cmd/go: improper sanitization of LDFLAGS [CVE-2023-29405] #60306
Labels
FrozenDueToAge
NeedsFix
The path to resolution is known, but the work has not been done.
release-blocker
Security
Milestone
Comments
rolandshoemaker
added
Security
NeedsFix
|
@gopherbot please open backport issues. |
This was referenced May 30, 2023
|
Backport issue(s) opened: #60513 (for 1.19), #60514 (for 1.20). Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases. |
|
Change https://go.dev/cl/501216 mentions this issue: |
|
Change https://go.dev/cl/501224 mentions this issue: |
|
Change https://go.dev/cl/501220 mentions this issue: |
gopherbot
pushed a commit
that referenced
this issue
Jun 6, 2023
…r flag The flags that we recorded in _cgo_flags did not use any quoting, so a flag containing embedded spaces was mishandled. Change the _cgo_flags format to put each flag on a separate line. That is a simple format that does not require any quoting. As far as I can tell only cmd/go uses _cgo_flags, and it is only used for gccgo. If this patch doesn't cause any trouble, then in the next release we can change to only using _cgo_flags for gccgo. Thanks to Juho Nurminen of Mattermost for reporting this issue. Updates #60306 Fixes #60514 Fixes CVE-2023-29405 Change-Id: I36b6e188a44c80d7b9573efa577c386770bd2ba3 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1875094 Reviewed-by: Damien Neil <dneil@google.com> Reviewed-by: Roland Shoemaker <bracewell@google.com> (cherry picked from commit bcdfcadd5612212089d958bc352a6f6c90742dcc) Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1902228 Run-TryBot: Roland Shoemaker <bracewell@google.com> TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com> Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1904345 Reviewed-by: Michael Knyszek <mknyszek@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/501220 TryBot-Result: Gopher Robot <gobot@golang.org> Run-TryBot: David Chase <drchase@google.com> Auto-Submit: Michael Knyszek <mknyszek@google.com>
gopherbot
pushed a commit
that referenced
this issue
Jun 6, 2023
…r flag The flags that we recorded in _cgo_flags did not use any quoting, so a flag containing embedded spaces was mishandled. Change the _cgo_flags format to put each flag on a separate line. That is a simple format that does not require any quoting. As far as I can tell only cmd/go uses _cgo_flags, and it is only used for gccgo. If this patch doesn't cause any trouble, then in the next release we can change to only using _cgo_flags for gccgo. Thanks to Juho Nurminen of Mattermost for reporting this issue. Updates #60306 Fixes #60513 Fixes CVE-2023-29405 Change-Id: Id738a737ecae47babb34c4b4fc4d65336cf0c0f3 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1875094 Reviewed-by: Damien Neil <dneil@google.com> Reviewed-by: Roland Shoemaker <bracewell@google.com> (cherry picked from commit bcdfcadd5612212089d958bc352a6f6c90742dcc) Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1902227 Run-TryBot: Roland Shoemaker <bracewell@google.com> Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1904341 Reviewed-by: Michael Knyszek <mknyszek@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/501216 Auto-Submit: Michael Knyszek <mknyszek@google.com> Run-TryBot: David Chase <drchase@google.com> TryBot-Bypass: David Chase <drchase@google.com>
dr2chase
changed the title
|
Change https://go.dev/cl/501297 mentions this issue: |
|
Change https://go.dev/cl/501298 mentions this issue: |
gopherbot
pushed a commit
that referenced
this issue
Jun 6, 2023
For #60306 For #60513 Change-Id: I8b37d74433456f3270c2ea465ecf406da6e5a578 Reviewed-on: https://go-review.googlesource.com/c/go/+/501297 Run-TryBot: Ian Lance Taylor <iant@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> Reviewed-by: David Chase <drchase@google.com> TryBot-Bypass: Dmitri Shuralyov <dmitshur@golang.org>
gopherbot
pushed a commit
that referenced
this issue
Jun 6, 2023
For #60306 For #60514 Change-Id: I3f5d14aee7d7195030e8872e42b1d97aa11d3582 Reviewed-on: https://go-review.googlesource.com/c/go/+/501298 Run-TryBot: Ian Lance Taylor <iant@golang.org> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> Reviewed-by: David Chase <drchase@google.com> Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
|
Change https://go.dev/cl/501435 mentions this issue: |
gopherbot
pushed a commit
that referenced
this issue
Jun 7, 2023
The gccgo on the builder is not updated to support runtime/cgo Updates #60306 Change-Id: If0fb1ccdf589cc9741f6a065bacfa4f06e64ec15 Reviewed-on: https://go-review.googlesource.com/c/go/+/501435 Reviewed-by: Ian Lance Taylor <iant@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Run-TryBot: Cuong Manh Le <cuong.manhle.vn@gmail.com> Reviewed-by: Benny Siegert <bsiegert@gmail.com> Auto-Submit: Cuong Manh Le <cuong.manhle.vn@gmail.com>
|
Change https://go.dev/cl/505595 mentions this issue: |
|
Change https://go.dev/cl/505596 mentions this issue: |
gopherbot
pushed a commit
that referenced
this issue
Jun 24, 2023
… aix/ppc64 The gccgo on the builder is not updated to support runtime/cgo For #60306. For #60514. Change-Id: If0fb1ccdf589cc9741f6a065bacfa4f06e64ec15 Reviewed-on: https://go-review.googlesource.com/c/go/+/501435 Reviewed-by: Ian Lance Taylor <iant@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Run-TryBot: Cuong Manh Le <cuong.manhle.vn@gmail.com> Reviewed-by: Benny Siegert <bsiegert@gmail.com> Auto-Submit: Cuong Manh Le <cuong.manhle.vn@gmail.com> (cherry picked from commit 688d75b) Reviewed-on: https://go-review.googlesource.com/c/go/+/505595 Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> Auto-Submit: Dmitri Shuralyov <dmitshur@google.com> Reviewed-by: Than McIntosh <thanm@google.com> Run-TryBot: Dmitri Shuralyov <dmitshur@golang.org>
gopherbot
pushed a commit
that referenced
this issue
Jun 24, 2023
… aix/ppc64 The gccgo on the builder is not updated to support runtime/cgo For #60306. For #60513. Change-Id: If0fb1ccdf589cc9741f6a065bacfa4f06e64ec15 Reviewed-on: https://go-review.googlesource.com/c/go/+/501435 Reviewed-by: Ian Lance Taylor <iant@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Run-TryBot: Cuong Manh Le <cuong.manhle.vn@gmail.com> Reviewed-by: Benny Siegert <bsiegert@gmail.com> Auto-Submit: Cuong Manh Le <cuong.manhle.vn@gmail.com> (cherry picked from commit 688d75b) Reviewed-on: https://go-review.googlesource.com/c/go/+/505596 Auto-Submit: Dmitri Shuralyov <dmitshur@google.com> Reviewed-by: Than McIntosh <thanm@google.com> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> Run-TryBot: Dmitri Shuralyov <dmitshur@golang.org>
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
The go command may execute arbitrary code at build time when using cgo. This may
occur when running "go get" on a malicious module, or when running any other
command which builds untrusted code. This is can by triggered by linker flags,
specified via a "#cgo LDFLAGS" directive.
Thanks to Juho Nurminen of Mattermost for reporting this issue.
There are two bugs for two CVEs for this otherwise similar bug text, this is bug TWO.
This is a PRIVATE issue for CVE-2023-29405, tracked in http://b/280805901 and fixed by http://tg/1875094.
/cc @golang/security and @golang/release
The text was updated successfully, but these errors were encountered: