Fedora has issued an advisory on March 20: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BZKVEAK5ZG3B4FJLZVMX3HIQ73RHC4VW/ The issue will be fixed upstream in 1.11. Mageia 6 is also affected.
Whiteboard: (none) => MGA6TOO
Fedora has issued an advisory for this on March 30: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FMNKGQPT5QQSRDYNGXR7657KUVSGFKHC/
Status comment: (none) => Patch available from Fedora
version 1.10.2 which has CVE fixes has now been pushed to cauldron
Status: NEW => ASSIGNED
version 1.9.4-4 submitted to updates_testing for Mageia 6 (addition of the Fedora patch to the build)
Assignee: bruno => qa-bugs
Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6
CC: (none) => tmb
Mageia 6, x86_64

Installed mercurial before updates and tried the reproducer at https://github.com/golang/go/issues/23867

$ go get -insecure khashaev.ru/go-vuln
# cd .; hg clone -U --config=hooks.pre-clone=echo${IFS}hello${IFS}$USER;echo${IFS}https://>/dev/null /home/lcl/go/src/khashaev.ru/go-vuln
hello lcl
abort: repository /home/lcl/go/src/khashaev.ru/go-vuln not found!
package khashaev.ru/go-vuln: exit status 255

This output resembles that posted on the link above.

Installed these packages:
golang-bin-1.9.4-4.mga6
golang-tests-1.9.4-4.mga6
golang-shared-1.9.4-4.mga6
golang-misc-1.9.4-4.mga6
golang-src-1.9.4-4.mga6
golang-docs-1.9.4-4.mga6
golang-1.9.4-4.mga6

Tried the reproducer again:

$ go get -insecure khashaev.ru/go-vuln
package khashaev.ru/go-vuln: unrecognized import path "khashaev.ru/go-vuln" (https://khashaev.ru/go-vuln?go-get=1: invalid repo root "--config=hooks.pre-clone=echo${IFS}hello${IFS}$USER;echo${IFS}https://>/dev/null": invalid scheme)

That is what is expected, I think, which confirms the fix.

Building docker is usually regarded as a good test of golang, but I no longer have access to SVN.

$ mgarepo co -d 6 docker
no such identity: /home/lcl/.ssh/mageia: No such file or directory
Permission denied (publickey).
svn: E170013: Unable to connect to a repository at URL 'svn+ssh://svn.mageia.org/svn/packages/updates/6/docker/current'
svn: E210002: To better debug SSH connection problems, remove the -q option from 'ssh' in the [tunnels] section of your Subversion configuration file.
svn: E210002: Network connection closed unexpectedly

No idea what any of that means. There is certainly no file called 'mageia' in .ssh. May have to skip the build and look for other ways to test.
CC: (none) => tarazed25
Back to Hello World! Set up the go directory structure in the user directory with a beginner's script and a downloaded utility package.

$ export GOPATH=/home/$USER/go/
$ cd
$ cd $GOPATH/src/
$ cat hello.go
package main

import "fmt"
import "stringutil"

func main() {
    fmt.Printf("Good morning QA\n")
    fmt.Printf(stringutil.Reverse("\nGood morning QA!"))
}
$ go run hello.go
Good morning QA
!AQ gninrom dooG

So far so good.
Copied the mageia* files from .ssh on a machine on which mgarepo had always worked before (belexeuli), but even so reading from SVN failed. Moved to belexeuli, installed the golang updates and tried again.

$ mgarepo co -d 6 docker
Warning: Permanently added 'svn.mageia.org,212.85.158.153' (ECDSA) to the list of known hosts.
Permission denied (publickey).
svn: E170013: Unable to connect to a repository at URL 'svn+ssh://svn.mageia.org/svn/packages/updates/6/docker/current'
svn: E210002: To better debug SSH connection problems, remove the -q option from 'ssh' in the [tunnels] section of your Subversion configuration file.
svn: E210002: Network connection closed unexpectedly

No idea what this tunnels business is about - certainly no mention of tunnelling in .ssh/config. I have never had a Subversion configuration file, but mgarepo used to work. ??
Len, I guess you didn't see my e-mail on the qa-discuss list. You're not a packager so svn+ssh won't work for you. You have to use svn. Check if you have a ~/.mgarepo/config file, and if not, copy one there from /etc/mgarepo.conf and uncomment the mirror line.
Sorry David, if I did see your email I might not have understood its implications. Many thanks anyway - the config file suggestion worked like a charm. There was no local .mgarepo - not a path trodden before, which makes me think that I must have had something like unearned packager rights before. I do remember that a sysadmin had to give me access without my having to do anything at my end.

mgarepo worked, 'bm -ls' also, but 'bm -l' revealed missing dependencies. Installed those and the build went to completion.

.....................
Wrote: /home/lcl/dev/docker/docker/RPMS/x86_64/docker-zsh-completion-17.03.1-4.mga6.x86_64.rpm
Executing(%clean): /bin/sh -e /home/lcl/dev/docker/docker/BUILDROOT/rpm-tmp.aJP4t4
+ umask 022
+ cd /home/lcl/dev/docker/docker/BUILD
+ cd moby-17.03.1-ce
+ /usr/bin/rm -rf /home/lcl/dev/docker/docker/BUILDROOT/docker-17.03.1-4.mga6.x86_64
+ exit 0
succeeded!

Looks like golang is in good shape.
Whiteboard: (none) => MGA6-64-OK
Advisory:
========================

Updated golang packages fix security vulnerability:

A flaw was found in Go Lang. The "go get" implementation in Go 1.9.4, when the -insecure command-line option is used, does not validate the import path (get/vcs.go only checks for "://" anywhere in the string), which allows remote attackers to execute arbitrary OS commands via a crafted web site (CVE-2018-7187).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7187
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BZKVEAK5ZG3B4FJLZVMX3HIQ73RHC4VW/
========================

Updated packages in core/updates_testing:
========================
golang-1.9.4-4.mga6
golang-docs-1.9.4-4.mga6
golang-misc-1.9.4-4.mga6
golang-tests-1.9.4-4.mga6
golang-src-1.9.4-4.mga6
golang-bin-1.9.4-4.mga6
golang-shared-1.9.4-4.mga6

from golang-1.9.4-4.mga6.src.rpm
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Keywords: (none) => advisory
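The advisory above reduces the flaw to one sentence: the unpatched get/vcs.go only asked whether "://" occurred anywhere in the repo root, so a string that merely embeds "https://" was handed to the VCS client as if it were a URL. The Go program below is an added illustration for this thread, not the cmd/go source or the Fedora patch. It places that weak test beside a stricter validator built on net/url, using the crafted repo root quoted in the reproducer output earlier in the thread as the input to reject. The allowed-scheme list and the leading-dash rule are assumptions of the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// CraftedRepoRoot is the repo root string quoted in the reproducer output
// earlier in this thread: a go-get=1 meta tag on a crafted site hands this
// to "hg clone", which reads it as command-line options, not a location.
const CraftedRepoRoot = "--config=hooks.pre-clone=echo${IFS}hello${IFS}$USER;echo${IFS}https://>/dev/null"

// containsSchemeSeparator is the weak test the advisory describes for the
// unpatched get/vcs.go: it only asks whether "://" occurs anywhere in the
// string, so a value that merely embeds "https://" passes.
func containsSchemeSeparator(repoRoot string) bool {
	return strings.Contains(repoRoot, "://")
}

// allowedSchemes is an assumption of this example, not a list taken from
// cmd/go: transports a repo root may legitimately use.
var allowedSchemes = map[string]bool{
	"https": true, "http": true, "git": true, "ssh": true, "git+ssh": true,
}

// validateRepoRoot is a stricter check in the spirit of the fix (illustrative,
// not the cmd/go code): the value must parse as an absolute URL whose scheme
// is a known transport and which names a host. A value starting with "-" is
// rejected outright, because a VCS client would treat it as an option.
func validateRepoRoot(repoRoot string) error {
	if strings.HasPrefix(repoRoot, "-") {
		return errors.New("repo root looks like a command-line option")
	}
	u, err := url.Parse(repoRoot)
	if err != nil {
		return fmt.Errorf("repo root is not a URL: %v", err)
	}
	if u.Scheme == "" {
		return errors.New("repo root has no scheme")
	}
	if !allowedSchemes[u.Scheme] {
		return fmt.Errorf("unsupported scheme %q", u.Scheme)
	}
	if u.Host == "" {
		return errors.New("repo root has no host")
	}
	return nil
}

func main() {
	// Constructed inputs: a normal repo root, the crafted one from the
	// reproducer, and a local file URL that names no host.
	for _, root := range []string{
		"https://github.com/golang/go",
		CraftedRepoRoot,
		"file:///tmp/repo",
	} {
		fmt.Printf("%q\n  weak check (contains \"://\"): %v\n", root, containsSchemeSeparator(root))
		if err := validateRepoRoot(root); err != nil {
			fmt.Printf("  strict check: rejected (%v)\n", err)
		} else {
			fmt.Println("  strict check: accepted")
		}
	}
}
```

The point of running both checks side by side is that the crafted value passes the substring test and fails every stage of the stricter one: it begins with a dash, and even without that rule net/url refuses to parse it as an absolute URL. Requiring a non-empty host also keeps schemes like file: out, which a -insecure fetch has no reason to accept.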
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0238.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
mga6, x86_64

Checked the CVEs and other links; nothing for QA to do.

Set up the go directory tree for the user at ~/go and defined GOPATH.

$ export GOPATH=/home/$USER/go/
$ tree go
go
├── bin
└── src
    ├── hello_1.go
    ├── hello.go
    └── stringutil
        └── reverse.go

Compiled hello.go and tested it. Checked out docker revision 1363318 from the mga6 repository.

Updated golang from updates-testing.
- golang-1.11.5-1.mga6.x86_64
- golang-bin-1.11.5-1.mga6.x86_64
- golang-docs-1.11.5-1.mga6.noarch
- golang-misc-1.11.5-1.mga6.noarch
- golang-shared-1.11.5-1.mga6.x86_64
- golang-src-1.11.5-1.mga6.noarch

From the go src directory:

$ go run hello.go
Good morning QA
!AQ gninrom dooG
$ go build hello.go
$ ls
hello* hello.go stringutil/
$ ./hello
Good morning QA
!AQ gninrom dooG

Basic compilation and running is fine.

Building docker has generally been recommended as a test of golang.

$ mgarepo co -d 6 docker
Using the svn mirror.
[...]
Checked out revision 1363406.
[...]
2019-02-05 15:19:21 (618 KB/s) - ‘docker/SOURCES/tini-fec3683.tar.gz’ saved [32156/32156]
$ cd docker
$ bm -ls
creating package list
processing package docker-%{dist_version}-%mkrel 1
building source package
Wrote: /home/lcl/dev/docker/docker/SRPMS/docker-18.06.1-1.2.mga6.src.rpm
succeeded!
$ ls
BUILD/ BUILDROOT/ RPMS/ SOURCES/ SPECS/ SRPMS/
$ bm -l
creating package list
processing package docker-%{dist_version}-%mkrel 1
building source and binary packages
error: Failed build dependencies:
	btrfs-devel is needed by docker-18.06.1-1.2.mga6.x86_64
	glibc-static-devel is needed by docker-18.06.1-1.2.mga6.x86_64
	go-md2man is needed by docker-18.06.1-1.2.mga6.x86_64
	golang-net-devel is needed by docker-18.06.1-1.2.mga6.x86_64
	pkgconfig(devmapper) is needed by docker-18.06.1-1.2.mga6.x86_64
error: failed!

Installed the dependencies but did not know how to interpret the last one, pkgconfig(devmapper). pkgconfig is already installed.

$ bm -l
creating package list
processing package docker-%{dist_version}-%mkrel 1
building source and binary packages
error: Failed build dependencies:
	pkgconfig(devmapper) is needed by docker-18.06.1-1.2.mga6.x86_64
error: failed!