Early Access — Mondoo Vulnerability Intelligence is currently in preview.

UBUNTU-CVE-2023-29403 | Mondoo Vulnerability Intelligence

UBUNTU-CVE-2023-29403

HIGH7.8

On Unix platforms, the Go runtime does not behave differently when a binary is run with the setuid/setgid bits. This can be dangerous in certain cases, such as when dumping memory state, or assuming t

Published Jun 8, 2023

Modified 7 months ago

Fix available

Details

On Unix platforms, the Go runtime does not behave differently when a binary is run with the setuid/setgid bits. This can be dangerous in certain cases, such as when dumping memory state, or assuming the status of standard i/o file descriptors. If a setuid/setgid binary is executed with standard I/O file descriptors closed, opening any files can result in unexpected content being read or written with elevated privileges. Similarly, if a setuid/setgid program is terminated, either via panic or signal, it may leak the contents of its registers.

Affected Packages

Ubuntu:Pro:14.04:LTSgolang-1.10

Affected versions:

1.10.4-2ubuntu1~14.04.1

Ubuntu:Pro:16.04:LTSgolang-1.10

Affected versions:

1.10.4-2ubuntu1~16.04.11.10.4-2ubuntu1~16.04.2

Ubuntu:18.04:LTSgolang-1.10

Affected versions:

1.10-1ubuntu11.10.1-1ubuntu21.10.4-2ubuntu1~18.04.11.10.4-2ubuntu1~18.04.21.10~rc1-11.10~rc1-1ubuntu11.10~rc1-2ubuntu11.10~rc2-1ubuntu1

Ubuntu:16.04:LTSgolang-1.10

Affected versions:

1.10.4-2ubuntu1~16.04.11.10.4-2ubuntu1~16.04.2

Ubuntu:14.04:LTSgolang-1.10

Affected versions:

1.10.4-2ubuntu1~14.04.1

Ubuntu:Pro:18.04:LTSgolang-1.10

Affected versions:

1.10-1ubuntu11.10.1-1ubuntu21.10.4-2ubuntu1~18.04.11.10.4-2ubuntu1~18.04.21.10~rc1-11.10~rc1-1ubuntu11.10~rc1-2ubuntu11.10~rc2-1ubuntu1

Ubuntu:22.04:LTSgolang-1.13

Affected versions:

1.13.8-1ubuntu21.13.8-1ubuntu2.22.04.11.13.8-1ubuntu2.22.04.2

Ubuntu:Pro:16.04:LTSgolang-1.13

Affected versions:

1.13.8-1ubuntu1~16.04.21.13.8-1ubuntu1~16.04.31.13.8-1ubuntu1~16.04.3+esm21.13.8-1ubuntu1~16.04.3+esm3

Ubuntu:Pro:18.04:LTSgolang-1.13

Affected versions:

1.13.8-1ubuntu1~18.04.21.13.8-1ubuntu1~18.04.31.13.8-1ubuntu1~18.04.41.13.8-1ubuntu1~18.04.4+esm1

Ubuntu:Pro:20.04:LTSgolang-1.13

Affected versions:

1.13.1-1ubuntu11.13.3-1ubuntu11.13.4-1ubuntu11.13.5-1ubuntu11.13.6-1ubuntu11.13.6-2ubuntu11.13.7-1ubuntu11.13.8-1ubuntu11.13.8-1ubuntu1.11.13.8-1ubuntu1.2

Ubuntu:Pro:20.04:LTSgolang-1.14

Affected versions:

1.14-11.14.1-11.14.2-11.14.2-1ubuntu11.14.3-2ubuntu2~20.04.11.14.3-2ubuntu2~20.04.21.14~beta1-11.14~beta1-21.14~rc1-1

Ubuntu:Pro:18.04:LTSgolang-1.16

Affected versions:

1.16.2-0ubuntu1~18.04.21.16.2-0ubuntu1~18.04.2+esm1

Ubuntu:Pro:20.04:LTSgolang-1.16

Affected versions:

1.16.2-0ubuntu1~20.041.16.2-0ubuntu1~20.04.11.16.2-0ubuntu1~20.04.1+esm1

Ubuntu:22.04:LTSgolang-1.17

Affected versions:

1.17-1ubuntu21.17.13-3ubuntu11.17.3-1ubuntu11.17.3-1ubuntu2

Fixed in:

1.17.13-3ubuntu1.2

Ubuntu:20.04:LTSgolang-1.18

Affected versions:

1.18.1-1ubuntu1~20.04.11.18.1-1ubuntu1~20.04.2

Fixed in:

1.18.1-1ubuntu1~20.04.3

Ubuntu:22.04:LTSgolang-1.18

Affected versions:

1.18-1ubuntu11.18.1-1ubuntu11.18.1-1ubuntu1.11.18~beta1-0ubuntu11.18~beta2-1ubuntu11.18~beta2-1ubuntu21.18~rc1-1ubuntu1

Fixed in:

1.18.1-1ubuntu1.2

Ubuntu:Pro:16.04:LTSgolang-1.18

Affected versions:

1.18.1-1ubuntu1~16.04.6

Fixed in:

1.18.1-1ubuntu1~16.04.6+esm1

Ubuntu:Pro:18.04:LTSgolang-1.18

Affected versions:

1.18.1-1ubuntu1~18.04.31.18.1-1ubuntu1~18.04.4

Fixed in:

1.18.1-1ubuntu1~18.04.4+esm1

Ubuntu:22.04:LTSgolang-1.20

Affected versions:

1.20.3-1ubuntu0.1~22.041.20.3-1ubuntu0.1~22.04.1

Ubuntu:Pro:16.04:LTSgolang-1.6

Affected versions:

1.6-0ubuntu11.6-0ubuntu21.6-0ubuntu31.6-0ubuntu41.6-0ubuntu51.6.1-0ubuntu11.6.2-0ubuntu5~16.041.6.2-0ubuntu5~16.04.21.6.2-0ubuntu5~16.04.31.6.2-0ubuntu5~16.04.4

Ubuntu:Pro:18.04:LTSgolang-1.8

Affected versions:

1.8.3-2ubuntu11.8.3-2ubuntu1.18.04.1

Ubuntu:Pro:18.04:LTSgolang-1.9

Affected versions:

1.9.1-2ubuntu11.9.2-1ubuntu11.9.2-3ubuntu11.9.3-1ubuntu11.9.4-1ubuntu1

References

REPORThttps://github.com/golang/go/commit/36144ba429ef2650940c72e7a0b932af3612d420 REPORThttps://github.com/golang/go/commit/a7b1cd452ddc69a6606c2f35ac5786dc892e62cb REPORThttps://github.com/golang/go/issues/60272 REPORThttps://groups.google.com/g/golang-announce/c/q5135a9d924 REPORThttps://ubuntu.com/security/CVE-2023-29403 REPORThttps://ubuntu.com/security/notices/USN-7061-1 REPORThttps://ubuntu.com/security/notices/USN-7109-1 REPORThttps://www.cve.org/CVERecord?id=CVE-2023-29403

CVSS Analysis

CVSS v3.1

7.8

Exploitability

Attack Vector

LocalAV:L

Attack Complexity

LowAC:L

Privileges Required

NonePR:N

User Interaction

RequiredUI:R

Scope

Scope

UnchangedS:U

Impact

Confidentiality

HighC:H

Integrity

HighI:H

Availability

HighA:H

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Related

CVE-2023-29403 USN-7061-1 USN-7109-1

Ecosystems

Ubuntu Pro 14.04 LTS Ubuntu Pro 16.04 LTS Ubuntu 18.04 LTS Ubuntu 16.04 LTS Ubuntu 14.04 LTS Ubuntu Pro 18.04 LTS Ubuntu 22.04 LTS Ubuntu Pro 20.04 LTS Ubuntu 20.04 LTS

Timeline

PublishedJun 8, 2023

ModifiedJun 3, 2025