Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

cmd/go: improper sanitization of LDFLAGS [CVE-2023-29405] #60306

Closed
rolandshoemaker opened this issue May 19, 2023 · 10 comments
Closed

cmd/go: improper sanitization of LDFLAGS [CVE-2023-29405] #60306

rolandshoemaker opened this issue May 19, 2023 · 10 comments
Labels
NeedsFix The path to resolution is known, but the work has not been done. release-blocker Security
Milestone

Comments

@rolandshoemaker
Copy link
Member

rolandshoemaker commented May 19, 2023

The go command may execute arbitrary code at build time when using cgo. This may
occur when running "go get" on a malicious module, or when running any other
command which builds untrusted code. This is can by triggered by linker flags,
specified via a "#cgo LDFLAGS" directive.

Thanks to Juho Nurminen of Mattermost for reporting this issue.

There are two bugs for two CVEs for this otherwise similar bug text, this is bug TWO.

This is a PRIVATE issue for CVE-2023-29405, tracked in http://b/280805901 and fixed by http://tg/1875094.

/cc @golang/security and @golang/release

@rolandshoemaker rolandshoemaker added Security NeedsFix The path to resolution is known, but the work has not been done. release-blocker labels May 19, 2023
@rolandshoemaker rolandshoemaker added this to the Go1.21 milestone May 19, 2023
@rolandshoemaker
Copy link
Member Author

@gopherbot please open backport issues.

@gopherbot
Copy link

Backport issue(s) opened: #60513 (for 1.19), #60514 (for 1.20).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.

@gopherbot
Copy link

Change https://go.dev/cl/501216 mentions this issue: [release-branch.go1.19] cmd/go,cmd/cgo: in _cgo_flags use one line per flag

@gopherbot
Copy link

Change https://go.dev/cl/501224 mentions this issue: cmd/go,cmd/cgo: in _cgo_flags use one line per flag

@gopherbot
Copy link

Change https://go.dev/cl/501220 mentions this issue: [release-branch.go1.20] cmd/go,cmd/cgo: in _cgo_flags use one line per flag

gopherbot pushed a commit that referenced this issue Jun 6, 2023
…r flag

The flags that we recorded in _cgo_flags did not use any quoting,
so a flag containing embedded spaces was mishandled.
Change the _cgo_flags format to put each flag on a separate line.
That is a simple format that does not require any quoting.

As far as I can tell only cmd/go uses _cgo_flags, and it is only
used for gccgo. If this patch doesn't cause any trouble, then
in the next release we can change to only using _cgo_flags for gccgo.

Thanks to Juho Nurminen of Mattermost for reporting this issue.

Updates #60306
Fixes #60514
Fixes CVE-2023-29405

Change-Id: I36b6e188a44c80d7b9573efa577c386770bd2ba3
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1875094
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Roland Shoemaker <bracewell@google.com>
(cherry picked from commit bcdfcadd5612212089d958bc352a6f6c90742dcc)
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1902228
Run-TryBot: Roland Shoemaker <bracewell@google.com>
TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1904345
Reviewed-by: Michael Knyszek <mknyszek@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/501220
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: David Chase <drchase@google.com>
Auto-Submit: Michael Knyszek <mknyszek@google.com>
gopherbot pushed a commit that referenced this issue Jun 6, 2023
…r flag

The flags that we recorded in _cgo_flags did not use any quoting,
so a flag containing embedded spaces was mishandled.
Change the _cgo_flags format to put each flag on a separate line.
That is a simple format that does not require any quoting.

As far as I can tell only cmd/go uses _cgo_flags, and it is only
used for gccgo. If this patch doesn't cause any trouble, then
in the next release we can change to only using _cgo_flags for gccgo.

Thanks to Juho Nurminen of Mattermost for reporting this issue.

Updates #60306
Fixes #60513
Fixes CVE-2023-29405

Change-Id: Id738a737ecae47babb34c4b4fc4d65336cf0c0f3
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1875094
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Roland Shoemaker <bracewell@google.com>
(cherry picked from commit bcdfcadd5612212089d958bc352a6f6c90742dcc)
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1902227
Run-TryBot: Roland Shoemaker <bracewell@google.com>
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1904341
Reviewed-by: Michael Knyszek <mknyszek@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/501216
Auto-Submit: Michael Knyszek <mknyszek@google.com>
Run-TryBot: David Chase <drchase@google.com>
TryBot-Bypass: David Chase <drchase@google.com>
@dr2chase dr2chase changed the title security: fix CVE-2023-29405 cmd/go: improper sanitization of LDFLAGS [CVE-2023-29405] Jun 6, 2023
@gopherbot
Copy link

Change https://go.dev/cl/501297 mentions this issue: [release-branch.go1.19] cmd/cgo: correct _cgo_flags output

@gopherbot
Copy link

Change https://go.dev/cl/501298 mentions this issue: [release-branch.go1.20] cmd/cgo: correct _cgo_flags output

gopherbot pushed a commit that referenced this issue Jun 6, 2023
For #60306
For #60513

Change-Id: I8b37d74433456f3270c2ea465ecf406da6e5a578
Reviewed-on: https://go-review.googlesource.com/c/go/+/501297
Run-TryBot: Ian Lance Taylor <iant@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: David Chase <drchase@google.com>
TryBot-Bypass: Dmitri Shuralyov <dmitshur@golang.org>
gopherbot pushed a commit that referenced this issue Jun 6, 2023
For #60306
For #60514

Change-Id: I3f5d14aee7d7195030e8872e42b1d97aa11d3582
Reviewed-on: https://go-review.googlesource.com/c/go/+/501298
Run-TryBot: Ian Lance Taylor <iant@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: David Chase <drchase@google.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
@gopherbot
Copy link

Change https://go.dev/cl/501435 mentions this issue: cmd/go: skip TestScript/gccgo_link_ldflags on aix/ppc64

gopherbot pushed a commit that referenced this issue Jun 7, 2023
The gccgo on the builder is not updated to support runtime/cgo

Updates #60306

Change-Id: If0fb1ccdf589cc9741f6a065bacfa4f06e64ec15
Reviewed-on: https://go-review.googlesource.com/c/go/+/501435
Reviewed-by: Ian Lance Taylor <iant@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Cuong Manh Le <cuong.manhle.vn@gmail.com>
Reviewed-by: Benny Siegert <bsiegert@gmail.com>
Auto-Submit: Cuong Manh Le <cuong.manhle.vn@gmail.com>
@gopherbot
Copy link

Change https://go.dev/cl/505595 mentions this issue: [release-branch.go1.20] cmd/go: skip TestScript/gccgo_link_ldflags on aix/ppc64

@gopherbot
Copy link

Change https://go.dev/cl/505596 mentions this issue: [release-branch.go1.19] cmd/go: skip TestScript/gccgo_link_ldflags on aix/ppc64

gopherbot pushed a commit that referenced this issue Jun 24, 2023
… aix/ppc64

The gccgo on the builder is not updated to support runtime/cgo

For #60306.
For #60514.

Change-Id: If0fb1ccdf589cc9741f6a065bacfa4f06e64ec15
Reviewed-on: https://go-review.googlesource.com/c/go/+/501435
Reviewed-by: Ian Lance Taylor <iant@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Cuong Manh Le <cuong.manhle.vn@gmail.com>
Reviewed-by: Benny Siegert <bsiegert@gmail.com>
Auto-Submit: Cuong Manh Le <cuong.manhle.vn@gmail.com>
(cherry picked from commit 688d75b)
Reviewed-on: https://go-review.googlesource.com/c/go/+/505595
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Than McIntosh <thanm@google.com>
Run-TryBot: Dmitri Shuralyov <dmitshur@golang.org>
gopherbot pushed a commit that referenced this issue Jun 24, 2023
… aix/ppc64

The gccgo on the builder is not updated to support runtime/cgo

For #60306.
For #60513.

Change-Id: If0fb1ccdf589cc9741f6a065bacfa4f06e64ec15
Reviewed-on: https://go-review.googlesource.com/c/go/+/501435
Reviewed-by: Ian Lance Taylor <iant@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Cuong Manh Le <cuong.manhle.vn@gmail.com>
Reviewed-by: Benny Siegert <bsiegert@gmail.com>
Auto-Submit: Cuong Manh Le <cuong.manhle.vn@gmail.com>
(cherry picked from commit 688d75b)
Reviewed-on: https://go-review.googlesource.com/c/go/+/505596
Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Than McIntosh <thanm@google.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Run-TryBot: Dmitri Shuralyov <dmitshur@golang.org>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
NeedsFix The path to resolution is known, but the work has not been done. release-blocker Security
Projects
None yet
Development

No branches or pull requests

2 participants