2242544 – (CVE-2023-39323) CVE-2023-39323 golang: cmd/go: line directives allows arbitrary execution during build

Bug 2242544 (CVE-2023-39323) - CVE-2023-39323 golang: cmd/go: line directives allows arbitrary execution during build

Summary: CVE-2023-39323 golang: cmd/go: line directives allows arbitrary execution dur...

Keywords:
Status:	NEW
Alias:	CVE-2023-39323
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2242547 2242548 2242549 2243693 2243694
Blocks:	2242542
TreeView+	depends on / blocked

Reported:	2023-10-06 19:57 UTC by Patrick Del Bello
Modified:	2024-01-22 15:57 UTC (History)
CC List:	15 users (show)
Fixed In Version:	golang 1.20.9, golang 1.21.2
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in the golang cmd/go standard library. A line directive ("//line") can be used to bypass the restrictions on "//go:cgo_" directives, allowing blocked linker and compiler flags to pass during compilation. This can result in the unexpected execution of arbitrary code when running "go build". The line directive requires the absolute path of the file in which the directive lives, which makes exploiting this issue significantly more complex.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Patrick Del Bello 2023-10-06 19:57:06 UTC

Line directives ("//line") can be used to bypass the restrictions on "//go:cgo_" directives, allowing blocked linker and compiler flags to be passed during compilation. This can result in unexpected execution of arbitrary code when running "go build". The line directive requires the absolute path of the file in which the directive lives, which makes exploiting this issue significantly more complex.

https://pkg.go.dev/vuln/GO-2023-2095
https://groups.google.com/g/golang-announce/c/XBa1oHDevAo
https://go.dev/cl/533215
https://go.dev/issue/63211

Comment 2 Avinash Hanwate 2023-10-12 16:26:26 UTC

Created golang tracking bugs for this issue:

Affects: epel-all [bug 2243693]
Affects: fedora-all [bug 2243694]

Comment 3 Vipul Nair 2023-12-20 10:39:33 UTC

could you drop an email for the CVSS rescore to NVD

Note You need to log in before you can comment on or make changes to this bug.