Vulnerability Report: GO-2023-1841

  • CVE-2023-29404
  • Affects: cmd/go
  • Published: Jun 08, 2023
  • Modified: May 20, 2024

The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a "#cgo LDFLAGS" directive. The arguments for a number of flags which are non-optional are incorrectly considered optional, allowing disallowed flags to be smuggled through the LDFLAGS sanitization. This affects usage of both the gc and gccgo compilers.

Affected Packages

  • Path
    Versions
    Symbols
  • cmd/go
    before go1.19.10, from go1.20.0-0 before go1.20.5
    all symbols

Aliases

References

Credits

  • Juho Nurminen of Mattermost

Feedback

See anything missing or incorrect? Suggest an edit to this report.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.