Bug 2217565 (CVE-2023-29404)

Summary: CVE-2023-29404 golang: cmd/go: go command may execute arbitrary code at build time when using cgo
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: amctagga, aoconnor, asm, bniver, bodavis, dbenoit, emachado, flucifre, gmeno, mbenjamin, mhackett, mnewsome, sipoyare, sostapov, tstellar, vereddy
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: go 1.20.5, go 1.19.10 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in golang. The go command may execute arbitrary code at build time when using cgo. This can occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This can be triggered by linker flags, specified via a "#cgo LDFLAGS" directive. The arguments for a number of flags which are non-optional are incorrectly considered optional, allowing disallowed flags to be smuggled through the LDFLAGS sanitization. This affects usage of both the gc and gccgo compilers.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2023-06-29 14:18:40 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2217566, 2217567, 2217602, 2217603, 2217604, 2217605, 2217606, 2217607, 2217608, 2217609, 2217610, 2217611, 2217612, 2217613, 2217614    
Bug Blocks: 2217573    

Description Pedro Sampaio 2023-06-26 17:54:29 UTC 
The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a "#cgo LDFLAGS" directive. The arguments for a number of flags which are non-optional are incorrectly considered optional, allowing disallowed flags to be smuggled through the LDFLAGS sanitization. This affects usage of both the gc and gccgo compilers.

https://go.dev/issue/60305
https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ
https://pkg.go.dev/vuln/GO-2023-1841
https://go.dev/cl/501225
Comment 1 Pedro Sampaio 2023-06-26 17:54:55 UTC 
Created golang tracking bugs for this issue:

Affects: epel-all [bug 2217566]
Affects: fedora-all [bug 2217567]
Comment 3 errata-xmlrpc 2023-06-29 05:30:53 UTC 
This issue has been addressed in the following products:

  Red Hat Developer Tools

Via RHSA-2023:3920 https://access.redhat.com/errata/RHSA-2023:3920
Comment 4 errata-xmlrpc 2023-06-29 09:07:24 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:3922 https://access.redhat.com/errata/RHSA-2023:3922
Comment 5 errata-xmlrpc 2023-06-29 09:45:22 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:3923 https://access.redhat.com/errata/RHSA-2023:3923
Comment 6 Product Security DevOps Team 2023-06-29 14:18:37 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-29404