x/vulndb: potential Go vuln in runtime: CVE-2023-29403 #1840
Assignees
Labels
Comments
tatianab
changed the title
|
Change https://go.dev/cl/501837 mentions this issue: |
gopherbot
pushed a commit
that referenced
this issue
Jun 8, 2023
Aliases: CVE-2023-29403 Updates #1840 Change-Id: I0c0829d98d1ec4ff5997245189958b4b7cc362d8 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/501837 Reviewed-by: Roland Shoemaker <[email protected]> Run-TryBot: Tatiana Bradley <[email protected]> TryBot-Result: Gopher Robot <[email protected]>
|
Change https://go.dev/cl/501536 mentions this issue: |
gopherbot
pushed a commit
that referenced
this issue
Jun 8, 2023
Updates #1840 Change-Id: I26cf944bbf0f8f29dd2d413c3811e29088c40f43 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/501536 Reviewed-by: Damien Neil <[email protected]> Run-TryBot: Tatiana Bradley <[email protected]> TryBot-Result: Gopher Robot <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
CVE ID
No response
GHSA ID
No response
Additional information
runtime: unexpected behavior of setuid/setgid binaries
The Go runtime didn't act any differently when a binary had the setuid/setgid
bit set. On Unix platforms, if a setuid/setgid binary was executed with standard
I/O file descriptors closed, opening any files could result in unexpected
content being read/written with elevated prilieges. Similarly if a setuid/setgid
program was terminated, either via panic or signal, it could leak the contents
of its registers.
Thanks to Vincent Dehors from Synacktiv for reporting this issue.
This is CVE-2023-29403 and Go issue https://go.dev/issue/60272.
https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ
The text was updated successfully, but these errors were encountered: