Arbitrary Code Injection Affecting policy-controller package, versions <0.7.0-r4
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-CHAINGUARDLATEST-POLICYCONTROLLER-6252512
- published 19 Feb 2024
- disclosed 8 Jun 2023
Introduced: 8 Jun 2023
CVE-2023-29404 Open this link in a new tabHow to fix?
Upgrade Chainguard
policy-controller
to version 0.7.0-r4 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream policy-controller
package and not the policy-controller
package as distributed by Chainguard
.
See How to fix?
for Chainguard
relevant fixed versions and status.
The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a "#cgo LDFLAGS" directive. The arguments for a number of flags which are non-optional are incorrectly considered optional, allowing disallowed flags to be smuggled through the LDFLAGS sanitization. This affects usage of both the gc and gccgo compilers.
References
- https://go.dev/cl/501225
- https://go.dev/issue/60305
- https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ
- https://pkg.go.dev/vuln/GO-2023-1841
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBS3IIK6ADV24C5ULQU55QLT2UE762ZX/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZ2O6YCO2IZMZJELQGZYR2WAUNEDLYV6/
- https://security.gentoo.org/glsa/202311-09