-
Notifications
You must be signed in to change notification settings - Fork 17.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
cmd/go: line directives allows arbitrary execution during build (CVE-2023-39323) #63211
Comments
@gopherbot please open backport issues. |
Backport issue(s) opened: #63213 (for 1.20), #63214 (for 1.21). Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases. |
Change https://go.dev/cl/533195 mentions this issue: |
Change https://go.dev/cl/533215 mentions this issue: |
…check For #23672 Updates #63211 Fixes #63214 Fixes CVE-2023-39323 Change-Id: I4586a69e1b2560036afec29d53e53cf25e6c7352 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2032884 Reviewed-by: Matthew Dempsky <mdempsky@google.com> Reviewed-by: Roland Shoemaker <bracewell@google.com> (cherry picked from commit 9b19e751918dd218035811b1ef83a8c2693b864a) Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2037958 Reviewed-by: Damien Neil <dneil@google.com> Reviewed-by: Tatiana Bradley <tatianabradley@google.com> Run-TryBot: Roland Shoemaker <bracewell@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/533215 Reviewed-by: Than McIntosh <thanm@google.com> Auto-Submit: Michael Pratt <mpratt@google.com> Reviewed-by: Ian Lance Taylor <iant@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
…check For #23672 Updates #63211 Fixes #63213 Fixes CVE-2023-39323 Change-Id: I4586a69e1b2560036afec29d53e53cf25e6c7352 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2032884 Reviewed-by: Matthew Dempsky <mdempsky@google.com> Reviewed-by: Roland Shoemaker <bracewell@google.com> (cherry picked from commit 9b19e751918dd218035811b1ef83a8c2693b864a) Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2037629 Reviewed-by: Tatiana Bradley <tatianabradley@google.com> Run-TryBot: Roland Shoemaker <bracewell@google.com> Reviewed-by: Damien Neil <dneil@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/533195 Auto-Submit: Michael Pratt <mpratt@google.com> Reviewed-by: Ian Lance Taylor <iant@google.com> TryBot-Bypass: Michael Pratt <mpratt@google.com> Reviewed-by: Than McIntosh <thanm@google.com>
Thank you for fixing this. Can you confirm which versions of Go are affected by this issue? (My edit of the description just replaced "compliation" with "compilation".) |
@kevinburke Unfortunately, I believe that this vulnerability was introduced very early on in Go 1.1. We fixed a large class of these bugs in Go 1.10 (see #23672) but we missed this one. |
Change https://go.dev/cl/534158 mentions this issue: |
…check For golang#23672 Updates golang#63211 Fixes golang#63213 Fixes CVE-2023-39323 Change-Id: I4586a69e1b2560036afec29d53e53cf25e6c7352 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2032884 Reviewed-by: Matthew Dempsky <mdempsky@google.com> Reviewed-by: Roland Shoemaker <bracewell@google.com> (cherry picked from commit 9b19e751918dd218035811b1ef83a8c2693b864a) Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2037629 Reviewed-by: Tatiana Bradley <tatianabradley@google.com> Run-TryBot: Roland Shoemaker <bracewell@google.com> Reviewed-by: Damien Neil <dneil@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/533195 Auto-Submit: Michael Pratt <mpratt@google.com> Reviewed-by: Ian Lance Taylor <iant@google.com> TryBot-Bypass: Michael Pratt <mpratt@google.com> Reviewed-by: Than McIntosh <thanm@google.com>
For golang#23672 Fixes golang#63211 Fixes CVE-2023-39323 Change-Id: I4586a69e1b2560036afec29d53e53cf25e6c7352 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2032884 Reviewed-by: Matthew Dempsky <mdempsky@google.com> Reviewed-by: Roland Shoemaker <bracewell@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/534158 Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> Reviewed-by: Ian Lance Taylor <iant@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Auto-Submit: Ian Lance Taylor <iant@google.com>
Can you people please respond on it |
# AWS EKS Backported To: go-1.19.13-eks Backported On: Tue, 10 Oct 2023 Backported By: rcrozean@amazon.com Backported From: release-branch.go1.20 Source Commit: golang@31d5b60 # Original Information For golang#23672 Updates golang#63211 Fixes golang#63213 Fixes CVE-2023-39323 Change-Id: I4586a69e1b2560036afec29d53e53cf25e6c7352 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2032884 Reviewed-by: Matthew Dempsky <mdempsky@google.com> Reviewed-by: Roland Shoemaker <bracewell@google.com> (cherry picked from commit 9b19e751918dd218035811b1ef83a8c2693b864a) Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2037629 Reviewed-by: Tatiana Bradley <tatianabradley@google.com> Run-TryBot: Roland Shoemaker <bracewell@google.com> Reviewed-by: Damien Neil <dneil@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/533195 Auto-Submit: Michael Pratt <mpratt@google.com> Reviewed-by: Ian Lance Taylor <iant@google.com> TryBot-Bypass: Michael Pratt <mpratt@google.com> Reviewed-by: Than McIntosh <thanm@google.com>
"//line" directives can be used to bypass the restrictions on "//go:cgo_"
directives, allowing blocked linker and compiler flags to be passed during
compilation. This can result in unexpected execution of arbitrary code when
running "go build". The line directive requires the absolute path of the file in
which the directive lives, which makes exploting this issue significantly more
complex.
This is CVE-2023-39323 and Go issue https://go.dev/issue/63211.
This is a PRIVATE issue for CVE-2023-39323, tracked in http://b/296358534 and fixed by http://tg/2032884.
/cc @golang/security and @golang/release
The text was updated successfully, but these errors were encountered: