CVE-2023-39323: 
NixOS vulnerability analysis and mitigation

CVE-2023-39323 is a security vulnerability discovered in the Go programming language that affects versions prior to 1.20.9 and versions from 1.21.0-0 up to (excluding) 1.21.2. The vulnerability was disclosed on October 5, 2023, and involves line directives that can bypass security restrictions in the Go build system (Go Announce, NVD).

The vulnerability allows line directives ('//line') to bypass the restrictions on '//go:cgo_' directives, which can lead to unauthorized linker and compiler flags being passed during compilation. The vulnerability has been assigned a CVSS v3.1 base score of 8.1 (HIGH) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. The exploitation complexity is increased by the requirement that the line directive must contain the absolute path of the file in which the directive lives (NVD, Go Package).

When successfully exploited, this vulnerability can result in unexpected execution of arbitrary code when running 'go build'. The impact includes potential disclosure of sensitive information, addition or modification of data, and possible Denial of Service (DoS) (NetApp Advisory).

The vulnerability has been fixed in Go versions 1.20.9 and 1.21.2. Users are advised to upgrade to these or later versions to mitigate the vulnerability. The fix was released as part of the October 2023 security updates (Go Announce).