Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

cmd/go: improper sanitization of LDFLAGS [CVE-2023-29404] #60305

Closed
rolandshoemaker opened this issue May 19, 2023 · 5 comments
Closed

cmd/go: improper sanitization of LDFLAGS [CVE-2023-29404] #60305

rolandshoemaker opened this issue May 19, 2023 · 5 comments
Labels
FrozenDueToAge NeedsFix The path to resolution is known, but the work has not been done. release-blocker Security
Milestone
Go1.21

Comments

@rolandshoemaker
Copy link
Member

rolandshoemaker commented May 19, 2023
edited by dr2chase
Loading

The go command may execute arbitrary code at build time when using cgo. This may
occur when running "go get" on a malicious module, or when running any other
command which builds untrusted code. This is can by triggered by linker flags,
specified via a "#cgo LDFLAGS" directive.

Thanks to Juho Nurminen of Mattermost for reporting this issue.

There are two bugs for two CVEs for this otherwise similar bug text, this is bug ONE.

This is a PRIVATE issue for CVE-2023-29404, tracked in http://b/280597157 and fixed by http://tg/1876275.

/cc @golang/security and @golang/release
@rolandshoemaker rolandshoemaker added Security NeedsFix The path to resolution is known, but the work has not been done. release-blocker labels May 19, 2023
@rolandshoemaker rolandshoemaker added this to the Go1.21 milestone May 19, 2023
@rolandshoemaker
Copy link
Member Author

@gopherbot please open backport issues.

@gopherbot gopherbot mentioned this issue May 30, 2023
Closed
@gopherbot
Copy link
Contributor

Backport issue(s) opened: #60511 (for 1.19), #60512 (for 1.20).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.

@gopherbot gopherbot mentioned this issue May 30, 2023
Closed
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/501217 mentions this issue: [release-branch.go1.19] cmd/go: enforce flags with non-optional arguments

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/501225 mentions this issue: cmd/go: enforce flags with non-optional arguments

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/501221 mentions this issue: [release-branch.go1.20] cmd/go: enforce flags with non-optional arguments

gopherbot pushed a commit that referenced this issue Jun 6, 2023
@rolandshoemaker @gopherbot
[release-branch.go1.20] cmd/go: enforce flags with non-optional argum…
356a419 
…ents

Enforce that linker flags which expect arguments get them, otherwise it
may be possible to smuggle unexpected flags through as the linker can
consume what looks like a flag as an argument to a preceding flag (i.e.
"-Wl,-O -Wl,-R,-bad-flag" is interpreted as "-O=-R -bad-flag"). Also be
somewhat more restrictive in the general format of some flags.

Thanks to Juho Nurminen of Mattermost for reporting this issue.

Updates #60305
Fixes #60512
Fixes CVE-2023-29404

Change-Id: I5989f68d21a8851d8edd47f08550850524ee9180
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1876275
Reviewed-by: Ian Lance Taylor <iant@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
(cherry picked from commit 896779503cf754cbdac24b61d4cc953b50fe2dde)
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1902226
TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
Run-TryBot: Roland Shoemaker <bracewell@google.com>
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1904346
Reviewed-by: Michael Knyszek <mknyszek@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/501221
Run-TryBot: David Chase <drchase@google.com>
Auto-Submit: Michael Knyszek <mknyszek@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
gopherbot pushed a commit that referenced this issue Jun 6, 2023
@rolandshoemaker @gopherbot
[release-branch.go1.19] cmd/go: enforce flags with non-optional argum…
bf3c8ce 
…ents

Enforce that linker flags which expect arguments get them, otherwise it
may be possible to smuggle unexpected flags through as the linker can
consume what looks like a flag as an argument to a preceding flag (i.e.
"-Wl,-O -Wl,-R,-bad-flag" is interpreted as "-O=-R -bad-flag"). Also be
somewhat more restrictive in the general format of some flags.

Thanks to Juho Nurminen of Mattermost for reporting this issue.

Updates #60305
Fixes #60511
Fixes CVE-2023-29404

Change-Id: Icdffef2c0f644da50261cace6f43742783931cff
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1876275
Reviewed-by: Ian Lance Taylor <iant@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
(cherry picked from commit 896779503cf754cbdac24b61d4cc953b50fe2dde)
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1902225
Run-TryBot: Roland Shoemaker <bracewell@google.com>
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1904342
Reviewed-by: Michael Knyszek <mknyszek@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/501217
Auto-Submit: Michael Knyszek <mknyszek@google.com>
Run-TryBot: David Chase <drchase@google.com>
TryBot-Bypass: Michael Knyszek <mknyszek@google.com>
@dr2chase dr2chase changed the title security: fix CVE-2023-29404 cmd/go: improper sanitization of LDFLAGS [CVE-2023-29404] Jun 6, 2023
@Kinbaum Kinbaum mentioned this issue Jul 7, 2023
Closed
@golang golang locked and limited conversation to collaborators Jun 5, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
FrozenDueToAge NeedsFix The path to resolution is known, but the work has not been done. release-blocker Security
Projects
None yet
Milestone
Go1.21
Development

No branches or pull requests
2 participants
@rolandshoemaker @gopherbot