CVE-2023-29402: Code injection via go command with cgo in cmd/go

Reference Links

• https://go.dev/cl/501226
• https://go.dev/issue/60167
• https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZ2O6YCO2IZMZJELQGZYR2WAUNEDLYV6/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBS3IIK6ADV24C5ULQU55QLT2UE762ZX/
• https://pkg.go.dev/vuln/GO-2023-1839
• https://security.gentoo.org/glsa/202311-09
• https://exchange.xforce.ibmcloud.com/vulnerabilities/257652
• https://www.ibm.com/support/pages/node/7096482 (Advisory)

Parent vulnerabilities

(Appears in the following advisories)

• IBM-7096482

Frequently Asked Questions

• What is CVE-2023-29402?

  CVE-2023-29402 is a vulnerability in the go command that may generate unexpected code at build time when using cgo, resulting in unexpected behavior when running a go program.

• How does CVE-2023-29402 impact go programs?

  CVE-2023-29402 may cause unexpected behavior in go programs that use cgo.

• Which versions of Go are affected by CVE-2023-29402?

  Go versions up to 1.19.10 and versions 1.20.0 to 1.20.5 are affected by CVE-2023-29402.

• Are there any known fixes for CVE-2023-29402?

  Applying the latest security updates for Go is recommended to mitigate CVE-2023-29402.

• Where can I find more information about CVE-2023-29402?

  You can find more information about CVE-2023-29402 on the following links: [link1](https://go.dev/cl/501226), [link2](https://go.dev/issue/60167), [link3](https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ).