The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a "#cgo LDFLAGS" directive. The arguments for a number of flags which are non-optional are incorrectly considered optional, allowing disallowed flags to be smuggled through the LDFLAGS sanitization. This affects usage of both the gc and gccgo compilers.
{ "availability": "No subscription required", "ubuntu_priority": "low", "binaries": [ { "binary_version": "1.17.13-3ubuntu1.2", "binary_name": "golang-1.17" }, { "binary_version": "1.17.13-3ubuntu1.2", "binary_name": "golang-1.17-doc" }, { "binary_version": "1.17.13-3ubuntu1.2", "binary_name": "golang-1.17-go" }, { "binary_version": "1.17.13-3ubuntu1.2", "binary_name": "golang-1.17-go-dbgsym" }, { "binary_version": "1.17.13-3ubuntu1.2", "binary_name": "golang-1.17-src" } ] }