
cmd/go: go.mod toolchain directive allows arbitrary execution (CVE-2023-39320) [1.21 backport] #62394

Closed
gopherbot opened this issue Aug 31, 2023 · 2 comments
Labels
CherryPickApproved Used during the release process for point releases release-blocker Security
Milestone

Comments

@gopherbot

gopherbot commented Aug 31, 2023

The go.mod toolchain directive, introduced in Go 1.21, could be leveraged to
execute scripts and binaries relative to the root of the module when the "go"
command was executed within the module. This applies to modules downloaded using
the "go" command from the module proxy, as well as modules downloaded directly
using VCS software.

Thanks to Juho Nurminen of Mattermost for reporting this issue.

This is CVE-2023-39320 and Go issue https://go.dev/issue/62198.


@rolandshoemaker requested issue #62198 to be considered for backport to the next 1.21 minor release.

@gopherbot please open backport issues.

@gopherbot gopherbot added CherryPickCandidate Used during the release process for point releases Security labels Aug 31, 2023
@gopherbot gopherbot added this to the Go1.21.1 milestone Aug 31, 2023
@rolandshoemaker rolandshoemaker added CherryPickApproved Used during the release process for point releases and removed CherryPickCandidate Used during the release process for point releases labels Aug 31, 2023
@gopherbot
Author

Change https://go.dev/cl/526095 mentions this issue: [release-branch.go1.21] cmd/go: reject toolchain directives containing path separators

gopherbot pushed a commit that referenced this issue Sep 6, 2023
…g path separators

If GOTOOLCHAIN="path" or "auto", the go command uses exec.LookPath to
search for it in order to allow toolchains to refer to local-only
toolchain variants (such as toolchains built from enterprise- or
distro-patched source). However, those toolchains should only be
resolved from $PATH, not relative to the working directory of the
command.

Thanks to Juho Nurminen of Mattermost for reporting this issue.

Fixes #62198.
Fixes #62394.
Fixes CVE-2023-39320.

Change-Id: I247c7acea95d737362dd0475e9fc8515430d0fcc
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1996318
Run-TryBot: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Roland Shoemaker <bracewell@google.com>
(cherry picked from commit e41c0a55d45e9a9acbc5d7c1143ea4fff8fb9283)
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2014013
Reviewed-by: Bryan Mills <bcmills@google.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/526095
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Cherry Mui <cherryyz@google.com>
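As an illustration of the mitigation described in the commit message above and the vulnerability described in the first comment, here is an added example (not cmd/go's own code) of validating a toolchain directive value before handing it to exec.LookPath. The names validToolchainName, lookupToolchain and ErrToolchainPath, and the constructed sample inputs, are this example's own assumptions; the actual check in Go 1.21.1 lives in cmd/go and may differ in detail. The property it relies on is that exec.LookPath treats any name containing a path separator as a file path and checks it directly, so a relative name is resolved against the working directory instead of being searched for in $PATH. Rejecting separators up front keeps the lookup confined to $PATH.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"strings"
)

// ErrToolchainPath is returned for toolchain names that exec.LookPath would
// resolve as a file path (relative to the working directory) rather than by
// searching $PATH. Hypothetical name chosen for this example.
var ErrToolchainPath = errors.New("toolchain name contains a path separator")

// validToolchainName reports whether name may safely be passed to
// exec.LookPath as a bare command name. exec.LookPath checks any name
// containing '/' (or '\' on Windows) directly as a path, so such names are
// rejected before any lookup happens.
func validToolchainName(name string) error {
	if name == "" {
		return errors.New("empty toolchain name")
	}
	if strings.ContainsAny(name, `/\`) {
		return fmt.Errorf("%q: %w", name, ErrToolchainPath)
	}
	return nil
}

// lookupToolchain resolves a toolchain directive value to an executable on
// $PATH, refusing names that would escape the $PATH search. Illustrative
// only; cmd/go performs its own validation.
func lookupToolchain(name string) (string, error) {
	if err := validToolchainName(name); err != nil {
		return "", err
	}
	return exec.LookPath(name)
}

func main() {
	// Constructed sample directive values: one plain toolchain name and
	// three that contain a separator and must never reach exec.LookPath.
	for _, tc := range []string{"go1.21.1", "./go1.21.1", `.\go1.21.1`, "../bin/go"} {
		path, err := lookupToolchain(tc)
		switch {
		case errors.Is(err, ErrToolchainPath):
			fmt.Printf("%-14s rejected before lookup: %v\n", tc, err)
		case err != nil:
			fmt.Printf("%-14s not found on $PATH: %v\n", tc, err)
		default:
			fmt.Printf("%-14s -> %s\n", tc, path)
		}
	}
}
```

Run with `go run .` from a directory containing only this file; the plain name is looked up on $PATH (and reported as not found if no such toolchain is installed), while the three separator-containing names are refused without any filesystem access.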
@gopherbot
Author

Closed by merging d25a935 to release-branch.go1.21.

@cherrymui cherrymui changed the title security: fix CVE-2023-39320 [1.21 backport] cmd/go: go.mod toolchain directive allows arbitrary execution (CVE-2023-39320) [1.21 backport] Sep 6, 2023