aws / eks-distro-build-tooling

This repository contains tooling used to build the EKS Distro, and all the projects contained in https://github.com/aws/eks-distro.

Home Page: https://distro.eks.amazonaws.com/

cmd/go: go.mod toolchain directive allows arbitrary execution (CVE-2023-39320)

eks-distro-pr-bot opened this issue · comments

The go.mod toolchain directive, introduced in Go 1.21, could be leveraged to
execute scripts and binaries relative to the root of the module when the "go"
command was executed within the module. This applies to modules downloaded using
the "go" command from the module proxy, as well as modules downloaded directly
using VCS software.

Thanks to Juho Nurminen of Mattermost for reporting this issue.

This is CVE-2023-39320 and Go issue https://go.dev/issue/62198.

This is a PRIVATE issue for CVE-2023-39320, tracked in http://b/296227674 and fixed by http://tg/1996318.

/cc @golang/security and @golang/release
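The advisory above describes the `toolchain` directive in go.mod being used to run scripts and binaries relative to the module root. As an added example, not code from this repository or from the Go project, here is a small Go pre-flight check that scans a go.mod for a `toolchain` directive and reports any value that is not a plain Go version string, in particular one containing a path separator. The allowlist pattern, the `checkToolchain` function and the sample go.mod contents are this example's own assumptions.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// toolchainVersion is a conservative allowlist for the value of a go.mod
// toolchain directive: "default" or a Go version such as go1.21.1 or
// go1.22rc1. The pattern is this example's own assumption, not a rule
// quoted from the Go toolchain source.
var toolchainVersion = regexp.MustCompile(`^(default|go1\.[0-9]+(\.[0-9]+)?((rc|beta)[0-9]+)?)$`)

// Finding describes one go.mod line that fails the check.
type Finding struct {
	Line  int
	Value string
	Why   string
}

// checkToolchain scans go.mod content and returns a Finding for every
// toolchain directive whose value is not a plain Go version. Trailing
// "//" comments are stripped first so a comment cannot hide the value.
func checkToolchain(gomod string) []Finding {
	var findings []Finding
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for n := 1; sc.Scan(); n++ {
		line := sc.Text()
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i]
		}
		fields := strings.Fields(line)
		if len(fields) == 0 || fields[0] != "toolchain" {
			continue
		}
		if len(fields) != 2 {
			findings = append(findings, Finding{n, strings.Join(fields[1:], " "),
				"toolchain directive must have exactly one value"})
			continue
		}
		v := fields[1]
		switch {
		case strings.ContainsAny(v, "/\\"):
			// A name with a path separator is looked up as a path, not as a
			// toolchain version, which is the shape of value the advisory warns about.
			findings = append(findings, Finding{n, v,
				"contains a path separator; would resolve relative to the module root"})
		case !toolchainVersion.MatchString(v):
			findings = append(findings, Finding{n, v, "not a go1.N[.M] version string"})
		}
	}
	return findings
}

// Constructed sample go.mod files for this example.
const cleanGoMod = `module example.com/clean

go 1.21

toolchain go1.21.1
`

const suspiciousGoMod = `module example.com/suspicious

go 1.21

toolchain ./tools/go // constructed: a value that points into the module tree
`

func main() {
	for name, content := range map[string]string{"clean": cleanGoMod, "suspicious": suspiciousGoMod} {
		findings := checkToolchain(content)
		if len(findings) == 0 {
			fmt.Printf("%s: ok\n", name)
			continue
		}
		for _, f := range findings {
			fmt.Printf("%s: line %d: toolchain %q: %s\n", name, f.Line, f.Value, f.Why)
		}
	}
}
```

Run this over every go.mod a build pulls in before the `go` command is invoked inside that module; it is a defense-in-depth gate for a build system, not a substitute for building with a Go release that carries the fix.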

Mentioned in the upstream backport issue (golang/go#62393 (comment)) and in the issue description, this was introduced in and only applies to Go 1.21. Fixed in: #1154