diff options
| author | Libo Chen <libo.chen.cn@windriver.com> | 2025-12-18 15:18:18 +0800 |
|---|---|---|
| committer | Steve Sakoman <steve@sakoman.com> | 2025-12-31 07:24:54 -0800 |
| commit | 9af12b047ec2e3b2d04c760be18e2f5cbfb5d5d3 (patch) | |
| tree | ce1db61dd7d3ef5eb24a37fd6ed0d1a3bd694c9e | |
| parent | 652e8fc3b9d5c586ba291041c3d15d362c24b6ea (diff) | |
| download | poky-9af12b047ec2e3b2d04c760be18e2f5cbfb5d5d3.tar.gz | |
go: Fix CVE-2023-39323
Line directives ("//line") can be used to bypass the restrictions on
"//go:cgo_" directives, allowing blocked linker and compiler flags to
be passed during compilation. This can result in unexpected execution
of arbitrary code when running "go build". The line directive requires
the absolute path of the file in which the directive lives, which makes
exploiting this issue significantly more complex.
Made below changes for Go 1.17 backport:
- drop the modifications of test codes
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-39323
Upstream-patch:
https://github.com/golang/go/commit/e7c142a19d8b3944c2f1b9ab7fd94c63d8d0c555
(From OE-Core rev: 62f4c3aec8f80a259472ce19104596d08741c101)
Signed-off-by: Libo Chen <libo.chen.cn@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
| -rw-r--r-- | meta/recipes-devtools/go/go-1.17.13.inc | 1 | ||||
| -rw-r--r-- | meta/recipes-devtools/go/go-1.21/CVE-2023-39323.patch | 55 |
2 files changed, 56 insertions, 0 deletions
diff --git a/meta/recipes-devtools/go/go-1.17.13.inc b/meta/recipes-devtools/go/go-1.17.13.inc index bb5e839950..47ef84c35a 100644 --- a/meta/recipes-devtools/go/go-1.17.13.inc +++ b/meta/recipes-devtools/go/go-1.17.13.inc | |||
| @@ -73,6 +73,7 @@ SRC_URI = "https://golang.org/dl/go${PV}.src.tar.gz;name=main \ | |||
| 73 | file://CVE-2025-58189.patch \ | 73 | file://CVE-2025-58189.patch \ |
| 74 | file://CVE-2025-61723.patch \ | 74 | file://CVE-2025-61723.patch \ |
| 75 | file://CVE-2025-61724.patch \ | 75 | file://CVE-2025-61724.patch \ |
| 76 | file://CVE-2023-39323.patch \ | ||
| 76 | " | 77 | " |
| 77 | SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd" | 78 | SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd" |
| 78 | 79 | ||
diff --git a/meta/recipes-devtools/go/go-1.21/CVE-2023-39323.patch b/meta/recipes-devtools/go/go-1.21/CVE-2023-39323.patch new file mode 100644 index 0000000000..613c91706b --- /dev/null +++ b/meta/recipes-devtools/go/go-1.21/CVE-2023-39323.patch | |||
| @@ -0,0 +1,55 @@ | |||
| 1 | From 5e0a62c44fbaff6443bffe67911370bc0ea25f6d Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Ian Lance Taylor <iant@golang.org> | ||
| 3 | Date: Wed, 20 Sep 2023 16:16:29 -0700 | ||
| 4 | Subject: [PATCH] cmd/compile: use absolute file name in isCgo check | ||
| 5 | |||
| 6 | For #23672 | ||
| 7 | Fixes #63211 | ||
| 8 | Fixes CVE-2023-39323 | ||
| 9 | |||
| 10 | Change-Id: I4586a69e1b2560036afec29d53e53cf25e6c7352 | ||
| 11 | Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2032884 | ||
| 12 | Reviewed-by: Matthew Dempsky <mdempsky@google.com> | ||
| 13 | Reviewed-by: Roland Shoemaker <bracewell@google.com> | ||
| 14 | Reviewed-on: https://go-review.googlesource.com/c/go/+/534158 | ||
| 15 | Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> | ||
| 16 | Reviewed-by: Ian Lance Taylor <iant@google.com> | ||
| 17 | LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> | ||
| 18 | Auto-Submit: Ian Lance Taylor <iant@google.com> | ||
| 19 | |||
| 20 | Upstream-Status: Backport | ||
| 21 | CVE: CVE-2023-39323 | ||
| 22 | |||
| 23 | Reference to upstream patch: | ||
| 24 | https://github.com/golang/go/commit/e7c142a19d8b3944c2f1b9ab7fd94c63d8d0c555 | ||
| 25 | |||
| 26 | Backport patch to fix CVE-2023-39323 and drop the modifications of test codes. | ||
| 27 | |||
| 28 | Signed-off-by: Libo Chen <libo.chen.cn@windriver.com> | ||
| 29 | --- | ||
| 30 | src/cmd/compile/internal/noder/noder.go | 8 +++++++- | ||
| 31 | 1 file changed, 7 insertions(+), 1 deletion(-) | ||
| 32 | |||
| 33 | diff --git a/src/cmd/compile/internal/noder/noder.go b/src/cmd/compile/internal/noder/noder.go | ||
| 34 | index 5fcad096c2..f35e065a31 100644 | ||
| 35 | --- a/src/cmd/compile/internal/noder/noder.go | ||
| 36 | +++ b/src/cmd/compile/internal/noder/noder.go | ||
| 37 | @@ -1690,8 +1690,14 @@ func (p *noder) pragma(pos syntax.Pos, blankLine bool, text string, old syntax.P | ||
| 38 | // contain cgo directives, and for security reasons | ||
| 39 | // (primarily misuse of linker flags), other files are not. | ||
| 40 | // See golang.org/issue/23672. | ||
| 41 | +// Note that cmd/go ignores files whose names start with underscore, | ||
| 42 | +// so the only _cgo_ files we will see from cmd/go are generated by cgo. | ||
| 43 | +// It's easy to bypass this check by calling the compiler directly; | ||
| 44 | +// we only protect against uses by cmd/go. | ||
| 45 | func isCgoGeneratedFile(pos syntax.Pos) bool { | ||
| 46 | - return strings.HasPrefix(filepath.Base(filepath.Clean(fileh(pos.Base().Filename()))), "_cgo_") | ||
| 47 | + // We need the absolute file, independent of //line directives, | ||
| 48 | + // so we call pos.Base().Pos().Base(). | ||
| 49 | + return strings.HasPrefix(filepath.Base(filepath.Clean(fileh(pos.Base().Pos().Base().Filename()))), "_cgo_") | ||
| 50 | } | ||
| 51 | |||
| 52 | // safeArg reports whether arg is a "safe" command-line argument, | ||
| 53 | -- | ||
| 54 | 2.34.1 | ||
| 55 | |||