GO-2023-1841

See a problem?

Source

https://pkg.go.dev/vuln/GO-2023-1841

Import Source

https://vuln.go.dev/ID/GO-2023-1841.json

JSON Data

https://api.osv.dev/v1/vulns/GO-2023-1841

Aliases

Published

2023-06-08T20:15:47Z

Modified

2024-05-20T16:03:47Z

Summary

Improper handling of non-optional LDFLAGS in go command with cgo in cmd/go

Details

The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a "#cgo LDFLAGS" directive.

The arguments for a number of flags which are non-optional are incorrectly considered optional, allowing disallowed flags to be smuggled through the LDFLAGS sanitization. This affects usage of both the gc and gccgo compilers.

References

Credits

- Juho Nurminen of Mattermost

Affected packages

Go / toolchain

Package

Name: toolchain; View open source insights on deps.dev
Purl: pkg:golang/toolchain

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.19.10

Introduced

1.20.0-0

Fixed

1.20.5

Ecosystem specific

{
    "imports": [
        {
            "path": "cmd/go"
        }
    ]
}