go: fix CVE-2023-29404 - linux/poky.git - Mirror of git.yoctoproject.org/poky

diff options

author	Archana Polampalli <archana.polampalli@windriver.com>	2023-06-21 10:48:28 +0000
committer	Steve Sakoman <steve@sakoman.com>	2023-07-01 08:37:24 -1000
commit	19cce6f2469acf1d55a91cf80cc8621e960e358b (patch)
tree	972a8677da61b2eb422d72b564a35f97b52c84f9 /scripts/lib/devtool/export.py
parent	fc697fe87412b9b179ae3a68d266ace85bb1fcc6 (diff)
download	poky-19cce6f2469acf1d55a91cf80cc8621e960e358b.tar.gz

go: fix CVE-2023-29404

The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a "#cgo LDFLAGS" directive. The arguments for a number of flags which are non-optional are incorrectly considered optional, allowing disallowed flags to be smuggled through the LDFLAGS sanitization. This affects usage of both the gc and gccgo compilers. References: https://nvd.nist.gov/vuln/detail/CVE-2023-29404 Upstream patches: https://github.com/golang/go/commit/bbeb55f5faf93659e1cfd6ab073ab3c9d126d195 (From OE-Core rev: 3e51122f8e2b4a7cd2a1c711175e6daf59b8368b) Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>

Diffstat (limited to 'scripts/lib/devtool/export.py')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: