runtime: unexpected behavior of setuid/setgid binaries [CVE-2023-29403]

[rolandshoemaker]

The Go runtime didn't act any differently when a binary had the setuid/setgid
bit set. On Unix platforms, if a setuid/setgid binary was executed with standard
I/O file descriptors closed, opening any files could result in unexpected
content being read/written with elevated prilieges. Similarly if a setuid/setgid
program was terminated, either via panic or signal, it could leak the contents
of its registers.

Thanks to Vincent Dehors from Synacktiv for reporting this issue.

This is a PRIVATE issue for CVE-2023-29403, tracked in http://b/280870635 and fixed by http://tg/1878434

/cc @golang/security and @golang/release

[mitar]

This is not a private issues, btw. :-)

[rolandshoemaker]

PRIVATE refers to the Go Security policy track for this issue.

[rolandshoemaker]

@gopherbot please open backport issues.

[gopherbot]

Backport issue(s) opened: #60517 (for 1.19), #60518 (for 1.20).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.

[gopherbot]

Change https://go.dev/cl/501215 mentions this issue: [release-branch.go1.19] runtime: implement SUID/SGID protections

[gopherbot]

Change https://go.dev/cl/501219 mentions this issue: [release-branch.go1.20] runtime: implement SUID/SGID protections

[gopherbot]

Change https://go.dev/cl/501223 mentions this issue: runtime: implement SUID/SGID protections

[gopherbot]

Change https://go.dev/cl/501227 mentions this issue: [release-branch.go1.20] runtime: implement SUID/SGID protections

[gopherbot]

Change https://go.dev/cl/501228 mentions this issue: [release-branch.go1.19] runtime: implement SUID/SGID protections