csaf_redhat - rhsa-2023

rhsa-2023_3923

Vulnerability from csaf_redhat

Published

2023-06-29 09:49

Modified

2024-09-18 05:01

Summary

Red Hat Security Advisory: go-toolset and golang security update

Notes

Topic

An update for go-toolset and golang is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Details

Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang. The golang packages provide the Go programming language compiler. Security Fix(es): * golang: cmd/go: go command may generate unexpected code at build time when using cgo (CVE-2023-29402) * golang: cmd/go: go command may execute arbitrary code at build time when using cgo (CVE-2023-29404) * golang: cmd/cgo: Arbitratry code execution triggered by linker flags (CVE-2023-29405) * golang: runtime: unexpected behavior of setuid/setgid binaries (CVE-2023-29403) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Critical"
    },
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update for go-toolset and golang is now available for Red Hat Enterprise Linux 9.\n\nRed Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang. \n\nThe golang packages provide the Go programming language compiler.\n\nSecurity Fix(es):\n\n* golang: cmd/go: go command may generate unexpected code at build time when using cgo (CVE-2023-29402)\n\n* golang: cmd/go: go command may execute arbitrary code at build time when using cgo (CVE-2023-29404)\n\n* golang: cmd/cgo: Arbitratry code execution triggered by linker flags (CVE-2023-29405)\n\n* golang: runtime: unexpected behavior of setuid/setgid binaries (CVE-2023-29403)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat offerings.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2023:3923",
        "url": "https://access.redhat.com/errata/RHSA-2023:3923"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#critical",
        "url": "https://access.redhat.com/security/updates/classification/#critical"
      },
      {
        "category": "external",
        "summary": "2216965",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2216965"
      },
      {
        "category": "external",
        "summary": "2217562",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2217562"
      },
      {
        "category": "external",
        "summary": "2217565",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2217565"
      },
      {
        "category": "external",
        "summary": "2217569",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2217569"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_3923.json"
      }
    ],
    "title": "Red Hat Security Advisory: go-toolset and golang security update",
    "tracking": {
      "current_release_date": "2024-09-18T05:01:23+00:00",
      "generator": {
        "date": "2024-09-18T05:01:23+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "3.33.3"
        }
      },
      "id": "RHSA-2023:3923",
      "initial_release_date": "2023-06-29T09:49:22+00:00",
      "revision_history": [
        {
          "date": "2023-06-29T09:49:22+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2023-06-29T09:49:22+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-09-18T05:01:23+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux AppStream (v. 9)",
                "product": {
                  "name": "Red Hat Enterprise Linux AppStream (v. 9)",
                  "product_id": "AppStream-9.2.0.Z.MAIN.EUS",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:enterprise_linux:9::appstream"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Enterprise Linux"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "golang-0:1.19.10-1.el9_2.src",
                "product": {
                  "name": "golang-0:1.19.10-1.el9_2.src",
                  "product_id": "golang-0:1.19.10-1.el9_2.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/golang@1.19.10-1.el9_2?arch=src"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "go-toolset-0:1.19.10-1.el9_2.src",
                "product": {
                  "name": "go-toolset-0:1.19.10-1.el9_2.src",
                  "product_id": "go-toolset-0:1.19.10-1.el9_2.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/go-toolset@1.19.10-1.el9_2?arch=src"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "golang-0:1.19.10-1.el9_2.aarch64",
                "product": {
                  "name": "golang-0:1.19.10-1.el9_2.aarch64",
                  "product_id": "golang-0:1.19.10-1.el9_2.aarch64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/golang@1.19.10-1.el9_2?arch=aarch64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "golang-bin-0:1.19.10-1.el9_2.aarch64",
                "product": {
                  "name": "golang-bin-0:1.19.10-1.el9_2.aarch64",
                  "product_id": "golang-bin-0:1.19.10-1.el9_2.aarch64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/golang-bin@1.19.10-1.el9_2?arch=aarch64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "go-toolset-0:1.19.10-1.el9_2.aarch64",
                "product": {
                  "name": "go-toolset-0:1.19.10-1.el9_2.aarch64",
                  "product_id": "go-toolset-0:1.19.10-1.el9_2.aarch64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/go-toolset@1.19.10-1.el9_2?arch=aarch64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "golang-0:1.19.10-1.el9_2.ppc64le",
                "product": {
                  "name": "golang-0:1.19.10-1.el9_2.ppc64le",
                  "product_id": "golang-0:1.19.10-1.el9_2.ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/golang@1.19.10-1.el9_2?arch=ppc64le"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "golang-bin-0:1.19.10-1.el9_2.ppc64le",
                "product": {
                  "name": "golang-bin-0:1.19.10-1.el9_2.ppc64le",
                  "product_id": "golang-bin-0:1.19.10-1.el9_2.ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/golang-bin@1.19.10-1.el9_2?arch=ppc64le"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "go-toolset-0:1.19.10-1.el9_2.ppc64le",
                "product": {
                  "name": "go-toolset-0:1.19.10-1.el9_2.ppc64le",
                  "product_id": "go-toolset-0:1.19.10-1.el9_2.ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/go-toolset@1.19.10-1.el9_2?arch=ppc64le"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "golang-0:1.19.10-1.el9_2.x86_64",
                "product": {
                  "name": "golang-0:1.19.10-1.el9_2.x86_64",
                  "product_id": "golang-0:1.19.10-1.el9_2.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/golang@1.19.10-1.el9_2?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "golang-bin-0:1.19.10-1.el9_2.x86_64",
                "product": {
                  "name": "golang-bin-0:1.19.10-1.el9_2.x86_64",
                  "product_id": "golang-bin-0:1.19.10-1.el9_2.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/golang-bin@1.19.10-1.el9_2?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "golang-race-0:1.19.10-1.el9_2.x86_64",
                "product": {
                  "name": "golang-race-0:1.19.10-1.el9_2.x86_64",
                  "product_id": "golang-race-0:1.19.10-1.el9_2.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/golang-race@1.19.10-1.el9_2?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "go-toolset-0:1.19.10-1.el9_2.x86_64",
                "product": {
                  "name": "go-toolset-0:1.19.10-1.el9_2.x86_64",
                  "product_id": "go-toolset-0:1.19.10-1.el9_2.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/go-toolset@1.19.10-1.el9_2?arch=x86_64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "golang-0:1.19.10-1.el9_2.s390x",
