Fixed in Go 1.9.1 by CL 68022 (bc907974a35a).

dmitshur · 2017-10-05T00:21:56Z

Fixed in Go 1.9.1 by CL 68022 (bc907974a35a).

Can you please clarify what commit that is? I'm not able to find "bc907974a35a".

ianlancetaylor · 2017-10-05T00:30:54Z

dmitshur · 2017-10-05T00:33:31Z

Yes it does, but it says it was merged as a different commit, a39bcec. That's why I am puzzled about what "bc907974a35a" is.

ianlancetaylor · 2017-10-05T00:40:38Z

Ah. Perhaps a typo.

The change was committed three times that I know of, to different branches:

dmitshur · 2017-10-05T00:43:46Z

Ah. Perhaps a typo.

I see. Thank you for clarifying.

rsc added this to the Go1.9.1 milestone Oct 4, 2017

rsc changed the title ~~placeholder for security issue~~ cmd/go: arbitrary code execution during “go get” or “go get -d” [Go 1.9] Oct 4, 2017

rsc closed this as completed Oct 4, 2017

leonklingele mentioned this issue Oct 4, 2017

go 1.9.1 Homebrew/homebrew-core#19000

Closed

4 tasks

golang locked and limited conversation to collaborators Oct 5, 2018

gopherbot added the FrozenDueToAge label Oct 5, 2018

dvyukov added the Security label May 15, 2019

dmitshur added the CherryPickApproved Used during the release process for point releases label Dec 5, 2019

Provide feedback