CVE-2023-29403: 
NixOS vulnerability analysis and mitigation

CVE-2023-29403 is a security vulnerability discovered in the Go runtime that affects Unix platforms when binaries are run with setuid/setgid bits. The vulnerability was discovered by Vincent Dehors from Synacktiv and was publicly disclosed in June 2023. It affects Go versions prior to 1.19.10 and versions from 1.20.0 up to (excluding) 1.20.5 (Go Advisory, NVD).

The vulnerability stems from the Go runtime's failure to handle setuid/setgid bits differently on Unix platforms. When a setuid/setgid binary is executed with standard I/O file descriptors closed, opening any files can result in unexpected content being read or written with elevated privileges. Additionally, if a setuid/setgid program is terminated, either via panic or signal, it may leak the contents of its registers. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (High) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (NVD).

The successful exploitation of this vulnerability could lead to unauthorized disclosure of sensitive information, unauthorized modification of data, or Denial of Service (DoS). The vulnerability is particularly concerning as it could allow attackers to read or write content with elevated privileges, potentially compromising system security (NetApp Advisory).

The vulnerability has been fixed in Go versions 1.19.10 and 1.20.5. Users are advised to upgrade to these or later versions to mitigate the vulnerability. The fix was released as part of the security updates announced in the Go 1.20.5 and 1.19.10 releases (Golang Announce).