[opensuse-bugs] [Bug 1178752] New: VUL-0: CVE-2020-28367: go cmd/go: improper validation of cgo flags can lead to remote code execution at build time
http://bugzilla.opensuse.org/show_bug.cgi?id=1178752

            Bug ID: 1178752
           Summary: VUL-0: CVE-2020-28367: go cmd/go: improper validation of cgo flags can lead to remote code execution at build time
    Classification: openSUSE
           Product: openSUSE Tumbleweed
           Version: Current
          Hardware: Other
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Security
          Assignee: security-team@suse.de
          Reporter: jkowalczyk@suse.com
        QA Contact: qa-bugs@suse.de
          Found By: ---
           Blocker: ---

CVE-2020-28367

The go command may execute arbitrary code at build time when cgo is in use. This may occur when running go get on a malicious package, or any other command that builds untrusted code. This can be caused by malicious gcc flags specified via a #cgo directive.

Thanks to Imre Rad for reporting this issue.

References:
https://github.com/golang/go/issues/42556
https://groups.google.com/g/golang-nuts/c/c-ssaaS7RMI

--
You are receiving this mail because:
You are on the CC list for the bug.
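The report above attributes the issue to gcc flags supplied through #cgo directives. As an added example (not code from the Go project or from this report), the following Go program lists those flags from a source file without building it, so they can be reviewed before untrusted code is compiled. `AuditCgo`, `Finding`, the `plainFlag` allowlist and the sample source are assumptions of this example; flags are split on whitespace only, without quote handling.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"regexp"
	"strings"
)

// sample is constructed input for this example; its flags are illustrative only.
const sample = "package demo\n\n// #cgo CFLAGS: -I./include -march=native\n" +
	"// #cgo linux LDFLAGS: -lz -Wl,--as-needed\nimport \"C\"\n"

// Finding is one #cgo flag; Review is set when it falls outside plainFlag.
type Finding struct{ Kind, Flag string; Review bool }

// plainFlag is this example's own narrow allowlist (an assumption, not cmd/go's check).
var plainFlag = regexp.MustCompile(`^-(?:[IDLl][A-Za-z0-9_./]+|O[0-3s]|g)$`)

// AuditCgo parses src without building it and returns the flags of its #cgo lines.
func AuditCgo(name, src string) ([]Finding, error) {
	f, err := parser.ParseFile(token.NewFileSet(), name, src, parser.ImportsOnly|parser.ParseComments)
	if err != nil {
		return nil, err
	}
	var out []Finding
	for _, decl := range f.Decls { // with ImportsOnly every decl is an import GenDecl
		d := decl.(*ast.GenDecl)
		for _, spec := range d.Specs {
			s, doc := spec.(*ast.ImportSpec), d.Doc // ungrouped import: comment is on the decl
			if s.Doc != nil || len(d.Specs) > 1 {
				doc = s.Doc // grouped import: only the spec's own comment counts
			}
			if s.Path.Value != `"C"` {
				continue
			}
			for _, line := range strings.Split(doc.Text(), "\n") {
				p := strings.SplitN(line, ":", 2)
				if h := strings.Fields(p[0]); len(p) == 2 && len(h) > 1 && h[0] == "#cgo" {
					for _, flag := range strings.Fields(p[1]) {
						out = append(out, Finding{h[len(h)-1], flag, !plainFlag.MatchString(flag)})
					}
				}
			}
		}
	}
	return out, nil
}

func main() { fmt.Println(AuditCgo("demo.go", sample)) }
```

A flag marked for review is not necessarily harmful; it only means a person should read the directive before the package is built.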