• 公告ID (KylinSec-SA-2023-1989)

摘要:

golang security update

安全等级: Critical

公告ID: KylinSec-SA-2023-1989

发布日期: 2023年7月1日

关联CVE: CVE-2023-29402   CVE-2023-29404   CVE-2023-29405  

  • 详细介绍

1. 漏洞描述

   

The Go Programming Language.

Security Fix(es):

The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a go program which uses cgo. This may occur when running an untrusted module which contains directories with newline characters in their names. Modules which are retrieved using the go command, i.e. via "go get", are not affected (modules retrieved using GOPATH-mode, i.e. GO111MODULE=off, may be affected).(CVE-2023-29402)

The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a "#cgo LDFLAGS" directive. The arguments for a number of flags which are non-optional are incorrectly considered optional, allowing disallowed flags to be smuggled through the LDFLAGS sanitization. This affects usage of both the gc and gccgo compilers.(CVE-2023-29404)

The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a "#cgo LDFLAGS" directive. Flags containing embedded spaces are mishandled, allowing disallowed flags to be smuggled through the LDFLAGS sanitization by including them in the argument of another flag. This only affects usage of the gccgo compiler.(CVE-2023-29405)

2. 影响范围

cve名称 产品 组件 是否受影响
CVE-2023-29402 KY3.4-4A golang Fixed
CVE-2023-29402 KY3.4-5A golang Fixed
CVE-2023-29402 KY3.5.1 golang Fixed
CVE-2023-29402 KY3.5.2 golang Fixed
CVE-2023-29404 KY3.4-4A golang Fixed
CVE-2023-29404 KY3.4-5A golang Fixed
CVE-2023-29404 KY3.5.1 golang Fixed
CVE-2023-29404 KY3.5.2 golang Fixed
CVE-2023-29405 KY3.4-4A golang Fixed
CVE-2023-29405 KY3.4-5A golang Fixed
CVE-2023-29405 KY3.5.1 golang Fixed
CVE-2023-29405 KY3.5.2 golang Fixed

3. 影响组件

    golang

4. 修复版本

   

KY3.5.1

软件名称 架构 版本号
golang-devel noarch 1.17.3-19.kb1.ky3_5
golang-help noarch 1.17.3-19.kb1.ky3_5
golang x86_64 1.17.3-19.kb1.ky3_5
golang aarch64 1.17.3-19.kb1.ky3_5

KY3.4-4A

软件名称 架构 版本号
golang-help noarch 1.15.7-31.kb1.ky3_4
golang-devel noarch 1.15.7-31.kb1.ky3_4
golang x86_64 1.15.7-31.kb1.ky3_4
golang aarch64 1.15.7-31.kb1.ky3_4

KY3.4-5A

软件名称 架构 版本号
golang-devel noarch 1.15.7-31.kb1.ky3_4
golang-help noarch 1.15.7-31.kb1.ky3_4
golang x86_64 1.15.7-31.kb1.ky3_4
golang aarch64 1.15.7-31.kb1.ky3_4

KY3.5.2

软件名称 架构 版本号
golang-devel noarch 1.17.3-25.ky3_5.kb5
golang-help noarch 1.17.3-25.ky3_5.kb5
golang x86_64 1.17.3-25.ky3_5.kb5
golang aarch64 1.17.3-25.ky3_5.kb5

5. 修复方法


方法一:下载安装包进行升级安装
1、通过下载链接下载需要升级的升级包保存,如 xxx.rpm
2、通过rpm命令升级,如 rpm -Uvh xxx.rpm

方法二:通过软件源进行升级安装
1、保持能够连接上互联网
2、通过yum命令升级指定的包,如 yum install 包名

6. 下载链接

   

KY3.5.1:

x86_64:

     golang-devel   

     golang-help   

     golang   

aarch64:

     golang-devel   

     golang-help   

     golang   

KY3.4-4A:

x86_64:

     golang-help   

     golang-devel   

     golang   

aarch64:

     golang-help   

     golang-devel   

     golang   

KY3.4-5A:

x86_64:

     golang-devel   

     golang-help   

     golang   

aarch64:

     golang-devel   

     golang-help   

     golang   

KY3.5.2:

x86_64:

     golang-devel   

     golang-help   

     golang   

aarch64:

     golang-devel   

     golang-help   

     golang   
上一篇:KylinSec-SA-2023-1987 下一篇:KylinSec-SA-2023-2191

产品中心

解决方案

技术支持

生态与合作

分支机构

全国统一服务热线

400-012-6606

微信公众号

Copyright © 湖南麒麟信安科技股份有限公司   版权所有   备案号:湘ICP备16010502号-1

技术支持:蒲公英长沙网站建设