cmd/go: improper sanitization of LDFLAGS [CVE-2023-29405] #60306

rolandshoemaker · 2023-05-19T17:06:36Z

The go command may execute arbitrary code at build time when using cgo. This may
occur when running "go get" on a malicious module, or when running any other
command which builds untrusted code. This is can by triggered by linker flags,
specified via a "#cgo LDFLAGS" directive.

Thanks to Juho Nurminen of Mattermost for reporting this issue.

There are two bugs for two CVEs for this otherwise similar bug text, this is bug TWO.

This is a PRIVATE issue for CVE-2023-29405, tracked in http://b/280805901 and fixed by http://tg/1875094.

/cc @golang/security and @golang/release

rolandshoemaker · 2023-05-30T16:39:51Z

@gopherbot please open backport issues.

gopherbot · 2023-05-30T16:40:07Z

Backport issue(s) opened: #60513 (for 1.19), #60514 (for 1.20).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.

gopherbot · 2023-06-06T16:29:25Z

Change https://go.dev/cl/501216 mentions this issue: [release-branch.go1.19] cmd/go,cmd/cgo: in _cgo_flags use one line per flag

gopherbot · 2023-06-06T16:29:57Z

Change https://go.dev/cl/501224 mentions this issue: cmd/go,cmd/cgo: in _cgo_flags use one line per flag

gopherbot · 2023-06-06T16:30:00Z

Change https://go.dev/cl/501220 mentions this issue: [release-branch.go1.20] cmd/go,cmd/cgo: in _cgo_flags use one line per flag

…r flag The flags that we recorded in _cgo_flags did not use any quoting, so a flag containing embedded spaces was mishandled. Change the _cgo_flags format to put each flag on a separate line. That is a simple format that does not require any quoting. As far as I can tell only cmd/go uses _cgo_flags, and it is only used for gccgo. If this patch doesn't cause any trouble, then in the next release we can change to only using _cgo_flags for gccgo. Thanks to Juho Nurminen of Mattermost for reporting this issue. Updates #60306 Fixes #60514 Fixes CVE-2023-29405 Change-Id: I36b6e188a44c80d7b9573efa577c386770bd2ba3 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1875094 Reviewed-by: Damien Neil <[email protected]> Reviewed-by: Roland Shoemaker <[email protected]> (cherry picked from commit bcdfcadd5612212089d958bc352a6f6c90742dcc) Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1902228 Run-TryBot: Roland Shoemaker <[email protected]> TryBot-Result: Security TryBots <[email protected]> Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1904345 Reviewed-by: Michael Knyszek <[email protected]> Reviewed-on: https://go-review.googlesource.com/c/go/+/501220 TryBot-Result: Gopher Robot <[email protected]> Run-TryBot: David Chase <[email protected]> Auto-Submit: Michael Knyszek <[email protected]>

…r flag The flags that we recorded in _cgo_flags did not use any quoting, so a flag containing embedded spaces was mishandled. Change the _cgo_flags format to put each flag on a separate line. That is a simple format that does not require any quoting. As far as I can tell only cmd/go uses _cgo_flags, and it is only used for gccgo. If this patch doesn't cause any trouble, then in the next release we can change to only using _cgo_flags for gccgo. Thanks to Juho Nurminen of Mattermost for reporting this issue. Updates #60306 Fixes #60513 Fixes CVE-2023-29405 Change-Id: Id738a737ecae47babb34c4b4fc4d65336cf0c0f3 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1875094 Reviewed-by: Damien Neil <[email protected]> Reviewed-by: Roland Shoemaker <[email protected]> (cherry picked from commit bcdfcadd5612212089d958bc352a6f6c90742dcc) Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1902227 Run-TryBot: Roland Shoemaker <[email protected]> Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1904341 Reviewed-by: Michael Knyszek <[email protected]> Reviewed-on: https://go-review.googlesource.com/c/go/+/501216 Auto-Submit: Michael Knyszek <[email protected]> Run-TryBot: David Chase <[email protected]> TryBot-Bypass: David Chase <[email protected]>

gopherbot · 2023-06-06T19:51:43Z

Change https://go.dev/cl/501297 mentions this issue: [release-branch.go1.19] cmd/cgo: correct _cgo_flags output

gopherbot · 2023-06-06T19:52:29Z

Change https://go.dev/cl/501298 mentions this issue: [release-branch.go1.20] cmd/cgo: correct _cgo_flags output

For #60306 For #60513 Change-Id: I8b37d74433456f3270c2ea465ecf406da6e5a578 Reviewed-on: https://go-review.googlesource.com/c/go/+/501297 Run-TryBot: Ian Lance Taylor <[email protected]> Reviewed-by: Dmitri Shuralyov <[email protected]> Reviewed-by: Dmitri Shuralyov <[email protected]> Reviewed-by: David Chase <[email protected]> TryBot-Bypass: Dmitri Shuralyov <[email protected]>

