Fluid Attacks Database

Description

Line directives ("//line") can be used to bypass the restrictions on "//go:cgo_" directives, allowing blocked linker and compiler flags to be passed during compilation. This can result in unexpected execution of arbitrary code when running "go build". The line directive requires the absolute path of the file in which the directive lives, which makes exploiting this issue significantly more complex.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	golang-1.15	=1.15.15-1 \|\| =1.15.15-1~deb11u1 \|\| =1.15.15-1~deb11u2 \|\| =1.15.15-1~deb11u3 \|\| =1.15.15-1~deb11u4 \|\| =1.15.15-2 \|\| =1.15.15-3 \|\| =1.15.15-4 \|\| =1.15.15-5 \|\| =1.15.9-6	-
debian 12	golang-1.19	=1.19.10-1 \|\| =1.19.10-2 \|\| =1.19.11-1 \|\| =1.19.12-1 \|\| =1.19.12-2 \|\| =1.19.12-2~bpo11+1 \|\| =1.19.12-2~bpo12+1 \|\| =1.19.13-1 \|\| =1.19.13-1~bpo11+1 \|\| =1.19.13-1~bpo12+1 \|\| =1.19.8-2 \|\| =1.19.9-1	-
go	toolchain	>=0 <1.20.9	1.20.9
rpm rhel8	go-toolset	<0:sha256:1438b41a97337f91f08a7f4d6b859cc5232f1defb6067873a0dfe20970774015	0:sha256:1438b41a97337f91f08a7f4d6b859cc5232f1defb6067873a0dfe20970774015
rpm rhel9	golang	-	-

Aliases

1. CVE-2023-393232. NVD-2023-393233. OSV-DEBIAN-2023-393234. OSV-2023-393235. OSV-GO-2023-20956. GCVE-2023-393237. SECURITY-TRACKER-CVE-2023-39323

References

1. https://go.dev/issue/632112. https://go.dev/cl/5332153. https://groups.google.com/g/golang-announce/c/XBa1oHDevAo

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.