cmd/go: line directives allows arbitrary execution during build (CVE-2023-39323)

[rolandshoemaker]

"//line" directives can be used to bypass the restrictions on "//go:cgo_"
directives, allowing blocked linker and compiler flags to be passed during
compilation. This can result in unexpected execution of arbitrary code when
running "go build". The line directive requires the absolute path of the file in
which the directive lives, which makes exploting this issue significantly more
complex.

This is CVE-2023-39323 and Go issue https://go.dev/issue/63211.

---

This is a PRIVATE issue for CVE-2023-39323, tracked in http://b/296358534 and fixed by http://tg/2032884.

/cc @golang/security and @golang/release

[rolandshoemaker]

@gopherbot please open backport issues.

[gopherbot]

Backport issue(s) opened: #63213 (for 1.20), #63214 (for 1.21).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.

[gopherbot]

Change https://go.dev/cl/533195 mentions this issue: [release-branch.go1.20] cmd/compile: use absolute file name in isCgo check

[gopherbot]

Change https://go.dev/cl/533215 mentions this issue: [release-branch.go1.21] cmd/compile: use absolute file name in isCgo check

[kevinburke]

Thank you for fixing this. Can you confirm which versions of Go are affected by this issue?

(My edit of the description just replaced "compliation" with "compilation".)

[ianlancetaylor]

@kevinburke Unfortunately, I believe that this vulnerability was introduced very early on in Go 1.1. We fixed a large class of these bugs in Go 1.10 (see #23672) but we missed this one.