CVE-2023-29404

Published: Jun 8, 2023Modified: Jan 6, 2025

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a "#cgo LDFLAGS" directive. The arguments for a number of flags which are non-optional are incorrectly considered optional, allowing disallowed flags to be smuggled through the LDFLAGS sanitization. This affects usage of both the gc and gccgo compilers.

Affected (3)

Products: Golang: Go · Fedoraproject: Fedora

1 product

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Golang Go	Before 1.19.10
Golang Go	From 1.20.0 to 1.20.5

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Fedoraproject Fedora	Version 38

Related CWEs

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References (15)

https://go.dev/cl/501225

Source: security@golang.org

Patch

https://go.dev/issue/60305

Source: security@golang.org

Issue Tracking

https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ

Source: security@golang.org

Mailing ListRelease Notes

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZ2O6YCO2IZMZJELQGZYR2WAUNEDLYV6/

Source: security@golang.org

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBS3IIK6ADV24C5ULQU55QLT2UE762ZX/

Source: security@golang.org

Mailing List

https://pkg.go.dev/vuln/GO-2023-1841

Source: security@golang.org

Vendor Advisory

https://security.gentoo.org/glsa/202311-09

Source: security@golang.org

https://go.dev/cl/501225

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

https://go.dev/issue/60305

Source: af854a3a-2127-422b-91ae-364da2661108

Issue Tracking

https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListRelease Notes

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZ2O6YCO2IZMZJELQGZYR2WAUNEDLYV6/

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBS3IIK6ADV24C5ULQU55QLT2UE762ZX/

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing List

https://pkg.go.dev/vuln/GO-2023-1841

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://security.gentoo.org/glsa/202311-09

Source: af854a3a-2127-422b-91ae-364da2661108

https://security.netapp.com/advisory/ntap-20241115-0009/

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.