Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

cmd/go: line directives allows arbitrary execution during build (CVE-2023-39323) #63211

Closed
rolandshoemaker opened this issue Sep 25, 2023 · 9 comments
Labels
FrozenDueToAge NeedsFix The path to resolution is known, but the work has not been done. release-blocker Security
Milestone

Comments

@rolandshoemaker
Copy link
Member

rolandshoemaker commented Sep 25, 2023

"//line" directives can be used to bypass the restrictions on "//go:cgo_"
directives, allowing blocked linker and compiler flags to be passed during
compilation. This can result in unexpected execution of arbitrary code when
running "go build". The line directive requires the absolute path of the file in
which the directive lives, which makes exploting this issue significantly more
complex.

This is CVE-2023-39323 and Go issue https://go.dev/issue/63211.


This is a PRIVATE issue for CVE-2023-39323, tracked in http://b/296358534 and fixed by http://tg/2032884.

/cc @golang/security and @golang/release

@rolandshoemaker
Copy link
Member Author

@gopherbot please open backport issues.

@gopherbot
Copy link
Contributor

Backport issue(s) opened: #63213 (for 1.20), #63214 (for 1.21).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.

@thanm thanm added the NeedsFix The path to resolution is known, but the work has not been done. label Sep 25, 2023
@dmitshur dmitshur added this to the Go1.22 milestone Oct 1, 2023
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/533195 mentions this issue: [release-branch.go1.20] cmd/compile: use absolute file name in isCgo check

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/533215 mentions this issue: [release-branch.go1.21] cmd/compile: use absolute file name in isCgo check

gopherbot pushed a commit that referenced this issue Oct 5, 2023
…check

For #23672
Updates #63211
Fixes #63214
Fixes CVE-2023-39323

Change-Id: I4586a69e1b2560036afec29d53e53cf25e6c7352
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2032884
Reviewed-by: Matthew Dempsky <[email protected]>
Reviewed-by: Roland Shoemaker <[email protected]>
(cherry picked from commit 9b19e751918dd218035811b1ef83a8c2693b864a)
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2037958
Reviewed-by: Damien Neil <[email protected]>
Reviewed-by: Tatiana Bradley <[email protected]>
Run-TryBot: Roland Shoemaker <[email protected]>
Reviewed-on: https://go-review.googlesource.com/c/go/+/533215
Reviewed-by: Than McIntosh <[email protected]>
Auto-Submit: Michael Pratt <[email protected]>
Reviewed-by: Ian Lance Taylor <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>
gopherbot pushed a commit that referenced this issue Oct 5, 2023
…check

For #23672
Updates #63211
Fixes #63213
Fixes CVE-2023-39323

Change-Id: I4586a69e1b2560036afec29d53e53cf25e6c7352
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2032884
Reviewed-by: Matthew Dempsky <[email protected]>
Reviewed-by: Roland Shoemaker <[email protected]>
(cherry picked from commit 9b19e751918dd218035811b1ef83a8c2693b864a)
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2037629
Reviewed-by: Tatiana Bradley <[email protected]>
Run-TryBot: Roland Shoemaker <[email protected]>
Reviewed-by: Damien Neil <[email protected]>
Reviewed-on: https://go-review.googlesource.com/c/go/+/533195
Auto-Submit: Michael Pratt <[email protected]>
Reviewed-by: Ian Lance Taylor <[email protected]>
TryBot-Bypass: Michael Pratt <[email protected]>
Reviewed-by: Than McIntosh <[email protected]>
@prattmic prattmic changed the title security: fix CVE-2023-39323 cmd/go: line directives allows arbitrary execution during build (CVE-2023-39323) Oct 5, 2023
@kevinburke
Copy link
Contributor

kevinburke commented Oct 5, 2023

Thank you for fixing this. Can you confirm which versions of Go are affected by this issue?

(My edit of the description just replaced "compliation" with "compilation".)

@ianlancetaylor
Copy link
Member

@kevinburke Unfortunately, I believe that this vulnerability was introduced very early on in Go 1.1. We fixed a large class of these bugs in Go 1.10 (see #23672) but we missed this one.

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/534158 mentions this issue: cmd/compile: use absolute file name in isCgo check

@dmitshur dmitshur removed their assignment Oct 11, 2023
jdimatteo pushed a commit to jdimatteo/go that referenced this issue Oct 16, 2023
…check

For golang#23672
Updates golang#63211
Fixes golang#63213
Fixes CVE-2023-39323

Change-Id: I4586a69e1b2560036afec29d53e53cf25e6c7352
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2032884
Reviewed-by: Matthew Dempsky <[email protected]>
Reviewed-by: Roland Shoemaker <[email protected]>
(cherry picked from commit 9b19e751918dd218035811b1ef83a8c2693b864a)
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2037629
Reviewed-by: Tatiana Bradley <[email protected]>
Run-TryBot: Roland Shoemaker <[email protected]>
Reviewed-by: Damien Neil <[email protected]>
Reviewed-on: https://go-review.googlesource.com/c/go/+/533195
Auto-Submit: Michael Pratt <[email protected]>
Reviewed-by: Ian Lance Taylor <[email protected]>
TryBot-Bypass: Michael Pratt <[email protected]>
Reviewed-by: Than McIntosh <[email protected]>
yunginnanet pushed a commit to yunginnanet/go that referenced this issue Oct 20, 2023
For golang#23672
Fixes golang#63211
Fixes CVE-2023-39323

Change-Id: I4586a69e1b2560036afec29d53e53cf25e6c7352
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2032884
Reviewed-by: Matthew Dempsky <[email protected]>
Reviewed-by: Roland Shoemaker <[email protected]>
Reviewed-on: https://go-review.googlesource.com/c/go/+/534158
Reviewed-by: Dmitri Shuralyov <[email protected]>
Reviewed-by: Ian Lance Taylor <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>
Auto-Submit: Ian Lance Taylor <[email protected]>
@ArchanaWind
Copy link

Hi,
Could you people please confirm Is go_1.17.13 affected, most of the removed functions are not present in this versio.

image

bytes.Cut is not present in go_1.17.13

image

trimFilename() func is also not present and it added later

@ArchanaWind
Copy link

Can you people please respond on it

rcrozean pushed a commit to rcrozean/go that referenced this issue Dec 7, 2023
# AWS EKS

Backported To: go-1.19.13-eks
Backported On: Tue, 10 Oct 2023
Backported By: [email protected]
Backported From: release-branch.go1.20
Source Commit: golang@31d5b60

# Original Information

For golang#23672
Updates golang#63211
Fixes golang#63213
Fixes CVE-2023-39323

Change-Id: I4586a69e1b2560036afec29d53e53cf25e6c7352
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2032884
Reviewed-by: Matthew Dempsky <[email protected]>
Reviewed-by: Roland Shoemaker <[email protected]>
(cherry picked from commit 9b19e751918dd218035811b1ef83a8c2693b864a)
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2037629
Reviewed-by: Tatiana Bradley <[email protected]>
Run-TryBot: Roland Shoemaker <[email protected]>
Reviewed-by: Damien Neil <[email protected]>
Reviewed-on: https://go-review.googlesource.com/c/go/+/533195
Auto-Submit: Michael Pratt <[email protected]>
Reviewed-by: Ian Lance Taylor <[email protected]>
TryBot-Bypass: Michael Pratt <[email protected]>
Reviewed-by: Than McIntosh <[email protected]>
@golang golang locked and limited conversation to collaborators Dec 3, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
FrozenDueToAge NeedsFix The path to resolution is known, but the work has not been done. release-blocker Security
Projects
None yet
Development

No branches or pull requests

7 participants