Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

cmd/go: line directives allows arbitrary execution during build (CVE-2023-39323) #63211

Closed
rolandshoemaker opened this issue Sep 25, 2023 · 9 comments
Closed

cmd/go: line directives allows arbitrary execution during build (CVE-2023-39323) #63211

rolandshoemaker opened this issue Sep 25, 2023 · 9 comments
Labels
NeedsFix The path to resolution is known, but the work has not been done. release-blocker Security
Milestone
Go1.22

Comments

@rolandshoemaker
Copy link
Member

rolandshoemaker commented Sep 25, 2023
edited by kevinburke

"//line" directives can be used to bypass the restrictions on "//go:cgo_"
directives, allowing blocked linker and compiler flags to be passed during
compilation. This can result in unexpected execution of arbitrary code when
running "go build". The line directive requires the absolute path of the file in
which the directive lives, which makes exploting this issue significantly more
complex.

This is CVE-2023-39323 and Go issue https://go.dev/issue/63211.

This is a PRIVATE issue for CVE-2023-39323, tracked in http://b/296358534 and fixed by http://tg/2032884.

/cc @golang/security and @golang/release
@rolandshoemaker
Copy link
Member Author

@gopherbot please open backport issues.

This was referenced Sep 25, 2023
Closed
Closed
@gopherbot
Copy link

Backport issue(s) opened: #63213 (for 1.20), #63214 (for 1.21).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.

@thanm thanm added the NeedsFix The path to resolution is known, but the work has not been done. label Sep 25, 2023
@dmitshur dmitshur added this to the Go1.22 milestone Oct 1, 2023
@gopherbot
Copy link

Change https://go.dev/cl/533195 mentions this issue: [release-branch.go1.20] cmd/compile: use absolute file name in isCgo check

@gopherbot
Copy link

Change https://go.dev/cl/533215 mentions this issue: [release-branch.go1.21] cmd/compile: use absolute file name in isCgo check

gopherbot pushed a commit that referenced this issue Oct 5, 2023
@ianlancetaylor @gopherbot
[release-branch.go1.21] cmd/compile: use absolute file name in isCgo …
2ddfc04 
…check

For #23672
Updates #63211
Fixes #63214
Fixes CVE-2023-39323

Change-Id: I4586a69e1b2560036afec29d53e53cf25e6c7352
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2032884
Reviewed-by: Matthew Dempsky <mdempsky@google.com>
Reviewed-by: Roland Shoemaker <bracewell@google.com>
(cherry picked from commit 9b19e751918dd218035811b1ef83a8c2693b864a)
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2037958
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Run-TryBot: Roland Shoemaker <bracewell@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/533215
Reviewed-by: Than McIntosh <thanm@google.com>
Auto-Submit: Michael Pratt <mpratt@google.com>
Reviewed-by: Ian Lance Taylor <iant@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
gopherbot pushed a commit that referenced this issue Oct 5, 2023
@ianlancetaylor @prattmic
[release-branch.go1.20] cmd/compile: use absolute file name in isCgo …
31d5b60 
…check

For #23672
Updates #63211
Fixes #63213
Fixes CVE-2023-39323

Change-Id: I4586a69e1b2560036afec29d53e53cf25e6c7352
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2032884
Reviewed-by: Matthew Dempsky <mdempsky@google.com>
Reviewed-by: Roland Shoemaker <bracewell@google.com>
(cherry picked from commit 9b19e751918dd218035811b1ef83a8c2693b864a)
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2037629
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Run-TryBot: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/533195
Auto-Submit: Michael Pratt <mpratt@google.com>
Reviewed-by: Ian Lance Taylor <iant@google.com>
TryBot-Bypass: Michael Pratt <mpratt@google.com>
Reviewed-by: Than McIntosh <thanm@google.com>
@prattmic prattmic changed the title security: fix CVE-2023-39323 cmd/go: line directives allows arbitrary execution during build (CVE-2023-39323) Oct 5, 2023
@kevinburke
Copy link
Contributor

kevinburke commented Oct 5, 2023
edited

Thank you for fixing this. Can you confirm which versions of Go are affected by this issue?

(My edit of the description just replaced "compliation" with "compilation".)

@ianlancetaylor
Copy link
Contributor

@kevinburke Unfortunately, I believe that this vulnerability was introduced very early on in Go 1.1. We fixed a large class of these bugs in Go 1.10 (see #23672) but we missed this one.

@yosifkit yosifkit mentioned this issue Oct 5, 2023
Merged
@dmitshur dmitshur self-assigned this Oct 11, 2023
@gopherbot
Copy link

Change https://go.dev/cl/534158 mentions this issue: cmd/compile: use absolute file name in isCgo check

@dmitshur dmitshur removed their assignment Oct 11, 2023
jdimatteo pushed a commit to jdimatteo/go that referenced this issue Oct 16, 2023
@ianlancetaylor @jdimatteo
[release-branch.go1.20] cmd/compile: use absolute file name in isCgo …
ad42210 
…check

For golang#23672
Updates golang#63211
Fixes golang#63213
Fixes CVE-2023-39323

Change-Id: I4586a69e1b2560036afec29d53e53cf25e6c7352
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2032884
Reviewed-by: Matthew Dempsky <mdempsky@google.com>
Reviewed-by: Roland Shoemaker <bracewell@google.com>
(cherry picked from commit 9b19e751918dd218035811b1ef83a8c2693b864a)
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2037629
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Run-TryBot: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/533195
Auto-Submit: Michael Pratt <mpratt@google.com>
Reviewed-by: Ian Lance Taylor <iant@google.com>
TryBot-Bypass: Michael Pratt <mpratt@google.com>
Reviewed-by: Than McIntosh <thanm@google.com>
@jdimatteo jdimatteo mentioned this issue Oct 16, 2023
Closed
yunginnanet pushed a commit to yunginnanet/go that referenced this issue Oct 20, 2023
@ianlancetaylor @yunginnanet
cmd/compile: use absolute file name in isCgo check
5378df0 
For golang#23672
Fixes golang#63211
Fixes CVE-2023-39323

Change-Id: I4586a69e1b2560036afec29d53e53cf25e6c7352
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2032884
Reviewed-by: Matthew Dempsky <mdempsky@google.com>
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/534158
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Ian Lance Taylor <iant@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Ian Lance Taylor <iant@google.com>
@szelenka szelenka mentioned this issue Oct 24, 2023
Closed
@ArchanaWind
Copy link

Hi,
Could you people please confirm Is go_1.17.13 affected, most of the removed functions are not present in this versio.

image

bytes.Cut is not present in go_1.17.13

image

trimFilename() func is also not present and it added later

@ArchanaWind
Copy link

Can you people please respond on it

rcrozean pushed a commit to rcrozean/go that referenced this issue Dec 7, 2023
@ianlancetaylor @rcrozean
cmd/compile: use absolute file name in isCgo check
59a4ba0 
# AWS EKS

Backported To: go-1.19.13-eks
Backported On: Tue, 10 Oct 2023
Backported By: rcrozean@amazon.com
Backported From: release-branch.go1.20
Source Commit: golang@31d5b60

# Original Information

For golang#23672
Updates golang#63211
Fixes golang#63213
Fixes CVE-2023-39323

Change-Id: I4586a69e1b2560036afec29d53e53cf25e6c7352
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2032884
Reviewed-by: Matthew Dempsky <mdempsky@google.com>
Reviewed-by: Roland Shoemaker <bracewell@google.com>
(cherry picked from commit 9b19e751918dd218035811b1ef83a8c2693b864a)
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2037629
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Run-TryBot: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/533195
Auto-Submit: Michael Pratt <mpratt@google.com>
Reviewed-by: Ian Lance Taylor <iant@google.com>
TryBot-Bypass: Michael Pratt <mpratt@google.com>
Reviewed-by: Than McIntosh <thanm@google.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
NeedsFix The path to resolution is known, but the work has not been done. release-blocker Security
Projects
None yet
Milestone
Go1.22
Development

No branches or pull requests
7 participants
@kevinburke @dmitshur @ianlancetaylor @rolandshoemaker @gopherbot @thanm @ArchanaWind