{"id":"GO-2023-1841","summary":"Improper handling of non-optional LDFLAGS in go command with cgo in cmd/go","details":"The go command may execute arbitrary code at build time when using cgo. This may occur when running \"go get\" on a malicious module, or when running any other command which builds untrusted code. This can be triggered by linker flags, specified via a \"#cgo LDFLAGS\" directive.\n\nThe arguments for a number of flags which are non-optional are incorrectly considered optional, allowing disallowed flags to be smuggled through the LDFLAGS sanitization. This affects usage of both the gc and gccgo compilers.","aliases":["BIT-golang-2023-29404","CVE-2023-29404"],"modified":"2026-02-04T03:02:08.358489Z","published":"2023-06-08T20:15:47Z","related":["CGA-m8p4-8m29-gph3","RHSA-2023:3920","RHSA-2023:3922","RHSA-2023:3923"],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2023-1841","review_status":"REVIEWED"},"references":[{"type":"REPORT","url":"https://go.dev/issue/60305"},{"type":"FIX","url":"https://go.dev/cl/501225"},{"type":"WEB","url":"https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ"}],"affected":[{"package":{"name":"toolchain","ecosystem":"Go","purl":"pkg:golang/toolchain"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.19.10"},{"introduced":"1.20.0-0"},{"fixed":"1.20.5"}]}],"ecosystem_specific":{"imports":[{"path":"cmd/go"}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2023-1841.json"}}],"schema_version":"1.7.3","credits":[{"name":"Juho Nurminen of Mattermost"}]}