cmd/go: go.mod toolchain directive allows arbitrary execution (CVE-2023-39320) #62198
Labels
GoCommand
cmd/go
NeedsFix
The path to resolution is known, but the work has not been done.
release-blocker
Security
Milestone
Comments
cagedmantis
added
the
NeedsFix
|
@gopherbot please open backport issues. |
|
Backport issue(s) opened: #62393 (for 1.20), #62394 (for 1.21). Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases. |
|
Change https://go.dev/cl/526095 mentions this issue: |
gopherbot
pushed a commit
that referenced
this issue
Sep 6, 2023
…g path separators If GOTOOLCHAIN="path" or "auto", the go command uses exec.LookPath to search for it in order to allow toolchains to refer to local-only toolchain variants (such as toolchains built from enterprise- or distro-patched source). However, those toolchains should only be resolved from $PATH, not relative to the working directory of the command. Thanks to Juho Nurminen of Mattermost for reporting this issue. Fixes #62198. Fixes #62394. Fixes CVE-2023-39320. Change-Id: I247c7acea95d737362dd0475e9fc8515430d0fcc Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1996318 Run-TryBot: Roland Shoemaker <bracewell@google.com> Reviewed-by: Damien Neil <dneil@google.com> Reviewed-by: Roland Shoemaker <bracewell@google.com> (cherry picked from commit e41c0a55d45e9a9acbc5d7c1143ea4fff8fb9283) Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2014013 Reviewed-by: Bryan Mills <bcmills@google.com> Reviewed-by: Tatiana Bradley <tatianabradley@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/526095 Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Run-TryBot: Cherry Mui <cherryyz@google.com>
cherrymui
changed the title
|
Change https://go.dev/cl/526158 mentions this issue: |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The go.mod toolchain directive, introduced in Go 1.21, could be leveraged to
execute scripts and binaries relative to the root of the module when the "go"
command was executed within the module. This applies to modules downloaded using
the "go" command from the module proxy, as well as modules downloaded directly
using VCS software.
Thanks to Juho Nurminen of Mattermost for reporting this issue.
This is CVE-2023-39320 and Go issue https://go.dev/issue/62198.
This is a PRIVATE issue for CVE-2023-39320, tracked in http://b/296227674 and fixed by http://tg/1996318.
/cc @golang/security and @golang/release
The text was updated successfully, but these errors were encountered: