Bug 1897646 (CVE-2020-28367) - CVE-2020-28367 golang: improper validation of cgo flags can lead to code execution at build time
Summary: CVE-2020-28367 golang: improper validation of cgo flags can lead to code exec...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-28367
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1898651 1898652 1899186 1906664 1897647 1897648 1898822 1898834 1898838 1898957 1905305
Blocks: 1897653
TreeView+ depends on / blocked
 
Reported: 2020-11-13 17:12 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-02-16 18:55 UTC (History)
54 users (show)

See Also:
Fixed In Version: go 1.15.5, go 1.14.12
Doc Type: If docs needed, set a value
Doc Text:
An input validation vulnerability was found in go. If cgo is specified in a go file, it is possible to bypass the validation of arguments to the gcc compiler. An attacker could potentially use this flaw by creating a malicious repository which would execute arbitrary code when downloaded and run via `go get` or `go build` whilst building a go project.
Clone Of:
Environment:
Last Closed: 2020-12-15 22:19:25 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:5333 0 None None None 2020-12-03 11:19:27 UTC
Red Hat Product Errata RHSA-2020:5493 0 None None None 2020-12-15 17:06:42 UTC
Red Hat Product Errata RHSA-2021:0145 0 None None None 2021-01-14 13:39:09 UTC
Red Hat Product Errata RHSA-2021:0146 0 None None None 2021-01-14 16:30:52 UTC

Description Guilherme de Almeida Suckevicz 2020-11-13 17:12:55 UTC
The go command may execute arbitrary code at build time when cgo is in use. This may occur when running go get on a malicious package, or any other command that builds untrusted code. This can be caused by a malicious gcc flags specified via a #cgo directive.

References:
https://groups.google.com/g/golang-announce/c/NpBGTTmKzpM/m/fLguyiM2CAAJ
https://github.com/golang/go/issues/42556

Comment 1 Guilherme de Almeida Suckevicz 2020-11-13 17:13:36 UTC
Created golang tracking bugs for this issue:

Affects: epel-all [bug 1897648]
Affects: fedora-all [bug 1897647]

Comment 3 Mark Cooper 2020-11-19 01:49:33 UTC
External References:

https://groups.google.com/g/golang-announce/c/NpBGTTmKzpM/m/fLguyiM2CAAJ

Comment 9 Mark Cooper 2020-11-19 07:38:32 UTC
Mitigation:

If it's possible to confirm that the go project being built does not rely on any cgo code in the included dependencies, the env variable CGO_ENABLED=0 can be specified when using either `go get` or `go build`.  

For example:
    CGO_ENABLED=0 go get github.com/someproject

This will not stop the files being downloaded, but will stop any automatic complication of the cgo code, including inlined in the go file and separate .c files.  Of course this will only be effective if cgo is not relied upon in a given dependency and may not be appropriate in all scenarios.

Comment 10 errata-xmlrpc 2020-12-03 11:19:19 UTC
This issue has been addressed in the following products:

  Red Hat Developer Tools

Via RHSA-2020:5333 https://access.redhat.com/errata/RHSA-2020:5333

Comment 13 amctagga 2020-12-08 22:49:09 UTC
Statement:

While OpenShift Container Platform (OCP), Red Hat OpenShift Jaeger (RHOSJ),  OpenShift Service Mesh (OSSM)  and OpenShift Virtualization all contain RPMs and containers which are compiled with a vulnerable version of Go, the vulnerability is specific to the building of Go code itself. Such as using `go get` or `go build` and as such the relevant components have been marked as not affected.

Additionally, only the main RPMs and containers for OCP, RHOSJ, OSSM and OpenShift Virtualization are represented due to the large volume of not affected components.

Red Hat Ceph Storage 3 ships the vulnerable version of go, and an attacker building go code on RHCS 3 could potentially exploit this vulnerability.

Comment 15 errata-xmlrpc 2020-12-15 17:06:33 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:5493 https://access.redhat.com/errata/RHSA-2020:5493

Comment 16 Product Security DevOps Team 2020-12-15 22:19:25 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-28367

Comment 17 errata-xmlrpc 2021-01-14 13:39:04 UTC
This issue has been addressed in the following products:

  Openshift Serverless 1 on RHEL 8

Via RHSA-2021:0145 https://access.redhat.com/errata/RHSA-2021:0145

Comment 18 errata-xmlrpc 2021-01-14 16:30:49 UTC
This issue has been addressed in the following products:

  Openshift Serveless 1.12

Via RHSA-2021:0146 https://access.redhat.com/errata/RHSA-2021:0146


Note You need to log in before you can comment on or make changes to this bug.