summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorArchana Polampalli <archana.polampalli@windriver.com>2023-06-21 10:48:29 +0000
committerSteve Sakoman <steve@sakoman.com>2023-07-01 08:37:24 -1000
commit92a46e5fff4c455c296c594b9563c46e90448bed (patch)
tree6e370674f850f373ae84ce6db51a0bdc130bdcd2
parent19cce6f2469acf1d55a91cf80cc8621e960e358b (diff)
downloadpoky-92a46e5fff4c455c296c594b9563c46e90448bed.tar.gz
go: fix CVE-2023-29405
The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a "#cgo LDFLAGS" directive. Flags containing embedded spaces are mishandled, allowing disallowed flags to be smuggled through the LDFLAGS sanitization by including them in the argument of another flag. This only affects usage of the gccgo compiler. References: https://nvd.nist.gov/vuln/detail/CVE-2023-29405 Upstream patches: https://github.com/golang/go/commit/6d8af00a630aa51134e54f0f321658621c6410f0 (From OE-Core rev: 7ce6d0029effc06cff500271a124150f1a7db7b3) Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
-rw-r--r--meta/recipes-devtools/go/go-1.17.13.inc1
-rw-r--r--meta/recipes-devtools/go/go-1.19/CVE-2023-29405.patch109
2 files changed, 110 insertions, 0 deletions
diff --git a/meta/recipes-devtools/go/go-1.17.13.inc b/meta/recipes-devtools/go/go-1.17.13.inc
index 2c1febfe9c..9af9eb2752 100644
--- a/meta/recipes-devtools/go/go-1.17.13.inc
+++ b/meta/recipes-devtools/go/go-1.17.13.inc
@@ -33,6 +33,7 @@ SRC_URI += "\
33 file://CVE-2023-24540.patch \ 33 file://CVE-2023-24540.patch \
34 file://CVE-2023-24539.patch \ 34 file://CVE-2023-24539.patch \
35 file://CVE-2023-29404.patch \ 35 file://CVE-2023-29404.patch \
36 file://CVE-2023-29405.patch \
36" 37"
37SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd" 38SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd"
38 39
diff --git a/meta/recipes-devtools/go/go-1.19/CVE-2023-29405.patch b/meta/recipes-devtools/go/go-1.19/CVE-2023-29405.patch
new file mode 100644
index 0000000000..d806e1e67d
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.19/CVE-2023-29405.patch
@@ -0,0 +1,109 @@
1From 6d8af00a630aa51134e54f0f321658621c6410f0 Mon Sep 17 00:00:00 2001
2From: Ian Lance Taylor <iant@golang.org>
3Date: Thu, 4 May 2023 14:06:39 -0700
4Subject: [PATCH] cmd/go,cmd/cgo: in _cgo_flags use one line per flag
5
6The flags that we recorded in _cgo_flags did not use any quoting,
7so a flag containing embedded spaces was mishandled.
8Change the _cgo_flags format to put each flag on a separate line.
9That is a simple format that does not require any quoting.
10
11As far as I can tell only cmd/go uses _cgo_flags, and it is only
12used for gccgo. If this patch doesn't cause any trouble, then
13in the next release we can change to only using _cgo_flags for gccgo.
14
15Thanks to Juho Nurminen of Mattermost for reporting this issue.
16
17Fixes #60306
18Fixes CVE-2023-29405
19
20Change-Id: I81fb5337db8a22e1f4daca22ceff4b79b96d0b4f
21Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1875094
22Reviewed-by: Damien Neil <dneil@google.com>
23Reviewed-by: Roland Shoemaker <bracewell@google.com>
24Reviewed-on: https://go-review.googlesource.com/c/go/+/501224
25Reviewed-by: Ian Lance Taylor <iant@google.com>
26Run-TryBot: David Chase <drchase@google.com>
27Reviewed-by: Michael Knyszek <mknyszek@google.com>
28Reviewed-by: Roland Shoemaker <roland@golang.org>
29TryBot-Result: Gopher Robot <gobot@golang.org>
30
31Upstream-Status: Backport [https://github.com/golang/go/commit/6d8af00a630aa51134e54f0f321658621c6410f0]
32CVE: CVE-2023-29405
33
34Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
35---
36 src/cmd/cgo/out.go | 4 +++-
37 src/cmd/go/internal/work/gccgo.go | 14 ++++++-------
38 .../go/testdata/script/gccgo_link_ldflags.txt | 20 +++++++++++++++++++
39 3 files changed, 29 insertions(+), 9 deletions(-)
40 create mode 100644 src/cmd/go/testdata/script/gccgo_link_ldflags.txt
41
42diff --git a/src/cmd/cgo/out.go b/src/cmd/cgo/out.go
43index 94152f4..62e6528 100644
44--- a/src/cmd/cgo/out.go
45+++ b/src/cmd/cgo/out.go
46@@ -47,7 +47,9 @@ func (p *Package) writeDefs() {
47
48 fflg := creat(*objDir + "_cgo_flags")
49 for k, v := range p.CgoFlags {
50- fmt.Fprintf(fflg, "_CGO_%s=%s\n", k, strings.Join(v, " "))
51+ for _, arg := range v {
52+ fmt.Fprintf(fflg, "_CGO_%s=%s\n", k, arg)
53+ }
54 if k == "LDFLAGS" && !*gccgo {
55 for _, arg := range v {
56 fmt.Fprintf(fgo2, "//go:cgo_ldflag %q\n", arg)
57diff --git a/src/cmd/go/internal/work/gccgo.go b/src/cmd/go/internal/work/gccgo.go
58index 1499536..bb4be2f 100644
59--- a/src/cmd/go/internal/work/gccgo.go
60+++ b/src/cmd/go/internal/work/gccgo.go
61@@ -283,14 +283,12 @@ func (tools gccgoToolchain) link(b *Builder, root *Action, out, importcfg string
62 const ldflagsPrefix = "_CGO_LDFLAGS="
63 for _, line := range strings.Split(string(flags), "\n") {
64 if strings.HasPrefix(line, ldflagsPrefix) {
65- newFlags := strings.Fields(line[len(ldflagsPrefix):])
66- for _, flag := range newFlags {
67- // Every _cgo_flags file has -g and -O2 in _CGO_LDFLAGS
68- // but they don't mean anything to the linker so filter
69- // them out.
70- if flag != "-g" && !strings.HasPrefix(flag, "-O") {
71- cgoldflags = append(cgoldflags, flag)
72- }
73+ flag := line[len(ldflagsPrefix):]
74+ // Every _cgo_flags file has -g and -O2 in _CGO_LDFLAGS
75+ // but they don't mean anything to the linker so filter
76+ // them out.
77+ if flag != "-g" && !strings.HasPrefix(flag, "-O") {
78+ cgoldflags = append(cgoldflags, flag)
79 }
80 }
81 }
82diff --git a/src/cmd/go/testdata/script/gccgo_link_ldflags.txt b/src/cmd/go/testdata/script/gccgo_link_ldflags.txt
83new file mode 100644
84index 0000000..4e91ae5
85--- /dev/null
86+++ b/src/cmd/go/testdata/script/gccgo_link_ldflags.txt
87@@ -0,0 +1,20 @@
88+# Test that #cgo LDFLAGS are properly quoted.
89+# The #cgo LDFLAGS below should pass a string with spaces to -L,
90+# as though searching a directory with a space in its name.
91+# It should not pass --nosuchoption to the external linker.
92+
93+[!cgo] skip
94+
95+go build
96+
97+[!exec:gccgo] skip
98+
99+go build -compiler gccgo
100+
101+-- go.mod --
102+module m
103+-- cgo.go --
104+package main
105+// #cgo LDFLAGS: -L "./ -Wl,--nosuchoption"
106+import "C"
107+func main() {}
108--
1092.40.0