CVE-2023-29404
NixOS vulnerability analysis and mitigation

Overview

CVE-2023-29404 is a critical vulnerability in the Go programming language discovered in 2023. The vulnerability affects Go versions prior to 1.19.10 and versions 1.20.0 to 1.20.5. The issue allows arbitrary code execution at build time when using cgo, which can be triggered when running 'go get' on a malicious module or when building untrusted code (Go Issue, Go Advisory).

Technical details

The vulnerability stems from improper sanitization of LDFLAGS in the go command. The issue occurs when linker flags are specified via '#cgo LDFLAGS' directive. The core problem is that arguments for several non-optional flags were incorrectly considered optional, allowing disallowed flags to bypass the LDFLAGS sanitization. This vulnerability affects both gc and gccgo compilers. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD).

Impact

Successful exploitation of this vulnerability could lead to arbitrary code execution during build time. This poses significant risks including disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS). The vulnerability is particularly concerning when building untrusted code or when using 'go get' on potentially malicious modules (NetApp Advisory).

Mitigation and workarounds

The vulnerability has been fixed in Go versions 1.19.10 and 1.20.5. Users are strongly advised to upgrade to these or later versions. For Go 1.19.x, upgrade to version 1.19.10 or later. For Go 1.20.x, upgrade to version 1.20.5 or later. There are no known workarounds, making upgrading the only effective mitigation strategy (Gentoo Advisory).
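Since upgrading is the only mitigation, a build pipeline can refuse to run cgo builds on an affected toolchain. The following is an added example, not code from the Go project or any of the cited advisories: it classifies a version string (or full `go version` output) using the fixed releases named above. The function name `Affected`, the sample inputs, and the treatment of release lines after 1.20 as "later versions" are assumptions of this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// First fixed patch release per minor line, as stated in the
// mitigation text above: 1.19.10 and 1.20.5.
var fixedPatch = map[int]int{19: 10, 20: 5}

// Matches "go1.20.4", "go1.20" and pre-releases such as "go1.20rc1",
// also when embedded in full `go version` output.
var goVerRE = regexp.MustCompile(`\bgo1\.(\d+)(?:\.(\d+))?(?:(?:rc|beta)\d+)?\b`)

// Affected reports whether the toolchain version found in s predates
// the fix for CVE-2023-29404. Unparseable input is an error, not "safe".
func Affected(s string) (bool, error) {
	m := goVerRE.FindStringSubmatch(s)
	if m == nil {
		return false, fmt.Errorf("no Go release version found in %q", s)
	}
	minor, _ := strconv.Atoi(m[1])
	patch := 0 // "go1.20" and pre-releases sort before every patch release
	if m[2] != "" {
		patch, _ = strconv.Atoi(m[2])
	}
	fixed, ok := fixedPatch[minor]
	if !ok {
		// Lines older than 1.19 never got a fix; newer lines are assumed fixed.
		return minor < 19, nil
	}
	return patch < fixed, nil
}

func main() {
	// Constructed sample inputs.
	for _, v := range []string{"go version go1.20.4 linux/amd64", "go1.19.10", "go1.20rc1", "devel +abc123"} {
		affected, err := Affected(v)
		fmt.Printf("%-34q affected=%v err=%v\n", v, affected, err)
	}
}
```

Feed it the output of `go version` from each build image and fail the job when it returns true or an error.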

Community reactions

The vulnerability was responsibly disclosed by Juho Nurminen of Mattermost. The Go team promptly addressed the issue and released patches. However, there was an initial issue with the fix breaking some use cases of '#cgo LDFLAGS' directives when using -compiler=gccgo, which was later addressed in subsequent releases (Go Announce).

This report was generated using AI.