For #60306 For #60514 Change-Id: I3f5d14aee7d7195030e8872e42b1d97aa11d3582 Reviewed-on: https://go-review.googlesource.com/c/go/+/501298 Run-TryBot: Ian Lance Taylor <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: Dmitri Shuralyov <[email protected]> Reviewed-by: David Chase <[email protected]> Reviewed-by: Dmitri Shuralyov <[email protected]>

gopherbot · 2023-06-07T03:20:23Z

Change https://go.dev/cl/501435 mentions this issue: cmd/go: skip TestScript/gccgo_link_ldflags on aix/ppc64

The gccgo on the builder is not updated to support runtime/cgo Updates #60306 Change-Id: If0fb1ccdf589cc9741f6a065bacfa4f06e64ec15 Reviewed-on: https://go-review.googlesource.com/c/go/+/501435 Reviewed-by: Ian Lance Taylor <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Run-TryBot: Cuong Manh Le <[email protected]> Reviewed-by: Benny Siegert <[email protected]> Auto-Submit: Cuong Manh Le <[email protected]>

gopherbot · 2023-06-23T13:46:54Z

Change https://go.dev/cl/505595 mentions this issue: [release-branch.go1.20] cmd/go: skip TestScript/gccgo_link_ldflags on aix/ppc64

gopherbot · 2023-06-23T13:49:44Z

Change https://go.dev/cl/505596 mentions this issue: [release-branch.go1.19] cmd/go: skip TestScript/gccgo_link_ldflags on aix/ppc64

… aix/ppc64 The gccgo on the builder is not updated to support runtime/cgo For #60306. For #60514. Change-Id: If0fb1ccdf589cc9741f6a065bacfa4f06e64ec15 Reviewed-on: https://go-review.googlesource.com/c/go/+/501435 Reviewed-by: Ian Lance Taylor <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Run-TryBot: Cuong Manh Le <[email protected]> Reviewed-by: Benny Siegert <[email protected]> Auto-Submit: Cuong Manh Le <[email protected]> (cherry picked from commit 688d75b) Reviewed-on: https://go-review.googlesource.com/c/go/+/505595 Reviewed-by: Dmitri Shuralyov <[email protected]> Auto-Submit: Dmitri Shuralyov <[email protected]> Reviewed-by: Than McIntosh <[email protected]> Run-TryBot: Dmitri Shuralyov <[email protected]>

… aix/ppc64 The gccgo on the builder is not updated to support runtime/cgo For #60306. For #60513. Change-Id: If0fb1ccdf589cc9741f6a065bacfa4f06e64ec15 Reviewed-on: https://go-review.googlesource.com/c/go/+/501435 Reviewed-by: Ian Lance Taylor <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Run-TryBot: Cuong Manh Le <[email protected]> Reviewed-by: Benny Siegert <[email protected]> Auto-Submit: Cuong Manh Le <[email protected]> (cherry picked from commit 688d75b) Reviewed-on: https://go-review.googlesource.com/c/go/+/505596 Auto-Submit: Dmitri Shuralyov <[email protected]> Reviewed-by: Than McIntosh <[email protected]> Reviewed-by: Dmitri Shuralyov <[email protected]> Run-TryBot: Dmitri Shuralyov <[email protected]>

rolandshoemaker added Security NeedsFix The path to resolution is known, but the work has not been done. release-blocker labels May 19, 2023

rolandshoemaker added this to the Go1.21 milestone May 19, 2023

This was referenced May 30, 2023

cmd/go: improper sanitization of LDFLAGS [CVE-2023-29405] [1.19 backport] #60513

Closed

cmd/go: improper sanitization of LDFLAGS [CVE-2023-29405] [1.20 backport] #60514

Closed

dr2chase changed the title ~~security: fix CVE-2023-29405~~ cmd/go: improper sanitization of LDFLAGS [CVE-2023-29405] Jun 6, 2023

gopherbot closed this as completed in 6d8af00 Jun 6, 2023

Kinbaum mentioned this issue Jul 7, 2023

build(security): bump version of go vercel/turbo#5478

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

cmd/go: improper sanitization of LDFLAGS [CVE-2023-29405] #60306

cmd/go: improper sanitization of LDFLAGS [CVE-2023-29405] #60306

rolandshoemaker commented May 19, 2023 •

edited by dr2chase

rolandshoemaker commented May 30, 2023

gopherbot commented May 30, 2023

gopherbot commented Jun 6, 2023

gopherbot commented Jun 6, 2023

gopherbot commented Jun 6, 2023

gopherbot commented Jun 6, 2023

gopherbot commented Jun 6, 2023

gopherbot commented Jun 7, 2023

gopherbot commented Jun 23, 2023

gopherbot commented Jun 23, 2023

cmd/go: improper sanitization of LDFLAGS [CVE-2023-29405] #60306

cmd/go: improper sanitization of LDFLAGS [CVE-2023-29405] #60306

Comments

rolandshoemaker commented May 19, 2023 • edited by dr2chase

rolandshoemaker commented May 30, 2023

gopherbot commented May 30, 2023

gopherbot commented Jun 6, 2023

gopherbot commented Jun 6, 2023

gopherbot commented Jun 6, 2023

gopherbot commented Jun 6, 2023

gopherbot commented Jun 6, 2023

gopherbot commented Jun 7, 2023

gopherbot commented Jun 23, 2023

gopherbot commented Jun 23, 2023

rolandshoemaker commented May 19, 2023 •

edited by dr2chase