PT-2023-6473 · Go+7

Rolandshoemaker · Published 2023-05-10 · Updated 2025-06-12 · CVE-2023-39323

CVSS v2.0: 10 (High)

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

Go versions prior to 1.21.2
Go versions prior to 1.20.9

Description

The issue is in how the Go toolchain handles the "//line" directive, which can be used to bypass the restrictions on "//go:cgo_" directives. This allows blocked linker and compiler flags to be passed during compilation, potentially resulting in the unexpected execution of arbitrary code when running "go build". Exploitation is complex because it requires the absolute path of the file in which the directive lives.

Recommendations

For Go versions prior to 1.21.2, update to version 1.21.2 or later to resolve the issue. For Go versions prior to 1.20.9, update to version 1.20.9 or later to resolve the issue. As a temporary workaround, consider restricting the use of the "//line" directive until a patch is available.
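A triage check for source trees that may still be built with an unpatched toolchain, as an added example that is not part of the advisory or of the Go project's code: it flags any file that carries both a "//line" directive and a "//go:cgo_" directive, the combination described above. The sample source, its file name and its flag are constructed placeholders, and `scanSource` and `needsReview` are hypothetical names.

```go
package main

import (
	"fmt"
	"strings"
)

// Finding is one directive occurrence relevant to CVE-2023-39323.
type Finding struct {
	Line int    // 1-based line number in the scanned source
	Kind string // "line" or "cgo"
	Text string // directive name, e.g. "//go:cgo_ldflag"
}

// scanSource lists //line (and /*line) directives and //go:cgo_ directives.
func scanSource(src string) []Finding {
	var out []Finding
	for i, l := range strings.Split(src, "\n") {
		l = strings.TrimRight(l, "\r")
		switch {
		case strings.HasPrefix(l, "//line "), strings.Contains(l, "/*line "):
			out = append(out, Finding{i + 1, "line", "line directive"})
		case strings.HasPrefix(l, "//go:cgo_"):
			out = append(out, Finding{i + 1, "cgo", strings.Fields(l)[0]})
		}
	}
	return out
}

// needsReview is true when one file carries both directive kinds.
// Assumption: checked-in, hand-written code rarely needs either of them.
func needsReview(fs []Finding) bool {
	kinds := map[string]bool{}
	for _, f := range fs {
		kinds[f.Kind] = true
	}
	return kinds["line"] && kinds["cgo"]
}

// Constructed sample; the file name and the flag are placeholders.
const sample = "//line placeholder.go:1\npackage demo\n\n//go:cgo_ldflag \"-placeholder\"\nfunc f() {}\n"

func main() {
	fs := scanSource(sample)
	for _, f := range fs {
		fmt.Printf("line %d: %s\n", f.Line, f.Text)
	}
	fmt.Println("needs review:", needsReview(fs))
}
```

A hit is a prompt for manual review of the file, not proof of abuse.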

Exploit

Fix

Code Injection


Weakness Enumeration

Related Identifiers

ALT-PU-2023-6169
ALT-PU-2023-6170
ALT-PU-2023-7050
ALT-PU-2023-7055
ALT-PU-2024-11872
ALT-PU-2024-1825
ALT-PU-2024-4847
AZL-31107
AZL-37358
AZL-37389
AZL-52845
AZL-78984
BDU:2023-07201
BIT-GOLANG-2023-39323
CVE-2023-39323
GO-2023-2095
OESA-2023-1789
OPENSUSE-SU-2023:0360-1
OPENSUSE-SU-2023_4017-1
OPENSUSE-SU-2023_4018-1
OPENSUSE-SU-2023_4469-1
OPENSUSE-SU-2023_4472-1
OPENSUSE-SU-2024:13306-1
OPENSUSE-SU-2024:13307-1
SUSE-SU-2023:4017-1
SUSE-SU-2023:4018-1
SUSE-SU-2023:4469-1
SUSE-SU-2023:4472-1
SUSE-SU-2023_4017-1
SUSE-SU-2023_4018-1
USN-6574-1
USN-7109-1
USN-7111-1

Affected Products

Alt Linux
Astra Linux
Debian
Go
Linuxmint
Red Os
Suse
Ubuntu