Bug 2242544 (CVE-2023-39323)

Summary: CVE-2023-39323 golang: cmd/go: line directives allows arbitrary execution during build
Product: [Other] Security Response Reporter: Patrick Del Bello <pdelbell>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abishop, ahanwate, dcadzow, dfreiber, dkenigsb, fdeutsch, jburrell, jwendell, oramraz, rcernich, rhos-maint, rogbas, smullick, twalsh, vkumar
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: golang 1.20.9, golang 1.21.2 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the golang cmd/go standard library. A line directive ("//line") can be used to bypass the restrictions on "//go:cgo_" directives, allowing blocked linker and compiler flags to pass during compilation. This can result in the unexpected execution of arbitrary code when running "go build". The line directive requires the absolute path of the file in which the directive lives, which makes exploiting this issue significantly more complex.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2242547, 2242548, 2242549, 2243693, 2243694    
Bug Blocks: 2242542    

Description Patrick Del Bello 2023-10-06 19:57:06 UTC
Line directives ("//line") can be used to bypass the restrictions on "//go:cgo_" directives, allowing blocked linker and compiler flags to be passed during compilation. This can result in unexpected execution of arbitrary code when running "go build". The line directive requires the absolute path of the file in which the directive lives, which makes exploiting this issue significantly more complex.

https://pkg.go.dev/vuln/GO-2023-2095
https://groups.google.com/g/golang-announce/c/XBa1oHDevAo
https://go.dev/cl/533215
https://go.dev/issue/63211

Comment 2 Avinash Hanwate 2023-10-12 16:26:26 UTC
Created golang tracking bugs for this issue:

Affects: epel-all [bug 2243693]
Affects: fedora-all [bug 2243694]

Comment 3 Vipul Nair 2023-12-20 10:39:33 UTC
could you drop an email for the CVSS rescore to NVD