cmd/go: improper sanitization of LDFLAGS [CVE-2023-29405] #60306
@gopherbot please open backport issues.
Backport issue(s) opened: #60513 (for 1.19), #60514 (for 1.20). Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.
Change https://go.dev/cl/501216 mentions this issue:
Change https://go.dev/cl/501224 mentions this issue:
Change https://go.dev/cl/501220 mentions this issue:
…r flag

The flags that we recorded in _cgo_flags did not use any quoting, so a flag containing embedded spaces was mishandled. Change the _cgo_flags format to put each flag on a separate line. That is a simple format that does not require any quoting.

As far as I can tell only cmd/go uses _cgo_flags, and it is only used for gccgo. If this patch doesn't cause any trouble, then in the next release we can change to only using _cgo_flags for gccgo.

Thanks to Juho Nurminen of Mattermost for reporting this issue.

Updates #60306
Fixes #60514
Fixes CVE-2023-29405

Change-Id: I36b6e188a44c80d7b9573efa577c386770bd2ba3
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1875094
Reviewed-by: Damien Neil <[email protected]>
Reviewed-by: Roland Shoemaker <[email protected]>
(cherry picked from commit bcdfcadd5612212089d958bc352a6f6c90742dcc)
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1902228
Run-TryBot: Roland Shoemaker <[email protected]>
TryBot-Result: Security TryBots <[email protected]>
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1904345
Reviewed-by: Michael Knyszek <[email protected]>
Reviewed-on: https://go-review.googlesource.com/c/go/+/501220
TryBot-Result: Gopher Robot <[email protected]>
Run-TryBot: David Chase <[email protected]>
Auto-Submit: Michael Knyszek <[email protected]>
…r flag

The flags that we recorded in _cgo_flags did not use any quoting, so a flag containing embedded spaces was mishandled. Change the _cgo_flags format to put each flag on a separate line. That is a simple format that does not require any quoting.

As far as I can tell only cmd/go uses _cgo_flags, and it is only used for gccgo. If this patch doesn't cause any trouble, then in the next release we can change to only using _cgo_flags for gccgo.

Thanks to Juho Nurminen of Mattermost for reporting this issue.

Updates #60306
Fixes #60513
Fixes CVE-2023-29405

Change-Id: Id738a737ecae47babb34c4b4fc4d65336cf0c0f3
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1875094
Reviewed-by: Damien Neil <[email protected]>
Reviewed-by: Roland Shoemaker <[email protected]>
(cherry picked from commit bcdfcadd5612212089d958bc352a6f6c90742dcc)
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1902227
Run-TryBot: Roland Shoemaker <[email protected]>
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1904341
Reviewed-by: Michael Knyszek <[email protected]>
Reviewed-on: https://go-review.googlesource.com/c/go/+/501216
Auto-Submit: Michael Knyszek <[email protected]>
Run-TryBot: David Chase <[email protected]>
TryBot-Bypass: David Chase <[email protected]>
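Added example, not part of the issue thread and not the Go project's code: a simplified Go model of the `_cgo_flags` format change described in the commit messages above, showing that an unquoted space-joined record does not round-trip a flag with an embedded space while a one-flag-per-line record does. The `_CGO_LDFLAGS=` line prefix, the function names and the sample flags are assumptions of this sketch.

```go
package main

import (
	"fmt"
	"strings"
)

const prefix = "_CGO_LDFLAGS=" // assumed line prefix for this sketch

// encodeJoined models the old format: one line, space separated, unquoted.
func encodeJoined(flags []string) string {
	return prefix + strings.Join(flags, " ") + "\n"
}

// encodeLines models the new format: one flag per line; line breaks are rejected.
func encodeLines(flags []string) (string, error) {
	var b strings.Builder
	for _, f := range flags {
		if strings.ContainsAny(f, "\r\n") {
			return "", fmt.Errorf("flag %q contains a line break", f)
		}
		b.WriteString(prefix + f + "\n")
	}
	return b.String(), nil
}

// decode reads flags back; splitFields=true models a reader of the old format.
func decode(data string, splitFields bool) []string {
	var out []string
	for _, line := range strings.Split(data, "\n") {
		if !strings.HasPrefix(line, prefix) {
			continue
		}
		if rest := line[len(prefix):]; splitFields {
			out = append(out, strings.Fields(rest)...)
		} else {
			out = append(out, rest)
		}
	}
	return out
}

// Constructed sample: a library search path with an embedded space.
var sample = []string{"-L/opt/my libs", "-lfoo"}

func main() {
	fmt.Printf("old: %q\n", decode(encodeJoined(sample), true))
	enc, _ := encodeLines(sample)
	fmt.Printf("new: %q\n", decode(enc, false))
}
```

With the old format the reader sees three flags where the writer recorded two; the per-line format returns the original two unchanged.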
Change https://go.dev/cl/501297 mentions this issue:
Change https://go.dev/cl/501298 mentions this issue:
For #60306
For #60513

Change-Id: I8b37d74433456f3270c2ea465ecf406da6e5a578
Reviewed-on: https://go-review.googlesource.com/c/go/+/501297
Run-TryBot: Ian Lance Taylor <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>
Reviewed-by: David Chase <[email protected]>
TryBot-Bypass: Dmitri Shuralyov <[email protected]>
For #60306
For #60514

Change-Id: I3f5d14aee7d7195030e8872e42b1d97aa11d3582
Reviewed-on: https://go-review.googlesource.com/c/go/+/501298
Run-TryBot: Ian Lance Taylor <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>
Reviewed-by: David Chase <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>
Change https://go.dev/cl/501435 mentions this issue:
The gccgo on the builder is not updated to support runtime/cgo

Updates #60306

Change-Id: If0fb1ccdf589cc9741f6a065bacfa4f06e64ec15
Reviewed-on: https://go-review.googlesource.com/c/go/+/501435
Reviewed-by: Ian Lance Taylor <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Run-TryBot: Cuong Manh Le <[email protected]>
Reviewed-by: Benny Siegert <[email protected]>
Auto-Submit: Cuong Manh Le <[email protected]>
Change https://go.dev/cl/505595 mentions this issue:
Change https://go.dev/cl/505596 mentions this issue:
… aix/ppc64

The gccgo on the builder is not updated to support runtime/cgo

For #60306.
For #60514.

Change-Id: If0fb1ccdf589cc9741f6a065bacfa4f06e64ec15
Reviewed-on: https://go-review.googlesource.com/c/go/+/501435
Reviewed-by: Ian Lance Taylor <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Run-TryBot: Cuong Manh Le <[email protected]>
Reviewed-by: Benny Siegert <[email protected]>
Auto-Submit: Cuong Manh Le <[email protected]>
(cherry picked from commit 688d75b)
Reviewed-on: https://go-review.googlesource.com/c/go/+/505595
Reviewed-by: Dmitri Shuralyov <[email protected]>
Auto-Submit: Dmitri Shuralyov <[email protected]>
Reviewed-by: Than McIntosh <[email protected]>
Run-TryBot: Dmitri Shuralyov <[email protected]>
… aix/ppc64

The gccgo on the builder is not updated to support runtime/cgo

For #60306.
For #60513.

Change-Id: If0fb1ccdf589cc9741f6a065bacfa4f06e64ec15
Reviewed-on: https://go-review.googlesource.com/c/go/+/501435
Reviewed-by: Ian Lance Taylor <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Run-TryBot: Cuong Manh Le <[email protected]>
Reviewed-by: Benny Siegert <[email protected]>
Auto-Submit: Cuong Manh Le <[email protected]>
(cherry picked from commit 688d75b)
Reviewed-on: https://go-review.googlesource.com/c/go/+/505596
Auto-Submit: Dmitri Shuralyov <[email protected]>
Reviewed-by: Than McIntosh <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>
Run-TryBot: Dmitri Shuralyov <[email protected]>
The go command may execute arbitrary code at build time when using cgo. This may
occur when running "go get" on a malicious module, or when running any other
command which builds untrusted code. This can be triggered by linker flags,
specified via a "#cgo LDFLAGS" directive.
Thanks to Juho Nurminen of Mattermost for reporting this issue.
There are two bugs for two CVEs for this otherwise similar bug text, this is bug TWO.
This is a PRIVATE issue for CVE-2023-29405, tracked in http://b/280805901 and fixed by http://tg/1875094.
/cc @golang/security and @golang/release