CVE-2023-39323

Published: Oct 5, 2023Modified: Jun 12, 2025

8.1

Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.2 / Impact: 5.9

Source: NVD

Description

Line directives ("//line") can be used to bypass the restrictions on "//go:cgo_" directives, allowing blocked linker and compiler flags to be passed during compilation. This can result in unexpected execution of arbitrary code when running "go build". The line directive requires the absolute path of the file in which the directive lives, which makes exploiting this issue significantly more complex.

Affected (5)

Products: Golang: Go · Fedoraproject: Fedora

1 product

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Golang Go	Before 1.20.9
Golang Go	From 1.21.0 to 1.21.2

Configuration B

3 vulnerable

Vulnerable Software	Affected Versions
Fedoraproject Fedora	Version 37
Fedoraproject Fedora	Version 38
Fedoraproject Fedora	Version 39

References (18)

https://go.dev/cl/533215

Source: security@golang.org

Patch

https://go.dev/issue/63211

Source: security@golang.org

Issue TrackingPatch

https://groups.google.com/g/golang-announce/c/XBa1oHDevAo

Source: security@golang.org

Mailing ListRelease Notes

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/

Source: security@golang.org

Mailing ListThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/

Source: security@golang.org

Mailing ListThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/

Source: security@golang.org

Mailing ListThird Party Advisory

https://pkg.go.dev/vuln/GO-2023-2095

Source: security@golang.org

Vendor Advisory

https://security.gentoo.org/glsa/202311-09

Source: security@golang.org

Third Party Advisory

https://security.netapp.com/advisory/ntap-20231020-0001/

Source: security@golang.org

Third Party Advisory

https://go.dev/cl/533215

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

https://go.dev/issue/63211

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingPatch

https://groups.google.com/g/golang-announce/c/XBa1oHDevAo

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListRelease Notes

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://pkg.go.dev/vuln/GO-2023-2095

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://security.gentoo.org/glsa/202311-09

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://security.netapp.com/advisory/ntap-20231020-0001/

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.