PT-2023-3868 · Go+11 · Go+11

Juho Nurminen

·

Published

2023-05-19

·

Updated

2026-02-18

·

CVE-2023-29405

CVSS v2.0

10

Critical

VectorAV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions Go (affected versions not specified)
Description The issue is related to the Go programming language's cgo extension, which may execute arbitrary code at build time when using cgo. This can occur when running "go get" on a malicious module or when running any other command that builds untrusted code. The problem is triggered by linker flags specified via a "#cgo LDFLAGS" directive. Flags with embedded spaces are mishandled, allowing disallowed flags to be smuggled through the LDFLAGS sanitization by including them in the argument of another flag. This only affects usage of the gccgo compiler. Exploitation of the issue may allow a remote attacker to execute arbitrary code.
Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Special Elements Injection

Argument Injection

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-74CWE-88

Related Identifiers

ALSA-2023:3922
ALSA-2023:3923
ALT-PU-2023-2086
ALT-PU-2023-2090
ALT-PU-2023-4099
ALT-PU-2023-4736
ALT-PU-2023-4785
ALT-PU-2023-5492
ALT-PU-2023-7055
AZL-27110
AZL-27123
AZL-37347
AZL-37499
AZL-52827
AZL-79012
BDU:2023-04160
BIT-GOLANG-2023-29405
CESA-2023_3922
CVE-2023-29405
GO-2023-1842
MGASA-2023-0227
OESA-2023-1386
OESA-2023-1499
OPENSUSE-SU-2024:12987-1
OPENSUSE-SU-2024:12988-1
RHSA-2023:3920
RHSA-2023:3922
RHSA-2023:3923
RHSA-2023_3922
RHSA-2023_3923
RLSA-2023:3923
SUSE-SU-2023:2525-1
SUSE-SU-2023:2526-1
USN-7061-1
USN-7109-1

Affected Products

Alt Linux
Almalinux
Astra Linux
Centos
Debian
Go
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu