GO-2023-1839

Source
https://pkg.go.dev/vuln/GO-2023-1839
Import Source
https://vuln.go.dev/ID/GO-2023-1839.json
JSON Data
https://api.osv.dev/v1/vulns/GO-2023-1839
Aliases
Related
Published
2023-06-08T20:16:16Z
Modified
2024-05-20T16:03:47Z
Summary
Code injection via go command with cgo in cmd/go
Details

The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a go program which uses cgo.

This may occur when running an untrusted module which contains directories with newline characters in their names. Modules which are retrieved using the go command, i.e. via "go get", are not affected (modules retrieved using GOPATH-mode, i.e. GO111MODULE=off, may be affected).

Database specific
{
    "review_status": "REVIEWED",
    "url": "https://pkg.go.dev/vuln/GO-2023-1839"
}
References
Credits
    • Juho Nurminen of Mattermost

Affected packages

Go / toolchain

Package

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.19.10
Introduced
1.20.0-0
Fixed
1.20.5

Ecosystem specific

{
    "imports": [
        {
            "path": "cmd/go"
        }
    ]
}