{"id":"MGASA-2021-0018","summary":"Updated golang packages fix security vulnerabilities","details":"An input validation vulnerability was found in go. From a generated go file\n(from the cgo tool) it is possible to modify symbols within that object file\nand specify code instead. An attacker could potentially use this flaw by\ncreating a repository which included malicious pre-built object files that\ncould execute arbitrary code when downloaded and run via \"go get\" or \"go build\"\nwhilst building a go project (CVE-2020-28366).\n\nAn input validation vulnerability was found in go. If cgo is specified in a go\nfile, it is possible to bypass the validation of arguments to the gcc compiler.\nAn attacker could potentially use this flaw by creating a malicious repository\nwhich would execute arbitrary code when downloaded and run via \"go get\" or \n\"go build\" whilst building a go project (CVE-2020-28367).\n","modified":"2026-02-04T02:33:51.869852Z","published":"2021-01-10T19:46:12Z","related":["CVE-2020-28366","CVE-2020-28367"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2021-0018.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=27650"},{"type":"REPORT","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/F3ZSHGNTJWCWYAKY5OLZS2XQQYHSXSUO/"}],"affected":[{"package":{"name":"golang","ecosystem":"Mageia:7","purl":"pkg:rpm/mageia/golang?arch=source&distro=mageia-7"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.13.15-3.mga7"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2021-0018.json"}}],"schema_version":"1.7.3","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}