[opensuse-bugs] [Bug 1178753] New: VUL-0: CVE-2020-28366: go cmd/go: arbitrary code can be injected into cgo generated files
http://bugzilla.opensuse.org/show_bug.cgi?id=1178753

            Bug ID: 1178753
           Summary: VUL-0: CVE-2020-28366: go cmd/go: arbitrary code can be
                    injected into cgo generated files
    Classification: openSUSE
           Product: openSUSE Tumbleweed
           Version: Current
          Hardware: Other
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Security
          Assignee: security-team@suse.de
          Reporter: jkowalczyk@suse.com
        QA Contact: qa-bugs@suse.de
          Found By: ---
           Blocker: ---

CVE-2020-28366

The go command may execute arbitrary code at build time when cgo is in use.
This may occur when running go get on a malicious package, or any other
command that builds untrusted code. This can be caused by malicious unquoted
symbol names.

This has been fixed by rejecting invalid symbols which may add a
//go:cgo_ldflag directive to the generated file, and by ensuring that the go
tool follows existing LDFLAG restrictions.

Thanks to Chris Brown and Tempus Ex for reporting this issue.

References:
https://github.com/golang/go/issues/42559
https://groups.google.com/g/golang-nuts/c/c-ssaaS7RMI

-- 
You are receiving this mail because:
You are on the CC list for the bug.
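The advisory above says the injection comes from "malicious unquoted symbol names" that end up adding a //go:cgo_ldflag directive to a cgo-generated file. The following Go program is an added illustration of that mechanism; it is not code from the bug report, from cmd/cgo, or from the Go fix. It models the unquoted //go:cgo_import_dynamic line that cgo's dynimport step writes for each imported dynamic symbol, shows how a constructed symbol name containing a newline smuggles a //go:cgo_ldflag directive into the generated file, and adds a symbol-name check modelled on the fix described in the advisory (the exact character set accepted by cmd/cgo is an assumption here).

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"unicode"
)

// emitDynimport models the pre-fix line written into _cgo_import.go for
// each imported dynamic symbol: the name is interpolated twice, unquoted.
// This is a model of the behaviour described in the advisory, not the
// real cmd/cgo implementation.
func emitDynimport(sym, lib string) string {
	return fmt.Sprintf("//go:cgo_import_dynamic %s %s %q\n", sym, sym, lib)
}

// ldflagDirectives returns every //go:cgo_ldflag directive present in a
// generated file; these are the flags the go tool would hand to the linker.
func ldflagDirectives(generated string) []string {
	var out []string
	for _, line := range strings.Split(generated, "\n") {
		if strings.HasPrefix(line, "//go:cgo_ldflag ") {
			out = append(out, line)
		}
	}
	return out
}

// checkImportSymName is modelled on the fix: a dynamic symbol name must be
// a plain identifier-like name. Anything else (newlines, quotes, spaces,
// slashes) can terminate the pragma and start a new directive.
// The accepted set (letters, digits, '_' and '.') is an assumption.
func checkImportSymName(s string) error {
	if s == "" {
		return errors.New("empty dynamic symbol name")
	}
	for _, c := range s {
		if !unicode.IsLetter(c) && !unicode.IsDigit(c) && c != '_' && c != '.' {
			return fmt.Errorf("dynamic symbol %q contains unsupported character %q", s, c)
		}
	}
	return nil
}

// safeEmitDynimport is the hardened form: validate before emitting, so a
// hostile symbol name can never reach the generated file.
func safeEmitDynimport(sym, lib string) (string, error) {
	if err := checkImportSymName(sym); err != nil {
		return "", err
	}
	return emitDynimport(sym, lib), nil
}

func main() {
	// Constructed malicious symbol name (not taken from the real report):
	// the first newline ends the cgo_import_dynamic pragma, the next line
	// is a cgo_ldflag directive, and the trailing "//" turns the remainder
	// of the original line into a comment so the file still parses as Go.
	const evil = "puts\n//go:cgo_ldflag \"-Wl,-rpath,/tmp/evil\"\n//"

	gen := emitDynimport(evil, "libc.so.6")
	fmt.Print(gen)
	fmt.Println("injected directives:", len(ldflagDirectives(gen)))

	if _, err := safeEmitDynimport(evil, "libc.so.6"); err != nil {
		fmt.Println("hardened path rejects it:", err)
	}
}
```

Because the symbol name is interpolated twice, the injected directive appears twice in the generated output; the count is what matters, since a single //go:cgo_ldflag is enough for the linker to run attacker-chosen flags. The second half of the fix, applying the go tool's existing LDFLAG allowlist to directives read back from generated files, is the defence-in-depth layer this example does not model.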