The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This can by triggered by linker flags, specified via a "#cgo LDFLAGS" directive. Flags containing embedded spaces are mishandled, allowing disallowed flags to be smuggled through the LDFLAGS sanitization by including them in the argument of another flag. This only affects usage of the gccgo compiler. https://go.dev/issue/60306 https://pkg.go.dev/vuln/GO-2023-1842 https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ https://go.dev/cl/501224
Created golang tracking bugs for this issue: Affects: epel-all [bug 2217570] Affects: fedora-all [bug 2217571]
This issue has been addressed in the following products: Red Hat Developer Tools Via RHSA-2023:3920 https://access.redhat.com/errata/RHSA-2023:3920
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:3922 https://access.redhat.com/errata/RHSA-2023:3922
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:3923 https://access.redhat.com/errata/RHSA-2023:3923
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2023-29405