| Bug ID | 1178752 |
|---|---|
| Summary | VUL-0: CVE-2020-28367: go cmd/go: improper validation of cgo flags can lead to remote code execution at build time |
| Classification | openSUSE |
| Product | openSUSE Tumbleweed |
| Version | Current |
| Hardware | Other |
| OS | Other |
| Status | NEW |
| Severity | Normal |
| Priority | P5 - None |
| Component | Security |
| Assignee | security-team@suse.de |
| Reporter | jkowalczyk@suse.com |
| QA Contact | qa-bugs@suse.de |
| Found By | --- |
| Blocker | --- |
CVE-2020-28367 The go command may execute arbitrary code at build time when cgo is in use. This may occur when running go get on a malicious package, or any other command that builds untrusted code. This can be caused by a malicious gcc flags specified via a #cgo directive. Thanks to Imre Rad for reporting this issue. References: https://github.com/golang/go/issues/42556 https://groups.google.com/g/golang-nuts/c/c-ssaaS7RMI