Early Access — Mondoo Vulnerability Intelligence is currently in preview.

UBUNTU-CVE-2023-29402 | Mondoo Vulnerability Intelligence

UBUNTU-CVE-2023-29402

CRITICAL9.8

The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a go program which uses cgo. This may occur when running an untrusted modu

Published Jun 8, 2023

Modified 7 months ago

Fix available

Details

The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a go program which uses cgo. This may occur when running an untrusted module which contains directories with newline characters in their names. Modules which are retrieved using the go command, i.e. via "go get", are not affected (modules retrieved using GOPATH-mode, i.e. GO111MODULE=off, may be affected).

Affected Packages

Ubuntu:Pro:14.04:LTSgolang-1.10

Affected versions:

1.10.4-2ubuntu1~14.04.1

Ubuntu:Pro:16.04:LTSgolang-1.10

Affected versions:

1.10.4-2ubuntu1~16.04.11.10.4-2ubuntu1~16.04.2

Ubuntu:18.04:LTSgolang-1.10

Affected versions:

1.10-1ubuntu11.10.1-1ubuntu21.10.4-2ubuntu1~18.04.11.10.4-2ubuntu1~18.04.21.10~rc1-11.10~rc1-1ubuntu11.10~rc1-2ubuntu11.10~rc2-1ubuntu1

Ubuntu:16.04:LTSgolang-1.10

Affected versions:

1.10.4-2ubuntu1~16.04.11.10.4-2ubuntu1~16.04.2

Ubuntu:14.04:LTSgolang-1.10

Affected versions:

1.10.4-2ubuntu1~14.04.1

Ubuntu:Pro:18.04:LTSgolang-1.10

Affected versions:

1.10-1ubuntu11.10.1-1ubuntu21.10.4-2ubuntu1~18.04.11.10.4-2ubuntu1~18.04.21.10~rc1-11.10~rc1-1ubuntu11.10~rc1-2ubuntu11.10~rc2-1ubuntu1

Ubuntu:22.04:LTSgolang-1.13

Affected versions:

1.13.8-1ubuntu21.13.8-1ubuntu2.22.04.11.13.8-1ubuntu2.22.04.2

Ubuntu:Pro:16.04:LTSgolang-1.13

Affected versions:

1.13.8-1ubuntu1~16.04.21.13.8-1ubuntu1~16.04.31.13.8-1ubuntu1~16.04.3+esm21.13.8-1ubuntu1~16.04.3+esm3

Ubuntu:Pro:18.04:LTSgolang-1.13

Affected versions:

1.13.8-1ubuntu1~18.04.21.13.8-1ubuntu1~18.04.31.13.8-1ubuntu1~18.04.41.13.8-1ubuntu1~18.04.4+esm1

Ubuntu:Pro:20.04:LTSgolang-1.13

Affected versions:

1.13.1-1ubuntu11.13.3-1ubuntu11.13.4-1ubuntu11.13.5-1ubuntu11.13.6-1ubuntu11.13.6-2ubuntu11.13.7-1ubuntu11.13.8-1ubuntu11.13.8-1ubuntu1.11.13.8-1ubuntu1.2

Ubuntu:Pro:20.04:LTSgolang-1.14

Affected versions:

1.14-11.14.1-11.14.2-11.14.2-1ubuntu11.14.3-2ubuntu2~20.04.11.14.3-2ubuntu2~20.04.21.14~beta1-11.14~beta1-21.14~rc1-1

Ubuntu:Pro:18.04:LTSgolang-1.16

Affected versions:

1.16.2-0ubuntu1~18.04.21.16.2-0ubuntu1~18.04.2+esm1

Ubuntu:Pro:20.04:LTSgolang-1.16

Affected versions:

1.16.2-0ubuntu1~20.041.16.2-0ubuntu1~20.04.11.16.2-0ubuntu1~20.04.1+esm1

Ubuntu:22.04:LTSgolang-1.17

Affected versions:

1.17-1ubuntu21.17.13-3ubuntu11.17.3-1ubuntu11.17.3-1ubuntu2

Fixed in:

1.17.13-3ubuntu1.2

Ubuntu:20.04:LTSgolang-1.18

Affected versions:

1.18.1-1ubuntu1~20.04.11.18.1-1ubuntu1~20.04.2

Fixed in:

1.18.1-1ubuntu1~20.04.3

Ubuntu:22.04:LTSgolang-1.18

Affected versions:

1.18-1ubuntu11.18.1-1ubuntu11.18.1-1ubuntu1.11.18~beta1-0ubuntu11.18~beta2-1ubuntu11.18~beta2-1ubuntu21.18~rc1-1ubuntu1

Fixed in:

1.18.1-1ubuntu1.2

Ubuntu:Pro:16.04:LTSgolang-1.18

Affected versions:

1.18.1-1ubuntu1~16.04.6

Fixed in:

1.18.1-1ubuntu1~16.04.6+esm1

Ubuntu:Pro:18.04:LTSgolang-1.18

Affected versions:

1.18.1-1ubuntu1~18.04.31.18.1-1ubuntu1~18.04.4

Fixed in:

1.18.1-1ubuntu1~18.04.4+esm1

Ubuntu:22.04:LTSgolang-1.20

Affected versions:

1.20.3-1ubuntu0.1~22.041.20.3-1ubuntu0.1~22.04.1

Ubuntu:Pro:16.04:LTSgolang-1.6

Affected versions:

1.6-0ubuntu11.6-0ubuntu21.6-0ubuntu31.6-0ubuntu41.6-0ubuntu51.6.1-0ubuntu11.6.2-0ubuntu5~16.041.6.2-0ubuntu5~16.04.21.6.2-0ubuntu5~16.04.31.6.2-0ubuntu5~16.04.4

Ubuntu:Pro:18.04:LTSgolang-1.8

Affected versions:

1.8.3-2ubuntu11.8.3-2ubuntu1.18.04.1

Ubuntu:Pro:18.04:LTSgolang-1.9

Affected versions:

1.9.1-2ubuntu11.9.2-1ubuntu11.9.2-3ubuntu11.9.3-1ubuntu11.9.4-1ubuntu1

References

REPORThttps://github.com/golang/go/commit/c0ed873cd8259f16d0da67eee783fda49f45ef61 REPORThttps://github.com/golang/go/commit/c160b49b6d328c86bd76ca2fff9009a71347333f REPORThttps://github.com/golang/go/issues/60167 REPORThttps://groups.google.com/g/golang-announce/c/q5135a9d924 REPORThttps://ubuntu.com/security/CVE-2023-29402 REPORThttps://ubuntu.com/security/notices/USN-7061-1 REPORThttps://ubuntu.com/security/notices/USN-7109-1 REPORThttps://www.cve.org/CVERecord?id=CVE-2023-29402

CVSS Analysis

CVSS v3.1

9.8

Exploitability

Attack Vector

NetworkAV:N

Attack Complexity

LowAC:L

Privileges Required

NonePR:N

User Interaction

NoneUI:N

Scope

Scope

UnchangedS:U

Impact

Confidentiality

HighC:H

Integrity

HighI:H

Availability

HighA:H

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Related

CVE-2023-29402 USN-7061-1 USN-7109-1

Ecosystems

Ubuntu Pro 14.04 LTS Ubuntu Pro 16.04 LTS Ubuntu 18.04 LTS Ubuntu 16.04 LTS Ubuntu 14.04 LTS Ubuntu Pro 18.04 LTS Ubuntu 22.04 LTS Ubuntu Pro 20.04 LTS Ubuntu 20.04 LTS

Timeline

PublishedJun 8, 2023

ModifiedJun 3, 2025