golang-1.19.10-1.el9, go-toolset-1.19.10-1.el9
エラータID: AXSA:2023-6174:04
リリース日:
2023/06/30 Friday - 02:12
題名:
golang-1.19.10-1.el9, go-toolset-1.19.10-1.el9
影響のあるチャネル:
MIRACLE LINUX 9 for x86_64
Severity:
High
Description:
以下項目について対処しました。
[Security Fix]
- Go の cgo 機能には、予期しないコードをビルドしてしまう問題が
あるため、リモートの攻撃者により、改行文字が含まれるディレクトリ
名を含む信頼できないモジュールの実行を介して、特定できない影響を
与える攻撃を可能とする脆弱性が存在します。(CVE-2023-29402)
- Go には、setuid/setgid ビットを設定した場合でも Go ランタイムの
動作が変化しない問題があるため、ローカルの攻撃者により、標準入力
や標準出力、標準エラー出力を閉じた状態でのファイルのオープン処理
を介して、特権での予期しないデータの読み書きを可能とする脆弱性が
存在します。(CVE-2023-29403)
- Go の cgo 機能には、オプションではない引数を誤ってオプションと
解釈してしまう問題があるため、リモートの攻撃者により、細工された
"#cgo LDFLAGS" ディレクティブの指定を介して、ビルド時に任意の
コードの実行を可能とする脆弱性が存在します。(CVE-2023-29404)
- Go の cgo 機能には、スペース文字を含む FLAGS の指定を誤って
処理してしまうため、リモートの攻撃者により、細工された
"#cgo LDFLAGS" ディレクティブの指定を介して、ビルド時に任意の
コードの実行を可能とする脆弱性が存在します。(CVE-2023-29405)
解決策:
パッケージをアップデートしてください。
CVE:
CVE-2023-29402
The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a go program which uses cgo. This may occur when running an untrusted module which contains directories with newline characters in their names. Modules which are retrieved using the go command, i.e. via "go get", are not affected (modules retrieved using GOPATH-mode, i.e. GO111MODULE=off, may be affected).
The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a go program which uses cgo. This may occur when running an untrusted module which contains directories with newline characters in their names. Modules which are retrieved using the go command, i.e. via "go get", are not affected (modules retrieved using GOPATH-mode, i.e. GO111MODULE=off, may be affected).
CVE-2023-29403
On Unix platforms, the Go runtime does not behave differently when a binary is run with the setuid/setgid bits. This can be dangerous in certain cases, such as when dumping memory state, or assuming the status of standard i/o file descriptors. If a setuid/setgid binary is executed with standard I/O file descriptors closed, opening any files can result in unexpected content being read or written with elevated privileges. Similarly, if a setuid/setgid program is terminated, either via panic or signal, it may leak the contents of its registers.
On Unix platforms, the Go runtime does not behave differently when a binary is run with the setuid/setgid bits. This can be dangerous in certain cases, such as when dumping memory state, or assuming the status of standard i/o file descriptors. If a setuid/setgid binary is executed with standard I/O file descriptors closed, opening any files can result in unexpected content being read or written with elevated privileges. Similarly, if a setuid/setgid program is terminated, either via panic or signal, it may leak the contents of its registers.
CVE-2023-29404
The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a "#cgo LDFLAGS" directive. The arguments for a number of flags which are non-optional are incorrectly considered optional, allowing disallowed flags to be smuggled through the LDFLAGS sanitization. This affects usage of both the gc and gccgo compilers.
The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a "#cgo LDFLAGS" directive. The arguments for a number of flags which are non-optional are incorrectly considered optional, allowing disallowed flags to be smuggled through the LDFLAGS sanitization. This affects usage of both the gc and gccgo compilers.
CVE-2023-29405
The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a "#cgo LDFLAGS" directive. Flags containing embedded spaces are mishandled, allowing disallowed flags to be smuggled through the LDFLAGS sanitization by including them in the argument of another flag. This only affects usage of the gccgo compiler.
The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a "#cgo LDFLAGS" directive. Flags containing embedded spaces are mishandled, allowing disallowed flags to be smuggled through the LDFLAGS sanitization by including them in the argument of another flag. This only affects usage of the gccgo compiler.
追加情報:
N/A
ダウンロード:
SRPMS
- golang-1.19.10-1.el9.src.rpm
MD5: 540f3ac3909fd6378e52e3c772695908
SHA-256: 53d05dd472be672488ba1e2065004bc65e8f4089c14e18aba406d756996ab65f
Size: 25.08 MB - go-toolset-1.19.10-1.el9.src.rpm
MD5: 76760fef4045898c643f335200caa092
SHA-256: 665e162066873414bd7d0249b018dfae3eac50b43d2881400453bbf37af4a3e9
Size: 9.96 kB
Asianux Server 9 for x86_64
- golang-1.19.10-1.el9.x86_64.rpm
MD5: 0c1e1edf138c38557cacd434bf569488
SHA-256: 7abcbde6efef939d2c258f1587a562e52e9944aa84b54ab459894f30f996b7fa
Size: 574.62 kB - golang-bin-1.19.10-1.el9.x86_64.rpm
MD5: 7bb706781e2536a159675d57255e0953
SHA-256: b33777b9acb3a1a198099fd504c9882ea6e45b5a3533a4609427c62c073cb942
Size: 98.42 MB - golang-docs-1.19.10-1.el9.noarch.rpm
MD5: 1aa33c711d4ef8f3ccd11ab19d09c455
SHA-256: 64a231ba354be7a1fda00afbab59756514233201aed8a0250b2bc5c0e70f1820
Size: 89.91 kB - golang-misc-1.19.10-1.el9.noarch.rpm
MD5: b5b3d90ed543bbce3eccc154a4b80003
SHA-256: 6c232b7b1e1f334219aa6b72fc95f47dbbadfebb69cb4de56329be9ab36862aa
Size: 209.61 kB - golang-race-1.19.10-1.el9.x86_64.rpm
MD5: ec04dec58ad6ea6eb133abba56e51d4b
SHA-256: ae41f5b3716088271fba5f11ca949c1010009e5a70fb00f36ca8e5acfac94da3
Size: 20.29 MB - golang-src-1.19.10-1.el9.noarch.rpm
MD5: 21285d28827d6b0f9cd9a32ae2987b2d
SHA-256: 856e2eeb940b066b7cddee600d4c0cc8b53e26a93166761456e3178a3cf45b79
Size: 11.33 MB - golang-tests-1.19.10-1.el9.noarch.rpm
MD5: a68610687bb3a988163473e2e9772453
SHA-256: a438f7e6c357e6db661f1cf002fd0a6d700b84baf0b9a1dc2baaa0ef4b631c6a
Size: 7.69 MB - go-toolset-1.19.10-1.el9.x86_64.rpm
MD5: b2343e2e22c569926f870bb9ae7f4fa2
SHA-256: 561162352d19fd26eeae1fd7caea73953952c6d0a4cca75678b583d10bcc8e8a
Size: 7.94 kB
English