On Unix platforms, the Go runtime does not behave differently when a binary is run with the setuid/setgid bits. This can be dangerous in certain cases, such as when dumping memory state, or assuming the status of standard i/o file descriptors. If a setuid/setgid binary is executed with standard I/O file descriptors closed, opening any files can result in unexpected content being read or written with elevated privileges. Similarly, if a setuid/setgid program is terminated, either via panic or signal, it may leak the contents of its registers. https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ https://pkg.go.dev/vuln/GO-2023-1840 https://go.dev/cl/501223 https://go.dev/issue/60272
Created golang tracking bugs for this issue: Affects: epel-all [bug 2217560] Affects: fedora-all [bug 2217561]
This issue has been addressed in the following products: Red Hat Developer Tools Via RHSA-2023:3920 https://access.redhat.com/errata/RHSA-2023:3920
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:3922 https://access.redhat.com/errata/RHSA-2023:3922
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:3923 https://access.redhat.com/errata/RHSA-2023:3923
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2023-29403