cmd/go: improper sanitization of LDFLAGS [CVE-2023-29404] #60305
Labels
Milestone
Comments
rolandshoemaker
added
Security
NeedsFix
|
@gopherbot please open backport issues. |
|
Backport issue(s) opened: #60511 (for 1.19), #60512 (for 1.20). Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases. |
|
Change https://go.dev/cl/501217 mentions this issue: |
|
Change https://go.dev/cl/501225 mentions this issue: |
|
Change https://go.dev/cl/501221 mentions this issue: |
gopherbot
pushed a commit
that referenced
this issue
Jun 6, 2023
…ents Enforce that linker flags which expect arguments get them, otherwise it may be possible to smuggle unexpected flags through as the linker can consume what looks like a flag as an argument to a preceding flag (i.e. "-Wl,-O -Wl,-R,-bad-flag" is interpreted as "-O=-R -bad-flag"). Also be somewhat more restrictive in the general format of some flags. Thanks to Juho Nurminen of Mattermost for reporting this issue. Updates #60305 Fixes #60512 Fixes CVE-2023-29404 Change-Id: I5989f68d21a8851d8edd47f08550850524ee9180 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1876275 Reviewed-by: Ian Lance Taylor <iant@google.com> Reviewed-by: Damien Neil <dneil@google.com> (cherry picked from commit 896779503cf754cbdac24b61d4cc953b50fe2dde) Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1902226 TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com> Run-TryBot: Roland Shoemaker <bracewell@google.com> Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1904346 Reviewed-by: Michael Knyszek <mknyszek@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/501221 Run-TryBot: David Chase <drchase@google.com> Auto-Submit: Michael Knyszek <mknyszek@google.com> TryBot-Result: Gopher Robot <gobot@golang.org>
gopherbot
pushed a commit
that referenced
this issue
Jun 6, 2023
…ents Enforce that linker flags which expect arguments get them, otherwise it may be possible to smuggle unexpected flags through as the linker can consume what looks like a flag as an argument to a preceding flag (i.e. "-Wl,-O -Wl,-R,-bad-flag" is interpreted as "-O=-R -bad-flag"). Also be somewhat more restrictive in the general format of some flags. Thanks to Juho Nurminen of Mattermost for reporting this issue. Updates #60305 Fixes #60511 Fixes CVE-2023-29404 Change-Id: Icdffef2c0f644da50261cace6f43742783931cff Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1876275 Reviewed-by: Ian Lance Taylor <iant@google.com> Reviewed-by: Damien Neil <dneil@google.com> (cherry picked from commit 896779503cf754cbdac24b61d4cc953b50fe2dde) Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1902225 Run-TryBot: Roland Shoemaker <bracewell@google.com> Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1904342 Reviewed-by: Michael Knyszek <mknyszek@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/501217 Auto-Submit: Michael Knyszek <mknyszek@google.com> Run-TryBot: David Chase <drchase@google.com> TryBot-Bypass: Michael Knyszek <mknyszek@google.com>
dr2chase
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The go command may execute arbitrary code at build time when using cgo. This may
occur when running "go get" on a malicious module, or when running any other
command which builds untrusted code. This is can by triggered by linker flags,
specified via a "#cgo LDFLAGS" directive.
Thanks to Juho Nurminen of Mattermost for reporting this issue.
There are two bugs for two CVEs for this otherwise similar bug text, this is bug ONE.
This is a PRIVATE issue for CVE-2023-29404, tracked in http://b/280597157 and fixed by http://tg/1876275.
/cc @golang/security and @golang/release
The text was updated successfully, but these errors were encountered: