x/vulndb: potential Go vuln in cmd/go: CVE-2023-29402 #1839
Assignees
Labels
Comments
|
Change https://go.dev/cl/501838 mentions this issue: |
gopherbot
pushed a commit
that referenced
this issue
Jun 8, 2023
Aliases: CVE-2023-29402 Updates #1839 Change-Id: I4e963cfc7eebf092ffbffd56dddf1ac5f1ab61bb Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/501838 TryBot-Result: Gopher Robot <[email protected]> Run-TryBot: Tatiana Bradley <[email protected]> Reviewed-by: Damien Neil <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
CVE ID
No response
GHSA ID
No response
Additional information
cmd/go: cgo code injection
The go command may generate unexpected code at build time when using cgo. This
may result in unexpected behavior when running a go program which uses cgo.
This may occur when running an untrusted module which contains directories with
newline characters in their names. Modules which are retrieved using the go command,
i.e. via "go get", are not affected (modules retrieved using GOPATH-mode, i.e.
GO111MODULE=off, may be affected).
Thanks to Juho Nurminen of Mattermost for reporting this issue.
This is CVE-2023-29402 and Go issue https://go.dev/issue/60167.
https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ
The text was updated successfully, but these errors were encountered: