cmd/go: go.mod toolchain directive allows arbitrary execution (CVE-2023-39320) #1144
Comments
|
Mentioned in the upstream backport issue (golang/go#62393 (comment)) and in the issue description, this was introduced and only applies Go 1.21. Fixed in: #1154 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The go.mod toolchain directive, introduced in Go 1.21, could be leveraged to
execute scripts and binaries relative to the root of the module when the "go"
command was executed within the module. This applies to modules downloaded using
the "go" command from the module proxy, as well as modules downloaded directly
using VCS software.
Thanks to Juho Nurminen of Mattermost for reporting this issue.
This is CVE-2023-39320 and Go issue https://go.dev/issue/62198.
This is a PRIVATE issue for CVE-2023-39320, tracked in http://b/296227674 and fixed by http://tg/1996318.
/cc @golang/security and @golang/release
The text was updated successfully, but these errors were encountered: