[security] Go 1.20.5 and Go 1.19.10 are released

4,548 views
Skip to first unread message

anno...@golang.org

unread,
Jun 6, 2023, 2:14:07 PM6/6/23
to golan...@googlegroups.com

Hello gophers,

We have just released Go versions 1.20.5 and 1.19.10, minor point releases.

These minor releases include 3 security fixes following the security policy:

  • cmd/go: cgo code injection

    The go command may generate unexpected code at build time when using cgo. This
    may result in unexpected behavior when running a go program which uses cgo.

    This may occur when running an untrusted module which contains directories with
    newline characters in their names. Modules which are retrieved using the go command,
    i.e. via "go get", are not affected (modules retrieved using GOPATH-mode, i.e.
    GO111MODULE=off, may be affected).

    Thanks to Juho Nurminen of Mattermost for reporting this issue.

    This is CVE-2023-29402 and Go issue https://go.dev/issue/60167.

  • runtime: unexpected behavior of setuid/setgid binaries

    The Go runtime didn't act any differently when a binary had the setuid/setgid
    bit set. On Unix platforms, if a setuid/setgid binary was executed with standard
    I/O file descriptors closed, opening any files could result in unexpected
    content being read/written with elevated prilieges. Similarly if a setuid/setgid
    program was terminated, either via panic or signal, it could leak the contents
    of its registers.

    Thanks to Vincent Dehors from Synacktiv for reporting this issue.

    This is CVE-2023-29403 and Go issue https://go.dev/issue/60272.

  • cmd/go: improper sanitization of LDFLAGS

    The go command may execute arbitrary code at build time when using cgo. This may
    occur when running "go get" on a malicious module, or when running any other
    command which builds untrusted code. This is can by triggered by linker flags,
    specified via a "#cgo LDFLAGS" directive.

    Thanks to Juho Nurminen of Mattermost for reporting this issue.

    This is CVE-2023-29404 and CVE-2023-29405 and Go issues https://go.dev/issue/60305 and https://go.dev/issue/60306.

View the release notes for more information:
https://go.dev/doc/devel/release#go1.20.5

You can download binary and source distributions from the Go website:
https://go.dev/dl/

To compile from source using a Git clone, update to the release with
git checkout go1.20.5 and build as usual.

Thanks to everyone who contributed to the releases.

Cheers,
David and Michael for the Go team

Ian Lance Taylor

unread,
Jun 6, 2023, 4:00:13 PM6/6/23
to golan...@googlegroups.com
On Tue, Jun 6, 2023 at 11:12 AM <anno...@golang.org> wrote:
>
> cmd/go: improper sanitization of LDFLAGS
>
> The go command may execute arbitrary code at build time when using cgo. This may
> occur when running "go get" on a malicious module, or when running any other
> command which builds untrusted code. This is can by triggered by linker flags,
> specified via a "#cgo LDFLAGS" directive.

Due to an unfortunate mistake, this change will break the use of "#cgo
LDFLAGS" directives when using -compiler=gccgo. Most people using
gccgo or GoLLVM use the cmd/go that is distributed with those tools,
and that is unaffected. Therefore, we will fix this in the next minor
release. The current minor releases 1.20.5 and 1.19.10 are
unfortunately broken for some cases when using gccgo or GoLLVM. Our
apologies for the mishap. Thanks to Jeffrey Tolar for spotting the
problem.

Ian
Reply all
Reply to author
Forward
0 new messages