Unrated severityNVD Advisory· Published Jun 8, 2023· Updated Feb 13, 2025
Unsafe behavior in setuid/setgid binaries in runtime
CVE-2023-29403
Description
On Unix platforms, the Go runtime does not behave differently when a binary is run with the setuid/setgid bits. This can be dangerous in certain cases, such as when dumping memory state, or assuming the status of standard i/o file descriptors. If a setuid/setgid binary is executed with standard I/O file descriptors closed, opening any files can result in unexpected content being read or written with elevated privileges. Similarly, if a setuid/setgid program is terminated, either via panic or signal, it may leak the contents of its registers.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
37- osv-coords36 versionspkg:apk/chainguard/falcopkg:apk/chainguard/falco-devpkg:apk/chainguard/falco-srcpkg:apk/chainguard/kindpkg:apk/chainguard/policy-controllerpkg:apk/chainguard/policy-controller-testerpkg:apk/chainguard/policy-controller-webhookpkg:apk/wolfi/falcopkg:apk/wolfi/falco-devpkg:apk/wolfi/falco-srcpkg:apk/wolfi/kindpkg:apk/wolfi/policy-controllerpkg:apk/wolfi/policy-controller-testerpkg:apk/wolfi/policy-controller-webhookpkg:bitnami/golangpkg:rpm/almalinux/delvepkg:rpm/almalinux/golangpkg:rpm/almalinux/golang-binpkg:rpm/almalinux/golang-docspkg:rpm/almalinux/golang-miscpkg:rpm/almalinux/golang-racepkg:rpm/almalinux/golang-srcpkg:rpm/almalinux/golang-testspkg:rpm/almalinux/go-toolsetpkg:rpm/opensuse/go1.19&distro=openSUSE%20Leap%2015.4pkg:rpm/opensuse/go1.19&distro=openSUSE%20Leap%2015.5pkg:rpm/opensuse/go1.19&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/go1.20&distro=openSUSE%20Leap%2015.4pkg:rpm/opensuse/go1.20&distro=openSUSE%20Leap%2015.5pkg:rpm/opensuse/go1.20&distro=openSUSE%20Tumbleweedpkg:rpm/suse/go1.19&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP4pkg:rpm/suse/go1.19&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP5pkg:rpm/suse/go1.19&distro=SUSE%20Linux%20Enterprise%20Real%20Time%2015%20SP3pkg:rpm/suse/go1.20&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP4pkg:rpm/suse/go1.20&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP5pkg:rpm/suse/go1.20&distro=SUSE%20Linux%20Enterprise%20Real%20Time%2015%20SP3
< 0.37.1-r0+ 35 more
- (no CPE)range: < 0.37.1-r0
- (no CPE)range: < 0.37.1-r0
- (no CPE)range: < 0.37.1-r0
- (no CPE)range: < 0.21.0-r0
- (no CPE)range: < 0.7.0-r4
- (no CPE)range: < 0.7.0-r4
- (no CPE)range: < 0.7.0-r4
- (no CPE)range: < 0.37.1-r0
- (no CPE)range: < 0.37.1-r0
- (no CPE)range: < 0.37.1-r0
- (no CPE)range: < 0.21.0-r0
- (no CPE)range: < 0.7.0-r4
- (no CPE)range: < 0.7.0-r4
- (no CPE)range: < 0.7.0-r4
- (no CPE)range: < 1.19.10
- (no CPE)range: < 1.9.1-1.module_el8.8.0+3471+a62632a0
- (no CPE)range: < 1.19.10-1.module_el8.8.0+3571+89db2ae0
- (no CPE)range: < 1.19.10-1.module_el8.8.0+3571+89db2ae0
- (no CPE)range: < 1.19.10-1.module_el8.8.0+3571+89db2ae0
- (no CPE)range: < 1.19.10-1.module_el8.8.0+3571+89db2ae0
- (no CPE)range: < 1.19.10-1.module_el8.8.0+3571+89db2ae0
- (no CPE)range: < 1.19.10-1.module_el8.8.0+3571+89db2ae0
- (no CPE)range: < 1.19.10-1.module_el8.8.0+3571+89db2ae0
- (no CPE)range: < 1.19.10-1.module_el8.8.0+3571+89db2ae0
- (no CPE)range: < 1.19.10-150000.1.34.1
- (no CPE)range: < 1.19.10-150000.1.34.1
- (no CPE)range: < 1.19.10-1.1
- (no CPE)range: < 1.20.5-150000.1.14.1
- (no CPE)range: < 1.20.5-150000.1.14.1
- (no CPE)range: < 1.20.5-1.1
- (no CPE)range: < 1.19.10-150000.1.34.1
- (no CPE)range: < 1.19.10-150000.1.34.1
- (no CPE)range: < 1.19.10-150000.1.34.1
- (no CPE)range: < 1.20.5-150000.1.14.1
- (no CPE)range: < 1.20.5-150000.1.14.1
- (no CPE)range: < 1.20.5-150000.1.14.1
- Go standard library/runtimev5Range: 0
Patches
Vulnerability mechanics
References
7- go.dev/cl/501223mitre
- go.dev/issue/60272mitre
- groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJmitre
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZ2O6YCO2IZMZJELQGZYR2WAUNEDLYV6/mitre
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBS3IIK6ADV24C5ULQU55QLT2UE762ZX/mitre
- pkg.go.dev/vuln/GO-2023-1840mitre
- security.gentoo.org/glsa/202311-09mitre
News mentions
0No linked articles in our index yet.