CVE-2023-29402

Name
CVE-2023-29402
Description
The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a go program which uses cgo. This may occur when running an untrusted module which contains directories with newline characters in their names. Modules which are retrieved using the go command, i.e. via "go get", are not affected (modules retrieved using GOPATH-mode, i.e. GO111MODULE=off, may be affected).
NVD Severity
unknown
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
MISC https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ
MISC https://pkg.go.dev/vuln/GO-2023-1839
MISC https://go.dev/issue/60167
MISC https://go.dev/cl/501226
Mailing List https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBS3IIK6ADV24C5ULQU55QLT2UE762ZX/
MISC https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZ2O6YCO2IZMZJELQGZYR2WAUNEDLYV6/
https://security.gentoo.org/glsa/202311-09
af854a3a-2127-422b-91ae-364da2661108 https://security.netapp.com/advisory/ntap-20241213-0004/

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:golang:go:*:*:*:*:*:*:*:* go >= 1.20.0 < 1.20.5
cpe:2.3:a:golang:go:*:*:*:*:*:*:*:* go >= None < 1.19.10

Vulnerable and fixed packages

Source package Branch Version Maintainer Status