RHSA-2023:3920: Red Hat Security Advisory: go-toolset-1.19 and go-toolset-1.19-golang security update

An update for go-toolset-1.19 and go-toolset-1.19-golang is now available for Red Hat Developer Tools. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2023-29402: The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a Go program which uses cgo. This may occur when running an untrusted module which contains directories with newline characters in their names. Modules which are retrieved using the go command, i.e. via "go get", are not affected (modules retrieved using GOPATH-mode, i.e. GO111MODULE=off, may be affected).
  • CVE-2023-29403: On Unix platforms, the Go runtime does not behave differently when a binary is run with the setuid/setgid bits. This can be dangerous in certain cases, such as when dumping memory state, or assuming the status of standard I/O file descriptors. If a setuid/setgid binary is executed with standard I/O file descriptors closed, opening any files can result in unexpected content being read or written with elevated privileges. Similarly, if a setuid/setgid program is terminated, either via panic or signal, it may leak the contents of its registers.
  • CVE-2023-29404: The go command may execute arbitrary code at build time when using cgo. This may occur when running “go get” on a malicious module, or when running any other command which builds untrusted code. This can be triggered by linker flags, specified via a “#cgo LDFLAGS” directive. The arguments for a number of flags which are non-optional are incorrectly considered optional, allowing disallowed flags to be smuggled through the LDFLAGS sanitization. This affects usage of both the gc and gccgo compilers.
  • CVE-2023-29405: The go command may execute arbitrary code at build time when using cgo. This may occur when running “go get” on a malicious module, or when running any other command which builds untrusted code. This can be triggered by linker flags, specified via a “#cgo LDFLAGS” directive. Flags containing embedded spaces are mishandled, allowing disallowed flags to be smuggled through the LDFLAGS sanitization by including them in the argument of another flag. This only affects usage of the gccgo compiler.
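The closed-descriptor case in CVE-2023-29403 arises because open(2) hands out the lowest free descriptor, so the first file a program opens can land on 0, 1 or 2. The following start-up guard is an added example, not code from this advisory or from the Go project; the names `EnsureStdFDs` and `RunningSetID` are hypothetical, and it assumes a Unix system with /dev/null.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"syscall"
)

// RunningSetID reports whether the process runs with elevated IDs, that is,
// whether the effective uid or gid differs from the real one.
func RunningSetID() bool {
	return os.Getuid() != os.Geteuid() || os.Getgid() != os.Getegid()
}

// EnsureStdFDs checks that descriptors 0, 1 and 2 are open and points any
// closed one at /dev/null. It returns the descriptors it had to repair.
// Call it first in main(), before any other file or socket is opened.
func EnsureStdFDs() ([]int, error) {
	var repaired []int
	for fd := 0; fd <= 2; fd++ {
		var st syscall.Stat_t
		err := syscall.Fstat(fd, &st)
		if err == nil {
			continue // descriptor is open, nothing to do
		}
		if !errors.Is(err, syscall.EBADF) {
			return repaired, fmt.Errorf("fstat fd %d: %w", fd, err)
		}
		// open(2) returns the lowest free descriptor. Descriptors below fd
		// are known to be open at this point, so the result must be fd.
		got, err := syscall.Open("/dev/null", syscall.O_RDWR, 0)
		if err != nil {
			return repaired, fmt.Errorf("open /dev/null for fd %d: %w", fd, err)
		}
		if got != fd {
			syscall.Close(got)
			return repaired, fmt.Errorf("expected fd %d, got %d", fd, got)
		}
		repaired = append(repaired, fd)
	}
	return repaired, nil
}

func main() {
	repaired, err := EnsureStdFDs()
	if err != nil {
		os.Exit(1) // do not continue with an unknown descriptor layout
	}
	if len(repaired) > 0 && RunningSetID() {
		// Worth logging: a privileged binary was started with closed stdio.
		fmt.Fprintf(os.Stderr, "stdio reopened on /dev/null: %v\n", repaired)
	}
}
```

The guard covers only the descriptor part of the issue; register contents leaked on a crash are not addressed by it and need the updated toolset.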
Issued: 2023-06-29

Updated: 2023-06-29

RHSA-2023:3920 - Security Advisory

Synopsis

Critical: go-toolset-1.19 and go-toolset-1.19-golang security update

Type/Severity

Security Advisory: Critical

Topic

An update for go-toolset-1.19 and go-toolset-1.19-golang is now available for Red Hat Developer Tools.

Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang.

Security Fix(es):

  • golang: cmd/go: go command may generate unexpected code at build time when using cgo (CVE-2023-29402)
  • golang: cmd/go: go command may execute arbitrary code at build time when using cgo (CVE-2023-29404)
  • golang: cmd/cgo: Arbitrary code execution triggered by linker flags (CVE-2023-29405)
  • golang: runtime: unexpected behavior of setuid/setgid binaries (CVE-2023-29403)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
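The three cgo issues above are reached by building untrusted source, so one pre-build check is to read the tree without invoking the go command. The following audit is an added example, not part of the advisory or the Go toolchain; `AuditTree` and `Finding` are hypothetical names, and it only lists items for review rather than judging which linker flags are acceptable.

```go
package main

import (
	"bufio"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// Finding is one item to review before the tree is handed to the go command.
type Finding struct {
	Path   string // relative to the scanned root
	Line   int    // 1-based; 0 for directory findings
	Reason string
	Text   string // directive as written; empty for directory findings
}

// AuditTree reads the tree without building it. It reports directories whose
// names contain a newline (CVE-2023-29402) and every "#cgo ... LDFLAGS:"
// directive in .go files (CVE-2023-29404, CVE-2023-29405).
func AuditTree(root string) ([]Finding, error) {
	var out []Finding
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		rel, _ := filepath.Rel(root, p)
		if d.IsDir() {
			if strings.Contains(d.Name(), "\n") {
				out = append(out, Finding{Path: rel, Reason: "newline in directory name"})
			}
			return nil
		}
		if !strings.HasSuffix(d.Name(), ".go") {
			return nil
		}
		f, err := os.Open(p)
		if err != nil {
			return err
		}
		defer f.Close()
		sc := bufio.NewScanner(f)
		for n := 1; sc.Scan(); n++ {
			// Directives appear as "// #cgo ..." or as "#cgo ..." inside /* */.
			line := strings.TrimSpace(strings.TrimPrefix(strings.TrimSpace(sc.Text()), "//"))
			head, _, ok := strings.Cut(line, ":")
			if ok && strings.HasPrefix(head, "#cgo") && strings.HasSuffix(strings.TrimSpace(head), "LDFLAGS") {
				out = append(out, Finding{Path: rel, Line: n, Reason: "cgo LDFLAGS directive", Text: line})
			}
		}
		return sc.Err() // an over-long line aborts the scan instead of being skipped
	})
	return out, err
}

func main() {
	if len(os.Args) != 2 {
		os.Exit(2) // usage: audit <source-tree>
	}
	findings, err := AuditTree(os.Args[1])
	for _, f := range findings {
		fmt.Printf("%q:%d: %s %s\n", f.Path, f.Line, f.Reason, f.Text)
	}
	if err != nil || len(findings) > 0 {
		os.Exit(1) // non-zero so a CI gate can hold the build for review
	}
}
```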

Affected Products

  • Red Hat Developer Tools (for RHEL Workstation) 1 x86_64
  • Red Hat Developer Tools (for RHEL Server) 1 x86_64
  • Red Hat Developer Tools (for RHEL Server for System Z) 1 s390x
  • Red Hat Developer Tools (for RHEL Server for IBM Power LE) 1 ppc64le

Fixes

  • BZ - 2216965 - CVE-2023-29403 golang: runtime: unexpected behavior of setuid/setgid binaries
  • BZ - 2217562 - CVE-2023-29402 golang: cmd/go: go command may generate unexpected code at build time when using cgo
  • BZ - 2217565 - CVE-2023-29404 golang: cmd/go: go command may execute arbitrary code at build time when using cgo
  • BZ - 2217569 - CVE-2023-29405 golang: cmd/cgo: Arbitrary code execution triggered by linker flags

CVEs

  • CVE-2023-29402
  • CVE-2023-29403
  • CVE-2023-29404
  • CVE-2023-29405

Red Hat Developer Tools (for RHEL Workstation) 1

SRPM

  • go-toolset-1.19-1.19.10-1.el7_9.src.rpm
  • go-toolset-1.19-golang-1.19.10-1.el7_9.src.rpm

x86_64

  • go-toolset-1.19-1.19.10-1.el7_9.x86_64.rpm
  • go-toolset-1.19-build-1.19.10-1.el7_9.x86_64.rpm
  • go-toolset-1.19-golang-1.19.10-1.el7_9.x86_64.rpm
  • go-toolset-1.19-golang-bin-1.19.10-1.el7_9.x86_64.rpm
  • go-toolset-1.19-golang-docs-1.19.10-1.el7_9.noarch.rpm
  • go-toolset-1.19-golang-misc-1.19.10-1.el7_9.x86_64.rpm
  • go-toolset-1.19-golang-race-1.19.10-1.el7_9.x86_64.rpm
  • go-toolset-1.19-golang-src-1.19.10-1.el7_9.x86_64.rpm
  • go-toolset-1.19-golang-tests-1.19.10-1.el7_9.x86_64.rpm
  • go-toolset-1.19-runtime-1.19.10-1.el7_9.x86_64.rpm
  • go-toolset-1.19-scldevel-1.19.10-1.el7_9.x86_64.rpm

Red Hat Developer Tools (for RHEL Server) 1

SRPM

  • go-toolset-1.19-1.19.10-1.el7_9.src.rpm
  • go-toolset-1.19-golang-1.19.10-1.el7_9.src.rpm

x86_64

  • go-toolset-1.19-1.19.10-1.el7_9.x86_64.rpm
  • go-toolset-1.19-build-1.19.10-1.el7_9.x86_64.rpm
  • go-toolset-1.19-golang-1.19.10-1.el7_9.x86_64.rpm
  • go-toolset-1.19-golang-bin-1.19.10-1.el7_9.x86_64.rpm
  • go-toolset-1.19-golang-docs-1.19.10-1.el7_9.noarch.rpm
  • go-toolset-1.19-golang-misc-1.19.10-1.el7_9.x86_64.rpm
  • go-toolset-1.19-golang-race-1.19.10-1.el7_9.x86_64.rpm
  • go-toolset-1.19-golang-src-1.19.10-1.el7_9.x86_64.rpm
  • go-toolset-1.19-golang-tests-1.19.10-1.el7_9.x86_64.rpm
  • go-toolset-1.19-runtime-1.19.10-1.el7_9.x86_64.rpm
  • go-toolset-1.19-scldevel-1.19.10-1.el7_9.x86_64.rpm

Red Hat Developer Tools (for RHEL Server for System Z) 1

SRPM

  • go-toolset-1.19-1.19.10-1.el7_9.src.rpm
  • go-toolset-1.19-golang-1.19.10-1.el7_9.src.rpm

s390x

  • go-toolset-1.19-1.19.10-1.el7_9.s390x.rpm
  • go-toolset-1.19-build-1.19.10-1.el7_9.s390x.rpm
  • go-toolset-1.19-golang-1.19.10-1.el7_9.s390x.rpm
  • go-toolset-1.19-golang-bin-1.19.10-1.el7_9.s390x.rpm
  • go-toolset-1.19-golang-docs-1.19.10-1.el7_9.noarch.rpm
  • go-toolset-1.19-golang-misc-1.19.10-1.el7_9.s390x.rpm
  • go-toolset-1.19-golang-src-1.19.10-1.el7_9.s390x.rpm
  • go-toolset-1.19-golang-tests-1.19.10-1.el7_9.s390x.rpm
  • go-toolset-1.19-runtime-1.19.10-1.el7_9.s390x.rpm
  • go-toolset-1.19-scldevel-1.19.10-1.el7_9.s390x.rpm

Red Hat Developer Tools (for RHEL Server for IBM Power LE) 1

SRPM

  • go-toolset-1.19-1.19.10-1.el7_9.src.rpm
  • go-toolset-1.19-golang-1.19.10-1.el7_9.src.rpm

ppc64le

  • go-toolset-1.19-1.19.10-1.el7_9.ppc64le.rpm
  • go-toolset-1.19-build-1.19.10-1.el7_9.ppc64le.rpm
  • go-toolset-1.19-golang-1.19.10-1.el7_9.ppc64le.rpm
  • go-toolset-1.19-golang-bin-1.19.10-1.el7_9.ppc64le.rpm
  • go-toolset-1.19-golang-docs-1.19.10-1.el7_9.noarch.rpm
  • go-toolset-1.19-golang-misc-1.19.10-1.el7_9.ppc64le.rpm
  • go-toolset-1.19-golang-src-1.19.10-1.el7_9.ppc64le.rpm
  • go-toolset-1.19-golang-tests-1.19.10-1.el7_9.ppc64le.rpm
  • go-toolset-1.19-runtime-1.19.10-1.el7_9.ppc64le.rpm
  • go-toolset-1.19-scldevel-1.19.10-1.el7_9.ppc64le.rpm

The Red Hat security contact is [email protected]. More contact details at https://access.redhat.com/security/team/contact/.

Related news

Red Hat Security Advisory 2024-4119-03

Red Hat Security Advisory 2024-4119-03 - Updated rhceph-5.3 container image is now available in the Red Hat Ecosystem Catalog. Issues addressed include a code execution vulnerability.

Gentoo Linux Security Advisory 202311-09

Gentoo Linux Security Advisory 202311-9 - Multiple vulnerabilities have been discovered in Go, the worst of which could lead to remote code execution. Versions greater than or equal to 1.20.10 are affected.

CVE-2023-22130: Oracle Critical Patch Update Advisory - October 2023

Vulnerability in the Sun ZFS Storage Appliance product of Oracle Systems (component: Core). The supported version that is affected is 8.8.60. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Sun ZFS Storage Appliance. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Sun ZFS Storage Appliance. CVSS 3.1 Base Score 5.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).

RHSA-2023:3923: Red Hat Security Advisory: go-toolset and golang security update

An update for go-toolset and golang is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-29402: The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a Go program which uses cgo. This may occur when running an untrusted module which contains directories with newline characters in their names. Modules which are retrieved using the go command, i.e. via "go g...

RHSA-2023:3922: Red Hat Security Advisory: go-toolset:rhel8 security update

An update for the go-toolset:rhel8 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-29402: The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a Go program which uses cgo. This may occur when running an untrusted module which contains directories with newline characters in their names. Modules which are retrieved using the go command, i.e. via...

CVE-2023-29405: cmd/go: improper sanitization of LDFLAGS [CVE-2023-29405] · Issue #60306 · golang/go

The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This can be triggered by linker flags, specified via a "#cgo LDFLAGS" directive. Flags containing embedded spaces are mishandled, allowing disallowed flags to be smuggled through the LDFLAGS sanitization by including them in the argument of another flag. This only affects usage of the gccgo compiler.

CVE-2023-29403: [security] Go 1.20.5 and Go 1.19.10 are released

On Unix platforms, the Go runtime does not behave differently when a binary is run with the setuid/setgid bits. This can be dangerous in certain cases, such as when dumping memory state, or assuming the status of standard I/O file descriptors. If a setuid/setgid binary is executed with standard I/O file descriptors closed, opening any files can result in unexpected content being read or written with elevated privileges. Similarly, if a setuid/setgid program is terminated, either via panic or signal, it may leak the contents of its registers.

CVE-2023-29404: cmd/go: improper sanitization of LDFLAGS [CVE-2023-29404] · Issue #60305 · golang/go

The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This can be triggered by linker flags, specified via a "#cgo LDFLAGS" directive. The arguments for a number of flags which are non-optional are incorrectly considered optional, allowing disallowed flags to be smuggled through the LDFLAGS sanitization. This affects usage of both the gc and gccgo compilers.