阿里云漏洞库

漏洞描述

Line directives ("//line") can be used to bypass the restrictions on "//go:cgo_" directives, allowing blocked linker and compiler flags to be passed during compilation. This can result in unexpected execution of arbitrary code when running "go build". The line directive requires the absolute path of the file in which the directive lives, which makes exploiting this issue significantly more complex.

解决建议

建议您更新当前系统或软件至最新版，完成漏洞的修复。

参考链接
https://go.dev/cl/533215
https://go.dev/issue/63211
https://groups.google.com/g/golang-announce/c/XBa1oHDevAo
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedorapr...
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedorapr...
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedorapr...
https://pkg.go.dev/vuln/GO-2023-2095
https://security.gentoo.org/glsa/202311-09
https://security.netapp.com/advisory/ntap-20231020-0001/

受影响软件情况

1
#	类型	厂商	产品	版本	影响面
	运行在以下环境
	应用	golang	go	*		Up to (excluding) 1.20.9
	运行在以下环境
	应用	golang	go	*	From (including) 1.21.0	Up to (excluding) 1.21.2
	运行在以下环境
	系统	alpine_3.18	go	*		Up to (excluding) 1.20.9-r0
	运行在以下环境
	系统	alpine_3.19	go	*		Up to (excluding) 1.21.2-r0
	运行在以下环境
	系统	amazon_2	golang	*		Up to (excluding) 1.20.10-1.amzn2.0.1
	运行在以下环境
	系统	amazon_2023	golang	*		Up to (excluding) 1.20.10-1.amzn2023.0.1
	运行在以下环境
	系统	amazon_AMI	golang	*		Up to (excluding) 1.20.10-1.48.amzn1
	运行在以下环境
	系统	anolis_os_23	golang	*		Up to (excluding) 1.20.9-1
	运行在以下环境
	系统	fedora_37	golang	*		Up to (excluding) 1.20.10-3.fc37
	运行在以下环境
	系统	fedora_38	golang	*		Up to (excluding) 1.20.10-2.fc38
	运行在以下环境
	系统	fedora_39	golang	*		Up to (excluding) 1.21.3-1.fc39
	运行在以下环境
	系统	fedora_EPEL_7	golang	*		Up to (excluding) 1.20.10-3.el7
	运行在以下环境
	系统	kylinos_aarch64_V10	golang	*		Up to (excluding) 1.15.7-36.ky10
	运行在以下环境
	系统	kylinos_aarch64_V10SP1	golang	*		Up to (excluding) 1.15.7-36.ky10
	运行在以下环境
	系统	kylinos_aarch64_V10SP2	golang	*		Up to (excluding) 1.15.7-36.ky10
	运行在以下环境
	系统	kylinos_aarch64_V10SP3	golang	*		Up to (excluding) 1.15.7-36.ky10
	运行在以下环境
	系统	kylinos_aarch64_V10SP32309b	golang	*		Up to (excluding) 1.15.7-36.ky10
	运行在以下环境
	系统	kylinos_loongarch64_V10SP3	golang	*		Up to (excluding) 1.15.7-36.p01.a.ky10
	运行在以下环境
	系统	kylinos_x86_64_V10	golang	*		Up to (excluding) 1.15.7-36.ky10
	运行在以下环境
	系统	kylinos_x86_64_V10SP1	golang	*		Up to (excluding) 1.15.7-36.ky10
	运行在以下环境
	系统	kylinos_x86_64_V10SP2	golang	*		Up to (excluding) 1.15.7-36.ky10
	运行在以下环境
	系统	kylinos_x86_64_V10SP3	golang	*		Up to (excluding) 1.15.7-36.ky10
	运行在以下环境
	系统	opensuse_Leap_15.4	go1.21	*		Up to (excluding) 1.21.2-150000.1.9.1
	运行在以下环境
	系统	opensuse_Leap_15.5	go1.21	*		Up to (excluding) 1.21.2-150000.1.9.1
	运行在以下环境
	系统	ubuntu_20.04	golang-1.20	*		Up to (excluding) 1.20.3-1ubuntu0.1~20.04.1
	运行在以下环境
	系统	ubuntu_22.04	golang-1.20	*		Up to (excluding) 1.21.1-1~ubuntu22.04.2

攻击路径

远程
攻击复杂度

容易
权限要求

无需权限
影响范围

全局影响
EXP成熟度

未验证
补丁情况

官方补丁
数据保密性

无影响
数据完整性

无影响
服务器危害

无影响
全网数量

N/A

CWE-ID	漏洞类型
NVD-CWE-noinfo

中危 在构建期间通过 cmd/go 中的行指令执行任意代码 (CVE-2023-39323)

漏洞描述

解决建议

参考链接

受影响软件情况

中危在构建期间通过 cmd/go 中的行指令执行任意代码 (CVE-2023-39323)