CVE-2023-29403: Unsafe behavior in setuid/setgid binaries in runtime

Reference Links

• https://go.dev/cl/501223
• https://go.dev/issue/60272
• https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZ2O6YCO2IZMZJELQGZYR2WAUNEDLYV6/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBS3IIK6ADV24C5ULQU55QLT2UE762ZX/
• https://pkg.go.dev/vuln/GO-2023-1840
• https://security.gentoo.org/glsa/202311-09
• https://exchange.xforce.ibmcloud.com/vulnerabilities/257653
• https://www.ibm.com/support/pages/node/7096482 (Advisory)

Parent vulnerabilities

(Appears in the following advisories)

• IBM-7096482

Frequently Asked Questions

• What is CVE-2023-29403?

  CVE-2023-29403 is a vulnerability in the Go programming language on Unix platforms, where the Go runtime does not behave differently when a binary is run with the setuid/setgid bits, which can be dangerous in certain cases.

• What is the severity of CVE-2023-29403?

  The severity of CVE-2023-29403 is high with a severity value of 7.8.

• Which software versions are affected by CVE-2023-29403?

  The affected software versions are Go up to version 1.19.10, Go versions 1.20.0 to 1.20.5, and Fedora version 38.

• How can CVE-2023-29403 be exploited?

  CVE-2023-29403 can be exploited by executing a setuid/setgid binary with standard I/O, allowing for dangerous actions like dumping memory state or assuming the status of standard I/O file descriptors.

• Are there any references available for CVE-2023-29403?

  Yes, you can find references for CVE-2023-29403 at the following links: [link1](https://go.dev/cl/501223), [link2](https://go.dev/issue/60272), [link3](https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ)