Bug 1215985 (CVE-2023-39323)

Summary: VUL-0: CVE-2023-39323: go1.20,go1.21: cmd/go: line directives allows arbitrary execution during build
Product: [Novell Products] SUSE Security Incidents Reporter: Jeff Kowalczyk <jkowalczyk>
Component: IncidentsAssignee: Jeff Kowalczyk <jkowalczyk>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: meissner, stoyan.manolov
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard: CVSSv3.1:SUSE:CVE-2023-39323:7.8:(AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Jeff Kowalczyk 2023-10-05 22:14:26 UTC 
"//line" directives can be used to bypass the restrictions on "//go:cgo_"
directives, allowing blocked linker and compiler flags to be passed during
compliation. This can result in unexpected execution of arbitrary code when
running "go build". The line directive requires the absolute path of the file in
which the directive lives, which makes exploting this issue significantly more
complex.

This is CVE-2023-39323 and Go issue https://go.dev/issue/63211.
Comment 1 OBSbugzilla Bot 2023-10-06 00:34:12 UTC 
This is an autogenerated message for OBS integration:
This bug (1215985) was mentioned in
https://build.opensuse.org/request/show/1115933 Factory / go1.20
https://build.opensuse.org/request/show/1115934 Factory / go1.21
Comment 3 Maintenance Automation 2023-10-09 20:28:49 UTC 
SUSE-SU-2023:4018-1: An update that solves one vulnerability and has one security fix can now be installed.

Category: security (important)
Bug References: 1206346, 1215985
CVE References: CVE-2023-39323
Sources used:
openSUSE Leap 15.4 (src): go1.20-1.20.9-150000.1.26.1
openSUSE Leap 15.5 (src): go1.20-1.20.9-150000.1.26.1
Development Tools Module 15-SP4 (src): go1.20-1.20.9-150000.1.26.1
Development Tools Module 15-SP5 (src): go1.20-1.20.9-150000.1.26.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 4 Maintenance Automation 2023-10-09 20:28:51 UTC 
SUSE-SU-2023:4017-1: An update that solves one vulnerability and has one security fix can now be installed.

Category: security (important)
Bug References: 1212475, 1215985
CVE References: CVE-2023-39323
Sources used:
openSUSE Leap 15.4 (src): go1.21-1.21.2-150000.1.9.1
openSUSE Leap 15.5 (src): go1.21-1.21.2-150000.1.9.1
Development Tools Module 15-SP4 (src): go1.21-1.21.2-150000.1.9.1
Development Tools Module 15-SP5 (src): go1.21-1.21.2-150000.1.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 5 OBSbugzilla Bot 2023-10-31 15:35:23 UTC 
This is an autogenerated message for OBS integration:
This bug (1215985) was mentioned in
https://build.opensuse.org/request/show/1121461 Backports:SLE-12 / go1.21
Comment 8 Marcus Meissner 2023-11-09 14:05:22 UTC 
openSUSE-SU-2023:0360-1: An update that solves 8 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1212475,1212667,1212669,1215084,1215085,1215086,1215087,1215090,1215985,1216109
CVE References: CVE-2023-39318,CVE-2023-39319,CVE-2023-39320,CVE-2023-39321,CVE-2023-39322,CVE-2023-39323,CVE-2023-39325,CVE-2023-44487
JIRA References: 
Sources used:
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    go-1.21-41.1, go1.21-1.21.3-2.1
Comment 10 Maintenance Automation 2023-11-16 20:30:01 UTC 
SUSE-SU-2023:4472-1: An update that solves five vulnerabilities can now be installed.

Category: security (important)
Bug References: 1206346, 1215985, 1216109, 1216943, 1216944
CVE References: CVE-2023-39323, CVE-2023-39325, CVE-2023-44487, CVE-2023-45283, CVE-2023-45284
Sources used:
openSUSE Leap 15.4 (src): go1.20-openssl-1.20.11.1-150000.1.14.1
openSUSE Leap 15.5 (src): go1.20-openssl-1.20.11.1-150000.1.14.1
Development Tools Module 15-SP4 (src): go1.20-openssl-1.20.11.1-150000.1.14.1
Development Tools Module 15-SP5 (src): go1.20-openssl-1.20.11.1-150000.1.14.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Maintenance Automation 2023-11-16 20:30:11 UTC 
SUSE-SU-2023:4469-1: An update that solves 10 vulnerabilities, contains one feature and has two security fixes can now be installed.

Category: security (moderate)
Bug References: 1212475, 1212667, 1212669, 1215084, 1215085, 1215086, 1215087, 1215090, 1215985, 1216109, 1216943, 1216944
CVE References: CVE-2023-39318, CVE-2023-39319, CVE-2023-39320, CVE-2023-39321, CVE-2023-39322, CVE-2023-39323, CVE-2023-39325, CVE-2023-44487, CVE-2023-45283, CVE-2023-45284
Jira References: SLE-18320
Sources used:
openSUSE Leap 15.4 (src): go1.21-openssl-1.21.4.1-150000.1.5.1
openSUSE Leap 15.5 (src): go1.21-openssl-1.21.4.1-150000.1.5.1
Development Tools Module 15-SP4 (src): go1.21-openssl-1.21.4.1-150000.1.5.1
Development Tools Module 15-SP5 (src): go1.21-openssl-1.21.4.1-150000.1.5.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 14 Marcus Meissner 2024-05-16 12:47:18 UTC 
done