Bug 2217569 (CVE-2023-29405) - CVE-2023-29405 golang: cmd/cgo: Arbitrary code execution triggered by linker flags
Status: CLOSED ERRATA
Alias: CVE-2023-29405
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 2217570 2217571 2217615 2217616 2217617 2217618 2217619 2217620 2217621 2217622 2217623 2217624 2217625 2217626 2217627
Blocks: 2217573
Reported: 2023-06-26 17:58 UTC by Pedro Sampaio
Modified: 2024-03-19 10:26 UTC (History)

Fixed In Version: go 1.20.5, go 1.19.10
Doc Text:
A flaw was found in golang. The go command may execute arbitrary code at build time when using cgo. This can occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This can be triggered by linker flags, specified via a "#cgo LDFLAGS" directive. Flags containing embedded spaces are mishandled, allowing disallowed flags to be smuggled through the LDFLAGS sanitization by including them in the argument of another flag. This only affects usage of the gccgo compiler.
Last Closed: 2023-06-29 14:19:42 UTC

Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2023:3940 | 0 | None | None | None | 2023-06-29 13:45:52 UTC
Red Hat Product Errata | RHBA-2023:3941 | 0 | None | None | None | 2023-06-29 14:13:28 UTC
Red Hat Product Errata | RHBA-2023:3956 | 0 | None | None | None | 2023-06-30 02:50:34 UTC
Red Hat Product Errata | RHSA-2023:3920 | 0 | None | None | None | 2023-06-29 05:30:56 UTC
Red Hat Product Errata | RHSA-2023:3922 | 0 | None | None | None | 2023-06-29 09:07:26 UTC
Red Hat Product Errata | RHSA-2023:3923 | 0 | None | None | None | 2023-06-29 09:45:26 UTC

Description Pedro Sampaio 2023-06-26 17:58:06 UTC
The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This can be triggered by linker flags, specified via a "#cgo LDFLAGS" directive. Flags containing embedded spaces are mishandled, allowing disallowed flags to be smuggled through the LDFLAGS sanitization by including them in the argument of another flag. This only affects usage of the gccgo compiler.

https://go.dev/issue/60306
https://pkg.go.dev/vuln/GO-2023-1842
https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ
https://go.dev/cl/501224
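
An added example, not part of the bug report or of the Go project's code: a small audit that lists `#cgo LDFLAGS` arguments containing embedded whitespace, the input class the description says was mishandled, so such directives in dependencies can be reviewed before building with gccgo on a toolchain older than the fixed versions. The names `SuspectLDFLAGS` and `Finding`, the simplified quoting rules and the sample input are assumptions made for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

var (
	// ldflagsRE captures the argument text of a "#cgo [constraints] LDFLAGS:" line.
	ldflagsRE = regexp.MustCompile(`(?m)^[ \t/*]*#cgo[ \t]+(?:[^:\n]*[ \t])?LDFLAGS:(.*)$`)
	// argRE matches one raw argument: bare characters, backslash escapes and
	// quoted spans. Simplified quoting rules, written for this example.
	argRE = regexp.MustCompile(`(?:[^\s"'\\]|\\.|"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*')+`)
)

// Finding is one flagged argument; Arg is the raw token, quoting included.
type Finding struct {
	Line int
	Arg  string
}

// SuspectLDFLAGS scans Go source text and returns every #cgo LDFLAGS argument
// with embedded whitespace, the input class this bug says was mishandled.
func SuspectLDFLAGS(src string) []Finding {
	var out []Finding
	for _, m := range ldflagsRE.FindAllStringSubmatchIndex(src, -1) {
		line := strings.Count(src[:m[0]], "\n") + 1
		for _, arg := range argRE.FindAllString(src[m[2]:m[3]], -1) {
			if strings.ContainsAny(arg, " \t") {
				out = append(out, Finding{Line: line, Arg: arg})
			}
		}
	}
	return out
}

// sample is constructed input for this example, not taken from a real module.
const sample = `// #cgo LDFLAGS: -L/usr/local/lib -lfoo
// #cgo linux LDFLAGS: "-Wl,-rpath,/opt/my libs" -L/srv/third\ party -lbar
// #cgo CFLAGS: "-DNAME=a b"
import "C"
`

func main() {
	for _, f := range SuspectLDFLAGS(sample) {
		fmt.Printf("line %d: LDFLAGS argument with embedded space: %s\n", f.Line, f.Arg)
	}
}
```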

Comment 1 Pedro Sampaio 2023-06-26 17:59:11 UTC
Created golang tracking bugs for this issue:

Affects: epel-all [bug 2217570]
Affects: fedora-all [bug 2217571]

Comment 3 errata-xmlrpc 2023-06-29 05:30:54 UTC
This issue has been addressed in the following products:

  Red Hat Developer Tools

Via RHSA-2023:3920 https://access.redhat.com/errata/RHSA-2023:3920

Comment 4 errata-xmlrpc 2023-06-29 09:07:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:3922 https://access.redhat.com/errata/RHSA-2023:3922

Comment 5 errata-xmlrpc 2023-06-29 09:45:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:3923 https://access.redhat.com/errata/RHSA-2023:3923

Comment 6 Product Security DevOps Team 2023-06-29 14:19:38 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-29405

