Bug 2216965 (CVE-2023-29403)

Summary: CVE-2023-29403 golang: runtime: unexpected behavior of setuid/setgid binaries
Product: [Other] Security Response Reporter: Avinash Hanwate <ahanwate>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: amctagga, anjoseph, aoconnor, asm, aveerama, bniver, bodavis, dbenoit, emachado, flucifre, gmeno, jprabhak, mbenjamin, mhackett, mnewsome, sipoyare, sostapov, tstellar, vereddy, wtam
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: go 1.20.5, go 1.19.10 Doc Type: If docs needed, set a value
Doc Text:
On Unix platforms, the Go runtime does not behave differently when a binary is run with the setuid/setgid bits. This can be dangerous in certain cases, such as when dumping memory state or assuming the status of standard I/O file descriptors. If a setuid/setgid binary is executed with standard I/O file descriptors closed, opening any files can result in unexpected content being read or written with elevated privileges. Similarly, if a setuid/setgid program is terminated, either via panic or signal, it may leak the contents of its registers.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2023-06-29 14:16:40 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2217560, 2217561, 2217588, 2217590, 2217591, 2217592, 2217593, 2217594, 2217595, 2217596, 2217597, 2217598, 2217599, 2217600, 2217601    
Bug Blocks: 2217573    

Description Avinash Hanwate 2023-06-23 12:26:59 UTC 
On Unix platforms, the Go runtime does not behave differently when a binary is run with the setuid/setgid bits. This can be dangerous in certain cases, such as when dumping memory state, or assuming the status of standard i/o file descriptors. If a setuid/setgid binary is executed with standard I/O file descriptors closed, opening any files can result in unexpected content being read or written with elevated privileges. Similarly, if a setuid/setgid program is terminated, either via panic or signal, it may leak the contents of its registers.

https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ
https://pkg.go.dev/vuln/GO-2023-1840
https://go.dev/cl/501223
https://go.dev/issue/60272
Comment 1 Pedro Sampaio 2023-06-26 17:41:47 UTC 
Created golang tracking bugs for this issue:

Affects: epel-all [bug 2217560]
Affects: fedora-all [bug 2217561]
Comment 3 errata-xmlrpc 2023-06-29 05:30:49 UTC 
This issue has been addressed in the following products:

  Red Hat Developer Tools

Via RHSA-2023:3920 https://access.redhat.com/errata/RHSA-2023:3920
Comment 4 errata-xmlrpc 2023-06-29 09:07:22 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:3922 https://access.redhat.com/errata/RHSA-2023:3922
Comment 5 errata-xmlrpc 2023-06-29 09:45:17 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:3923 https://access.redhat.com/errata/RHSA-2023:3923
Comment 6 Product Security DevOps Team 2023-06-29 14:16:37 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-29403