[security] Go 1.20.5 and Go 1.19.10 are released

[anno...@golang.org]

Hello gophers,

We have just released Go versions 1.20.5 and 1.19.10, minor point releases.

These minor releases include 3 security fixes following the security policy:

• cmd/go: cgo code injection

  The go command may generate unexpected code at build time when using cgo. This
  may result in unexpected behavior when running a go program which uses cgo.

  This may occur when running an untrusted module which contains directories with
  newline characters in their names. Modules which are retrieved using the go command,
  i.e. via "go get", are not affected (modules retrieved using GOPATH-mode, i.e.
  GO111MODULE=off, may be affected).

  Thanks to Juho Nurminen of Mattermost for reporting this issue.

  This is CVE-2023-29402 and Go issue https://go.dev/issue/60167.

• runtime: unexpected behavior of setuid/setgid binaries

  The Go runtime didn't act any differently when a binary had the setuid/setgid
  bit set. On Unix platforms, if a setuid/setgid binary was executed with standard
  I/O file descriptors closed, opening any files could result in unexpected
  content being read/written with elevated prilieges. Similarly if a setuid/setgid
  program was terminated, either via panic or signal, it could leak the contents
  of its registers.

  Thanks to Vincent Dehors from Synacktiv for reporting this issue.

  This is CVE-2023-29403 and Go issue https://go.dev/issue/60272.

• cmd/go: improper sanitization of LDFLAGS

  The go command may execute arbitrary code at build time when using cgo. This may
  occur when running "go get" on a malicious module, or when running any other
  command which builds untrusted code. This is can by triggered by linker flags,
  specified via a "#cgo LDFLAGS" directive.

  Thanks to Juho Nurminen of Mattermost for reporting this issue.

  This is CVE-2023-29404 and CVE-2023-29405 and Go issues https://go.dev/issue/60305 and https://go.dev/issue/60306.

View the release notes for more information:
https://go.dev/doc/devel/release#go1.20.5

You can download binary and source distributions from the Go website:
https://go.dev/dl/

To compile from source using a Git clone, update to the release with
git checkout go1.20.5 and build as usual.

Thanks to everyone who contributed to the releases.

Cheers,
David and Michael for the Go team

[Jérôme LAFORGE]

Hello,

So unless I am wrong, something doesn't seem backward compatible with Go 1.20.5:

with go version go1.20.4 linux/amd64:

go list -u -m -json all > /dev/null

echo $?
0

with go version go1.20.5 linux/amd64:

go list -u -m -json all > /dev/null
go: updates to go.sum needed, disabled by -mod=readonly

echo $?
1

[Bryan C. Mills]

On Mon, Jun 12, 2023 at 2:47 AM Jérôme LAFORGE <jerome....@gmail.com> wrote:

Hello,

So unless I am wrong, something doesn't seem backward compatible with Go 1.20.5:

with go version go1.20.4 linux/amd64:

go list -u -m -json all > /dev/null

echo $?
0

with go version go1.20.5 linux/amd64:

go list -u -m -json all > /dev/null
go: updates to go.sum needed, disabled by -mod=readonly

echo $?
1

That was an unintended regression (https://go.dev/issue/60667).

It should be fixed in the next patch releases.

 

--
You received this message because you are subscribed to the Google Groups "golang-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to golang-dev+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/golang-dev/3557eccc-bc55-460c-b4fc-af12caa7fdd5n%40googlegroups.com.

[Jérôme LAFORGE]

> It should be fixed in the next patch releases.

Is it planned to release this next patch release? or do you wait for security fix in order to release it?

Thanks for the support.

[Bryan C. Mills]

Patch releases are usually cut around once a month, regardless of whether any security fixes are slated for inclusion.

To view this discussion on the web visit https://groups.google.com/d/msgid/golang-dev/162c750b-6f8c-4f3a-9c7d-b546e216bab5n%40googlegroups.com.