From 9af12b047ec2e3b2d04c760be18e2f5cbfb5d5d3 Mon Sep 17 00:00:00 2001
From: Libo Chen
Date: Thu, 18 Dec 2025 15:18:18 +0800
Subject: [PATCH] go: Fix CVE-2023-39323

Line directives ("//line") can be used to bypass the restrictions on "//go:cgo_" directives, allowing blocked linker and compiler flags to be passed during compilation. This can result in unexpected execution of arbitrary code when running "go build". The line directive requires the absolute path of the file in which the directive lives, which makes exploiting this issue significantly more complex.

Made below changes for Go 1.17 backport:
- drop the modifications of test codes

References: https://nvd.nist.gov/vuln/detail/CVE-2023-39323
Upstream-patch: https://github.com/golang/go/commit/e7c142a19d8b3944c2f1b9ab7fd94c63d8d0c555

(From OE-Core rev: 62f4c3aec8f80a259472ce19104596d08741c101)

Signed-off-by: Libo Chen
Signed-off-by: Steve Sakoman
---
 meta/recipes-devtools/go/go-1.17.13.inc | 1 +
 .../go/go-1.21/CVE-2023-39323.patch | 55 +++++++++++++++++++
 2 files changed, 56 insertions(+)
 create mode 100644 meta/recipes-devtools/go/go-1.21/CVE-2023-39323.patch

diff --git a/meta/recipes-devtools/go/go-1.17.13.inc b/meta/recipes-devtools/go/go-1.17.13.inc
index bb5e839950..47ef84c35a 100644
--- a/meta/recipes-devtools/go/go-1.17.13.inc
+++ b/meta/recipes-devtools/go/go-1.17.13.inc
@@ -73,6 +73,7 @@ SRC_URI = "https://golang.org/dl/go${PV}.src.tar.gz;name=main \
 file://CVE-2025-58189.patch \
 file://CVE-2025-61723.patch \
 file://CVE-2025-61724.patch \
+ file://CVE-2023-39323.patch \
 "
 
 SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd"

diff --git a/meta/recipes-devtools/go/go-1.21/CVE-2023-39323.patch b/meta/recipes-devtools/go/go-1.21/CVE-2023-39323.patch
new file mode 100644
index 0000000000..613c91706b
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.21/CVE-2023-39323.patch
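Review bot: The added `file://CVE-2023-39323.patch` is stored under `go-1.21/` while it is applied from `go-1.17.13.inc`; the fetcher only finds it if the recipe's FILESEXTRAPATHS (outside this hunk) lists that directory, which is presumably also how the neighbouring CVE-2025 patches are resolved, so this is worth confirming in the recipe rather than assuming. The enclosing SRC_URI assignment starts before the hunk.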
@@ -0,0 +1,55 @@
+From 5e0a62c44fbaff6443bffe67911370bc0ea25f6d Mon Sep 17 00:00:00 2001
+From: Ian Lance Taylor
+Date: Wed, 20 Sep 2023 16:16:29 -0700
+Subject: [PATCH] cmd/compile: use absolute file name in isCgo check
+
+For #23672
+Fixes #63211
+Fixes CVE-2023-39323
+
+Change-Id: I4586a69e1b2560036afec29d53e53cf25e6c7352
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2032884
+Reviewed-by: Matthew Dempsky
+Reviewed-by: Roland Shoemaker
+Reviewed-on: https://go-review.googlesource.com/c/go/+/534158
+Reviewed-by: Dmitri Shuralyov
+Reviewed-by: Ian Lance Taylor
+LUCI-TryBot-Result: Go LUCI
+Auto-Submit: Ian Lance Taylor
+
+Upstream-Status: Backport
+CVE: CVE-2023-39323
+
+Reference to upstream patch:
+https://github.com/golang/go/commit/e7c142a19d8b3944c2f1b9ab7fd94c63d8d0c555
+
+Backport patch to fix CVE-2023-39323 and drop the modifications of test codes.
+
+Signed-off-by: Libo Chen
+---
+ src/cmd/compile/internal/noder/noder.go | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/src/cmd/compile/internal/noder/noder.go b/src/cmd/compile/internal/noder/noder.go
+index 5fcad096c2..f35e065a31 100644
+--- a/src/cmd/compile/internal/noder/noder.go
++++ b/src/cmd/compile/internal/noder/noder.go
+@@ -1690,8 +1690,14 @@ func (p *noder) pragma(pos syntax.Pos, blankLine bool, text string, old syntax.P
+ // contain cgo directives, and for security reasons
+ // (primarily misuse of linker flags), other files are not.
+ // See golang.org/issue/23672.
++// Note that cmd/go ignores files whose names start with underscore,
++// so the only _cgo_ files we will see from cmd/go are generated by cgo.
++// It's easy to bypass this check by calling the compiler directly;
++// we only protect against uses by cmd/go.
+ func isCgoGeneratedFile(pos syntax.Pos) bool {
+- return strings.HasPrefix(filepath.Base(filepath.Clean(fileh(pos.Base().Filename()))), "_cgo_")
++ // We need the absolute file, independent of //line directives,
++ // so we call pos.Base().Pos().Base().
++ return strings.HasPrefix(filepath.Base(filepath.Clean(fileh(pos.Base().Pos().Base().Filename()))), "_cgo_")
+ }
+ 
+ // safeArg reports whether arg is a "safe" command-line argument,
+-- 
+2.34.1
+
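Review bot: The backport carries the `isCgoGeneratedFile` change but, per its own header, drops the upstream test modifications, so the 1.17 tree gains no regression test that a `//line` directive naming a `_cgo_` file is no longer treated as cgo-generated; the patch header should record why the tests were omitted and fold the reference into the OE form, `Upstream-Status: Backport [https://github.com/golang/go/commit/e7c142a19d8b3944c2f1b9ab7fd94c63d8d0c555]`, rather than only stating that they were dropped. The correctness of the one-line fix rests on `pos.Base().Pos().Base()` resolving a line-directive base back to the real file base, which depends on how the 1.17 syntax parser constructs line bases (outside this patch) and should be confirmed against that tree rather than assumed from the 1.21 behaviour. The added comment block already states the remaining limitation — the check covers only builds driven by cmd/go, which skips underscore-prefixed files, not direct compiler invocations — and that caveat belongs in the recipe's CVE notes too. The `pragma` function in the hunk header is unrelated context; `isCgoGeneratedFile` itself is fully contained in the hunk.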