data/reports: add GO-2023-1840.yaml
Aliases: CVE-2023-29403
Updates golang/vulndb#1840
Change-Id: I0c0829d98d1ec4ff5997245189958b4b7cc362d8
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/501837
Reviewed-by: Roland Shoemaker <roland@golang.org>
Run-TryBot: Tatiana Bradley <tatianabradley@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
diff --git a/data/cve/v5/GO-2023-1840.json b/data/cve/v5/GO-2023-1840.json
new file mode 100644
index 0000000..791fbf9
--- /dev/null
+++ b/data/cve/v5/GO-2023-1840.json
@@ -0,0 +1,73 @@
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0",
+ "cveMetadata": {
+ "cveId": "CVE-2023-29403"
+ },
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "On Unix platforms, the Go runtime does not behave differently when a binary is run with the setuid/setgid bits. This can be dangerous in certain cases, such as when dumping memory state, or assuming the status of standard i/o file descriptors. If a setuid/setgid binary is executed with standard I/O file descriptors closed, opening any files can result in unexpected content being read or written with elevated privileges. Similarly, if a setuid/setgid program is terminated, either via panic or signal, it may leak the contents of its registers."
+ }
+ ],
+ "affected": [
+ {
+ "vendor": "Go toolchain",
+ "product": "cmd/go",
+ "collectionURL": "https://pkg.go.dev",
+ "packageName": "cmd/go",
+ "versions": [
+ {
+ "version": "0",
+ "lessThan": "1.19.10",
+ "status": "affected",
+ "versionType": "semver"
+ },
+ {
+ "version": "1.20.0-0",
+ "lessThan": "1.20.5",
+ "status": "affected",
+ "versionType": "semver"
+ }
+ ],
+ "defaultStatus": "unaffected"
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "lang": "en",
+ "description": "CWE-642: External Control of Critical State Data"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://go.dev/issue/60272"
+ },
+ {
+ "url": "https://go.dev/cl/501223"
+ },
+ {
+ "url": "https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ"
+ },
+ {
+ "url": "https://pkg.go.dev/vuln/GO-2023-1840"
+ }
+ ],
+ "credits": [
+ {
+ "lang": "en",
+ "value": "Vincent Dehors from Synacktiv"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2023-1840.json b/data/osv/GO-2023-1840.json
new file mode 100644
index 0000000..a532601
--- /dev/null
+++ b/data/osv/GO-2023-1840.json
@@ -0,0 +1,66 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2023-1840",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2023-29403"
+ ],
+ "details": "On Unix platforms, the Go runtime does not behave differently when a binary is run with the setuid/setgid bits. This can be dangerous in certain cases, such as when dumping memory state, or assuming the status of standard i/o file descriptors.\n\nIf a setuid/setgid binary is executed with standard I/O file descriptors closed, opening any files can result in unexpected content being read or written with elevated privileges. Similarly, if a setuid/setgid program is terminated, either via panic or signal, it may leak the contents of its registers.",
+ "affected": [
+ {
+ "package": {
+ "name": "toolchain",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.19.10"
+ },
+ {
+ "introduced": "1.20.0-0"
+ },
+ {
+ "fixed": "1.20.5"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "imports": [
+ {
+ "path": "cmd/go"
+ }
+ ]
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "REPORT",
+ "url": "https://go.dev/issue/60272"
+ },
+ {
+ "type": "FIX",
+ "url": "https://go.dev/cl/501223"
+ },
+ {
+ "type": "WEB",
+ "url": "https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ"
+ }
+ ],
+ "credits": [
+ {
+ "name": "Vincent Dehors from Synacktiv"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2023-1840"
+ }
+}
\ No newline at end of file
diff --git a/data/reports/GO-2023-1840.yaml b/data/reports/GO-2023-1840.yaml
new file mode 100644
index 0000000..e6c7d39
--- /dev/null
+++ b/data/reports/GO-2023-1840.yaml
@@ -0,0 +1,31 @@
+id: GO-2023-1840
+modules:
+ - module: cmd
+ versions:
+ - fixed: 1.19.10
+ - introduced: 1.20.0-0
+ fixed: 1.20.5
+ vulnerable_at: 1.20.4
+ packages:
+ - package: cmd/go
+summary: Unsafe behavior in setuid/setgid binaries in Go runtime
+description: |
+ On Unix platforms, the Go runtime does not behave differently when a binary
+ is run with the setuid/setgid bits. This can be dangerous in certain
+ cases, such as when dumping memory state, or assuming the status of
+ standard i/o file descriptors.
+
+ If a setuid/setgid binary is executed with standard I/O file descriptors
+ closed, opening any files can result in unexpected content being read
+ or written with elevated privileges. Similarly, if a setuid/setgid program
+ is terminated, either via panic or signal, it may leak the contents of its
+ registers.
+credits:
+ - Vincent Dehors from Synacktiv
+references:
+ - report: https://go.dev/issue/60272
+ - fix: https://go.dev/cl/501223
+ - web: https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ
+cve_metadata:
+ id: CVE-2023-29403
+ cwe: 'CWE-642: External Control of Critical State Data'
