Bug ID | 1178752 |
---|---|
Summary | VUL-0: CVE-2020-28367: go cmd/go: improper validation of cgo flags can lead to remote code execution at build time |
Classification | openSUSE |
Product | openSUSE Tumbleweed |
Version | Current |
Hardware | Other |
OS | Other |
Status | NEW |
Severity | Normal |
Priority | P5 - None |
Component | Security |
Assignee | security-team@suse.de |
Reporter | jkowalczyk@suse.com |
QA Contact | qa-bugs@suse.de |
Found By | --- |
Blocker | --- |
CVE-2020-28367: The go command may execute arbitrary code at build time when cgo is in use. This may occur when running go get on a malicious package, or any other command that builds untrusted code. This can be caused by malicious gcc flags specified via a #cgo directive. Thanks to Imre Rad for reporting this issue.

References:
- https://github.com/golang/go/issues/42556
- https://groups.google.com/g/golang-nuts/c/c-ssaaS7RMI
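The issue above is that flags in `#cgo` directives of untrusted source reach gcc and the linker during `go build`. The following is an added example (not code from the bug report or from the Go toolchain) of a pre-build check a CI pipeline can run over vendored dependencies: it scans Go source for `#cgo` lines and reports every flag outside a small allowlist of shapes a benign package needs. The allowlist, the `Finding` type and the sample source are assumptions of this example, not the validation the Go fix actually implements.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// A cgo directive line: "// #cgo [constraints...] KIND: flags".
var cgoLine = regexp.MustCompile(`^\s*//\s*#cgo\s+(?:[\w,!.]+\s+)*([\w-]+):\s*(.*)$`)

// Conservative allowlist of flag shapes a benign package needs (an assumption of this
// example). Anything else, including every "-Wl," linker passthrough, is reported for review.
var allowed = regexp.MustCompile(`^(-I[^@-].*|-L[^@-].*|-l[\w.+-]+|-D[A-Za-z_]\w*(=[\w.]*)?` +
	`|-O[0-3s]?|-std=(c|gnu)\d+|-f(no-)?(pic|PIC|pie|PIE)|-pthread|-W(all|extra|error)?)$`)

// Finding is one #cgo flag outside the allowlist, with its source line and kind (e.g. LDFLAGS).
type Finding struct{ Line int; Kind, Flag string }

// CheckCgoFlags scans Go source text and returns every #cgo flag outside the allowlist.
func CheckCgoFlags(src string) []Finding {
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(src))
	for n := 1; sc.Scan(); n++ {
		m := cgoLine.FindStringSubmatch(sc.Text())
		if m == nil {
			continue
		}
		// Quoted flags containing spaces are split here and therefore reported, which errs safe.
		for _, f := range strings.Fields(m[2]) {
			if !allowed.MatchString(f) {
				out = append(out, Finding{n, m[1], f})
			}
		}
	}
	return out
}

// Constructed sample source: benign flags plus two that should be reviewed before building.
const sample = `package foo
// #cgo CFLAGS: -I${SRCDIR}/include -DUSE_FOO=1 -O2 -Wall
// #cgo LDFLAGS: -L/usr/local/lib -lfoo -Wl,-z,now
// #cgo linux LDFLAGS: -lm -static
import "C"
`

func main() {
	for _, f := range CheckCgoFlags(sample) {
		fmt.Printf("line %d: %s flag %q is not in the allowlist\n", f.Line, f.Kind, f.Flag)
	}
}
```

Run it over every `.go` file of a dependency before `go build`; a non-empty result should block the build until a human has read the directive, since even a harmless-looking linker passthrough deserves that review.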