
[kirkstone,0/1] go: Fix CVE-2023-39323

Message ID 20251218071818.4106098-1-libo.chen.cn@windriver.com


Chen, Libo (CN) Dec. 18, 2025, 7:18 a.m. UTC
From: Libo Chen <libo.chen.cn@windriver.com>

Test steps:
1. git clone https://git.yoctoproject.org/poky

2. go to kirkstone branch and set up environment
cd poky
git checkout kirkstone
source oe-init-build-env

3. backport the patch

4. add the following to conf/local.conf:
IMAGE_INSTALL:append = " go"
IMAGE_FEATURES += "dev-pkgs tools-sdk"

5. bitbake core-image-full-cmdline

6. start Qemu target
runqemu qemux86-64 kvm nographic qemuparams="-m 8196"

7. at Qemu target
7.1 go build test_cgo_error.go
7.2 go build test_cgo.go 

Expected behaviors:
7.1 command shall fail due to "only allowed in cgo-generated code"
7.2 command shall pass

Test logs:

Poky (Yocto Project Reference Distro) 4.0.32 qemux86-64 ttyS0

qemux86-64 login: root
root@qemux86-64:~# which go
/usr/bin/go
root@qemux86-64:~# ls -l
total 8
-rw-r--r-- 1 root root 106 Dec 18 06:14 test_cgo.go
-rw-r--r-- 1 root root 304 Dec 18 06:14 test_cgo_error.go
root@qemux86-64:~# cat test_go_error.go
cat: test_go_error.go: No such file or directory
root@qemux86-64:~# cat test_cgo_error.go
// Copyright 2023 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

package main

//line /tmp/_cgo_.go:1
//go:cgo_dynamic_linker "/elf/interp"
// ERROR MESSAGE: only allowed in cgo-generated code

func main() {}
root@qemux86-64:~# cat test_cgo.go
package main

import "fmt"

//this is main entry
func main() {
    fmt.Println("Hello from custom Go!")
}
root@qemux86-64:~# go build test_cgo_error.go
# command-line-arguments
/tmp/_cgo_.go:1: //go:cgo_dynamic_linker "/elf/interp" only allowed in cgo-generated code
root@qemux86-64:~# echo $?
2
root@qemux86-64:~# go build test_cgo.go
root@qemux86-64:~# ls -l test_cgo
-rwxr-xr-x 1 root root 1772006 Dec 18 06:15 test_cgo
root@qemux86-64:~# ./test_cgo
Hello from custom Go!
root@qemux86-64:~# 

Libo Chen (1):
  go: Fix CVE-2023-39323

 meta/recipes-devtools/go/go-1.17.13.inc       |  1 +
 .../go/go-1.21/CVE-2023-39323.patch           | 55 +++++++++++++++++++
 2 files changed, 56 insertions(+)
 create mode 100644 meta/recipes-devtools/go/go-1.21/CVE-2023-39323.patch
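
The pattern that test_cgo_error.go exercises (a //line directive followed by a //go:cgo_ directive in hand-written source) can also be looked for in a source tree before it is built. The scanner below is an added example, not part of the original message or of the patch; `Finding`, `scanSource` and the two sample constants are hypothetical names, and the samples are abridged from the test files shown in the log.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Finding is one //go:cgo_ directive seen in source that is not cgo output.
type Finding struct {
	Line      int    // physical line number in the scanned text
	Directive string // directive as written
	Relabeled bool   // an earlier //line or /*line directive renamed positions
}

// scanSource flags every //go:cgo_* directive in src. It is deliberately
// conservative: leading whitespace is ignored, and Relabeled stays set once
// any line directive has been seen.
func scanSource(src string) []Finding {
	var out []Finding
	relabeled := false
	sc := bufio.NewScanner(strings.NewReader(src))
	for n := 1; sc.Scan(); n++ {
		text := strings.TrimSpace(sc.Text())
		switch {
		case strings.HasPrefix(text, "//line "), strings.HasPrefix(text, "/*line "):
			relabeled = true
		case strings.HasPrefix(text, "//go:cgo_"):
			out = append(out, Finding{Line: n, Directive: text, Relabeled: relabeled})
		}
	}
	return out
}

// Samples abridged from the two test files in the message above.
const sampleBad = "package main\n\n//line /tmp/_cgo_.go:1\n" +
	"//go:cgo_dynamic_linker \"/elf/interp\"\n\nfunc main() {}\n"

const sampleGood = "package main\n\nimport \"fmt\"\n\n" +
	"func main() { fmt.Println(\"Hello from custom Go!\") }\n"

func main() {
	for _, f := range scanSource(sampleBad) {
		fmt.Printf("line %d: %s (relabeled=%v)\n", f.Line, f.Directive, f.Relabeled)
	}
	fmt.Println("findings in clean file:", len(scanSource(sampleGood)))
}
```

Files generated by cgo itself legitimately carry these directives, so the scan is meant for hand-written or vendored source only.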