go: Fix CVE-2023-39323

Line directives ("//line") can be used to bypass the restrictions on "//go:cgo_" directives, allowing blocked linker and compiler flags to be passed during compilation. This can result in unexpected execution of arbitrary code when running "go build". The line directive requires the absolute path of the file in which the directive lives, which makes exploiting this issue significantly more complex. Made below changes for Go 1.17 backport: - drop the modifications of test codes References: https://nvd.nist.gov/vuln/detail/CVE-2023-39323 Upstream-patch: e7c142a19d (From OE-Core rev: 62f4c3aec8f80a259472ce19104596d08741c101) Signed-off-by: Libo Chen <libo.chen.cn@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
2026-01-01 13:58:04 +00:00 · 2025-12-18 15:18:18 +08:00 · 2025-12-18 15:18:18 +08:00 · 9af12b047e
commit 9af12b047e
parent 652e8fc3b9
2 changed files with 56 additions and 0 deletions
--- a/meta/recipes-devtools/go/go-1.17.13.inc
+++ b/meta/recipes-devtools/go/go-1.17.13.inc
@ -73,6 +73,7 @@ SRC_URI = "https://golang.org/dl/go${PV}.src.tar.gz;name=main \
           file://CVE-2025-58189.patch \
           file://CVE-2025-61723.patch \
           file://CVE-2025-61724.patch \
+           file://CVE-2023-39323.patch \
           "
 SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd"

--- a/meta/recipes-devtools/go/go-1.21/CVE-2023-39323.patch
+++ b/meta/recipes-devtools/go/go-1.21/CVE-2023-39323.patch
@ -0,0 +1,55 @@
+From 5e0a62c44fbaff6443bffe67911370bc0ea25f6d Mon Sep 17 00:00:00 2001
+From: Ian Lance Taylor <iant@golang.org>
+Date: Wed, 20 Sep 2023 16:16:29 -0700
+Subject: [PATCH] cmd/compile: use absolute file name in isCgo check
+
+For #23672
+Fixes #63211
+Fixes CVE-2023-39323
+
+Change-Id: I4586a69e1b2560036afec29d53e53cf25e6c7352
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2032884
+Reviewed-by: Matthew Dempsky <mdempsky@google.com>
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/534158
+Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
+Reviewed-by: Ian Lance Taylor <iant@google.com>
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+Auto-Submit: Ian Lance Taylor <iant@google.com>
+
+Upstream-Status: Backport
+CVE: CVE-2023-39323
+
+Reference to upstream patch:
+https://github.com/golang/go/commit/e7c142a19d8b3944c2f1b9ab7fd94c63d8d0c555
+
+Backport patch to fix CVE-2023-39323 and drop the modifications of test codes.
+
+Signed-off-by: Libo Chen <libo.chen.cn@windriver.com>
+---
+ src/cmd/compile/internal/noder/noder.go | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/src/cmd/compile/internal/noder/noder.go b/src/cmd/compile/internal/noder/noder.go
+index 5fcad096c2..f35e065a31 100644
+--- a/src/cmd/compile/internal/noder/noder.go
+++ b/src/cmd/compile/internal/noder/noder.go
+@@ -1690,8 +1690,14 @@ func (p *noder) pragma(pos syntax.Pos, blankLine bool, text string, old syntax.P
+ // contain cgo directives, and for security reasons
+ // (primarily misuse of linker flags), other files are not.
+ // See golang.org/issue/23672.
+// Note that cmd/go ignores files whose names start with underscore,
+// so the only _cgo_ files we will see from cmd/go are generated by cgo.
+// It's easy to bypass this check by calling the compiler directly;
+// we only protect against uses by cmd/go.
+ func isCgoGeneratedFile(pos syntax.Pos) bool {
+-	return strings.HasPrefix(filepath.Base(filepath.Clean(fileh(pos.Base().Filename()))), "_cgo_")
+	// We need the absolute file, independent of //line directives,
+	// so we call pos.Base().Pos().Base().
+	return strings.HasPrefix(filepath.Base(filepath.Clean(fileh(pos.Base().Pos().Base().Filename()))), "_cgo_")
+ }
+ 
+ // safeArg reports whether arg is a "safe" command-line argument,
+-- 
+2.34.1
+