CVE-2023-29405: cmd/go: improper sanitization of LDFLAGS [CVE-2023-29405] · Issue #60306 · golang/go
The go command may execute arbitrary code at build time when using cgo. This may occur when running “go get” on a malicious module, or when running any other command which builds untrusted code. This can be triggered by linker flags, specified via a “#cgo LDFLAGS” directive. Flags containing embedded spaces are mishandled, allowing disallowed flags to be smuggled through the LDFLAGS sanitization by including them in the argument of another flag. This only affects usage of the gccgo compiler.
gopherbot pushed a commit that referenced this issue
Jun 6, 2023
…r flag
The flags that we recorded in _cgo_flags did not use any quoting, so a flag containing embedded spaces was mishandled. Change the _cgo_flags format to put each flag on a separate line. That is a simple format that does not require any quoting.
As far as I can tell only cmd/go uses _cgo_flags, and it is only used for gccgo. If this patch doesn’t cause any trouble, then in the next release we can change to only using _cgo_flags for gccgo.
Thanks to Juho Nurminen of Mattermost for reporting this issue.
Updates #60306
Fixes #60514
Fixes CVE-2023-29405

Change-Id: I36b6e188a44c80d7b9573efa577c386770bd2ba3
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1875094
Reviewed-by: Damien Neil
Reviewed-by: Roland Shoemaker
(cherry picked from commit bcdfcadd5612212089d958bc352a6f6c90742dcc)
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1902228
Run-TryBot: Roland Shoemaker
TryBot-Result: Security TryBots
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1904345
Reviewed-by: Michael Knyszek
Reviewed-on: https://go-review.googlesource.com/c/go/+/501220
TryBot-Result: Gopher Robot
Run-TryBot: David Chase
Auto-Submit: Michael Knyszek
gopherbot pushed a commit that referenced this issue
Jun 6, 2023
…r flag
The flags that we recorded in _cgo_flags did not use any quoting, so a flag containing embedded spaces was mishandled. Change the _cgo_flags format to put each flag on a separate line. That is a simple format that does not require any quoting.
As far as I can tell only cmd/go uses _cgo_flags, and it is only used for gccgo. If this patch doesn’t cause any trouble, then in the next release we can change to only using _cgo_flags for gccgo.
Thanks to Juho Nurminen of Mattermost for reporting this issue.
Updates #60306
Fixes #60513
Fixes CVE-2023-29405

Change-Id: Id738a737ecae47babb34c4b4fc4d65336cf0c0f3
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1875094
Reviewed-by: Damien Neil
Reviewed-by: Roland Shoemaker
(cherry picked from commit bcdfcadd5612212089d958bc352a6f6c90742dcc)
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1902227
Run-TryBot: Roland Shoemaker
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1904341
Reviewed-by: Michael Knyszek
Reviewed-on: https://go-review.googlesource.com/c/go/+/501216
Auto-Submit: Michael Knyszek
Run-TryBot: David Chase
TryBot-Bypass: David Chase
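The mechanism the advisory and the two commit messages above describe, as an added Go illustration (not code from cmd/go or cmd/cgo): a linker flag is validated as one value when the `#cgo LDFLAGS` directive is parsed, but once the flags are recorded in `_cgo_flags` with a space as the only separator, reading the file back splits that one flag into several, and everything after the space reaches the gccgo link step without ever having been checked. The allowlist below is a deliberately tiny stand-in for the real one in cmd/go/internal/work/security.go; the `-L` pattern as the carrier, the `-Wl,--not-on-the-allowlist` placeholder, and both file encodings are assumptions modelled on the commit message, not the exact bytes cmd/cgo writes.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Assumed, simplified allowlist: a flag is accepted when it matches one of
// these patterns as a whole. The real list is much longer.
var allowedLinkerFlags = []*regexp.Regexp{
	regexp.MustCompile(`^-L([^@\-].*)$`),              // library search path
	regexp.MustCompile(`^-l([^@\-].*)$`),              // library to link
	regexp.MustCompile(`^-Wl,-rpath,([^,@\-][^,]*)$`), // run-time search path
}

// checkLinkerFlags returns the flags the allowlist rejects (nil if all pass).
func checkLinkerFlags(flags []string) []string {
	var rejected []string
	for _, f := range flags {
		ok := false
		for _, re := range allowedLinkerFlags {
			if re.MatchString(f) {
				ok = true
				break
			}
		}
		if !ok {
			rejected = append(rejected, f)
		}
	}
	return rejected
}

// encodeSpaceJoined models the pre-fix _cgo_flags record (assumed layout):
// flags joined by spaces with no quoting, so flag boundaries are lost.
func encodeSpaceJoined(flags []string) string {
	return "_CGO_LDFLAGS=" + strings.Join(flags, " ") + "\n"
}

// decodeSpaceJoined is the matching reader: it has no choice but to split
// on whitespace, which is exactly what an embedded space exploits.
func decodeSpaceJoined(data string) []string {
	line := strings.TrimSuffix(data, "\n")
	return strings.Fields(strings.TrimPrefix(line, "_CGO_LDFLAGS="))
}

// encodeOnePerLine models the fixed format: one flag per line (assumed
// layout). Newline is now the only delimiter, so a flag containing one is
// refused outright instead of being recorded and later read as two flags.
func encodeOnePerLine(flags []string) (string, error) {
	var b strings.Builder
	for _, f := range flags {
		if strings.ContainsAny(f, "\n\r") {
			return "", fmt.Errorf("linker flag %q contains a newline", f)
		}
		b.WriteString("_CGO_LDFLAGS=")
		b.WriteString(f)
		b.WriteByte('\n')
	}
	return b.String(), nil
}

// decodeOnePerLine reads the fixed format back; every non-empty line is one
// flag, returned with the boundaries the writer intended.
func decodeOnePerLine(data string) ([]string, error) {
	var flags []string
	for _, line := range strings.Split(data, "\n") {
		if line == "" {
			continue
		}
		if !strings.HasPrefix(line, "_CGO_LDFLAGS=") {
			return nil, errors.New("malformed _cgo_flags line: " + line)
		}
		flags = append(flags, strings.TrimPrefix(line, "_CGO_LDFLAGS="))
	}
	return flags, nil
}

// smuggledFlags reports which flags reach the link step unchecked: they pass
// validation as written, then come out of the space-joined round trip as
// different flags that the allowlist would have rejected.
func smuggledFlags(src []string) []string {
	if checkLinkerFlags(src) != nil {
		return nil // rejected up front, nothing gets through
	}
	return checkLinkerFlags(decodeSpaceJoined(encodeSpaceJoined(src)))
}

func main() {
	// Constructed input: one "#cgo LDFLAGS" value with an embedded space; the
	// second word is a made-up name standing in for any disallowed flag.
	src := []string{"-L/opt/lib -Wl,--not-on-the-allowlist"}

	fmt.Println("rejected as written:", checkLinkerFlags(src))
	fmt.Println("smuggled via space-joined format:", smuggledFlags(src))

	data, _ := encodeOnePerLine(src)
	back, _ := decodeOnePerLine(data)
	fmt.Println("read back one-per-line:", back, "rejected:", checkLinkerFlags(back))
}
```

The general lesson is the one the commit draws: whatever was validated must be what is later consumed, so the record written between the check and the use needs a format whose delimiter cannot appear inside a value, or else quoting that the reader actually honours.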
dr2chase changed the title from “security: fix CVE-2023-29405” to “cmd/go: improper sanitization of LDFLAGS [CVE-2023-29405]”
Jun 6, 2023
gopherbot pushed a commit that referenced this issue
Jun 6, 2023
For #60306
For #60513

Change-Id: I8b37d74433456f3270c2ea465ecf406da6e5a578
Reviewed-on: https://go-review.googlesource.com/c/go/+/501297
Run-TryBot: Ian Lance Taylor
Reviewed-by: Dmitri Shuralyov
Reviewed-by: Dmitri Shuralyov
Reviewed-by: David Chase
TryBot-Bypass: Dmitri Shuralyov
gopherbot pushed a commit that referenced this issue
Jun 6, 2023
For #60306
For #60514

Change-Id: I3f5d14aee7d7195030e8872e42b1d97aa11d3582
Reviewed-on: https://go-review.googlesource.com/c/go/+/501298
Run-TryBot: Ian Lance Taylor
TryBot-Result: Gopher Robot
Reviewed-by: Dmitri Shuralyov
Reviewed-by: David Chase
Reviewed-by: Dmitri Shuralyov
gopherbot pushed a commit that referenced this issue
Jun 7, 2023
The gccgo on the builder is not updated to support runtime/cgo
Updates #60306

Change-Id: If0fb1ccdf589cc9741f6a065bacfa4f06e64ec15
Reviewed-on: https://go-review.googlesource.com/c/go/+/501435
Reviewed-by: Ian Lance Taylor
TryBot-Result: Gopher Robot
Run-TryBot: Cuong Manh Le
Reviewed-by: Benny Siegert
Auto-Submit: Cuong Manh Le
Related news
Ubuntu Security Notice 7109-1 - Philippe Antoine discovered that Go incorrectly handled crafted HTTP/2 streams. An attacker could possibly use this issue to cause a denial of service. Marten Seemann discovered that Go did not properly manage memory under certain circumstances. An attacker could possibly use this issue to cause a panic resulting in a denial of service. Ameya Darshan and Jakob Ackermann discovered that Go did not properly validate the amount of memory and disk files ReadForm can consume. An attacker could possibly use this issue to cause a panic resulting in a denial of service.
Ubuntu Security Notice 7061-1 - Hunter Wittenborn discovered that Go incorrectly handled the sanitization of environment variables. An attacker could possibly use this issue to run arbitrary commands. Sohom Datta discovered that Go did not properly validate backticks as JavaScript string delimiters, and did not escape them as expected. An attacker could possibly use this issue to inject arbitrary JavaScript code into the Go template.
Red Hat Security Advisory 2024-4119-03 - Updated rhceph-5.3 container image is now available in the Red Hat Ecosystem Catalog. Issues addressed include a code execution vulnerability.
Gentoo Linux Security Advisory 202311-9 - Multiple vulnerabilities have been discovered in Go, the worst of which could lead to remote code execution. Versions greater than or equal to 1.20.10 are affected.
Vulnerability in the Sun ZFS Storage Appliance product of Oracle Systems (component: Core). The supported version that is affected is 8.8.60. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Sun ZFS Storage Appliance. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Sun ZFS Storage Appliance. CVSS 3.1 Base Score 5.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).
An update for go-toolset and golang is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-29402: The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a go program which uses cgo. This may occur when running an untrusted module which contains directories with newline characters in their names. Modules which are retrieved using the go command, i.e. via "go g...
An update for the go-toolset:rhel8 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-29402: The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a go program which uses cgo. This may occur when running an untrusted module which contains directories with newline characters in their names. Modules which are retrieved using the go command, i.e. via...
An update for go-toolset-1.19 and go-toolset-1.19-golang is now available for Red Hat Developer Tools. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-29402: The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a go program which uses cgo. This may occur when running an untrusted module which contains directories with newline characters in their names. Modules which are retrieved using the go comma...
On Unix platforms, the Go runtime does not behave differently when a binary is run with the setuid/setgid bits. This can be dangerous in certain cases, such as when dumping memory state, or assuming the status of standard I/O file descriptors. If a setuid/setgid binary is executed with standard I/O file descriptors closed, opening any files can result in unexpected content being read or written with elevated privileges. Similarly, if a setuid/setgid program is terminated, either via panic or signal, it may leak the contents of its registers.