go-toolset:rhel8 security update

Errata ID: AXSA:2023-6206:01

Release date: 
Tuesday, July 4, 2023 - 02:17
Subject: 
go-toolset:rhel8 security update
Affected Channels: 
Asianux Server 8 for x86_64
Severity: 
High
Description: 

Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang.

Security Fix(es):

* golang: cmd/go: go command may generate unexpected code at build time when using cgo (CVE-2023-29402)
* golang: cmd/go: go command may execute arbitrary code at build time when using cgo (CVE-2023-29404)
* golang: cmd/cgo: Arbitrary code execution triggered by linker flags (CVE-2023-29405)
* golang: runtime: unexpected behavior of setuid/setgid binaries (CVE-2023-29403)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2023-29402
The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a go program which uses cgo. This may occur when running an untrusted module which contains directories with newline characters in their names. Modules which are retrieved using the go command, i.e. via "go get", are not affected (modules retrieved using GOPATH-mode, i.e. GO111MODULE=off, may be affected).
CVE-2023-29403
On Unix platforms, the Go runtime does not behave differently when a binary is run with the setuid/setgid bits. This can be dangerous in certain cases, such as when dumping memory state, or assuming the status of standard i/o file descriptors. If a setuid/setgid binary is executed with standard I/O file descriptors closed, opening any files can result in unexpected content being read or written with elevated privileges. Similarly, if a setuid/setgid program is terminated, either via panic or signal, it may leak the contents of its registers.
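The description above names two concrete hazards for a setuid/setgid Go binary: standard descriptors 0-2 that are already closed when the program starts (so the next file the program opens lands on one of them and is then read or written by code that believes it is talking to stdin/stdout/stderr), and register contents leaking on a crash. The following program, added here as an illustration and not taken from the Go runtime or from this advisory, performs the descriptor check at startup before any other file is opened. It assumes Unix semantics (fstat(2) on a closed descriptor fails with EBADF; open(2) returns the lowest free descriptor) and uses a comparison of real and effective ids as a simplified stand-in for "running setuid/setgid".

```go
package main

import (
	"fmt"
	"os"
	"syscall"
)

// fdIsOpen reports whether fd currently refers to an open file
// description; fstat(2) fails with EBADF on a closed descriptor.
func fdIsOpen(fd int) bool {
	var st syscall.Stat_t
	return syscall.Fstat(fd, &st) == nil
}

// privilegedContext is a simplified stand-in for "am I running as a
// setuid/setgid binary": the real and effective user or group ids differ.
func privilegedContext() bool {
	return os.Getuid() != os.Geteuid() || os.Getgid() != os.Getegid()
}

// ensureStdio opens /dev/null on each of fds 0, 1 and 2 that is closed
// and returns the descriptors it filled. It relies on open(2) returning
// the lowest free descriptor, so walking 0, 1, 2 in order lands each
// open exactly on the slot being repaired. Call it before any other file
// is opened; otherwise that file could occupy fd 0-2 and be written to
// by code that believes it is talking to stdout or stderr.
func ensureStdio() ([]int, error) {
	var filled []int
	for fd := 0; fd <= 2; fd++ {
		if fdIsOpen(fd) {
			continue
		}
		got, err := syscall.Open("/dev/null", syscall.O_RDWR, 0)
		if err != nil {
			return filled, fmt.Errorf("open /dev/null: %w", err)
		}
		if got != fd {
			// A lower slot was not actually free; do not leak the descriptor.
			syscall.Close(got)
			return filled, fmt.Errorf("expected to fill fd %d, got %d", fd, got)
		}
		filled = append(filled, fd)
	}
	return filled, nil
}

func main() {
	if privilegedContext() {
		filled, err := ensureStdio()
		if err != nil {
			// fd 2 may not exist yet, so exit rather than try to report.
			os.Exit(111)
		}
		if len(filled) > 0 {
			fmt.Fprintf(os.Stderr, "setuid context: fds %v were closed, now /dev/null\n", filled)
		}
	}
	fmt.Println("stdio sane; proceeding")
}
```

The ordering matters: any `os.Open`, log file or socket created before `ensureStdio` runs would itself claim the lowest free descriptor and become the program's "stdout". The register-leak half of the description is not something application code can fully address; it is one of the reasons the fixed toolset in this update should be installed rather than worked around.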
CVE-2023-29404
The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This can be triggered by linker flags, specified via a "#cgo LDFLAGS" directive. The arguments of a number of flags that are non-optional are incorrectly treated as optional, allowing disallowed flags to be smuggled through the LDFLAGS sanitization. This affects usage of both the gc and gccgo compilers.
CVE-2023-29405
The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This can be triggered by linker flags, specified via a "#cgo LDFLAGS" directive. Flags containing embedded spaces are mishandled, allowing disallowed flags to be smuggled through the LDFLAGS sanitization by including them in the argument of another flag. This only affects usage of the gccgo compiler.
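Both CVE-2023-29404 and CVE-2023-29405 are failures of an allowlist sanitizer rather than of the linker: a flag whose argument is mandatory was accepted without one, and an argument was not checked for embedded whitespace, so a disallowed option could ride inside the argument of an allowed one. The program below is an added illustration of those two weaknesses next to their corrected form; it is not the go command's own sanitizer, and its allowlist, the flag names it covers, the first-character-only "weak" check, and the join-and-resplit model of a downstream driver are assumptions made for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Hypothetical allowlist for illustration only: far smaller than, and not
// a copy of, the one the go command uses.
var (
	// Whole tokens accepted on their own.
	standalone = []*regexp.Regexp{
		regexp.MustCompile(`^-l[A-Za-z0-9_.+-]+$`),           // -lssl
		regexp.MustCompile(`^-L[A-Za-z0-9_/.+-]+$`),          // -L/usr/lib
		regexp.MustCompile(`^-Wl,-rpath,[A-Za-z0-9_/.+-]+$`), // -Wl,-rpath,/opt/lib
		regexp.MustCompile(`^-pthread$`),
	}
	// Flags whose argument is mandatory and arrives as the next token.
	takesArg = map[string]bool{"-l": true, "-L": true, "-framework": true, "-Wl,-rpath": true}
	// A safe argument is a single token: no whitespace, no leading '-'.
	safeArg = regexp.MustCompile(`^[A-Za-z0-9_/.+][A-Za-z0-9_/.+-]*$`)
)

func matchesAny(res []*regexp.Regexp, s string) bool {
	for _, re := range res {
		if re.MatchString(s) {
			return true
		}
	}
	return false
}

// firstCharLooksSafe is the weak argument check: it inspects only the
// first byte, so "/opt/lib -Wl,--unlisted" passes.
func firstCharLooksSafe(arg string) bool {
	if arg == "" {
		return false
	}
	c := arg[0]
	return '0' <= c && c <= '9' || 'A' <= c && c <= 'Z' || 'a' <= c && c <= 'z' ||
		c == '.' || c == '_' || c == '/'
}

// checkLDFlags validates a "#cgo LDFLAGS" token list against the
// allowlist. With strict=false it carries the two weaknesses described
// above: a flag with a mandatory argument is accepted without one
// (the CVE-2023-29404 pattern), and an argument is judged only by its
// first character, so embedded spaces pass (the CVE-2023-29405 pattern).
// With strict=true both are rejected.
func checkLDFlags(flags []string, strict bool) error {
	for i := 0; i < len(flags); i++ {
		f := flags[i]
		if matchesAny(standalone, f) {
			continue
		}
		if !takesArg[f] {
			return fmt.Errorf("invalid flag: %s", f)
		}
		if i+1 >= len(flags) {
			if strict {
				return fmt.Errorf("invalid flag: %s without argument", f)
			}
			continue // weakness 1: trailing flag silently accepted
		}
		arg := flags[i+1]
		ok := firstCharLooksSafe(arg) // weakness 2: first byte only
		if strict {
			ok = safeArg.MatchString(arg)
		}
		if !ok {
			return fmt.Errorf("invalid flag: %s %s", f, arg)
		}
		i++ // consume the argument
	}
	return nil
}

// linkerArgv models (as an assumption, not the go command's code) a
// downstream driver that joins the flags into one command line and
// re-splits on whitespace: one smuggled argument becomes several linker
// options, which is why a space inside an argument matters.
func linkerArgv(flags []string) []string {
	return strings.Fields(strings.Join(flags, " "))
}

func main() {
	cases := []struct {
		name  string
		flags []string // constructed sample inputs
	}{
		{"clean", []string{"-L/usr/lib", "-lssl"}},
		{"trailing", []string{"-lssl", "-L"}},
		{"smuggled", []string{"-L", "/opt/lib -Wl,--unlisted"}},
	}
	for _, c := range cases {
		fmt.Printf("%-8s lenient=%v strict=%v argv=%q\n", c.name,
			checkLDFlags(c.flags, false), checkLDFlags(c.flags, true), linkerArgv(c.flags))
	}
}
```

The general lesson carries beyond cgo: any allowlist that validates a command line token by token must know each flag's arity and must validate the whole argument as one token, because whatever consumes the list later may not split it the same way the sanitizer did.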

Modularity name: go-toolset
Stream name: rhel8

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. delve-1.9.1-1.module+el8+1639+069af970.src.rpm
    MD5: 9dd5a303c5f567716629e3ac55bea92f
    SHA-256: 40b31eb07598dfa3bf9a17b9401529c6a9f83615f6ec38d3936aa72a7c93e91d
    Size: 8.69 MB
  2. golang-1.19.10-1.module+el8+1639+069af970.src.rpm
    MD5: f47e89ef3fbe3667687ffe34003968ee
    SHA-256: c2c44df3e41d9b48e523529f01be74815057a139bd3bda77777d45ad2b6558cc
    Size: 25.10 MB
  3. go-toolset-1.19.10-1.module+el8+1639+069af970.src.rpm
    MD5: 1b79f1a6d257d42015b8116e167ae71d
    SHA-256: a8ea733f0f6bc78b743b31c14b33b2d9529bc3929ee8c68fc61a3ee4e73e9225
    Size: 14.70 kB

Asianux Server 8 for x86_64
  1. delve-1.9.1-1.module+el8+1639+069af970.x86_64.rpm
    MD5: 0313c476a2e11292b151bff91cd950f1
    SHA-256: 03a09a922247afa280f235f54bf27cd7ab9a1e6690f23000709ffbda04098ffd
    Size: 4.33 MB
  2. delve-debugsource-1.9.1-1.module+el8+1639+069af970.x86_64.rpm
    MD5: f217a005c6c0434ac5e8437076136907
    SHA-256: a5eee7c1e1399db5746eeab8e7fdb1a1fc49be09b1e0483488098e9fcff8d9a0
    Size: 0.99 MB
  3. golang-1.19.10-1.module+el8+1639+069af970.x86_64.rpm
    MD5: d1cf2738cf4fba6188d6bb68f9047f1f
    SHA-256: 12266bd4a7204bccd9f70feef6f493f3e7a733185a95d3e356286570bcd45c8f
    Size: 654.67 kB
  4. golang-bin-1.19.10-1.module+el8+1639+069af970.x86_64.rpm
    MD5: 9498520260479202cb63657e193e3c03
    SHA-256: eedb486d6a659dca9531122aef55d154f245a10897c2e640d44d6afdbafbfaff
    Size: 107.03 MB
  5. golang-docs-1.19.10-1.module+el8+1639+069af970.noarch.rpm
    MD5: 501e8ee79102a46602f2182d7026e769
    SHA-256: 47ea2ddd619187b55a5f8c142f24ae75b782d241ea98a68062a9f91c39a461c1
    Size: 117.23 kB
  6. golang-misc-1.19.10-1.module+el8+1639+069af970.noarch.rpm
    MD5: 0037a72db16d2f5a9723dcc3a8a4c8f4
    SHA-256: de52643824ebefadc0b681b83b5f7136fa3b084ad1412410114183d3686ad7eb
    Size: 235.94 kB
  7. golang-race-1.19.10-1.module+el8+1639+069af970.x86_64.rpm
    MD5: 783f7c840e0138dd3851e0024c623d75
    SHA-256: df6b6561983a852501df913ad216d7beddec0034b4f9d2559e70f6fc6930e61d
    Size: 21.44 MB
  8. golang-src-1.19.10-1.module+el8+1639+069af970.noarch.rpm
    MD5: 888f4762ff5bc135e3dfe953e38bdc0a
    SHA-256: 0f66662b24a2a203499fb5d66efc4ae79ef9848f15ffeb2b37d275a5d5164e1a
    Size: 12.31 MB
  9. golang-tests-1.19.10-1.module+el8+1639+069af970.noarch.rpm
    MD5: 0631e4921d14680707a6e67fc41cb319
    SHA-256: ee074519a556be25e6a88c7856dd48db704fb227c7a9e1cddc58c5eabc12945f
    Size: 8.12 MB
  10. go-toolset-1.19.10-1.module+el8+1639+069af970.x86_64.rpm
    MD5: 07b8fb1830861a0905bcf06d30e64e30
    SHA-256: e6d5d102c471803ee1565e56a0df1a5f03224f08f1db40c19b6daefebfa32226
    Size: 12.79 kB