Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

cmd/go: cgo code injection [CVE-2023-29402] [1.20 backport] #60516

Closed
gopherbot opened this issue May 30, 2023 · 6 comments
Closed

cmd/go: cgo code injection [CVE-2023-29402] [1.20 backport] #60516

gopherbot opened this issue May 30, 2023 · 6 comments
Labels
CherryPickApproved Used during the release process for point releases release-blocker Security
Milestone
Go1.20.5

Comments

@gopherbot
Copy link

@rolandshoemaker requested issue #60167 to be considered for backport to the next 1.20 minor release.

@gopherbot please open backport issues.
@gopherbot gopherbot added the CherryPickCandidate Used during the release process for point releases label May 30, 2023
@gopherbot gopherbot mentioned this issue May 30, 2023
Closed
@gopherbot gopherbot added this to the Go1.20.5 milestone May 30, 2023
@dr2chase dr2chase added the CherryPickApproved Used during the release process for point releases label Jun 6, 2023
@gopherbot gopherbot removed the CherryPickCandidate Used during the release process for point releases label Jun 6, 2023
@gopherbot
Copy link
Author

Change https://go.dev/cl/501222 mentions this issue: [release-branch.go1.20] cmd/go: disallow package directories containing newlines

gopherbot pushed a commit that referenced this issue Jun 6, 2023
@gopherbot
[release-branch.go1.20] cmd/go: disallow package directories containi…
c0ed873 
…ng newlines

Directory or file paths containing newlines may cause tools (such as
cmd/cgo) that emit "//line" or "#line" -directives to write part of
the path into non-comment lines in generated source code. If those
lines contain valid Go code, it may be injected into the resulting
binary.

(Note that Go import paths and file paths within module zip files
already could not contain newlines.)

Thanks to Juho Nurminen of Mattermost for reporting this issue.

Updates #60167.
Fixes #60516.
Fixes CVE-2023-29402.

Change-Id: Ic3c7d8d1f6460993bd93a27035d61bff7dd68832
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1882606
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Run-TryBot: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Russ Cox <rsc@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
(cherry picked from commit 41f9046495564fc728d6f98384ab7276450ac7e2)
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1902230
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1904347
Reviewed-by: Bryan Mills <bcmills@google.com>
Reviewed-by: Michael Knyszek <mknyszek@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/501222
Run-TryBot: David Chase <drchase@google.com>
Auto-Submit: Michael Knyszek <mknyszek@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
@gopherbot
Copy link
Author

Closed by merging c0ed873 to release-branch.go1.20.

@dr2chase dr2chase changed the title security: fix CVE-2023-29402 [1.20 backport] cmd/go: cgo code injection [CVE-2023-29402] [1.20 backport] Jun 6, 2023
@gopherbot
Copy link
Author

Change https://go.dev/cl/501816 mentions this issue: [release-branch.go1.20] cmd/go: fix TestScript/build_cwd_newline with CGO_ENABLED=0

@gopherbot
Copy link
Author

Change https://go.dev/cl/501817 mentions this issue: [release-branch.go1.20] cmd/cgo: error out if the source path used in line directives would contain a newline

@gopherbot
Copy link
Author

Change https://go.dev/cl/501818 mentions this issue: [release-branch.go1.20] cmd/cover: error out if a requested source file contains a newline

@gopherbot
Copy link
Author

Change https://go.dev/cl/501819 mentions this issue: [release-branch.go1.20] go/printer: error out of Fprint when it would write a '//line' directive with a multiline file path

gopherbot pushed a commit that referenced this issue Jun 20, 2023
@gopherbot
[release-branch.go1.20] cmd/go: fix TestScript/build_cwd_newline with…
6c606fc 
… CGO_ENABLED=0

Updates #60516.
Updates #60167.

Change-Id: I3792682e80a3c48d78a3b9e647cc968a1d5c8f2b
Reviewed-on: https://go-review.googlesource.com/c/go/+/501575
Auto-Submit: Bryan Mills <bcmills@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Bryan Mills <bcmills@google.com>
Reviewed-by: Ian Lance Taylor <iant@google.com>
(cherry picked from commit e2b1c0b)
Reviewed-on: https://go-review.googlesource.com/c/go/+/501816
Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
gopherbot pushed a commit that referenced this issue Jun 20, 2023
@gopherbot
[release-branch.go1.20] cmd/cgo: error out if the source path used in…
4719048 
… line directives would contain a newline

cmd/cgo uses '//line' directives to map generated source
files back to the original source file and line nmubers.

The line directives have no way to escape newline characters,
so cmd/cgo must not be used if the line directives would contain
such characters.

Updates #60516.
Updates #60167.

Change-Id: I8581cea74d6c08f82e86ed87127e81252e1bf78c
Reviewed-on: https://go-review.googlesource.com/c/go/+/501576
TryBot-Result: Gopher Robot <gobot@golang.org>
Auto-Submit: Bryan Mills <bcmills@google.com>
Reviewed-by: Ian Lance Taylor <iant@google.com>
Run-TryBot: Bryan Mills <bcmills@google.com>
(cherry picked from commit c482283)
Reviewed-on: https://go-review.googlesource.com/c/go/+/501817
Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
gopherbot pushed a commit that referenced this issue Jun 20, 2023
@gopherbot
[release-branch.go1.20] cmd/cover: error out if a requested source fi…
4959424 
…le contains a newline

cmd/cover uses '//line' directives to map instrumented source files
back to the original source file and line numbers.
Line directives have no way to escape newline characters, so cmd/cover
must not be used with source file paths that contain such characters.

Updates #60516.
Updates #60167.

Change-Id: I6dc039392d59fc3a5a6121ef6ca97b0ab0da5288
Reviewed-on: https://go-review.googlesource.com/c/go/+/501577
Auto-Submit: Bryan Mills <bcmills@google.com>
Run-TryBot: Bryan Mills <bcmills@google.com>
Reviewed-by: Ian Lance Taylor <iant@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
(cherry picked from commit 3d78c73)
Reviewed-on: https://go-review.googlesource.com/c/go/+/501818
Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
gopherbot pushed a commit that referenced this issue Jun 20, 2023
@gopherbot
[release-branch.go1.20] go/printer: error out of Fprint when it would…
d51e322 
… write a '//line' directive with a multiline file path

Line directives do not provide a way to escape newline characters, so
source file paths containing newlines must not be written in them.

Updates #60516.
Updates #60167.

Change-Id: I30f8b381cc7d1df6914c27591544edf424a4b634
Reviewed-on: https://go-review.googlesource.com/c/go/+/501578
Reviewed-by: Robert Griesemer <gri@google.com>
Auto-Submit: Bryan Mills <bcmills@google.com>
Run-TryBot: Bryan Mills <bcmills@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
(cherry picked from commit d1087efa42ea0b0f011283a87d7a732cba51e4ad)
Reviewed-on: https://go-review.googlesource.com/c/go/+/501819
Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Ian Lance Taylor <iant@google.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
CherryPickApproved Used during the release process for point releases release-blocker Security
Projects
None yet
Milestone
Go1.20.5
Development

No branches or pull requests
4 participants
@mknyszek @dmitshur @dr2chase @gopherbot