Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2023-29405

The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a "#cgo LDFLAGS" directive. Flags containing embedded spaces are mishandled, allowing disallowed flags to be smuggled through the LDFLAGS sanitization by including them in the argument of another flag. This only affects usage of the gccgo compiler.

Published

2023-06-08T21:15:17.197

Last Modified

2025-01-06T20:15:26.233

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 9.8 (CRITICAL)

Weaknesses

Type: Primary
CWE-74

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	golang	go	< 1.19.10	Yes
Application	golang	go	< 1.20.5	Yes
Operating System	fedoraproject	fedora	38	Yes

References

https://go.dev/cl/501224 Patch ([email protected])
https://go.dev/issue/60306 Issue Tracking ([email protected])
https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ Mailing List, Third Party Advisory ([email protected])
https://lists.fedoraproject.org/archives/list/[email protected]/message/NZ2O6YCO2IZMZJELQGZYR2WAUNEDLYV6/ ([email protected])
https://lists.fedoraproject.org/archives/list/[email protected]/message/XBS3IIK6ADV24C5ULQU55QLT2UE762ZX/ Mailing List ([email protected])
https://pkg.go.dev/vuln/GO-2023-1842 Vendor Advisory ([email protected])
https://security.gentoo.org/glsa/202311-09 ([email protected])
https://go.dev/cl/501224 Patch (af854a3a-2127-422b-91ae-364da2661108)
https://go.dev/issue/60306 Issue Tracking (af854a3a-2127-422b-91ae-364da2661108)
https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/[email protected]/message/NZ2O6YCO2IZMZJELQGZYR2WAUNEDLYV6/ (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/[email protected]/message/XBS3IIK6ADV24C5ULQU55QLT2UE762ZX/ Mailing List (af854a3a-2127-422b-91ae-364da2661108)
https://pkg.go.dev/vuln/GO-2023-1842 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://security.gentoo.org/glsa/202311-09 (af854a3a-2127-422b-91ae-364da2661108)
https://security.netapp.com/advisory/ntap-20241206-0003/ (af854a3a-2127-422b-91ae-364da2661108)