Bugzilla – Bug 1212074
VUL-0: CVE-2023-29403: go1.19,go1.20: runtime: unexpected behavior of setuid/setgid binaries
Last modified: 2024-03-27 14:41:23 UTC
The Go runtime didn't act any differently when a binary had the setuid/setgid bit set. On Unix platforms, if a setuid/setgid binary was executed with standard I/O file descriptors closed, opening any files could result in unexpected content being read/written with elevated privileges. Similarly if a setuid/setgid program was terminated, either via panic or signal, it could leak the contents of its registers. Thanks to Vincent Dehors from Synacktiv for reporting this issue. This is CVE-2023-29403 and Go issue https://go.dev/issue/60272.
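The mechanism behind the first half of the description is the POSIX rule that open(2) returns the lowest free descriptor number: if a setuid binary starts with fd 0, 1 or 2 closed, the first file it opens lands on one of those numbers, and anything the program later writes to "stdout" or "stderr" (a panic message, a log line) goes into that file with the elevated privileges. The program below is an added example written for this bug page, not code from the Go runtime or from the SUSE packages: it shows the lowest-fd rule, and the classic hardening that privileged programs apply at startup, which is to detect that they are running setuid/setgid and to park /dev/null on any closed standard descriptor before opening anything else. The privilege check uses a real-vs-effective uid/gid comparison as an approximation of the runtime's detection (the Linux runtime fix uses the AT_SECURE auxiliary-vector flag instead); the function names, and /dev/null as the placeholder file, are this example's own choices. Linux or another Unix is assumed.

```go
package main

import (
	"fmt"
	"runtime/debug"
	"syscall"
)

// runningSetuidOrSetgid approximates "secure mode": true when the real
// and effective user or group IDs differ. This is an assumption made for
// the example; the Go runtime fix consults AT_SECURE on Linux, which also
// covers file capabilities and other privilege transitions.
func runningSetuidOrSetgid() bool {
	return syscall.Getuid() != syscall.Geteuid() ||
		syscall.Getgid() != syscall.Getegid()
}

// fdIsOpen reports whether fd refers to an open file description.
// fstat(2) on a closed descriptor fails with EBADF; any other outcome
// means the descriptor exists.
func fdIsOpen(fd int) bool {
	var st syscall.Stat_t
	return syscall.Fstat(fd, &st) != syscall.EBADF
}

// closedStdFDs returns which of the standard descriptors 0, 1, 2 are closed.
func closedStdFDs() []int {
	var closed []int
	for fd := 0; fd <= 2; fd++ {
		if !fdIsOpen(fd) {
			closed = append(closed, fd)
		}
	}
	return closed
}

// ensureStdFDs opens /dev/null on every closed standard descriptor.
// Walking 0, 1, 2 in ascending order means each open(2) must return
// exactly the number being repaired; if it does not, something else
// is manipulating the descriptor table and we refuse to continue
// rather than run with a mis-numbered standard stream.
func ensureStdFDs() error {
	for fd := 0; fd <= 2; fd++ {
		if fdIsOpen(fd) {
			continue
		}
		got, err := syscall.Open("/dev/null", syscall.O_RDWR, 0)
		if err != nil {
			return fmt.Errorf("fd %d closed and /dev/null unavailable: %w", fd, err)
		}
		if got != fd {
			syscall.Close(got)
			return fmt.Errorf("expected /dev/null on fd %d, kernel returned %d", fd, got)
		}
	}
	return nil
}

// reusesLowestFD demonstrates the kernel behaviour the bug depends on:
// after a low descriptor is closed, the next open(2) reuses its number.
// Two opens, close the lower one, open again, and check the number.
func reusesLowestFD() (bool, error) {
	first, err := syscall.Open("/dev/null", syscall.O_RDONLY, 0)
	if err != nil {
		return false, err
	}
	second, err := syscall.Open("/dev/null", syscall.O_RDONLY, 0)
	if err != nil {
		syscall.Close(first)
		return false, err
	}
	defer syscall.Close(second)
	syscall.Close(first) // free the lower number
	third, err := syscall.Open("/dev/null", syscall.O_RDONLY, 0)
	if err != nil {
		return false, err
	}
	defer syscall.Close(third)
	return third == first, nil
}

func main() {
	if runningSetuidOrSetgid() {
		// Repair the descriptor table before any other file is opened.
		if err := ensureStdFDs(); err != nil {
			panic(err) // nothing safe to write to yet; abort
		}
		// Second half of the advisory: keep register/goroutine dumps out of
		// a privileged crash. Note this cannot lower a level already set by
		// the GOTRACEBACK environment variable, which an unprivileged caller
		// controls; only the runtime fix ignores that variable in secure mode.
		debug.SetTraceback("none")
	}
	fmt.Println("closed standard fds:", closedStdFDs())
	reused, err := reusesLowestFD()
	fmt.Println("open(2) reused the lowest free fd:", reused, err)
}
```

To reproduce the precondition by hand, launch the binary with the streams closed, for example `./prog 0<&- 1>&- 2>&-` from a shell, and compare the file that a subsequent open lands on with and without the startup repair. The same loop in C is what setuid-aware programs have long done; on a patched Go 1.19.10 or 1.20.5 toolchain the runtime performs an equivalent check itself, so this code is only needed for older toolchains or for non-Go privileged helpers.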
This is an autogenerated message for OBS integration: This bug (1212074) was mentioned in https://build.opensuse.org/request/show/1091159 Factory / go1.19 https://build.opensuse.org/request/show/1091160 Factory / go1.20
SUSE-SU-2023:2526-1: An update that solves four vulnerabilities and has one fix can now be installed.
Category: security (moderate)
Bug References: 1206346, 1212073, 1212074, 1212075, 1212076
CVE References: CVE-2023-29402, CVE-2023-29403, CVE-2023-29404, CVE-2023-29405
Sources used:
openSUSE Leap 15.4 (src): go1.20-1.20.5-150000.1.14.1
openSUSE Leap 15.5 (src): go1.20-1.20.5-150000.1.14.1
Development Tools Module 15-SP4 (src): go1.20-1.20.5-150000.1.14.1
Development Tools Module 15-SP5 (src): go1.20-1.20.5-150000.1.14.1
SUSE Linux Enterprise Real Time 15 SP3 (src): go1.20-1.20.5-150000.1.14.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:2525-1: An update that solves four vulnerabilities and has one fix can now be installed.
Category: security (moderate)
Bug References: 1200441, 1212073, 1212074, 1212075, 1212076
CVE References: CVE-2023-29402, CVE-2023-29403, CVE-2023-29404, CVE-2023-29405
Sources used:
openSUSE Leap 15.4 (src): go1.19-1.19.10-150000.1.34.1
openSUSE Leap 15.5 (src): go1.19-1.19.10-150000.1.34.1
Development Tools Module 15-SP4 (src): go1.19-1.19.10-150000.1.34.1
Development Tools Module 15-SP5 (src): go1.19-1.19.10-150000.1.34.1
SUSE Linux Enterprise Real Time 15 SP3 (src): go1.19-1.19.10-150000.1.34.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
done