                "product": {
                  "name": "golang-0:1.19.10-1.el9_2.s390x",
                  "product_id": "golang-0:1.19.10-1.el9_2.s390x",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/golang@1.19.10-1.el9_2?arch=s390x"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "golang-bin-0:1.19.10-1.el9_2.s390x",
                "product": {
                  "name": "golang-bin-0:1.19.10-1.el9_2.s390x",
                  "product_id": "golang-bin-0:1.19.10-1.el9_2.s390x",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/golang-bin@1.19.10-1.el9_2?arch=s390x"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "go-toolset-0:1.19.10-1.el9_2.s390x",
                "product": {
                  "name": "go-toolset-0:1.19.10-1.el9_2.s390x",
                  "product_id": "go-toolset-0:1.19.10-1.el9_2.s390x",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/go-toolset@1.19.10-1.el9_2?arch=s390x"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "golang-docs-0:1.19.10-1.el9_2.noarch",
                "product": {
                  "name": "golang-docs-0:1.19.10-1.el9_2.noarch",
                  "product_id": "golang-docs-0:1.19.10-1.el9_2.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/golang-docs@1.19.10-1.el9_2?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "golang-misc-0:1.19.10-1.el9_2.noarch",
                "product": {
                  "name": "golang-misc-0:1.19.10-1.el9_2.noarch",
                  "product_id": "golang-misc-0:1.19.10-1.el9_2.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/golang-misc@1.19.10-1.el9_2?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "golang-src-0:1.19.10-1.el9_2.noarch",
                "product": {
                  "name": "golang-src-0:1.19.10-1.el9_2.noarch",
                  "product_id": "golang-src-0:1.19.10-1.el9_2.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/golang-src@1.19.10-1.el9_2?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "golang-tests-0:1.19.10-1.el9_2.noarch",
                "product": {
                  "name": "golang-tests-0:1.19.10-1.el9_2.noarch",
                  "product_id": "golang-tests-0:1.19.10-1.el9_2.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/golang-tests@1.19.10-1.el9_2?arch=noarch"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "go-toolset-0:1.19.10-1.el9_2.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
          "product_id": "AppStream-9.2.0.Z.MAIN.EUS:go-toolset-0:1.19.10-1.el9_2.aarch64"
        },
        "product_reference": "go-toolset-0:1.19.10-1.el9_2.aarch64",
        "relates_to_product_reference": "AppStream-9.2.0.Z.MAIN.EUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "go-toolset-0:1.19.10-1.el9_2.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
          "product_id": "AppStream-9.2.0.Z.MAIN.EUS:go-toolset-0:1.19.10-1.el9_2.ppc64le"
        },
        "product_reference": "go-toolset-0:1.19.10-1.el9_2.ppc64le",
        "relates_to_product_reference": "AppStream-9.2.0.Z.MAIN.EUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "go-toolset-0:1.19.10-1.el9_2.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
          "product_id": "AppStream-9.2.0.Z.MAIN.EUS:go-toolset-0:1.19.10-1.el9_2.s390x"
        },
        "product_reference": "go-toolset-0:1.19.10-1.el9_2.s390x",
        "relates_to_product_reference": "AppStream-9.2.0.Z.MAIN.EUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "go-toolset-0:1.19.10-1.el9_2.src as a component of Red Hat Enterprise Linux AppStream (v. 9)",
          "product_id": "AppStream-9.2.0.Z.MAIN.EUS:go-toolset-0:1.19.10-1.el9_2.src"
        },
        "product_reference": "go-toolset-0:1.19.10-1.el9_2.src",
        "relates_to_product_reference": "AppStream-9.2.0.Z.MAIN.EUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "go-toolset-0:1.19.10-1.el9_2.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
          "product_id": "AppStream-9.2.0.Z.MAIN.EUS:go-toolset-0:1.19.10-1.el9_2.x86_64"
        },
        "product_reference": "go-toolset-0:1.19.10-1.el9_2.x86_64",
        "relates_to_product_reference": "AppStream-9.2.0.Z.MAIN.EUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "golang-0:1.19.10-1.el9_2.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
          "product_id": "AppStream-9.2.0.Z.MAIN.EUS:golang-0:1.19.10-1.el9_2.aarch64"
        },
        "product_reference": "golang-0:1.19.10-1.el9_2.aarch64",
        "relates_to_product_reference": "AppStream-9.2.0.Z.MAIN.EUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "golang-0:1.19.10-1.el9_2.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
          "product_id": "AppStream-9.2.0.Z.MAIN.EUS:golang-0:1.19.10-1.el9_2.ppc64le"
        },
        "product_reference": "golang-0:1.19.10-1.el9_2.ppc64le",
        "relates_to_product_reference": "AppStream-9.2.0.Z.MAIN.EUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "golang-0:1.19.10-1.el9_2.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
          "product_id": "AppStream-9.2.0.Z.MAIN.EUS:golang-0:1.19.10-1.el9_2.s390x"
        },
        "product_reference": "golang-0:1.19.10-1.el9_2.s390x",
        "relates_to_product_reference": "AppStream-9.2.0.Z.MAIN.EUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "golang-0:1.19.10-1.el9_2.src as a component of Red Hat Enterprise Linux AppStream (v. 9)",
          "product_id": "AppStream-9.2.0.Z.MAIN.EUS:golang-0:1.19.10-1.el9_2.src"
        },
        "product_reference": "golang-0:1.19.10-1.el9_2.src",
        "relates_to_product_reference": "AppStream-9.2.0.Z.MAIN.EUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "golang-0:1.19.10-1.el9_2.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
          "product_id": "AppStream-9.2.0.Z.MAIN.EUS:golang-0:1.19.10-1.el9_2.x86_64"
        },
        "product_reference": "golang-0:1.19.10-1.el9_2.x86_64",
        "relates_to_product_reference": "AppStream-9.2.0.Z.MAIN.EUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "golang-bin-0:1.19.10-1.el9_2.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
          "product_id": "AppStream-9.2.0.Z.MAIN.EUS:golang-bin-0:1.19.10-1.el9_2.aarch64"
        },
        "product_reference": "golang-bin-0:1.19.10-1.el9_2.aarch64",
        "relates_to_product_reference": "AppStream-9.2.0.Z.MAIN.EUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "golang-bin-0:1.19.10-1.el9_2.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
          "product_id": "AppStream-9.2.0.Z.MAIN.EUS:golang-bin-0:1.19.10-1.el9_2.ppc64le"
        },
        "product_reference": "golang-bin-0:1.19.10-1.el9_2.ppc64le",
        "relates_to_product_reference": "AppStream-9.2.0.Z.MAIN.EUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "golang-bin-0:1.19.10-1.el9_2.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
          "product_id": "AppStream-9.2.0.Z.MAIN.EUS:golang-bin-0:1.19.10-1.el9_2.s390x"
        },
        "product_reference": "golang-bin-0:1.19.10-1.el9_2.s390x",
        "relates_to_product_reference": "AppStream-9.2.0.Z.MAIN.EUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "golang-bin-0:1.19.10-1.el9_2.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
          "product_id": "AppStream-9.2.0.Z.MAIN.EUS:golang-bin-0:1.19.10-1.el9_2.x86_64"
        },
        "product_reference": "golang-bin-0:1.19.10-1.el9_2.x86_64",
        "relates_to_product_reference": "AppStream-9.2.0.Z.MAIN.EUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "golang-docs-0:1.19.10-1.el9_2.noarch as a component of Red Hat Enterprise Linux AppStream (v. 9)",
          "product_id": "AppStream-9.2.0.Z.MAIN.EUS:golang-docs-0:1.19.10-1.el9_2.noarch"
        },
        "product_reference": "golang-docs-0:1.19.10-1.el9_2.noarch",
        "relates_to_product_reference": "AppStream-9.2.0.Z.MAIN.EUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "golang-misc-0:1.19.10-1.el9_2.noarch as a component of Red Hat Enterprise Linux AppStream (v. 9)",
          "product_id": "AppStream-9.2.0.Z.MAIN.EUS:golang-misc-0:1.19.10-1.el9_2.noarch"
        },
        "product_reference": "golang-misc-0:1.19.10-1.el9_2.noarch",
        "relates_to_product_reference": "AppStream-9.2.0.Z.MAIN.EUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "golang-race-0:1.19.10-1.el9_2.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
          "product_id": "AppStream-9.2.0.Z.MAIN.EUS:golang-race-0:1.19.10-1.el9_2.x86_64"
        },
        "product_reference": "golang-race-0:1.19.10-1.el9_2.x86_64",
        "relates_to_product_reference": "AppStream-9.2.0.Z.MAIN.EUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "golang-src-0:1.19.10-1.el9_2.noarch as a component of Red Hat Enterprise Linux AppStream (v. 9)",
          "product_id": "AppStream-9.2.0.Z.MAIN.EUS:golang-src-0:1.19.10-1.el9_2.noarch"
        },
        "product_reference": "golang-src-0:1.19.10-1.el9_2.noarch",
        "relates_to_product_reference": "AppStream-9.2.0.Z.MAIN.EUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "golang-tests-0:1.19.10-1.el9_2.noarch as a component of Red Hat Enterprise Linux AppStream (v. 9)",
          "product_id": "AppStream-9.2.0.Z.MAIN.EUS:golang-tests-0:1.19.10-1.el9_2.noarch"
        },
        "product_reference": "golang-tests-0:1.19.10-1.el9_2.noarch",
        "relates_to_product_reference": "AppStream-9.2.0.Z.MAIN.EUS"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-29402",
      "cwe": {
        "id": "CWE-94",
        "name": "Improper Control of Generation of Code (\u0027Code Injection\u0027)"
      },
      "discovery_date": "2023-06-08T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2217562"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in golang. The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a go program that uses cgo. This can occur when running an untrusted module that contains directories with newline characters in their names. Modules that are retrieved using the go command, for example, via \"go get\", are not affected. Modules retrieved using GOPATH-mode, for example, GO111MODULE=off may be affected.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "golang: cmd/go: go command may generate unexpected code at build time when using cgo",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This vulnerability is only applicable to customer use of the go compiler and not any pre-compiled golang binaries shipped by Red Hat.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "AppStream-9.2.0.Z.MAIN.EUS:go-toolset-0:1.19.10-1.el9_2.aarch64",
          "AppStream-9.2.0.Z.MAIN.EUS:go-toolset-0:1.19.10-1.el9_2.ppc64le",
          "AppStream-9.2.0.Z.MAIN.EUS:go-toolset-0:1.19.10-1.el9_2.s390x",
          "AppStream-9.2.0.Z.MAIN.EUS:go-toolset-0:1.19.10-1.el9_2.src",
          "AppStream-9.2.0.Z.MAIN.EUS:go-toolset-0:1.19.10-1.el9_2.x86_64",
          "AppStream-9.2.0.Z.MAIN.EUS:golang-0:1.19.10-1.el9_2.aarch64",
          "AppStream-9.2.0.Z.MAIN.EUS:golang-0:1.19.10-1.el9_2.ppc64le",
          "AppStream-9.2.0.Z.MAIN.EUS:golang-0:1.19.10-1.el9_2.s390x",
          "AppStream-9.2.0.Z.MAIN.EUS:golang-0:1.19.10-1.el9_2.src",
          "AppStream-9.2.0.Z.MAIN.EUS:golang-0:1.19.10-1.el9_2.x86_64",
          "AppStream-9.2.0.Z.MAIN.EUS:golang-bin-0:1.19.10-1.el9_2.aarch64",
          "AppStream-9.2.0.Z.MAIN.EUS:golang-bin-0:1.19.10-1.el9_2.ppc64le",
          "AppStream-9.2.0.Z.MAIN.EUS:golang-bin-0:1.19.10-1.el9_2.s390x",
          "AppStream-9.2.0.Z.MAIN.EUS:golang-bin-0:1.19.10-1.el9_2.x86_64",
          "AppStream-9.2.0.Z.MAIN.EUS:golang-docs-0:1.19.10-1.el9_2.noarch",
          "AppStream-9.2.0.Z.MAIN.EUS:golang-misc-0:1.19.10-1.el9_2.noarch",
          "AppStream-9.2.0.Z.MAIN.EUS:golang-race-0:1.19.10-1.el9_2.x86_64",
          "AppStream-9.2.0.Z.MAIN.EUS:golang-src-0:1.19.10-1.el9_2.noarch",
          "AppStream-9.2.0.Z.MAIN.EUS:golang-tests-0:1.19.10-1.el9_2.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2023-29402"
        },
        {
          "category": "external",
          "summary": "RHBZ#2217562",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2217562"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2023-29402",
          "url": "https://www.cve.org/CVERecord?id=CVE-2023-29402"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-29402",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29402"
        },
        {
          "category": "external",
          "summary": "https://go.dev/cl/501226",
          "url": "https://go.dev/cl/501226"
        },
        {
          "category": "external",
          "summary": "https://go.dev/issue/60167",
          "url": "https://go.dev/issue/60167"
        },
        {
          "category": "external",
          "summary": "https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ",
          "url": "https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ"
        },
        {
          "category": "external",
          "summary": "https://pkg.go.dev/vuln/GO-2023-1839",
          "url": "https://pkg.go.dev/vuln/GO-2023-1839"
        }
      ],
      "release_date": "2023-06-08T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "AppStream-9.2.0.Z.MAIN.EUS:go-toolset-0:1.19.10-1.el9_2.aarch64",
            "AppStream-9.2.0.Z.MAIN.EUS:go-toolset-0:1.19.10-1.el9_2.ppc64le",
            "AppStream-9.2.0.Z.MAIN.EUS:go-toolset-0:1.19.10-1.el9_2.s390x",
            "AppStream-9.2.0.Z.MAIN.EUS:go-toolset-0:1.19.10-1.el9_2.src",
            "AppStream-9.2.0.Z.MAIN.EUS:go-toolset-0:1.19.10-1.el9_2.x86_64",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-0:1.19.10-1.el9_2.aarch64",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-0:1.19.10-1.el9_2.ppc64le",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-0:1.19.10-1.el9_2.s390x",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-0:1.19.10-1.el9_2.src",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-0:1.19.10-1.el9_2.x86_64",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-bin-0:1.19.10-1.el9_2.aarch64",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-bin-0:1.19.10-1.el9_2.ppc64le",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-bin-0:1.19.10-1.el9_2.s390x",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-bin-0:1.19.10-1.el9_2.x86_64",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-docs-0:1.19.10-1.el9_2.noarch",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-misc-0:1.19.10-1.el9_2.noarch",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-race-0:1.19.10-1.el9_2.x86_64",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-src-0:1.19.10-1.el9_2.noarch",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-tests-0:1.19.10-1.el9_2.noarch"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2023:3923"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.0,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "AppStream-9.2.0.Z.MAIN.EUS:go-toolset-0:1.19.10-1.el9_2.aarch64",
            "AppStream-9.2.0.Z.MAIN.EUS:go-toolset-0:1.19.10-1.el9_2.ppc64le",
            "AppStream-9.2.0.Z.MAIN.EUS:go-toolset-0:1.19.10-1.el9_2.s390x",
            "AppStream-9.2.0.Z.MAIN.EUS:go-toolset-0:1.19.10-1.el9_2.src",
            "AppStream-9.2.0.Z.MAIN.EUS:go-toolset-0:1.19.10-1.el9_2.x86_64",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-0:1.19.10-1.el9_2.aarch64",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-0:1.19.10-1.el9_2.ppc64le",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-0:1.19.10-1.el9_2.s390x",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-0:1.19.10-1.el9_2.src",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-0:1.19.10-1.el9_2.x86_64",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-bin-0:1.19.10-1.el9_2.aarch64",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-bin-0:1.19.10-1.el9_2.ppc64le",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-bin-0:1.19.10-1.el9_2.s390x",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-bin-0:1.19.10-1.el9_2.x86_64",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-docs-0:1.19.10-1.el9_2.noarch",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-misc-0:1.19.10-1.el9_2.noarch",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-race-0:1.19.10-1.el9_2.x86_64",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-src-0:1.19.10-1.el9_2.noarch",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-tests-0:1.19.10-1.el9_2.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "golang: cmd/go: go command may generate unexpected code at build time when using cgo"
    },
    {
      "cve": "CVE-2023-29403",
      "cwe": {
        "id": "CWE-668",
        "name": "Exposure of Resource to Wrong Sphere"
      },
      "discovery_date": "2023-06-23T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2216965"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "On Unix platforms, the Go runtime does not behave differently when a binary is run with the setuid/setgid bits. This can be dangerous in certain cases, such as when dumping memory state or assuming the status of standard I/O file descriptors. If a setuid/setgid binary is executed with standard I/O file descriptors closed, opening any files can result in unexpected content being read or written with elevated privileges. Similarly, if a setuid/setgid program is terminated, either via panic or signal, it may leak the contents of its registers.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "golang: runtime: unexpected behavior of setuid/setgid binaries",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "AppStream-9.2.0.Z.MAIN.EUS:go-toolset-0:1.19.10-1.el9_2.aarch64",
          "AppStream-9.2.0.Z.MAIN.EUS:go-toolset-0:1.19.10-1.el9_2.ppc64le",
          "AppStream-9.2.0.Z.MAIN.EUS:go-toolset-0:1.19.10-1.el9_2.s390x",
          "AppStream-9.2.0.Z.MAIN.EUS:go-toolset-0:1.19.10-1.el9_2.src",
          "AppStream-9.2.0.Z.MAIN.EUS:go-toolset-0:1.19.10-1.el9_2.x86_64",
          "AppStream-9.2.0.Z.MAIN.EUS:golang-0:1.19.10-1.el9_2.aarch64",
          "AppStream-9.2.0.Z.MAIN.EUS:golang-0:1.19.10-1.el9_2.ppc64le",
          "AppStream-9.2.0.Z.MAIN.EUS:golang-0:1.19.10-1.el9_2.s390x",
          "AppStream-9.2.0.Z.MAIN.EUS:golang-0:1.19.10-1.el9_2.src",
          "AppStream-9.2.0.Z.MAIN.EUS:golang-0:1.19.10-1.el9_2.x86_64",
          "AppStream-9.2.0.Z.MAIN.EUS:golang-bin-0:1.19.10-1.el9_2.aarch64",
          "AppStream-9.2.0.Z.MAIN.EUS:golang-bin-0:1.19.10-1.el9_2.ppc64le",
          "AppStream-9.2.0.Z.MAIN.EUS:golang-bin-0:1.19.10-1.el9_2.s390x",
          "AppStream-9.2.0.Z.MAIN.EUS:golang-bin-0:1.19.10-1.el9_2.x86_64",
          "AppStream-9.2.0.Z.MAIN.EUS:golang-docs-0:1.19.10-1.el9_2.noarch",
          "AppStream-9.2.0.Z.MAIN.EUS:golang-misc-0:1.19.10-1.el9_2.noarch",
          "AppStream-9.2.0.Z.MAIN.EUS:golang-race-0:1.19.10-1.el9_2.x86_64",
          "AppStream-9.2.0.Z.MAIN.EUS:golang-src-0:1.19.10-1.el9_2.noarch",
          "AppStream-9.2.0.Z.MAIN.EUS:golang-tests-0:1.19.10-1.el9_2.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2023-29403"
        },
        {
          "category": "external",
          "summary": "RHBZ#2216965",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2216965"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2023-29403",
          "url": "https://www.cve.org/CVERecord?id=CVE-2023-29403"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-29403",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29403"
        },
        {
          "category": "external",
          "summary": "https://go.dev/cl/501223",
          "url": "https://go.dev/cl/501223"
        },
        {
          "category": "external",
          "summary": "https://go.dev/issue/60272",
          "url": "https://go.dev/issue/60272"
        },
        {
          "category": "external",
          "summary": "https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ",
          "url": "https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ"
        },
        {
          "category": "external",
          "summary": "https://pkg.go.dev/vuln/GO-2023-1840",
          "url": "https://pkg.go.dev/vuln/GO-2023-1840"
        }
      ],
      "release_date": "2023-06-08T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "AppStream-9.2.0.Z.MAIN.EUS:go-toolset-0:1.19.10-1.el9_2.aarch64",
            "AppStream-9.2.0.Z.MAIN.EUS:go-toolset-0:1.19.10-1.el9_2.ppc64le",
            "AppStream-9.2.0.Z.MAIN.EUS:go-toolset-0:1.19.10-1.el9_2.s390x",
            "AppStream-9.2.0.Z.MAIN.EUS:go-toolset-0:1.19.10-1.el9_2.src",
            "AppStream-9.2.0.Z.MAIN.EUS:go-toolset-0:1.19.10-1.el9_2.x86_64",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-0:1.19.10-1.el9_2.aarch64",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-0:1.19.10-1.el9_2.ppc64le",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-0:1.19.10-1.el9_2.s390x",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-0:1.19.10-1.el9_2.src",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-0:1.19.10-1.el9_2.x86_64",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-bin-0:1.19.10-1.el9_2.aarch64",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-bin-0:1.19.10-1.el9_2.ppc64le",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-bin-0:1.19.10-1.el9_2.s390x",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-bin-0:1.19.10-1.el9_2.x86_64",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-docs-0:1.19.10-1.el9_2.noarch",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-misc-0:1.19.10-1.el9_2.noarch",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-race-0:1.19.10-1.el9_2.x86_64",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-src-0:1.19.10-1.el9_2.noarch",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-tests-0:1.19.10-1.el9_2.noarch"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2023:3923"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "AppStream-9.2.0.Z.MAIN.EUS:go-toolset-0:1.19.10-1.el9_2.aarch64",
            "AppStream-9.2.0.Z.MAIN.EUS:go-toolset-0:1.19.10-1.el9_2.ppc64le",
            "AppStream-9.2.0.Z.MAIN.EUS:go-toolset-0:1.19.10-1.el9_2.s390x",
            "AppStream-9.2.0.Z.MAIN.EUS:go-toolset-0:1.19.10-1.el9_2.src",
            "AppStream-9.2.0.Z.MAIN.EUS:go-toolset-0:1.19.10-1.el9_2.x86_64",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-0:1.19.10-1.el9_2.aarch64",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-0:1.19.10-1.el9_2.ppc64le",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-0:1.19.10-1.el9_2.s390x",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-0:1.19.10-1.el9_2.src",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-0:1.19.10-1.el9_2.x86_64",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-bin-0:1.19.10-1.el9_2.aarch64",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-bin-0:1.19.10-1.el9_2.ppc64le",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-bin-0:1.19.10-1.el9_2.s390x",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-bin-0:1.19.10-1.el9_2.x86_64",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-docs-0:1.19.10-1.el9_2.noarch",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-misc-0:1.19.10-1.el9_2.noarch",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-race-0:1.19.10-1.el9_2.x86_64",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-src-0:1.19.10-1.el9_2.noarch",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-tests-0:1.19.10-1.el9_2.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "golang: runtime: unexpected behavior of setuid/setgid binaries"
    },
    {
      "cve": "CVE-2023-29404",
      "cwe": {
        "id": "CWE-94",
        "name": "Improper Control of Generation of Code (\u0027Code Injection\u0027)"
      },
      "discovery_date": "2023-06-08T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2217565"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in golang. The go command may execute arbitrary code at build time when using cgo. This can occur when running \"go get\" on a malicious module, or when running any other command which builds untrusted code. This can be triggered by linker flags, specified via a \"#cgo LDFLAGS\" directive. The arguments for a number of flags which are non-optional are incorrectly considered optional, allowing disallowed flags to be smuggled through the LDFLAGS sanitization. This affects usage of both the gc and gccgo compilers.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "golang: cmd/go: go command may execute arbitrary code at build time when using cgo",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This vulnerability is only applicable to customer use of the GC \u0026 GCCGO compiler and not any pre-compiled golang binaries shipped by Red Hat.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "AppStream-9.2.0.Z.MAIN.EUS:go-toolset-0:1.19.10-1.el9_2.aarch64",
          "AppStream-9.2.0.Z.MAIN.EUS:go-toolset-0:1.19.10-1.el9_2.ppc64le",
          "AppStream-9.2.0.Z.MAIN.EUS:go-toolset-0:1.19.10-1.el9_2.s390x",
          "AppStream-9.2.0.Z.MAIN.EUS:go-toolset-0:1.19.10-1.el9_2.src",
          "AppStream-9.2.0.Z.MAIN.EUS:go-toolset-0:1.19.10-1.el9_2.x86_64",
          "AppStream-9.2.0.Z.MAIN.EUS:golang-0:1.19.10-1.el9_2.aarch64",
          "AppStream-9.2.0.Z.MAIN.EUS:golang-0:1.19.10-1.el9_2.ppc64le",
          "AppStream-9.2.0.Z.MAIN.EUS:golang-0:1.19.10-1.el9_2.s390x",
          "AppStream-9.2.0.Z.MAIN.EUS:golang-0:1.19.10-1.el9_2.src",
          "AppStream-9.2.0.Z.MAIN.EUS:golang-0:1.19.10-1.el9_2.x86_64",
          "AppStream-9.2.0.Z.MAIN.EUS:golang-bin-0:1.19.10-1.el9_2.aarch64",
          "AppStream-9.2.0.Z.MAIN.EUS:golang-bin-0:1.19.10-1.el9_2.ppc64le",
          "AppStream-9.2.0.Z.MAIN.EUS:golang-bin-0:1.19.10-1.el9_2.s390x",
          "AppStream-9.2.0.Z.MAIN.EUS:golang-bin-0:1.19.10-1.el9_2.x86_64",
          "AppStream-9.2.0.Z.MAIN.EUS:golang-docs-0:1.19.10-1.el9_2.noarch",
          "AppStream-9.2.0.Z.MAIN.EUS:golang-misc-0:1.19.10-1.el9_2.noarch",
          "AppStream-9.2.0.Z.MAIN.EUS:golang-race-0:1.19.10-1.el9_2.x86_64",
          "AppStream-9.2.0.Z.MAIN.EUS:golang-src-0:1.19.10-1.el9_2.noarch",
          "AppStream-9.2.0.Z.MAIN.EUS:golang-tests-0:1.19.10-1.el9_2.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2023-29404"
        },
        {
          "category": "external",
          "summary": "RHBZ#2217565",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2217565"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2023-29404",
          "url": "https://www.cve.org/CVERecord?id=CVE-2023-29404"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-29404",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29404"
        },
        {
          "category": "external",
          "summary": "https://go.dev/cl/501225",
          "url": "https://go.dev/cl/501225"
        },
        {
          "category": "external",
          "summary": "https://go.dev/issue/60305",
          "url": "https://go.dev/issue/60305"
        },
        {
          "category": "external",
          "summary": "https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ",
          "url": "https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ"
        },
        {
          "category": "external",
          "summary": "https://pkg.go.dev/vuln/GO-2023-1841",
          "url": "https://pkg.go.dev/vuln/GO-2023-1841"
        }
      ],
      "release_date": "2023-06-08T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "AppStream-9.2.0.Z.MAIN.EUS:go-toolset-0:1.19.10-1.el9_2.aarch64",
            "AppStream-9.2.0.Z.MAIN.EUS:go-toolset-0:1.19.10-1.el9_2.ppc64le",
            "AppStream-9.2.0.Z.MAIN.EUS:go-toolset-0:1.19.10-1.el9_2.s390x",
            "AppStream-9.2.0.Z.MAIN.EUS:go-toolset-0:1.19.10-1.el9_2.src",
            "AppStream-9.2.0.Z.MAIN.EUS:go-toolset-0:1.19.10-1.el9_2.x86_64",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-0:1.19.10-1.el9_2.aarch64",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-0:1.19.10-1.el9_2.ppc64le",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-0:1.19.10-1.el9_2.s390x",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-0:1.19.10-1.el9_2.src",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-0:1.19.10-1.el9_2.x86_64",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-bin-0:1.19.10-1.el9_2.aarch64",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-bin-0:1.19.10-1.el9_2.ppc64le",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-bin-0:1.19.10-1.el9_2.s390x",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-bin-0:1.19.10-1.el9_2.x86_64",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-docs-0:1.19.10-1.el9_2.noarch",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-misc-0:1.19.10-1.el9_2.noarch",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-race-0:1.19.10-1.el9_2.x86_64",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-src-0:1.19.10-1.el9_2.noarch",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-tests-0:1.19.10-1.el9_2.noarch"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2023:3923"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "AppStream-9.2.0.Z.MAIN.EUS:go-toolset-0:1.19.10-1.el9_2.aarch64",
            "AppStream-9.2.0.Z.MAIN.EUS:go-toolset-0:1.19.10-1.el9_2.ppc64le",
            "AppStream-9.2.0.Z.MAIN.EUS:go-toolset-0:1.19.10-1.el9_2.s390x",
            "AppStream-9.2.0.Z.MAIN.EUS:go-toolset-0:1.19.10-1.el9_2.src",
            "AppStream-9.2.0.Z.MAIN.EUS:go-toolset-0:1.19.10-1.el9_2.x86_64",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-0:1.19.10-1.el9_2.aarch64",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-0:1.19.10-1.el9_2.ppc64le",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-0:1.19.10-1.el9_2.s390x",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-0:1.19.10-1.el9_2.src",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-0:1.19.10-1.el9_2.x86_64",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-bin-0:1.19.10-1.el9_2.aarch64",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-bin-0:1.19.10-1.el9_2.ppc64le",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-bin-0:1.19.10-1.el9_2.s390x",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-bin-0:1.19.10-1.el9_2.x86_64",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-docs-0:1.19.10-1.el9_2.noarch",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-misc-0:1.19.10-1.el9_2.noarch",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-race-0:1.19.10-1.el9_2.x86_64",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-src-0:1.19.10-1.el9_2.noarch",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-tests-0:1.19.10-1.el9_2.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "golang: cmd/go: go command may execute arbitrary code at build time when using cgo"
