The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a "#cgo LDFLAGS" directive. The arguments for a number of flags which are non-optional are incorrectly considered optional, allowing disallowed flags to be smuggled through the LDFLAGS sanitization. This affects usage of both the gc and gccgo compilers.
Metrics
Affected Vendors & Products
References
History
Fri, 22 Nov 2024 12:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
References |
|
MITRE
Status: PUBLISHED
Assigner: Go
Published: 2023-06-08T20:19:17.548Z
Updated: 2024-11-15T13:08:12.758Z
Reserved: 2023-04-05T19:36:35.043Z
Link: CVE-2023-29404
Vulnrichment
No data.
NVD
Status : Modified
Published: 2023-06-08T21:15:17.077
Modified: 2024-11-21T07:56:59.690
Link: CVE-2023-29404
Redhat