| Summary: | golang new security issue CVE-2018-6574 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | bruno, davidwhodgins, smelror, sysadmin-bugs, tarazed25 |
| Version: | 6 | Keywords: | advisory, has_procedure, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA6-64-OK | | |
| Source RPM: | golang-1.9.1-1.mga6.src.rpm | CVE: | |
| Status comment: | Fixed upstream in 1.9.4 | | |

Description
David Walser 2018-02-24 17:20:55 CET

David Walser 2018-02-24 17:21:23 CET

CC: (none) => smelror

Updated packages uploaded by Bruno.

Advisory:
========================

Updated golang packages fix security vulnerabilities:

Go before 1.9.4 allows "go get" remote command execution during source code build, by leveraging the gcc or clang plugin feature, because -fplugin= and -plugin= arguments were not blocked (CVE-2018-6574).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6574
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/C4TOPVSIULS5EMGKZ6OHC6LNDR7QA7W3/
========================

Updated packages in core/updates_testing:
========================
golang-1.9.4-3.mga6
golang-docs-1.9.4-3.mga6
golang-misc-1.9.4-3.mga6
golang-tests-1.9.4-3.mga6
golang-src-1.9.4-3.mga6
golang-bin-1.9.4-3.mga6
golang-shared-1.9.4-3.mga6

from golang-1.9.4-3.mga6.src.rpm

Version: Cauldron => 6

As usual, you can build the docker package to test this.

Keywords: (none) => has_procedure

This is becoming a regular customer. Testing this on Mageia 6 :: x86_64 and referring back to bugs #21103 and #21857. Not attempting to follow up the security problem but going straight for the update.
```
[lcl@vega golang]$ mgarepo co -d 6 docker
$ bm -ls
creating package list
processing package docker-%{dist_version}-%mkrel 4
building source package
Wrote: /home/lcl/qa/golang/docker/SRPMS/docker-17.03.1-4.mga6.src.rpm
succeeded!
$ bm -l
creating package list
processing package docker-%{dist_version}-%mkrel 4
building source and binary packages
error: Failed build dependencies:
	btrfs-devel is needed by docker-17.03.1-4.mga6.x86_64
	device-mapper-devel is needed by docker-17.03.1-4.mga6.x86_64
	go-md2man is needed by docker-17.03.1-4.mga6.x86_64
	golang-net-devel is needed by docker-17.03.1-4.mga6.x86_64
	libsqlite3-devel is needed by docker-17.03.1-4.mga6.x86_64
error: failed!
```

Installed missing docker dependencies including:

```
$MIRRORLIST: media/core/release/go-md2man-1.0.2-4.mga6.x86_64.rpm
$MIRRORLIST: media/core/release/golang-net-devel-0.1.git84a4013f96e0-8.mga6.x86_64.rpm
$ bm -l
........................
+ /usr/bin/rm -rf /home/lcl/qa/golang/docker/BUILDROOT/docker-17.03.1-4.mga6.x86_64
+ exit 0
succeeded!
```
Are those versions of go-md2man and golang-net-devel likely to be a problem?
Shall run the mickey-mouse program after tea.

CC: (none) => tarazed25

Testing go compilation on a HelloWorld program using the recommended file structure for user files.
```
$ cat hello.go
```

```go
package main

import "fmt"
import "stringutil" // local package kept at $GOPATH/src/stringutil/reverse.go (see the tree below)

func main() {
	fmt.Printf("Good morning QA\n")
	// the reversed text is data, not a format string, so print it with Print rather than Printf
	fmt.Print(stringutil.Reverse("\nGood morning QA!"))
}
```
```
$ export GOPATH=/home/$USER/go/
$ cd
$ cd $GOPATH/src/
$ go run hello.go
Good morning QA
!AQ gninrom dooG
$ go build hello.go
$ mv hello ../bin/
$ ../bin/hello
Good morning QA
!AQ gninrom dooG
```
```
$ tree
.
├── bin
│   └── hello
└── src
    ├── hello_1.go
    ├── hello.go
    └── stringutil
        └── reverse.go
```
Good for x86_64.

Not sure if docker can be built for 32-bit systems but it may be important to test golang on i586. This simple program could be used. Comments?

Whiteboard: (none) => MGA6-64-OK

(In reply to Len Lawrence from comment #4)
> Not sure if docker can be built for 32-bit systems but it may be important
> to test golang on i586. This simple program could be used. Comments?

One arch testing is ok for golang, as it's not critical like kernels etc.
For docker, like other virtual machine systems, only x86_64 should be tested.

CC: (none) => davidwhodgins

Thanks Dave. Validating this.

Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2018-0144.html

Resolution: (none) => FIXED
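The advisory quoted in this bug says "go get" could run commands on the building machine because -fplugin= and -plugin= arguments in cgo directives were not blocked before Go 1.9.4. As an added example (not from this bug report, the Mageia package or Go upstream), the Go program below scans a source file's cgo directives for those two argument prefixes, the kind of check a reviewer can run over fetched dependencies when a toolchain older than 1.9.4 is still in use; the sample dependency source and its plugin paths are constructed placeholders.

```go
package main
import (
	"bufio"
	"regexp"
	"strings"
)

// One cgo directive, either `// #cgo CFLAGS: ...` or `#cgo linux LDFLAGS: ...` inside a
// /* */ preamble. Group 1 is the flag kind, group 2 the arguments go get hands to gcc/clang.
var cgoDirective = regexp.MustCompile(
	`^\s*(?://\s*)?#cgo\s+(?:[^:]*\s)?(CFLAGS|CPPFLAGS|CXXFLAGS|LDFLAGS)\s*:\s*(.*)$`)

// The two argument prefixes the CVE-2018-6574 advisory says Go before 1.9.4 did not block.
var pluginFlagPrefixes = []string{"-fplugin=", "-plugin="}

// Finding is one compiler- or linker-plugin argument found in a cgo directive (Line is 1-based).
type Finding struct{ Line int; Kind, Flag string }

// ScanCgoFlags returns every plugin-loading argument in the cgo directives of one Go source file.
func ScanCgoFlags(src string) []Finding {
	var found []Finding
	sc := bufio.NewScanner(strings.NewReader(src))
	for n := 1; sc.Scan(); n++ {
		m := cgoDirective.FindStringSubmatch(sc.Text())
		if m == nil {
			continue
		}
		for _, arg := range strings.Fields(m[2]) {
			for _, p := range pluginFlagPrefixes {
				if strings.HasPrefix(arg, p) {
					found = append(found, Finding{Line: n, Kind: m[1], Flag: arg})
				}
			}
		}
	}
	return found
}

// Constructed sample dependency whose cgo preamble carries plugin arguments (paths are placeholders).
const sampleSource = `package dep
// #cgo CFLAGS: -I/usr/include -fplugin=./placeholder_plugin.so
// #cgo LDFLAGS: -L/usr/lib -lfoo
/*
#cgo linux,amd64 LDFLAGS: -plugin=./placeholder_ld_plugin.so
#include <stdlib.h>
*/
import "C"
`
func main() {
	for _, f := range ScanCgoFlags(sampleSource) { println("line", f.Line, f.Kind, "carries", f.Flag) }
}
```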