go-toolset:rhel8 security update
Errata ID: AXSA:2023-6206:01
Release date:
2023/07/04 Tuesday - 02:17
Title:
go-toolset:rhel8 security update
Affected channels:
Asianux Server 8 for x86_64
Severity:
High
Description:
The following issues have been addressed.
[Security Fix]
- Go's cgo feature can build unexpected code, which allows a remote attacker to cause an unspecified impact by running an untrusted module that contains directory names with newline characters. (CVE-2023-29402)
- The Go runtime does not change its behaviour when the setuid/setgid bits are set, which allows a local attacker to read or write unexpected data with elevated privileges by opening files while standard input, standard output and standard error are closed. (CVE-2023-29403)
- Go's cgo feature incorrectly treats non-optional arguments as optional, which allows a remote attacker to execute arbitrary code at build time via a crafted "#cgo LDFLAGS" directive. (CVE-2023-29404)
- Go's cgo feature mishandles FLAGS values that contain space characters, which allows a remote attacker to execute arbitrary code at build time via a crafted "#cgo LDFLAGS" directive. (CVE-2023-29405)
Modularity name: go-toolset
Stream name: rhel8
Solution:
Update the packages.
CVE:
CVE-2023-29402
The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a go program which uses cgo. This may occur when running an untrusted module which contains directories with newline characters in their names. Modules which are retrieved using the go command, i.e. via "go get", are not affected (modules retrieved using GOPATH-mode, i.e. GO111MODULE=off, may be affected).
CVE-2023-29403
On Unix platforms, the Go runtime does not behave differently when a binary is run with the setuid/setgid bits. This can be dangerous in certain cases, such as when dumping memory state, or assuming the status of standard i/o file descriptors. If a setuid/setgid binary is executed with standard I/O file descriptors closed, opening any files can result in unexpected content being read or written with elevated privileges. Similarly, if a setuid/setgid program is terminated, either via panic or signal, it may leak the contents of its registers.
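The startup hardening the description above calls for, as an added Go example that is not part of this advisory or of the Go distribution: compare real and effective ids, and when the binary is running setuid/setgid make sure descriptors 0, 1 and 2 are open before anything else in the program opens a file, so a later open cannot silently land on a stdio slot and be read or written with elevated privileges. The Go toolset shipped in this update performs an equivalent check inside the runtime; this code is for illustration and for programs that must run on older toolchains. It relies on open(2) returning the lowest free descriptor (POSIX behaviour); the function names and the use of /dev/null are the example's own choices.

```go
package main

import (
	"fmt"
	"syscall"
)

// IsSetuidOrSetgid reports whether the real and effective ids differ, i.e.
// the binary was started through the setuid or setgid bit.
func IsSetuidOrSetgid() bool {
	return syscall.Getuid() != syscall.Geteuid() || syscall.Getgid() != syscall.Getegid()
}

// FdIsOpen reports whether descriptor fd currently refers to an open file.
func FdIsOpen(fd int) bool {
	var st syscall.Stat_t
	return syscall.Fstat(fd, &st) == nil
}

// EnsureStdioOpen makes sure fds 0, 1 and 2 are open, attaching /dev/null to
// any closed slot. The loop runs in ascending order on purpose: open(2)
// returns the lowest free descriptor, so the /dev/null handle lands exactly
// on the closed slot and no dup is needed. It returns the slots it repaired.
func EnsureStdioOpen() ([]int, error) {
	var repaired []int
	for fd := 0; fd <= 2; fd++ {
		if FdIsOpen(fd) {
			continue
		}
		got, err := syscall.Open("/dev/null", syscall.O_RDWR, 0)
		if err != nil {
			return repaired, err
		}
		if got != fd {
			// Should not happen on a POSIX system; refuse rather than guess.
			syscall.Close(got)
			return repaired, fmt.Errorf("expected /dev/null on fd %d, got fd %d", fd, got)
		}
		repaired = append(repaired, fd)
	}
	return repaired, nil
}

func main() {
	if IsSetuidOrSetgid() {
		repaired, err := EnsureStdioOpen()
		if err != nil {
			// Do not continue with privileges if stdio cannot be made safe.
			panic(err)
		}
		fmt.Println("privileged start: repaired stdio fds", repaired)
	}
	// The rest of the program opens files only after this point.
}
```

Run from an ordinary shell nothing is repaired; the value of the check is that any file the program opens afterwards can never occupy fd 0, 1 or 2 and be mistaken for standard I/O.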
CVE-2023-29404
The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This can be triggered by linker flags, specified via a "#cgo LDFLAGS" directive. The arguments for a number of flags which are non-optional are incorrectly considered optional, allowing disallowed flags to be smuggled through the LDFLAGS sanitization. This affects usage of both the gc and gccgo compilers.
CVE-2023-29405
The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This can be triggered by linker flags, specified via a "#cgo LDFLAGS" directive. Flags containing embedded spaces are mishandled, allowing disallowed flags to be smuggled through the LDFLAGS sanitization by including them in the argument of another flag. This only affects usage of the gccgo compiler.
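A defender-side pre-build audit for the three cgo issues described above (CVE-2023-29402, CVE-2023-29404 and CVE-2023-29405), as an added Go example that is not part of this advisory or of the go command itself: before building a module that is not trusted, walk its files and flag directory names containing line breaks, "#cgo LDFLAGS" tokens that carry embedded whitespace, and any linker flag outside a small allowlist in which the argument must be attached to the flag (so a flag whose mandatory argument would arrive as a separate token is rejected rather than passed through). The allowlist, the simplified quote-aware tokenizer and the sample module are this example's own assumptions; the real go command applies its own, more elaborate sanitization, and the fixed toolset in this update is what actually closes the holes.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Finding is one audit hit: file, line (0 for path-level hits), check, text.
type Finding struct {
	File   string
	Line   int
	Check  string
	Detail string
}

// ldflagsDirective matches "// #cgo [constraints] LDFLAGS: value" lines.
var ldflagsDirective = regexp.MustCompile(`^\s*//\s*#cgo\s+(?:[\w,!]+\s+)?LDFLAGS:\s*(.*)$`)

// token is a simplified cgo tokenizer (assumption): a double-quoted run or a
// run without whitespace, so a quoted "-L/opt/my lib" survives as one token.
var token = regexp.MustCompile(`"[^"]*"|\S+`)

func splitDirective(value string) []string {
	toks := token.FindAllString(value, -1)
	for i, t := range toks {
		toks[i] = strings.Trim(t, `"`)
	}
	return toks
}

// allowedFlag is the assumed policy for untrusted modules: only -l<name> and
// -L<dir> with the argument attached, so a flag whose mandatory argument would
// arrive as a separate token is rejected instead of passed through.
func allowedFlag(tok string) bool {
	for _, p := range []string{"-l", "-L"} {
		if strings.HasPrefix(tok, p) && len(tok) > len(p) {
			return true
		}
	}
	return false
}

// ScanSource audits every LDFLAGS directive in one Go source file.
func ScanSource(file, src string) []Finding {
	var out []Finding
	for i, line := range strings.Split(src, "\n") {
		m := ldflagsDirective.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		for _, tok := range splitDirective(m[1]) {
			switch {
			case strings.ContainsAny(tok, " \t"):
				out = append(out, Finding{file, i + 1, "embedded-space", tok})
			case !allowedFlag(tok):
				out = append(out, Finding{file, i + 1, "flag-not-allowlisted", tok})
			}
		}
	}
	return out
}

// AuditModule audits an in-memory module (relative path -> contents) in sorted
// path order; paths are checked for line breaks because cgo embeds directory
// names verbatim in the code it generates.
func AuditModule(files map[string]string) []Finding {
	paths := make([]string, 0, len(files))
	for p := range files {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	var out []Finding
	for _, p := range paths {
		if strings.ContainsAny(p, "\n\r") {
			out = append(out, Finding{p, 0, "newline-in-path", fmt.Sprintf("%q", p)})
		}
		if strings.HasSuffix(p, ".go") {
			out = append(out, ScanSource(p, files[p])...)
		}
	}
	return out
}

// SampleModule is a constructed module: one clean directive, one directive with
// a quoted space-containing token plus a non-allowlisted flag, and one file
// under a directory whose name contains a newline.
func SampleModule() map[string]string {
	return map[string]string{
		"native/cgo.go": "package native\n\n// #cgo CFLAGS: -O2\n" +
			"// #cgo LDFLAGS: -lssl -lcrypto\n" +
			"// #cgo LDFLAGS: \"-L/opt/my lib\" -Wl,-rpath,/opt/lib\nimport \"C\"\n",
		"vendor/odd\nname/x.go": "package odd\n",
	}
}

func main() {
	for _, f := range AuditModule(SampleModule()) {
		fmt.Printf("%s:%d %s %s\n", f.File, f.Line, f.Check, f.Detail)
	}
}
```

Against the sample module the audit reports the quoted token with the space, the -Wl flag outside the allowlist, and the path with the newline; the clean "-lssl -lcrypto" directive produces nothing. Wiring this into a CI step that runs on vendored or fetched dependencies gives a build-time signal independent of which toolchain version is installed.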
Additional information:
N/A
Downloads:
SRPMS
- delve-1.9.1-1.module+el8+1639+069af970.src.rpm
MD5: 9dd5a303c5f567716629e3ac55bea92f
SHA-256: 40b31eb07598dfa3bf9a17b9401529c6a9f83615f6ec38d3936aa72a7c93e91d
Size: 8.69 MB
- golang-1.19.10-1.module+el8+1639+069af970.src.rpm
MD5: f47e89ef3fbe3667687ffe34003968ee
SHA-256: c2c44df3e41d9b48e523529f01be74815057a139bd3bda77777d45ad2b6558cc
Size: 25.10 MB
- go-toolset-1.19.10-1.module+el8+1639+069af970.src.rpm
MD5: 1b79f1a6d257d42015b8116e167ae71d
SHA-256: a8ea733f0f6bc78b743b31c14b33b2d9529bc3929ee8c68fc61a3ee4e73e9225
Size: 14.70 kB
Asianux Server 8 for x86_64
- delve-1.9.1-1.module+el8+1639+069af970.x86_64.rpm
MD5: 0313c476a2e11292b151bff91cd950f1
SHA-256: 03a09a922247afa280f235f54bf27cd7ab9a1e6690f23000709ffbda04098ffd
Size: 4.33 MB
- delve-debugsource-1.9.1-1.module+el8+1639+069af970.x86_64.rpm
MD5: f217a005c6c0434ac5e8437076136907
SHA-256: a5eee7c1e1399db5746eeab8e7fdb1a1fc49be09b1e0483488098e9fcff8d9a0
Size: 0.99 MB
- golang-1.19.10-1.module+el8+1639+069af970.x86_64.rpm
MD5: d1cf2738cf4fba6188d6bb68f9047f1f
SHA-256: 12266bd4a7204bccd9f70feef6f493f3e7a733185a95d3e356286570bcd45c8f
Size: 654.67 kB
- golang-bin-1.19.10-1.module+el8+1639+069af970.x86_64.rpm
MD5: 9498520260479202cb63657e193e3c03
SHA-256: eedb486d6a659dca9531122aef55d154f245a10897c2e640d44d6afdbafbfaff
Size: 107.03 MB
- golang-docs-1.19.10-1.module+el8+1639+069af970.noarch.rpm
MD5: 501e8ee79102a46602f2182d7026e769
SHA-256: 47ea2ddd619187b55a5f8c142f24ae75b782d241ea98a68062a9f91c39a461c1
Size: 117.23 kB
- golang-misc-1.19.10-1.module+el8+1639+069af970.noarch.rpm
MD5: 0037a72db16d2f5a9723dcc3a8a4c8f4
SHA-256: de52643824ebefadc0b681b83b5f7136fa3b084ad1412410114183d3686ad7eb
Size: 235.94 kB
- golang-race-1.19.10-1.module+el8+1639+069af970.x86_64.rpm
MD5: 783f7c840e0138dd3851e0024c623d75
SHA-256: df6b6561983a852501df913ad216d7beddec0034b4f9d2559e70f6fc6930e61d
Size: 21.44 MB
- golang-src-1.19.10-1.module+el8+1639+069af970.noarch.rpm
MD5: 888f4762ff5bc135e3dfe953e38bdc0a
SHA-256: 0f66662b24a2a203499fb5d66efc4ae79ef9848f15ffeb2b37d275a5d5164e1a
Size: 12.31 MB
- golang-tests-1.19.10-1.module+el8+1639+069af970.noarch.rpm
MD5: 0631e4921d14680707a6e67fc41cb319
SHA-256: ee074519a556be25e6a88c7856dd48db704fb227c7a9e1cddc58c5eabc12945f
Size: 8.12 MB
- go-toolset-1.19.10-1.module+el8+1639+069af970.x86_64.rpm
MD5: 07b8fb1830861a0905bcf06d30e64e30
SHA-256: e6d5d102c471803ee1565e56a0df1a5f03224f08f1db40c19b6daefebfa32226
Size: 12.79 kB