Improper handling of non-optional LDFLAGS in go command with cgo in cmd/go
CVE-2023-29404
9.8 CRITICAL
What is CVE-2023-29404?
The go command may execute arbitrary code at build time when using cgo. This can happen when running commands such as 'go get' on untrusted or malicious modules. The issue is triggered by linker flags specified through the '#cgo LDFLAGS' directive: several flags whose arguments are non-optional are incorrectly treated as if those arguments were optional, which lets disallowed flags bypass the LDFLAGS sanitization. Both the gc and gccgo compilers are affected.
Affected Version(s)
cmd/go: from 0, before 1.19.10
cmd/go: from 1.20.0-0, before 1.20.5
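
A version check for the affected ranges listed above, as an added example that is not part of the advisory or the Go project's code. The function name `AffectedByCVE202329404` is hypothetical, the sample versions are constructed, and the parser assumes release tokens in the pre-1.21 style (`go1.19.9`, `go1.20`, `go1.20rc1`).

```go
package main

import (
	"fmt"
	"regexp"
	"runtime"
	"strconv"
)

// goVer matches toolchain version tokens such as go1.19.9, go1.20, go1.20rc2.
var goVer = regexp.MustCompile(`^go(\d+)\.(\d+)(?:\.(\d+))?(?:(?:rc|beta)\d+)?$`)

// AffectedByCVE202329404 reports whether a toolchain version falls inside the
// ranges listed on this page: below 1.19.10, or from 1.20.0-0 to below 1.20.5.
func AffectedByCVE202329404(version string) (bool, error) {
	m := goVer.FindStringSubmatch(version)
	if m == nil {
		return false, fmt.Errorf("unrecognized Go version %q", version)
	}
	major, _ := strconv.Atoi(m[1])
	minor, _ := strconv.Atoi(m[2])
	patch := 0 // "go1.20" and prerelease tokens carry no patch component
	if m[3] != "" {
		patch, _ = strconv.Atoi(m[3])
	}
	switch {
	case major != 1:
		return major < 1, nil
	case minor < 19:
		return true, nil
	case minor == 19:
		return patch < 10, nil
	case minor == 20:
		return patch < 5, nil // includes 1.20 rc/beta builds (1.20.0-0)
	default:
		return false, nil
	}
}

func main() {
	// Constructed sample versions, followed by the toolchain that built this program.
	for _, v := range []string{"go1.18.10", "go1.19.9", "go1.19.10", "go1.20rc1", "go1.20.4", "go1.20.5", runtime.Version()} {
		if hit, err := AffectedByCVE202329404(v); err != nil {
			fmt.Printf("%-12s skipped: %v\n", v, err)
		} else {
			fmt.Printf("%-12s affected=%v\n", v, hit)
		}
	}
}
```

Development builds and vendor-patched toolchains report version strings this parser rejects; treat the returned error as "check manually" rather than "not affected".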