GO-2023-1841

Source
https://pkg.go.dev/vuln/GO-2023-1841
Import Source
https://vuln.go.dev/ID/GO-2023-1841.json
JSON Data
https://api.osv.dev/v1/vulns/GO-2023-1841
Aliases
Related
Published
2023-06-08T20:15:47Z
Modified
2024-05-20T16:03:47Z
Summary
Improper handling of non-optional LDFLAGS in go command with cgo in cmd/go
Details

The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a "#cgo LDFLAGS" directive.

The arguments for a number of flags which are non-optional are incorrectly considered optional, allowing disallowed flags to be smuggled through the LDFLAGS sanitization. This affects usage of both the gc and gccgo compilers.

Database specific
{
    "review_status": "REVIEWED",
    "url": "https://pkg.go.dev/vuln/GO-2023-1841"
}
References
Credits
    • Juho Nurminen of Mattermost

Affected packages

Go / toolchain

Package

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.19.10
Introduced
1.20.0-0
Fixed
1.20.5

Ecosystem specific

{
    "imports": [
        {
            "path": "cmd/go"
        }
    ]
}