Improper handling of non-optional LDFLAGS in go command with cgo in cmd/go
CVE-2023-29404
9.8 CRITICAL
What is CVE-2023-29404?
A vulnerability in the go command may allow arbitrary code execution at build time when cgo is used. This can occur when running commands such as 'go get' on untrusted or malicious modules. The issue arises from the mishandling of linker flags specified through the '#cgo LDFLAGS' directive: several non-optional flags are incorrectly treated as optional, which allows disallowed flags to bypass LDFLAGS sanitization. Both the gc and gccgo compilers are affected.
Affected Version(s)
cmd/go 0 < 1.19.10
cmd/go 1.20.0-0 < 1.20.5
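An added example, not code from the Go project or this advisory: a build-gate check that tests a toolchain version against the affected ranges listed above and lists every '#cgo LDFLAGS' directive in a source file for review before an untrusted module is built. The names Affected and LDFLAGSDirectives are hypothetical, and the regular expressions are a simplification rather than cmd/go's own directive parser.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Hypothetical helpers; the regexps are a simplification, not cmd/go's own parser.
var verRE = regexp.MustCompile(`^(?:go)?(\d+)\.(\d+)(?:\.(\d+))?`)
var ldRE = regexp.MustCompile(`(?m)^[ \t]*(?://)?[ \t]*#cgo[ \t]+(?:[^:\n]*[ \t])?LDFLAGS:[ \t]*(.*)$`)

// Affected reports whether a version is below 1.19.10, or in 1.20.0-0 up to (not including) 1.20.5.
func Affected(version string) (bool, error) {
	m := verRE.FindStringSubmatch(strings.TrimSpace(version))
	if m == nil {
		return false, fmt.Errorf("unrecognised Go version %q", version)
	}
	var v [3]int // major, minor, patch; a missing patch (e.g. "go1.20rc1") counts as 0
	for i := range v {
		v[i], _ = strconv.Atoi(m[i+1])
	}
	switch {
	case v[0] != 1:
		return v[0] < 1, nil
	case v[1] <= 19:
		return v[1] < 19 || v[2] < 10, nil
	case v[1] == 20:
		return v[2] < 5, nil
	}
	return false, nil
}

// LDFLAGSDirectives returns the flag text of each "#cgo ... LDFLAGS:" line for manual review.
func LDFLAGSDirectives(src string) []string {
	var out []string
	for _, m := range ldRE.FindAllStringSubmatch(src, -1) {
		out = append(out, strings.TrimSpace(m[1]))
	}
	return out
}

func main() {
	// Constructed sample inputs: a cgo preamble and a toolchain version string.
	src := "// #cgo CFLAGS: -I.\n// #cgo linux LDFLAGS: -lm\nimport \"C\"\n"
	bad, err := Affected("go1.20.4")
	fmt.Println(bad, err, LDFLAGSDirectives(src))
}
```

Feed Affected the output of 'go env GOVERSION' on the build host; an unparseable version returns an error so the gate can fail closed.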
CVSS V3.1
Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Juho Nurminen of Mattermost