Vulnerability CVE-2023-29405: Information

Description

The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a "#cgo LDFLAGS" directive. Flags containing embedded spaces are mishandled, allowing disallowed flags to be smuggled through the LDFLAGS sanitization by including them in the argument of another flag. This only affects usage of the gccgo compiler.

Severity: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

URL: https://nvd.nist.gov/vuln/detail/CVE-2023-29405
Published: June 9, 2023
Modified: Nov. 25, 2023
Error type identifier: CWE-74

Fixed packages

Package name
Branch
Fixed in version
Version from repository
Errata ID
Task #
State
golangsisyphus1.20.5-alt11.22.4-alt1ALT-PU-2023-2086-1323799Fixed
golangsisyphus_riscv641.20.5-alt11.22.4-alt1ALT-PU-2023-4053-1-Fixed
golangp101.19.10-alt11.21.11-alt1ALT-PU-2023-2090-1323800Fixed
golangp91.19.12-alt11.15.15-alt1ALT-PU-2023-5153-1326713Testing
golangc10f11.19.10-alt11.21.10-alt1ALT-PU-2023-4099-1323910Fixed
golangc9f21.19.12-alt11.20.13-alt1ALT-PU-2023-4785-2323137Fixed
golangp111.20.5-alt11.22.4-alt1ALT-PU-2023-2086-1323799Fixed

References to Advisories, Solutions, and Tools

Hyperlink
Resource
https://go.dev/issue/60306
  • Issue Tracking
https://pkg.go.dev/vuln/GO-2023-1842
  • Vendor Advisory
https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ
  • Mailing List
  • Third Party Advisory
https://go.dev/cl/501224
  • Patch
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBS3IIK6ADV24C5ULQU55QLT2UE762ZX/
  • Mailing List
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZ2O6YCO2IZMZJELQGZYR2WAUNEDLYV6/
    https://security.gentoo.org/glsa/202311-09

        1. Configuration 1

          cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*
          Start including
          1.20.0
          End excliding
          1.20.5
          cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*
          End excliding
          1.19.10

          Configuration 2

          cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*
      VKontakte|Telegram|YouTube|Forum|GitHub|Bugzilla
      Version: v24.5.3
      Back to top