Description
Line directives ("//line") can be used to bypass the restrictions on "//go:cgo_" directives, allowing blocked linker and compiler flags to be passed during compilation. This can result in unexpected execution of arbitrary code when running "go build". The line directive requires the absolute path of the file in which the directive lives, which makes exploiting this issue significantly more complex.
References (9)
Core 9
Core References
Patch
https://go.dev/cl/533215
Issue Tracking, Patch
https://go.dev/issue/63211
Mailing List, Release Notes
https://groups.google.com/g/golang-announce/c/XBa1oHDevAo
Mailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/
Mailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/
Mailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/
Vendor Advisory
https://pkg.go.dev/vuln/GO-2023-2095
Third Party Advisory
https://security.gentoo.org/glsa/202311-09
Third Party Advisory
https://security.netapp.com/advisory/ntap-20231020-0001/
Scores
CVSS v3
8.1
EPSS
0.0006
EPSS Percentile
18.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
Status
published
Products (4)
fedoraproject/fedora
37
fedoraproject/fedora
38
fedoraproject/fedora
39
golang/go
< 1.20.9
Published
Oct 05, 2023
Tracked Since
Feb 18, 2026