
10 matches found

RedhatCVE
added 2025/02/07 5:24 a.m., 10 views

CVE-2025-22867

A vulnerability was found in the cmd/go golang package. On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld due to usage of the @executable_path, @loader_path, or @rpath special values in a "cgo LDFLAGS" directive. Mitigation No...

7.5 CVSS, 7.7 AI score, 0.0059 EPSS
Exploits: 0, References: 7
Cvelist
added 2025/02/06 5:9 p.m., 19 views

CVE-2025-22867 Arbitrary code execution during build on darwin in cmd/go

On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the @executable_path, @loader_path, or @rpath special values in a "cgo LDFLAGS" directive. This issue only affected go1.24rc2...

0.0059 EPSS
Exploits: 0, References: 4
OSV
added 2024/03/06 10:55 a.m., 32 views

BIT-GOLANG-2023-29404 Improper handling of non-optional LDFLAGS in go command with cgo in cmd/go

The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This can be triggered by linker flags, specified via a "cgo LDFLAGS" directive. The arguments for a...

9.8 CVSS, 9.1 AI score, 0.01837 EPSS
Exploits: 0, References: 9
OSV
added 2024/03/06 10:55 a.m., 28 views

BIT-GOLANG-2023-29405 Improper sanitization of LDFLAGS with embedded spaces in go command with cgo in cmd/go

The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This can be triggered by linker flags, specified via a "cgo LDFLAGS" directive. Flags containing...

9.8 CVSS, 9 AI score, 0.01728 EPSS
Exploits: 0, References: 9
RedhatCVE
added 2023/06/26 6:17 p.m., 73 views

CVE-2023-29405

A flaw was found in golang. The go command may execute arbitrary code at build time when using cgo. This can occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This can be triggered by linker flags, specified via a "cgo LDFLAGS"...

7.5 CVSS, 9.3 AI score, 0.01728 EPSS
Exploits: 0, References: 7
Tenable Nessus
added 2023/06/17 12:0 a.m., 27 views

SUSE SLED15 / SLES15 / openSUSE 15 Security Update : go1.19 (SUSE-SU-2023:2525-1)

The remote SUSE Linux SLED15 / SLEDSAP15 / SLES15 / SLESSAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:2525-1 advisory. Update to go1.19.10 bsc1200441: - CVE-2023-29402: cmd/go: Fixed cgo code injection bsc1212073. -...

9.8 CVSS, 7 AI score, 0.01837 EPSS
Exploits: 0, References: 14
OSV
added 2023/06/08 9:15 p.m., 33 views

CVE-2023-29404

The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This can be triggered by linker flags, specified via a "cgo LDFLAGS" directive. The arguments for a...

9.8 CVSS, 8.1 AI score
Exploits: 0, References: 8
AlpineLinux
added 2023/06/08 8:19 p.m., 62 views

CVE-2023-29405

The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This can be triggered by linker flags, specified via a "cgo LDFLAGS" directive. Flags containing...

9.8 CVSS, 9.8 AI score, 0.01728 EPSS
Exploits: 0
CVE
added 2023/06/08 8:19 p.m., 542 views

CVE-2023-29404

The CVE-2023-29404 description is corroborated by connected advisories: it concerns the go command executing code at build time when using cgo, triggered by LDFLAGS in a #cgo LDFLAGS directive, affecting gc and gccgo. The root cause is improper handling of certain linker flags, allowing disallowe...

9.8 CVSS, 9.2 AI score, 0.01837 EPSS
Exploits: 0, References: 8, Affected Software: 1
Cvelist
added 2023/06/08 8:19 p.m., 24 views

CVE-2023-29404 Improper handling of non-optional LDFLAGS in go command with cgo in cmd/go

The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This can be triggered by linker flags, specified via a "cgo LDFLAGS" directive. The arguments for a...

9.9 AI score, 0.01837 EPSS
Exploits: 0, References: 7