First published: Thu Oct 05 2023
Line directives ("//line") can be used to bypass the restrictions on "//go:cgo_" directives, allowing blocked linker and compiler flags to be passed during compilation. This can result in unexpected execution of arbitrary code when running "go build". The line directive requires the absolute path of the file in which the directive lives, which makes exploiting this issue significantly more complex.
Credit: security@golang.org
Affected Software | Affected Version | How to fix |
---|---|---|
Golang Go | <1.20.9 | |
Golang Go | >=1.21.0, <1.21.2 | |
Fedoraproject Fedora | =37 | |
Fedoraproject Fedora | =38 | |
Fedoraproject Fedora | =39 | |
ubuntu/golang-1.20 | <1.20.3-1ubuntu0.1~20.04.1 | 1.20.3-1ubuntu0.1~20.04.1 |
ubuntu/golang-1.20 | <1.20.3-1ubuntu0.1~22.04.1 | 1.20.3-1ubuntu0.1~22.04.1 |
ubuntu/golang-1.20 | <1.20.3-1ubuntu0.2 | 1.20.3-1ubuntu0.2 |
ubuntu/golang-1.20 | <1.20.8-1ubuntu0.23.10.1 | 1.20.8-1ubuntu0.23.10.1 |
ubuntu/golang-1.20 | <1.20.9-1 | 1.20.9-1 |
ubuntu/golang-1.21 | <1.21.1-1~ubuntu20.04.2 | 1.21.1-1~ubuntu20.04.2 |
ubuntu/golang-1.21 | <1.21.1-1~ubuntu22.04.2 | 1.21.1-1~ubuntu22.04.2 |
ubuntu/golang-1.21 | <1.21.1-1~ubuntu23.04.2 | 1.21.1-1~ubuntu23.04.2 |
ubuntu/golang-1.21 | <1.21.1-1ubuntu0.23.10.1 | 1.21.1-1ubuntu0.23.10.1 |
ubuntu/golang-1.21 | <1.21.2-1 | 1.21.2-1 |
debian/golang-1.11 | <=1.11.6-1+deb10u4, <=1.11.6-1+deb10u7 | |
debian/golang-1.15 | <=1.15.15-1~deb11u4 | |
debian/golang-1.19 | <=1.19.8-2 | |
debian/golang-1.21 | 1.21.10-1 |
The vulnerability ID for this issue is CVE-2023-39323.
CVE-2023-39323 has a severity level of critical.
Line directives ("//line") can be used to bypass the restrictions on "//go:cgo_" directives by allowing blocked linker and compiler flags to be passed during compilation.
Golang Go versions before 1.20.9, and versions from 1.21.0 up to but excluding 1.21.2, are affected by CVE-2023-39323.
To fix CVE-2023-39323, it is recommended to update Golang Go to a version that is not affected by the vulnerability.
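
A pre-build review check for untrusted source trees, added here as an example and not taken from the Go project or this advisory: it flags Go files that carry both a line directive and a "//go:cgo_" directive, the combination the description names. The `Finding` type and `Scan` function are hypothetical names, and the match is a text heuristic, not a Go parse.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// Finding holds the 1-based lines of each directive kind (hypothetical type);
// a file is Suspicious when it carries both a line directive and "//go:cgo_".
type Finding struct{ Line, Cgo []int }

func (f Finding) Suspicious() bool { return len(f.Line) > 0 && len(f.Cgo) > 0 }

// Scan matches text line by line; it may over-report (e.g. inside string literals).
func Scan(src string) Finding {
	var f Finding
	for i, l := range strings.Split(src, "\n") {
		t := strings.TrimSpace(l)
		if strings.HasPrefix(t, "//line ") || strings.Contains(t, "/*line ") {
			f.Line = append(f.Line, i+1)
		}
		if strings.HasPrefix(t, "//go:cgo_") {
			f.Cgo = append(f.Cgo, i+1)
		}
	}
	return f
}

func main() {
	root, hits := ".", 0 // scan the current directory unless a path is given
	if len(os.Args) > 1 {
		root = os.Args[1]
	}
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() || !strings.HasSuffix(p, ".go") {
			return err
		}
		b, err := os.ReadFile(p)
		if f := Scan(string(b)); err == nil && f.Suspicious() {
			hits++
			fmt.Printf("%s: line directive at %v, //go:cgo_ at %v\n", p, f.Line, f.Cgo)
		}
		return err // an unreadable file aborts the walk so the gate fails closed
	})
	if err != nil || hits > 0 {
		fmt.Fprintf(os.Stderr, "flagged files: %d, walk error: %v\n", hits, err)
		os.Exit(1)
	}
}
```

Run it over vendored or downloaded module source before building; it exits non-zero when any file is flagged. It complements the toolchain upgrade and does not replace it.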