Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

cmd/go: improper sanitization of LDFLAGS [CVE-2023-29405] [1.20 backport] #60514

Closed
gopherbot opened this issue May 30, 2023 · 5 comments
Closed

cmd/go: improper sanitization of LDFLAGS [CVE-2023-29405] [1.20 backport] #60514

gopherbot opened this issue May 30, 2023 · 5 comments
Labels
CherryPickApproved Used during the release process for point releases release-blocker Security
Milestone
Go1.20.5

Comments

@gopherbot
Copy link

@rolandshoemaker requested issue #60306 to be considered for backport to the next 1.20 minor release.

@gopherbot please open backport issues.
@gopherbot gopherbot added the CherryPickCandidate Used during the release process for point releases label May 30, 2023
@gopherbot gopherbot mentioned this issue May 30, 2023
Closed
@gopherbot gopherbot added this to the Go1.20.5 milestone May 30, 2023
@gopherbot
Copy link
Author

Change https://go.dev/cl/501220 mentions this issue: [release-branch.go1.20] cmd/go,cmd/cgo: in _cgo_flags use one line per flag

@gopherbot
Copy link
Author

Closed by merging fa60c38 to release-branch.go1.20.

gopherbot pushed a commit that referenced this issue Jun 6, 2023
@ianlancetaylor @gopherbot
[release-branch.go1.20] cmd/go,cmd/cgo: in _cgo_flags use one line pe…
fa60c38 
…r flag

The flags that we recorded in _cgo_flags did not use any quoting,
so a flag containing embedded spaces was mishandled.
Change the _cgo_flags format to put each flag on a separate line.
That is a simple format that does not require any quoting.

As far as I can tell only cmd/go uses _cgo_flags, and it is only
used for gccgo. If this patch doesn't cause any trouble, then
in the next release we can change to only using _cgo_flags for gccgo.

Thanks to Juho Nurminen of Mattermost for reporting this issue.

Updates #60306
Fixes #60514
Fixes CVE-2023-29405

Change-Id: I36b6e188a44c80d7b9573efa577c386770bd2ba3
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1875094
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Roland Shoemaker <bracewell@google.com>
(cherry picked from commit bcdfcadd5612212089d958bc352a6f6c90742dcc)
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1902228
Run-TryBot: Roland Shoemaker <bracewell@google.com>
TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1904345
Reviewed-by: Michael Knyszek <mknyszek@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/501220
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: David Chase <drchase@google.com>
Auto-Submit: Michael Knyszek <mknyszek@google.com>
@dr2chase dr2chase changed the title security: fix CVE-2023-29405 [1.20 backport] cmd/go: improper sanitization of LDFLAGS [CVE-2023-29405] [1.20 backport] Jun 6, 2023
@dmitshur dmitshur added CherryPickApproved Used during the release process for point releases and removed CherryPickCandidate Used during the release process for point releases labels Jun 6, 2023
@dmitshur
Copy link
Contributor

dmitshur commented Jun 6, 2023

(This was approved earlier, the label needed to be updated.)

@gopherbot
Copy link
Author

Change https://go.dev/cl/501298 mentions this issue: [release-branch.go1.20] cmd/cgo: correct _cgo_flags output

gopherbot pushed a commit that referenced this issue Jun 6, 2023
@ianlancetaylor
[release-branch.go1.20] cmd/cgo: correct _cgo_flags output
1008486 
For #60306
For #60514

Change-Id: I3f5d14aee7d7195030e8872e42b1d97aa11d3582
Reviewed-on: https://go-review.googlesource.com/c/go/+/501298
Run-TryBot: Ian Lance Taylor <iant@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: David Chase <drchase@google.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
@gopherbot
Copy link
Author

Change https://go.dev/cl/505595 mentions this issue: [release-branch.go1.20] cmd/go: skip TestScript/gccgo_link_ldflags on aix/ppc64

gopherbot pushed a commit that referenced this issue Jun 24, 2023
@cuonglm @gopherbot
[release-branch.go1.20] cmd/go: skip TestScript/gccgo_link_ldflags on…
6509283 
… aix/ppc64

The gccgo on the builder is not updated to support runtime/cgo

For #60306.
For #60514.

Change-Id: If0fb1ccdf589cc9741f6a065bacfa4f06e64ec15
Reviewed-on: https://go-review.googlesource.com/c/go/+/501435
Reviewed-by: Ian Lance Taylor <iant@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Cuong Manh Le <cuong.manhle.vn@gmail.com>
Reviewed-by: Benny Siegert <bsiegert@gmail.com>
Auto-Submit: Cuong Manh Le <cuong.manhle.vn@gmail.com>
(cherry picked from commit 688d75b)
Reviewed-on: https://go-review.googlesource.com/c/go/+/505595
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Than McIntosh <thanm@google.com>
Run-TryBot: Dmitri Shuralyov <dmitshur@golang.org>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
CherryPickApproved Used during the release process for point releases release-blocker Security
Projects
None yet
Milestone
Go1.20.5
Development

No branches or pull requests
3 participants
@mknyszek @dmitshur @gopherbot