Unrated severityNVD Advisory· Published Jun 8, 2023· Updated Jan 6, 2025

Improper handling of non-optional LDFLAGS in go command with cgo in cmd/go

CVE-2023-29404

Description

The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a "#cgo LDFLAGS" directive. The arguments for a number of flags which are non-optional are incorrectly considered optional, allowing disallowed flags to be smuggled through the LDFLAGS sanitization. This affects usage of both the gc and gccgo compilers.

Affected products

osv-coords36 versions
pkg:apk/chainguard/falco pkg:apk/chainguard/falco-dev pkg:apk/chainguard/falco-src pkg:apk/chainguard/kind pkg:apk/chainguard/policy-controller pkg:apk/chainguard/policy-controller-tester pkg:apk/chainguard/policy-controller-webhook pkg:apk/wolfi/falco pkg:apk/wolfi/falco-dev pkg:apk/wolfi/falco-src pkg:apk/wolfi/kind pkg:apk/wolfi/policy-controller pkg:apk/wolfi/policy-controller-tester pkg:apk/wolfi/policy-controller-webhook pkg:bitnami/golang pkg:rpm/almalinux/delve pkg:rpm/almalinux/golang pkg:rpm/almalinux/golang-bin pkg:rpm/almalinux/golang-docs pkg:rpm/almalinux/golang-misc pkg:rpm/almalinux/golang-race pkg:rpm/almalinux/golang-src pkg:rpm/almalinux/golang-tests pkg:rpm/almalinux/go-toolset pkg:rpm/opensuse/go1.19&distro=openSUSE%20Leap%2015.4 pkg:rpm/opensuse/go1.19&distro=openSUSE%20Leap%2015.5 pkg:rpm/opensuse/go1.19&distro=openSUSE%20Tumbleweed pkg:rpm/opensuse/go1.20&distro=openSUSE%20Leap%2015.4 pkg:rpm/opensuse/go1.20&distro=openSUSE%20Leap%2015.5 pkg:rpm/opensuse/go1.20&distro=openSUSE%20Tumbleweed pkg:rpm/suse/go1.19&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP4 pkg:rpm/suse/go1.19&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP5 pkg:rpm/suse/go1.19&distro=SUSE%20Linux%20Enterprise%20Real%20Time%2015%20SP3 pkg:rpm/suse/go1.20&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP4 pkg:rpm/suse/go1.20&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP5 pkg:rpm/suse/go1.20&distro=SUSE%20Linux%20Enterprise%20Real%20Time%2015%20SP3
< 0.37.1-r0+ 35 more
- (no CPE)range: < 0.37.1-r0
- (no CPE)range: < 0.37.1-r0
- (no CPE)range: < 0.37.1-r0
- (no CPE)range: < 0.21.0-r0
- (no CPE)range: < 0.7.0-r4
- (no CPE)range: < 0.7.0-r4
- (no CPE)range: < 0.7.0-r4
- (no CPE)range: < 0.37.1-r0
- (no CPE)range: < 0.37.1-r0
- (no CPE)range: < 0.37.1-r0
- (no CPE)range: < 0.21.0-r0
- (no CPE)range: < 0.7.0-r4
- (no CPE)range: < 0.7.0-r4
- (no CPE)range: < 0.7.0-r4
- (no CPE)range: < 1.19.10
- (no CPE)range: < 1.9.1-1.module_el8.8.0+3471+a62632a0
- (no CPE)range: < 1.19.10-1.module_el8.8.0+3571+89db2ae0
- (no CPE)range: < 1.19.10-1.module_el8.8.0+3571+89db2ae0
- (no CPE)range: < 1.19.10-1.module_el8.8.0+3571+89db2ae0
- (no CPE)range: < 1.19.10-1.module_el8.8.0+3571+89db2ae0
- (no CPE)range: < 1.19.10-1.module_el8.8.0+3571+89db2ae0
- (no CPE)range: < 1.19.10-1.module_el8.8.0+3571+89db2ae0
- (no CPE)range: < 1.19.10-1.module_el8.8.0+3571+89db2ae0
- (no CPE)range: < 1.19.10-1.module_el8.8.0+3571+89db2ae0
- (no CPE)range: < 1.19.10-150000.1.34.1
- (no CPE)range: < 1.19.10-150000.1.34.1
- (no CPE)range: < 1.19.10-1.1
- (no CPE)range: < 1.20.5-150000.1.14.1
- (no CPE)range: < 1.20.5-150000.1.14.1
- (no CPE)range: < 1.20.5-1.1
- (no CPE)range: < 1.19.10-150000.1.34.1
- (no CPE)range: < 1.19.10-150000.1.34.1
- (no CPE)range: < 1.19.10-150000.1.34.1
- (no CPE)range: < 1.20.5-150000.1.14.1
- (no CPE)range: < 1.20.5-150000.1.14.1
- (no CPE)range: < 1.20.5-150000.1.14.1
Go toolchain/cmd/gov5
Range: 0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000