-
Notifications
You must be signed in to change notification settings - Fork 17.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
cmd/go: cgo code injection [CVE-2023-29402] [1.20 backport] #60516
Comments
Change https://go.dev/cl/501222 mentions this issue: |
…ng newlines Directory or file paths containing newlines may cause tools (such as cmd/cgo) that emit "//line" or "#line" -directives to write part of the path into non-comment lines in generated source code. If those lines contain valid Go code, it may be injected into the resulting binary. (Note that Go import paths and file paths within module zip files already could not contain newlines.) Thanks to Juho Nurminen of Mattermost for reporting this issue. Updates #60167. Fixes #60516. Fixes CVE-2023-29402. Change-Id: Ic3c7d8d1f6460993bd93a27035d61bff7dd68832 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1882606 Reviewed-by: Roland Shoemaker <bracewell@google.com> Run-TryBot: Roland Shoemaker <bracewell@google.com> Reviewed-by: Russ Cox <rsc@google.com> Reviewed-by: Damien Neil <dneil@google.com> (cherry picked from commit 41f9046495564fc728d6f98384ab7276450ac7e2) Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1902230 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1904347 Reviewed-by: Bryan Mills <bcmills@google.com> Reviewed-by: Michael Knyszek <mknyszek@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/501222 Run-TryBot: David Chase <drchase@google.com> Auto-Submit: Michael Knyszek <mknyszek@google.com> TryBot-Result: Gopher Robot <gobot@golang.org>
Closed by merging c0ed873 to release-branch.go1.20. |
Change https://go.dev/cl/501816 mentions this issue: |
Change https://go.dev/cl/501817 mentions this issue: |
Change https://go.dev/cl/501818 mentions this issue: |
Change https://go.dev/cl/501819 mentions this issue: |
… CGO_ENABLED=0 Updates #60516. Updates #60167. Change-Id: I3792682e80a3c48d78a3b9e647cc968a1d5c8f2b Reviewed-on: https://go-review.googlesource.com/c/go/+/501575 Auto-Submit: Bryan Mills <bcmills@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Run-TryBot: Bryan Mills <bcmills@google.com> Reviewed-by: Ian Lance Taylor <iant@google.com> (cherry picked from commit e2b1c0b) Reviewed-on: https://go-review.googlesource.com/c/go/+/501816 Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
… line directives would contain a newline cmd/cgo uses '//line' directives to map generated source files back to the original source file and line nmubers. The line directives have no way to escape newline characters, so cmd/cgo must not be used if the line directives would contain such characters. Updates #60516. Updates #60167. Change-Id: I8581cea74d6c08f82e86ed87127e81252e1bf78c Reviewed-on: https://go-review.googlesource.com/c/go/+/501576 TryBot-Result: Gopher Robot <gobot@golang.org> Auto-Submit: Bryan Mills <bcmills@google.com> Reviewed-by: Ian Lance Taylor <iant@google.com> Run-TryBot: Bryan Mills <bcmills@google.com> (cherry picked from commit c482283) Reviewed-on: https://go-review.googlesource.com/c/go/+/501817 Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
…le contains a newline cmd/cover uses '//line' directives to map instrumented source files back to the original source file and line numbers. Line directives have no way to escape newline characters, so cmd/cover must not be used with source file paths that contain such characters. Updates #60516. Updates #60167. Change-Id: I6dc039392d59fc3a5a6121ef6ca97b0ab0da5288 Reviewed-on: https://go-review.googlesource.com/c/go/+/501577 Auto-Submit: Bryan Mills <bcmills@google.com> Run-TryBot: Bryan Mills <bcmills@google.com> Reviewed-by: Ian Lance Taylor <iant@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> (cherry picked from commit 3d78c73) Reviewed-on: https://go-review.googlesource.com/c/go/+/501818 Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
… write a '//line' directive with a multiline file path Line directives do not provide a way to escape newline characters, so source file paths containing newlines must not be written in them. Updates #60516. Updates #60167. Change-Id: I30f8b381cc7d1df6914c27591544edf424a4b634 Reviewed-on: https://go-review.googlesource.com/c/go/+/501578 Reviewed-by: Robert Griesemer <gri@google.com> Auto-Submit: Bryan Mills <bcmills@google.com> Run-TryBot: Bryan Mills <bcmills@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> (cherry picked from commit d1087efa42ea0b0f011283a87d7a732cba51e4ad) Reviewed-on: https://go-review.googlesource.com/c/go/+/501819 Auto-Submit: Dmitri Shuralyov <dmitshur@google.com> Reviewed-by: Ian Lance Taylor <iant@google.com>
@rolandshoemaker requested issue #60167 to be considered for backport to the next 1.20 minor release.
The text was updated successfully, but these errors were encountered: