CVE-2023-29402

Published: Jun 8, 2023Modified: Jan 6, 2025

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a go program which uses cgo. This may occur when running an untrusted module which contains directories with newline characters in their names. Modules which are retrieved using the go command, i.e. via "go get", are not affected (modules retrieved using GOPATH-mode, i.e. GO111MODULE=off, may be affected).

Affected (3)

Products: Golang: Go · Fedoraproject: Fedora

1 product

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Golang Go	Before 1.19.10
Golang Go	From 1.20.0 to 1.20.5

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Fedoraproject Fedora	Version 38

Related CWEs

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References (15)

https://go.dev/cl/501226

Source: security@golang.org

Patch

https://go.dev/issue/60167

Source: security@golang.org

Issue Tracking

https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ

Source: security@golang.org

Mailing ListRelease Notes

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZ2O6YCO2IZMZJELQGZYR2WAUNEDLYV6/

Source: security@golang.org

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBS3IIK6ADV24C5ULQU55QLT2UE762ZX/

Source: security@golang.org

Mailing List

https://pkg.go.dev/vuln/GO-2023-1839

Source: security@golang.org

Vendor Advisory

https://security.gentoo.org/glsa/202311-09

Source: security@golang.org

https://go.dev/cl/501226

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

https://go.dev/issue/60167

Source: af854a3a-2127-422b-91ae-364da2661108

Issue Tracking

https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListRelease Notes

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZ2O6YCO2IZMZJELQGZYR2WAUNEDLYV6/

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBS3IIK6ADV24C5ULQU55QLT2UE762ZX/

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing List

https://pkg.go.dev/vuln/GO-2023-1839

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://security.gentoo.org/glsa/202311-09

Source: af854a3a-2127-422b-91ae-364da2661108

https://security.netapp.com/advisory/ntap-20241213-0004/

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.