    },
    {
      "cve": "CVE-2023-29405",
      "cwe": {
        "id": "CWE-74",
        "name": "Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)"
      },
      "discovery_date": "2023-06-08T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2217569"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in golang. The go command may execute arbitrary code at build time when using cgo. This can occur when running \"go get\" on a malicious module, or when running any other command which builds untrusted code. This can be triggered by linker flags, specified via a \"#cgo LDFLAGS\" directive. Flags containing embedded spaces are mishandled, allowing disallowed flags to be smuggled through the LDFLAGS sanitization by including them in the argument of another flag. This only affects usage of the gccgo compiler.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "golang: cmd/cgo: Arbitrary code execution triggered by linker flags",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This vulnerability is only applicable to customer use of the GCCGO compiler and not any pre-compiled golang binaries shipped by Red Hat.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "AppStream-9.2.0.Z.MAIN.EUS:go-toolset-0:1.19.10-1.el9_2.aarch64",
          "AppStream-9.2.0.Z.MAIN.EUS:go-toolset-0:1.19.10-1.el9_2.ppc64le",
          "AppStream-9.2.0.Z.MAIN.EUS:go-toolset-0:1.19.10-1.el9_2.s390x",
          "AppStream-9.2.0.Z.MAIN.EUS:go-toolset-0:1.19.10-1.el9_2.src",
          "AppStream-9.2.0.Z.MAIN.EUS:go-toolset-0:1.19.10-1.el9_2.x86_64",
          "AppStream-9.2.0.Z.MAIN.EUS:golang-0:1.19.10-1.el9_2.aarch64",
          "AppStream-9.2.0.Z.MAIN.EUS:golang-0:1.19.10-1.el9_2.ppc64le",
          "AppStream-9.2.0.Z.MAIN.EUS:golang-0:1.19.10-1.el9_2.s390x",
          "AppStream-9.2.0.Z.MAIN.EUS:golang-0:1.19.10-1.el9_2.src",
          "AppStream-9.2.0.Z.MAIN.EUS:golang-0:1.19.10-1.el9_2.x86_64",
          "AppStream-9.2.0.Z.MAIN.EUS:golang-bin-0:1.19.10-1.el9_2.aarch64",
          "AppStream-9.2.0.Z.MAIN.EUS:golang-bin-0:1.19.10-1.el9_2.ppc64le",
          "AppStream-9.2.0.Z.MAIN.EUS:golang-bin-0:1.19.10-1.el9_2.s390x",
          "AppStream-9.2.0.Z.MAIN.EUS:golang-bin-0:1.19.10-1.el9_2.x86_64",
          "AppStream-9.2.0.Z.MAIN.EUS:golang-docs-0:1.19.10-1.el9_2.noarch",
          "AppStream-9.2.0.Z.MAIN.EUS:golang-misc-0:1.19.10-1.el9_2.noarch",
          "AppStream-9.2.0.Z.MAIN.EUS:golang-race-0:1.19.10-1.el9_2.x86_64",
          "AppStream-9.2.0.Z.MAIN.EUS:golang-src-0:1.19.10-1.el9_2.noarch",
          "AppStream-9.2.0.Z.MAIN.EUS:golang-tests-0:1.19.10-1.el9_2.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2023-29405"
        },
        {
          "category": "external",
          "summary": "RHBZ#2217569",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2217569"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2023-29405",
          "url": "https://www.cve.org/CVERecord?id=CVE-2023-29405"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-29405",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29405"
        },
        {
          "category": "external",
          "summary": "https://go.dev/cl/501224",
          "url": "https://go.dev/cl/501224"
        },
        {
          "category": "external",
          "summary": "https://go.dev/issue/60306",
          "url": "https://go.dev/issue/60306"
        },
        {
          "category": "external",
          "summary": "https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ",
          "url": "https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ"
        },
        {
          "category": "external",
          "summary": "https://pkg.go.dev/vuln/GO-2023-1842",
          "url": "https://pkg.go.dev/vuln/GO-2023-1842"
        }
      ],
      "release_date": "2023-06-08T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "AppStream-9.2.0.Z.MAIN.EUS:go-toolset-0:1.19.10-1.el9_2.aarch64",
            "AppStream-9.2.0.Z.MAIN.EUS:go-toolset-0:1.19.10-1.el9_2.ppc64le",
            "AppStream-9.2.0.Z.MAIN.EUS:go-toolset-0:1.19.10-1.el9_2.s390x",
            "AppStream-9.2.0.Z.MAIN.EUS:go-toolset-0:1.19.10-1.el9_2.src",
            "AppStream-9.2.0.Z.MAIN.EUS:go-toolset-0:1.19.10-1.el9_2.x86_64",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-0:1.19.10-1.el9_2.aarch64",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-0:1.19.10-1.el9_2.ppc64le",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-0:1.19.10-1.el9_2.s390x",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-0:1.19.10-1.el9_2.src",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-0:1.19.10-1.el9_2.x86_64",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-bin-0:1.19.10-1.el9_2.aarch64",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-bin-0:1.19.10-1.el9_2.ppc64le",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-bin-0:1.19.10-1.el9_2.s390x",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-bin-0:1.19.10-1.el9_2.x86_64",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-docs-0:1.19.10-1.el9_2.noarch",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-misc-0:1.19.10-1.el9_2.noarch",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-race-0:1.19.10-1.el9_2.x86_64",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-src-0:1.19.10-1.el9_2.noarch",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-tests-0:1.19.10-1.el9_2.noarch"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2023:3923"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "AppStream-9.2.0.Z.MAIN.EUS:go-toolset-0:1.19.10-1.el9_2.aarch64",
            "AppStream-9.2.0.Z.MAIN.EUS:go-toolset-0:1.19.10-1.el9_2.ppc64le",
            "AppStream-9.2.0.Z.MAIN.EUS:go-toolset-0:1.19.10-1.el9_2.s390x",
            "AppStream-9.2.0.Z.MAIN.EUS:go-toolset-0:1.19.10-1.el9_2.src",
            "AppStream-9.2.0.Z.MAIN.EUS:go-toolset-0:1.19.10-1.el9_2.x86_64",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-0:1.19.10-1.el9_2.aarch64",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-0:1.19.10-1.el9_2.ppc64le",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-0:1.19.10-1.el9_2.s390x",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-0:1.19.10-1.el9_2.src",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-0:1.19.10-1.el9_2.x86_64",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-bin-0:1.19.10-1.el9_2.aarch64",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-bin-0:1.19.10-1.el9_2.ppc64le",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-bin-0:1.19.10-1.el9_2.s390x",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-bin-0:1.19.10-1.el9_2.x86_64",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-docs-0:1.19.10-1.el9_2.noarch",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-misc-0:1.19.10-1.el9_2.noarch",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-race-0:1.19.10-1.el9_2.x86_64",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-src-0:1.19.10-1.el9_2.noarch",
            "AppStream-9.2.0.Z.MAIN.EUS:golang-tests-0:1.19.10-1.el9_2.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "golang: cmd/cgo: Arbitrary code execution triggered by linker flags"
    }
  ]
}

cve-2023-29403

Vulnerability from cvelistv5

Published

2023-06-08 20:19

Modified

2024-08-02 14:07

Severity

Summary

Unsafe behavior in setuid/setgid binaries in runtime

References

URL	Tags
https://go.dev/issue/60272
https://go.dev/cl/501223
https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ
https://pkg.go.dev/vuln/GO-2023-1840
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBS3IIK6ADV24C5ULQU55QLT2UE762ZX/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZ2O6YCO2IZMZJELQGZYR2WAUNEDLYV6/
https://security.gentoo.org/glsa/202311-09

Impacted products

Vendor	Product
Go standard library	runtime

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T14:07:46.027Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://go.dev/issue/60272"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://go.dev/cl/501223"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://pkg.go.dev/vuln/GO-2023-1840"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBS3IIK6ADV24C5ULQU55QLT2UE762ZX/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZ2O6YCO2IZMZJELQGZYR2WAUNEDLYV6/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202311-09"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "runtime",
          "product": "runtime",
          "vendor": "Go standard library",
          "versions": [
            {
              "lessThan": "1.19.10",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.20.5",
              "status": "affected",
              "version": "1.20.0-0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Vincent Dehors from Synacktiv"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "On Unix platforms, the Go runtime does not behave differently when a binary is run with the setuid/setgid bits. This can be dangerous in certain cases, such as when dumping memory state, or assuming the status of standard i/o file descriptors. If a setuid/setgid binary is executed with standard I/O file descriptors closed, opening any files can result in unexpected content being read or written with elevated privileges. Similarly, if a setuid/setgid program is terminated, either via panic or signal, it may leak the contents of its registers."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-642: External Control of Critical State Data",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-06-12T19:08:37.846Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/issue/60272"
        },
        {
          "url": "https://go.dev/cl/501223"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2023-1840"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBS3IIK6ADV24C5ULQU55QLT2UE762ZX/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZ2O6YCO2IZMZJELQGZYR2WAUNEDLYV6/"
        },
        {
          "url": "https://security.gentoo.org/glsa/202311-09"
        }
      ],
      "title": "Unsafe behavior in setuid/setgid binaries in runtime"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2023-29403",
    "datePublished": "2023-06-08T20:19:13.222Z",
    "dateReserved": "2023-04-05T19:36:35.042Z",
    "dateUpdated": "2024-08-02T14:07:46.027Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2023-29405

Vulnerability from cvelistv5

Published

2023-06-08 20:19

Modified

2024-08-02 14:07

Severity

Summary

Improper sanitization of LDFLAGS with embedded spaces in go command with cgo in cmd/go

References

URL	Tags
https://go.dev/issue/60306
https://go.dev/cl/501224
https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ
https://pkg.go.dev/vuln/GO-2023-1842
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBS3IIK6ADV24C5ULQU55QLT2UE762ZX/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZ2O6YCO2IZMZJELQGZYR2WAUNEDLYV6/
https://security.gentoo.org/glsa/202311-09

