CVE-2023-39323: Arbitrary code execution during build via line directives in cmd/go
First published: Thu Oct 05 2023(Updated: )
Line directives ("//line") can be used to bypass the restrictions on "//go:cgo_" directives, allowing blocked linker and compiler flags to be passed during compilation. This can result in unexpected execution of arbitrary code when running "go build". The line directive requires the absolute path of the file in which the directive lives, which makes exploiting this issue significantly more complex.
Credit: security@golang.org security@golang.org security@golang.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Golang Go | <1.20.9 | |
| Golang Go | >=1.21.0<1.21.2 | |
| Fedoraproject Fedora | =37 | |
| Fedoraproject Fedora | =38 | |
| Fedoraproject Fedora | =39 | |
| ubuntu/golang-1.20 | <1.20.3-1ubuntu0.1~20.04.1 | 1.20.3-1ubuntu0.1~20.04.1 |
| ubuntu/golang-1.20 | <1.20.3-1ubuntu0.1~22.04.1 | 1.20.3-1ubuntu0.1~22.04.1 |
| ubuntu/golang-1.20 | <1.20.3-1ubuntu0.2 | 1.20.3-1ubuntu0.2 |
| ubuntu/golang-1.20 | <1.20.8-1ubuntu0.23.10.1 | 1.20.8-1ubuntu0.23.10.1 |
| ubuntu/golang-1.20 | <1.20.9-1 | 1.20.9-1 |
| ubuntu/golang-1.21 | <1.21.1-1~ubuntu20.04.2 | 1.21.1-1~ubuntu20.04.2 |
| ubuntu/golang-1.21 | <1.21.1-1~ubuntu22.04.2 | 1.21.1-1~ubuntu22.04.2 |
| ubuntu/golang-1.21 | <1.21.1-1~ubuntu23.04.2 | 1.21.1-1~ubuntu23.04.2 |
| ubuntu/golang-1.21 | <1.21.1-1ubuntu0.23.10.1 | 1.21.1-1ubuntu0.23.10.1 |
| ubuntu/golang-1.21 | <1.21.2-1 | 1.21.2-1 |
| debian/golang-1.11 | <=1.11.6-1+deb10u4<=1.11.6-1+deb10u7 | |
| debian/golang-1.15 | <=1.15.15-1~deb11u4 | |
| debian/golang-1.19 | <=1.19.8-2 | |
| debian/golang-1.21 | 1.21.10-1 |
Remedy
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://go.dev/cl/533215
- https://go.dev/issue/63211
- https://groups.google.com/g/golang-announce/c/XBa1oHDevAo
- https://pkg.go.dev/vuln/GO-2023-2095
- https://security.netapp.com/advisory/ntap-20231020-0001/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/
- https://security.gentoo.org/glsa/202311-09
- https://launchpad.net/bugs/cve/CVE-2023-39323
- https://github.com/golang/go/commit/2ddfc04d12da7028334ab4f8effbc3a78b92d9d2
- https://github.com/golang/go/commit/31d5b604ac0adb58aec4870ac1b974c08312fd49
- https://security-tracker.debian.org/tracker/CVE-2023-39323
- https://github.com/golang/go/commit/2ddfc04d12da7028334ab4f8effbc3a78b92d9d2 (go1.21.2)
- https://github.com/golang/go/commit/31d5b604ac0adb58aec4870ac1b974c08312fd49 (go1.20.9)
- https://ubuntu.com/security/notices/USN-6574-1
- https://www.cve.org/CVERecord?id=CVE-2023-39323
- https://nvd.nist.gov/vuln/detail/CVE-2023-39323
- https://ubuntu.com/security/CVE-2023-39323
Frequently Asked Questions
What is the vulnerability ID for this issue?
The vulnerability ID for this issue is CVE-2023-39323.
What is the severity level of CVE-2023-39323?
CVE-2023-39323 has a severity level of critical.
How can line directives be used to bypass restrictions on go:cgo_ directives?
Line directives ("//line") can be used to bypass the restrictions on "//go:cgo_" directives by allowing blocked linker and compiler flags to be passed during compilation.
What software is affected by CVE-2023-39323?
Golang Go versions up to and including 1.20.9, as well as version 1.21.0 up to but excluding 1.21.2, are affected by CVE-2023-39323.
How can I fix CVE-2023-39323?
To fix CVE-2023-39323, it is recommended to update Golang Go to a version that is not affected by the vulnerability.
- collector/nvd-index
- collector/mitre-cve
- agent/type
- agent/remedy
- collector/launchpad-cve
- source/Launchpad
- agent/last-modified-date
- agent/first-publish-date
- agent/weakness
- agent/title
- agent/references
- agent/author
- agent/severity
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- collector/nvd-cve
- agent/event
- agent/description
- agent/tags
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- collector/usn-cve
- source/Ubuntu
- vendor/golang
- canonical/golang go
- version/golang go/1.21.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/37
- version/fedoraproject fedora/38
- version/fedoraproject fedora/39
- package-manager/debian
- package-manager/ubuntu