Bug 1227338 (CVE-2023-24531)

Summary: VUL-0: CVE-2023-24531: go,go1.21,go1.22: command go env does not sanitize values and can execute its output as a shell script
Product: [Novell Products] SUSE Security Incidents Reporter: SMASH SMASH <smash_bz>
Component: IncidentsAssignee: Jeff Kowalczyk <jkowalczyk>
Status: RESOLVED INVALID QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P5 - None CC: camila.matos, meissner
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/412738/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-24531:5.3:(AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description SMASH SMASH 2024-07-03 11:27:16 UTC 
Command go env is documented as outputting a shell script containing the Go environment. However, go env doesn't sanitize values, so executing its output as a shell script can cause various bad behaviors, including executing arbitrary commands or inserting new environment variables. This issue is relatively minor because, in general, if an attacker can set arbitrary environment variables on a system, they have better attack vectors than making "go env" print them out.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-24531
https://www.cve.org/CVERecord?id=CVE-2023-24531
https://go.dev/cl/488375
https://go.dev/cl/493535
https://go.dev/issue/58508
https://groups.google.com/g/golang-dev/c/ixHOFpSbajE/m/8EjlbKVWAwAJ
https://pkg.go.dev/vuln/GO-2024-2962