mirror of
https://git.yoctoproject.org/poky
synced 2026-04-27 21:32:13 +02:00
19cce6f246
The go command may execute arbitrary code at build time when using cgo.
This may occur when running "go get" on a malicious module, or when running
any other command which builds untrusted code. This is can by triggered by
linker flags, specified via a "#cgo LDFLAGS" directive. The arguments for a
number of flags which are non-optional are incorrectly considered optional,
allowing disallowed flags to be smuggled through the LDFLAGS sanitization.
This affects usage of both the gc and gccgo compilers.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-29404
Upstream patches:
bbeb55f5fa
(From OE-Core rev: 3e51122f8e2b4a7cd2a1c711175e6daf59b8368b)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>