Skip to content

update: go #1200

New issue
New issue
Closed
flatcar/scripts
#1230
Closed
update: go#1200
flatcar/scripts
#1230
Labels
advisorysecurity advisorycvss/CRITICAL>= 9 assessed CVSSsecuritysecurity concerns
@dongsupark

Description

@dongsupark
dongsupark
opened on Oct 6, 2023

Name: go
CVEs: CVE-2023-39323
CVSSs: 9.8
Action Needed: update to >= 1.20.9

Summary: cmd/go: line directives allows arbitrary execution during build. "//line" directives can be used to bypass the restrictions on "//go:cgo_" directives, allowing blocked linker and compiler flags to be passed during compliation. This can result in unexpected execution of arbitrary code when running "go build". The line directive requires the absolute path of the file in which the directive lives, which makes exploting this issue significantly more complex.

See also https://groups.google.com/g/golang-announce/c/XBa1oHDevAo.

refmap.gentoo: TBD

Metadata

Metadata

Assignees

No one assigned

    Labels

    advisorysecurity advisorycvss/CRITICAL>= 9 assessed CVSSsecuritysecurity concerns

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions