path: root/scripts/lib/devtool/export.py
author: Archana Polampalli <archana.polampalli@windriver.com> 2023-06-21 10:48:29 +0000
committer: Steve Sakoman <steve@sakoman.com> 2023-07-01 08:37:24 -1000
commit: 92a46e5fff4c455c296c594b9563c46e90448bed (patch)
tree: 6e370674f850f373ae84ce6db51a0bdc130bdcd2 /scripts/lib/devtool/export.py
parent: 19cce6f2469acf1d55a91cf80cc8621e960e358b (diff)
download: poky-92a46e5fff4c455c296c594b9563c46e90448bed.tar.gz
go: fix CVE-2023-29405
The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This can be triggered by linker flags, specified via a "#cgo LDFLAGS" directive. Flags containing embedded spaces are mishandled, allowing disallowed flags to be smuggled through the LDFLAGS sanitization by including them in the argument of another flag. This only affects usage of the gccgo compiler.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-29405

Upstream patches:
https://github.com/golang/go/commit/6d8af00a630aa51134e54f0f321658621c6410f0

(From OE-Core rev: 7ce6d0029effc06cff500271a124150f1a7db7b3)

Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'scripts/lib/devtool/export.py')
0 files changed, 0 insertions, 0 deletions
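
The bug class described in the commit message, as an added illustration that is not code from Go, from the upstream patch, or from this commit. The allowlist, the flag names and every function name are hypothetical; the sample flags are constructed. It shows how a per-argument check passes a flag with an embedded space, how an unquoted space-separated record then loses the argument boundary, and two ways to keep the boundary intact.

```go
package main

import (
	"fmt"
	"strings"
)

// allowedPrefixes is a constructed allowlist, not Go's real LDFLAGS policy.
var allowedPrefixes = []string{"-l", "-L"}

// checkFlag validates one argument by prefix only, which is the weak point:
// it never looks for whitespace inside the argument.
func checkFlag(arg string) bool {
	for _, p := range allowedPrefixes {
		if strings.HasPrefix(arg, p) {
			return true
		}
	}
	return false
}

// checkFlagStrict additionally rejects any argument containing whitespace.
func checkFlagStrict(arg string) bool {
	return checkFlag(arg) && !strings.ContainsAny(arg, " \t\r\n")
}

// roundTripSpaces records flags space-separated without quoting and reads
// them back by splitting on whitespace, so argument boundaries are lost.
func roundTripSpaces(flags []string) []string {
	return strings.Fields(strings.Join(flags, " "))
}

// roundTripLines records one flag per line, so embedded spaces survive.
func roundTripLines(flags []string) []string {
	return strings.Split(strings.Join(flags, "\n"), "\n")
}

func main() {
	// Constructed input: one argument with an embedded space.
	flags := []string{"-lm", "-L/opt/lib -hypothetical-disallowed"}
	for _, f := range flags {
		fmt.Printf("%q weak=%v strict=%v\n", f, checkFlag(f), checkFlagStrict(f))
	}
	fmt.Printf("space-joined: %q\n", roundTripSpaces(flags))
	fmt.Printf("line-joined:  %q\n", roundTripLines(flags))
}
```

The second argument passes the prefix check as a single `-L` flag, yet after the space-separated round trip it arrives as two arguments, the second of which would have failed the check on its own.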