From: Peter Korsgaard <peter@korsgaard.com>
To: buildroot@buildroot.org
Subject: Re: [Buildroot] [git commit] package/go: security bump to version 1.9.10
Date: Wed, 14 Jun 2023 15:51:45 +0200
Message-ID: <87h6ranocu.fsf@48ers.dk>
In-Reply-To: <20230606195922.1BAED86D16@busybox.osuosl.org> (Peter Korsgaard's message of "Tue, 6 Jun 2023 21:56:00 +0200")
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:
> commit: https://git.buildroot.net/buildroot/commit/?id=620ce32227b0722c9c68c5d0cd42d8600a18ca6b
> branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/master
> Fixes the following security issues:
> - cmd/go: cgo code injection
> The go command may generate unexpected code at build time when using cgo.
> This may result in unexpected behavior when running a go program which
> uses cgo.
> This may occur when running an untrusted module which contains directories
> with newline characters in their names. Modules which are retrieved using
> the go command, i.e. via "go get", are not affected (modules retrieved
> using GOPATH-mode, i.e. GO111MODULE=off, may be affected).
> Thanks to Juho Nurminen of Mattermost for reporting this issue.
> This is CVE-2023-29402 and Go issue https://go.dev/issue/60167.
> - runtime: unexpected behavior of setuid/setgid binaries
> The Go runtime didn't act any differently when a binary had the
> setuid/setgid bit set. On Unix platforms, if a setuid/setgid binary was
> executed with standard I/O file descriptors closed, opening any files
> could result in unexpected content being read/written with elevated
> privileges. Similarly if a setuid/setgid program was terminated, either
> via panic or signal, it could leak the contents of its registers.
> Thanks to Vincent Dehors from Synacktiv for reporting this issue.
> This is CVE-2023-29403 and Go issue https://go.dev/issue/60272.
> - cmd/go: improper sanitization of LDFLAGS
> The go command may execute arbitrary code at build time when using cgo.
> This may occur when running "go get" on a malicious module, or when
> running any other command which builds untrusted code. This can be
> triggered by linker flags, specified via a "#cgo LDFLAGS" directive.
> Thanks to Juho Nurminen of Mattermost for reporting this issue.
> This is CVE-2023-29404 and CVE-2023-29405 and Go issues
> https://go.dev/issue/60305 and https://go.dev/issue/60306.
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Committed to 2023.02.x, thanks.
--
Bye, Peter Korsgaard
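The first and third advisories quoted above both concern input that reaches the go tool from an untrusted module tree: directory names containing newlines, and linker flags supplied through "#cgo LDFLAGS" directives. The following is an added example, not code from the commit, from Buildroot or from the Go project, of a small pre-build audit a packager can run over a vendored module before handing it to go build. It walks the tree, flags any directory whose name contains a newline, and flags LDFLAGS tokens that fall outside a plain -l<lib> / -L<dir> allowlist. That allowlist is this example's own review policy, not Go's rule; the sample module it writes to a temporary directory is constructed, and the -Wl,-rpath token in it is merely an illustration of a flag outside the allowlist, not a claim about the specific flags behind the CVEs.

```go
package main

import (
	"bufio"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// Finding is one item the pre-build audit wants a human to look at.
type Finding struct {
	Path   string
	Reason string
}

// unsafeDirName reports whether a path component carries a newline (CR or LF),
// the character class the first advisory names for directory names.
func unsafeDirName(name string) bool {
	return strings.ContainsAny(name, "\n\r")
}

// suspiciousLDFLAG applies an allowlist that is an assumption of this example,
// not Go's own rule: only plain -l<lib> and -L<dir> tokens pass review.
func suspiciousLDFLAG(tok string) bool {
	if len(tok) > 2 && (strings.HasPrefix(tok, "-l") || strings.HasPrefix(tok, "-L")) {
		return false
	}
	return true
}

// auditModule walks root and reports (a) directories whose names contain a
// newline and (b) "#cgo ... LDFLAGS:" directives with tokens outside the allowlist.
func auditModule(root string) ([]Finding, error) {
	var findings []Finding
	walk := func(path string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil {
			return walkErr
		}
		if d.IsDir() {
			if unsafeDirName(d.Name()) {
				findings = append(findings, Finding{Path: path, Reason: "directory name contains newline"})
			}
			return nil
		}
		if !strings.HasSuffix(path, ".go") {
			return nil
		}
		f, err := os.Open(path)
		if err != nil {
			return err
		}
		defer f.Close()
		sc := bufio.NewScanner(f)
		for lineNo := 1; sc.Scan(); lineNo++ {
			line := strings.TrimSpace(sc.Text())
			if !strings.HasPrefix(line, "//") {
				continue
			}
			body := strings.TrimSpace(strings.TrimPrefix(line, "//"))
			if !strings.HasPrefix(body, "#cgo") {
				continue
			}
			// A build constraint may sit between "#cgo" and "LDFLAGS:", so search for the key.
			idx := strings.Index(body, "LDFLAGS:")
			if idx < 0 {
				continue
			}
			for _, tok := range strings.Fields(body[idx+len("LDFLAGS:"):]) {
				if suspiciousLDFLAG(tok) {
					findings = append(findings, Finding{
						Path:   fmt.Sprintf("%s:%d", path, lineNo),
						Reason: "LDFLAGS token outside allowlist: " + tok,
					})
				}
			}
		}
		return sc.Err()
	}
	err := filepath.WalkDir(root, walk)
	return findings, err
}

// writeSampleModule creates a constructed, throwaway module tree: one clean
// package, one directory with a newline in its name, one non-allowlisted flag.
func writeSampleModule() (string, error) {
	root, err := os.MkdirTemp("", "cgo-audit-")
	if err != nil {
		return "", err
	}
	if err := os.Mkdir(filepath.Join(root, "bad\nname"), 0o755); err != nil {
		return "", err
	}
	if err := os.Mkdir(filepath.Join(root, "ok"), 0o755); err != nil {
		return "", err
	}
	src := "package ok\n\n" +
		"// #cgo LDFLAGS: -lm\n" +
		"// #cgo linux LDFLAGS: -L/usr/lib -Wl,-rpath,/tmp/constructed\n" +
		"import \"C\"\n"
	return root, os.WriteFile(filepath.Join(root, "ok", "ok.go"), []byte(src), 0o644)
}

func main() {
	root, err := writeSampleModule()
	if err != nil {
		fmt.Println("setup failed:", err)
		return
	}
	defer os.RemoveAll(root)
	findings, err := auditModule(root)
	if err != nil {
		fmt.Println("audit failed:", err)
		return
	}
	for _, f := range findings {
		fmt.Printf("%s: %s\n", strings.ReplaceAll(f.Path, "\n", "\\n"), f.Reason)
	}
}
```

Run against the constructed tree this reports two findings: the "bad\nname" directory and the -Wl,-rpath token on line 4 of ok/ok.go, while -lm and -L/usr/lib pass. On a real vendored tree the point is to gate the build on an empty finding list, or on a reviewer signing off each flagged token, rather than relying solely on the toolchain's sanitization.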