CVE-2024-24787
Published: 8 May 2024
On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the -lto_library flag in a "#cgo LDFLAGS" directive.
Notes
Author | Note |
---|---|
mdeslaur | Packages built using golang need to be rebuilt once the vulnerability has been fixed. This CVE entry does not list packages that need rebuilding outside of the main repository or the Ubuntu variants with PPA overlays. Warning: do not include nullboot in the list of no-change rebuilds after fixing an issue in golang. |
rodrigo-zaiden | issue affecting macOS only. |
Priority
Status
Package | Release | Status |
---|---|---|
golang | focal | Does not exist |
golang | jammy | Does not exist |
golang | mantic | Does not exist |
golang | noble | Does not exist |
golang | upstream | Needs triage |
golang-1.10 | bionic | Not vulnerable (MacOS only) |
golang-1.10 | focal | Does not exist |
golang-1.10 | jammy | Does not exist |
golang-1.10 | mantic | Does not exist |
golang-1.10 | noble | Does not exist |
golang-1.10 | trusty | Not vulnerable (MacOS only) |
golang-1.10 | upstream | Needs triage |
golang-1.10 | xenial | Not vulnerable (MacOS only) |
golang-1.13 | bionic | Not vulnerable (MacOS only) |
golang-1.13 | focal | Not vulnerable (MacOS only) |
golang-1.13 | jammy | Not vulnerable (MacOS only) |
golang-1.13 | mantic | Does not exist |
golang-1.13 | noble | Does not exist |
golang-1.13 | upstream | Needs triage |
golang-1.13 | xenial | Not vulnerable (MacOS only) |
golang-1.14 | focal | Not vulnerable (MacOS only) |
golang-1.14 | jammy | Does not exist |
golang-1.14 | mantic | Does not exist |
golang-1.14 | noble | Does not exist |
golang-1.14 | upstream | Needs triage |
golang-1.16 | bionic | Not vulnerable (MacOS only) |
golang-1.16 | focal | Not vulnerable (MacOS only) |
golang-1.16 | jammy | Does not exist |
golang-1.16 | mantic | Does not exist |
golang-1.16 | noble | Does not exist |
golang-1.16 | upstream | Needs triage |
golang-1.17 | focal | Does not exist |
golang-1.17 | jammy | Not vulnerable (MacOS only) |
golang-1.17 | mantic | Does not exist |
golang-1.17 | noble | Does not exist |
golang-1.17 | upstream | Needs triage |
golang-1.18 | bionic | Not vulnerable (MacOS only) |
golang-1.18 | focal | Not vulnerable (MacOS only) |
golang-1.18 | jammy | Not vulnerable (MacOS only) |
golang-1.18 | mantic | Does not exist |
golang-1.18 | noble | Does not exist |
golang-1.18 | upstream | Needs triage |
golang-1.18 | xenial | Not vulnerable (MacOS only) |
golang-1.19 | focal | Does not exist |
golang-1.19 | jammy | Does not exist |
golang-1.19 | mantic | Does not exist |
golang-1.19 | noble | Does not exist |
golang-1.19 | upstream | Needs triage |
golang-1.20 | focal | Not vulnerable (MacOS only) |
golang-1.20 | jammy | Not vulnerable (MacOS only) |
golang-1.20 | mantic | Not vulnerable (MacOS only) |
golang-1.20 | noble | Does not exist |
golang-1.20 | upstream | Needs triage |
golang-1.21 | focal | Not vulnerable (MacOS only) |
golang-1.21 | jammy | Not vulnerable (MacOS only) |
golang-1.21 | mantic | Not vulnerable (MacOS only) |
golang-1.21 | noble | Not vulnerable (MacOS only) |
golang-1.21 | upstream | Needs triage |
golang-1.22 | focal | Does not exist |
golang-1.22 | jammy | Does not exist |
golang-1.22 | mantic | Does not exist |
golang-1.22 | noble | Not vulnerable (MacOS only) |
golang-1.22 | upstream | Needs triage |
golang-1.6 | focal | Does not exist |
golang-1.6 | jammy | Does not exist |
golang-1.6 | mantic | Does not exist |
golang-1.6 | noble | Does not exist |
golang-1.6 | upstream | Needs triage |
golang-1.6 | xenial | Not vulnerable (MacOS only) |
golang-1.8 | bionic | Not vulnerable (MacOS only) |
golang-1.8 | focal | Does not exist |
golang-1.8 | jammy | Does not exist |
golang-1.8 | mantic | Does not exist |
golang-1.8 | noble | Does not exist |
golang-1.8 | upstream | Needs triage |
golang-1.9 | bionic | Not vulnerable (MacOS only) |
golang-1.9 | focal | Does not exist |
golang-1.9 | jammy | Does not exist |
golang-1.9 | mantic | Does not exist |
golang-1.9 | noble | Does not exist |
golang-1.9 | upstream | Needs triage |