Impacted products

Vendor	Product
Go toolchain	cmd/go
Go toolchain	cmd/cgo

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T14:07:45.814Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://go.dev/issue/60306"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://go.dev/cl/501224"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://pkg.go.dev/vuln/GO-2023-1842"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBS3IIK6ADV24C5ULQU55QLT2UE762ZX/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZ2O6YCO2IZMZJELQGZYR2WAUNEDLYV6/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202311-09"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "cmd/go",
          "product": "cmd/go",
          "vendor": "Go toolchain",
          "versions": [
            {
              "lessThan": "1.19.10",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.20.5",
              "status": "affected",
              "version": "1.20.0-0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "cmd/cgo",
          "product": "cmd/cgo",
          "vendor": "Go toolchain",
          "versions": [
            {
              "lessThan": "1.19.10",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.20.5",
              "status": "affected",
              "version": "1.20.0-0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Juho Nurminen of Mattermost"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The go command may execute arbitrary code at build time when using cgo. This may occur when running \"go get\" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a \"#cgo LDFLAGS\" directive. Flags containing embedded spaces are mishandled, allowing disallowed flags to be smuggled through the LDFLAGS sanitization by including them in the argument of another flag. This only affects usage of the gccgo compiler."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-88: Improper Neutralization of Argument Delimiters in a Command (\u0027Argument Injection\u0027)",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-01-04T18:09:23.809Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/issue/60306"
        },
        {
          "url": "https://go.dev/cl/501224"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2023-1842"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBS3IIK6ADV24C5ULQU55QLT2UE762ZX/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZ2O6YCO2IZMZJELQGZYR2WAUNEDLYV6/"
        },
        {
          "url": "https://security.gentoo.org/glsa/202311-09"
        }
      ],
      "title": "Improper sanitization of LDFLAGS with embedded spaces in go command with cgo in cmd/go"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2023-29405",
    "datePublished": "2023-06-08T20:19:19.267Z",
    "dateReserved": "2023-04-05T19:36:35.043Z",
    "dateUpdated": "2024-08-02T14:07:45.814Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2023-29402

Vulnerability from cvelistv5

Published

2023-06-08 20:19

Modified

2024-08-02 14:07

Severity

Summary

Code injection via go command with cgo in cmd/go

References

URL	Tags
https://go.dev/issue/60167
https://go.dev/cl/501226
https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ
https://pkg.go.dev/vuln/GO-2023-1839
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBS3IIK6ADV24C5ULQU55QLT2UE762ZX/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZ2O6YCO2IZMZJELQGZYR2WAUNEDLYV6/
https://security.gentoo.org/glsa/202311-09

Impacted products

Vendor	Product
Go toolchain	cmd/go

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T14:07:46.220Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://go.dev/issue/60167"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://go.dev/cl/501226"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://pkg.go.dev/vuln/GO-2023-1839"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBS3IIK6ADV24C5ULQU55QLT2UE762ZX/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZ2O6YCO2IZMZJELQGZYR2WAUNEDLYV6/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202311-09"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "cmd/go",
          "product": "cmd/go",
          "vendor": "Go toolchain",
          "versions": [
            {
              "lessThan": "1.19.10",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.20.5",
              "status": "affected",
              "version": "1.20.0-0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Juho Nurminen of Mattermost"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a go program which uses cgo. This may occur when running an untrusted module which contains directories with newline characters in their names. Modules which are retrieved using the go command, i.e. via \"go get\", are not affected (modules retrieved using GOPATH-mode, i.e. GO111MODULE=off, may be affected)."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-06-12T19:08:33.331Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/issue/60167"
        },
        {
          "url": "https://go.dev/cl/501226"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2023-1839"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBS3IIK6ADV24C5ULQU55QLT2UE762ZX/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZ2O6YCO2IZMZJELQGZYR2WAUNEDLYV6/"
        },
        {
          "url": "https://security.gentoo.org/glsa/202311-09"
        }
      ],
      "title": "Code injection via go command with cgo in cmd/go"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2023-29402",
    "datePublished": "2023-06-08T20:19:04.483Z",
    "dateReserved": "2023-04-05T19:36:35.042Z",
    "dateUpdated": "2024-08-02T14:07:46.220Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2023-29404

Vulnerability from cvelistv5

Published

2023-06-08 20:19

Modified

2024-08-02 14:07

Severity

Summary

Improper handling of non-optional LDFLAGS in go command with cgo in cmd/go

References

URL	Tags
https://go.dev/issue/60305
https://go.dev/cl/501225
https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ
https://pkg.go.dev/vuln/GO-2023-1841
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBS3IIK6ADV24C5ULQU55QLT2UE762ZX/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZ2O6YCO2IZMZJELQGZYR2WAUNEDLYV6/
https://security.gentoo.org/glsa/202311-09

Impacted products

Vendor	Product
Go toolchain	cmd/go

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T14:07:45.919Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://go.dev/issue/60305"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://go.dev/cl/501225"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://pkg.go.dev/vuln/GO-2023-1841"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBS3IIK6ADV24C5ULQU55QLT2UE762ZX/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZ2O6YCO2IZMZJELQGZYR2WAUNEDLYV6/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202311-09"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "cmd/go",
          "product": "cmd/go",
          "vendor": "Go toolchain",
          "versions": [
            {
              "lessThan": "1.19.10",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.20.5",
              "status": "affected",
              "version": "1.20.0-0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Juho Nurminen of Mattermost"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The go command may execute arbitrary code at build time when using cgo. This may occur when running \"go get\" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a \"#cgo LDFLAGS\" directive. The arguments for a number of flags which are non-optional are incorrectly considered optional, allowing disallowed flags to be smuggled through the LDFLAGS sanitization. This affects usage of both the gc and gccgo compilers."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-94: Improper Control of Generation of Code (\"Code Injection\")",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-01-04T18:09:18.646Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/issue/60305"
        },
        {
          "url": "https://go.dev/cl/501225"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2023-1841"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBS3IIK6ADV24C5ULQU55QLT2UE762ZX/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZ2O6YCO2IZMZJELQGZYR2WAUNEDLYV6/"
        },
        {
          "url": "https://security.gentoo.org/glsa/202311-09"
        }
      ],
      "title": "Improper handling of non-optional LDFLAGS in go command with cgo in cmd/go"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2023-29404",
    "datePublished": "2023-06-08T20:19:17.548Z",
    "dateReserved": "2023-04-05T19:36:35.043Z",
    "dateUpdated": "2024-08-02T14:07:45.919Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Action not permitted

rhsa-2023_3923

Vulnerability from csaf_redhat

cve-2023-29403

Vulnerability from cvelistv5

cve-2023-29405

Vulnerability from cvelistv5

cve-2023-29402

Vulnerability from cvelistv5

cve-2023-29404

Vulnerability from cvelistv5

Tags