DEBIAN-CVE-2023-29405

See a problem?
Please try reporting it to the source first.

Source

https://security-tracker.debian.org/tracker/DEBIAN-CVE-2023-29405

Import Source

https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2023-29405.json

JSON Data

https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2023-29405

Upstream

CVE-2023-29405

Published

2023-06-08T21:15:17Z

Modified

2025-09-18T05:19:54Z

Summary

[none]

Details

The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a "#cgo LDFLAGS" directive. Flags containing embedded spaces are mishandled, allowing disallowed flags to be smuggled through the LDFLAGS sanitization by including them in the argument of another flag. This only affects usage of the gccgo compiler.

References

https://security-tracker.debian.org/tracker/CVE-2023-29405

Affected packages

Debian:11 / golang-1.15

Package

Name: golang-1.15
Purl: pkg:deb/debian/golang-1.15?arch=source

Affected ranges

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / golang-1.19

Package

Name: golang-1.19
Purl: pkg:deb/debian/golang-1.19?arch=source

Affected ranges

Ecosystem specific

{
    "urgency": "not yet assigned"
}