GO-2023-1839

See a problem?

Source

https://pkg.go.dev/vuln/GO-2023-1839

Import Source

https://vuln.go.dev/ID/GO-2023-1839.json

JSON Data

https://api.osv.dev/v1/vulns/GO-2023-1839

Aliases

Published

2023-06-08T20:16:16Z

Modified

2024-05-20T16:03:47Z

Summary

Code injection via go command with cgo in cmd/go

Details

The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a go program which uses cgo.

This may occur when running an untrusted module which contains directories with newline characters in their names. Modules which are retrieved using the go command, i.e. via "go get", are not affected (modules retrieved using GOPATH-mode, i.e. GO111MODULE=off, may be affected).

References

Credits

- Juho Nurminen of Mattermost

Affected packages

Go / toolchain

Package

Name: toolchain; View open source insights on deps.dev
Purl: pkg:golang/toolchain

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.19.10

Introduced

1.20.0-0

Fixed

1.20.5

Ecosystem specific

{
    "imports": [
        {
            "path": "cmd/go"
        }
    ]
}