data/reports: add GO-2023-1839.yaml

tatianab · tatianab · commit 7a88f6bd781e · 2023-06-08T20:16:16.000Z
Aliases: CVE-2023-29402 Updates #1839 Change-Id: I4e963cfc7eebf092ffbffd56dddf1ac5f1ab61bb Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/501838 TryBot-Result: Gopher Robot <gobot@golang.org> Run-TryBot: Tatiana Bradley <tatianabradley@google.com> Reviewed-by: Damien Neil <dneil@google.com>
diff --git a/data/cve/v5/GO-2023-1839.json b/data/cve/v5/GO-2023-1839.json
@@ -0,0 +1,73 @@
+{
+  "dataType": "CVE_RECORD",
+  "dataVersion": "5.0",
+  "cveMetadata": {
+    "cveId": "CVE-2023-29402"
+  },
+  "containers": {
+    "cna": {
+      "providerMetadata": {
+        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc"
+      },
+      "descriptions": [
+        {
+          "lang": "en",
+          "value": "The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a go program which uses cgo. This may occur when running an untrusted module which contains directories with newline characters in their names. Modules which are retrieved using the go command, i.e. via \"go get\", are not affected (modules retrieved using GOPATH-mode, i.e. GO111MODULE=off, may be affected)."
+        }
+      ],
+      "affected": [
+        {
+          "vendor": "Go toolchain",
+          "product": "cmd/go",
+          "collectionURL": "https://pkg.go.dev",
+          "packageName": "cmd/go",
+          "versions": [
+            {
+              "version": "0",
+              "lessThan": "1.19.10",
+              "status": "affected",
+              "versionType": "semver"
+            },
+            {
+              "version": "1.20.0-0",
+              "lessThan": "1.20.5",
+              "status": "affected",
+              "versionType": "semver"
+            }
+          ],
+          "defaultStatus": "unaffected"
+        }
+      ],
+      "problemTypes": [
+        {
+          "descriptions": [
+            {
+              "lang": "en",
+              "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')"
+            }
+          ]
+        }
+      ],
+      "references": [
+        {
+          "url": "https://go.dev/issue/60167"
+        },
+        {
+          "url": "https://go.dev/cl/501226"
+        },
+        {
+          "url": "https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ"
+        },
+        {
+          "url": "https://pkg.go.dev/vuln/GO-2023-1839"
+        }
+      ],
+      "credits": [
+        {
+          "lang": "en",
+          "value": "Juho Nurminen of Mattermost"
+        }
+      ]
+    }
+  }
+}
diff --git a/data/osv/GO-2023-1839.json b/data/osv/GO-2023-1839.json
@@ -0,0 +1,66 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2023-1839",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2023-29402"
+  ],
+  "details": "The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a go program which uses cgo.\n\nThis may occur when running an untrusted module which contains directories with newline characters in their names. Modules which are retrieved using the go command, i.e. via \"go get\", are not affected (modules retrieved using GOPATH-mode, i.e. GO111MODULE=off, may be affected).",
+  "affected": [
+    {
+      "package": {
+        "name": "toolchain",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.19.10"
+            },
+            {
+              "introduced": "1.20.0-0"
+            },
+            {
+              "fixed": "1.20.5"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {
+        "imports": [
+          {
+            "path": "cmd/go"
+          }
+        ]
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "REPORT",
+      "url": "https://go.dev/issue/60167"
+    },
+    {
+      "type": "FIX",
+      "url": "https://go.dev/cl/501226"
+    },
+    {
+      "type": "WEB",
+      "url": "https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ"
+    }
+  ],
+  "credits": [
+    {
+      "name": "Juho Nurminen of Mattermost"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2023-1839"
+  }
+}
diff --git a/data/reports/GO-2023-1839.yaml b/data/reports/GO-2023-1839.yaml
@@ -0,0 +1,29 @@
+id: GO-2023-1839
+modules:
+    - module: cmd
+      versions:
+        - fixed: 1.19.10
+        - introduced: 1.20.0-0
+          fixed: 1.20.5
+      vulnerable_at: 1.20.4
+      packages:
+        - package: cmd/go
+summary: Code injection via go command with cgo in cmd/go
+description: |
+    The go command may generate unexpected code at build time when using cgo.
+    This may result in unexpected behavior when running a go program which uses
+    cgo.
+
+    This may occur when running an untrusted module which contains directories
+    with newline characters in their names. Modules which are retrieved using
+    the go command, i.e. via "go get", are not affected (modules retrieved
+    using GOPATH-mode, i.e. GO111MODULE=off, may be affected).
+credits:
+    - Juho Nurminen of Mattermost
+references:
+    - report: https://go.dev/issue/60167
+    - fix: https://go.dev/cl/501226
+    - web: https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ
+cve_metadata:
+    id: CVE-2023-29402
+    cwe: 'CWE-94: Improper Control of Generation of Code (''Code Injection'')'
