cmd/go: improper sanitization of LDFLAGS [CVE-2023-29405]

[rolandshoemaker]

The go command may execute arbitrary code at build time when using cgo. This may
occur when running "go get" on a malicious module, or when running any other
command which builds untrusted code. This is can by triggered by linker flags,
specified via a "#cgo LDFLAGS" directive.

Thanks to Juho Nurminen of Mattermost for reporting this issue.

There are two bugs for two CVEs for this otherwise similar bug text, this is bug TWO.

This is a PRIVATE issue for CVE-2023-29405, tracked in http://b/280805901 and fixed by http://tg/1875094.

/cc @golang/security and @golang/release

[rolandshoemaker]

@gopherbot please open backport issues.

[gopherbot]

Backport issue(s) opened: #60513 (for 1.19), #60514 (for 1.20).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.

[gopherbot]

Change https://go.dev/cl/501216 mentions this issue: [release-branch.go1.19] cmd/go,cmd/cgo: in _cgo_flags use one line per flag

[gopherbot]

Change https://go.dev/cl/501224 mentions this issue: cmd/go,cmd/cgo: in _cgo_flags use one line per flag

[gopherbot]

Change https://go.dev/cl/501220 mentions this issue: [release-branch.go1.20] cmd/go,cmd/cgo: in _cgo_flags use one line per flag

[gopherbot]

Change https://go.dev/cl/501297 mentions this issue: [release-branch.go1.19] cmd/cgo: correct _cgo_flags output