{"id":"GO-2023-1840","summary":"Unsafe behavior in setuid/setgid binaries in runtime","details":"On Unix platforms, the Go runtime does not behave differently when a binary is run with the setuid/setgid bits. This can be dangerous in certain cases, such as when dumping memory state, or assuming the status of standard i/o file descriptors.\n\nIf a setuid/setgid binary is executed with standard I/O file descriptors closed, opening any files can result in unexpected content being read or written with elevated privileges. Similarly, if a setuid/setgid program is terminated, either via panic or signal, it may leak the contents of its registers.","aliases":["BIT-golang-2023-29403","CVE-2023-29403"],"modified":"2026-03-17T04:43:27.876831Z","published":"2023-06-08T20:16:06Z","related":["CGA-xvp7-rwmp-pp3m","RHSA-2023:3920","RHSA-2023:3922","RHSA-2023:3923"],"database_specific":{"review_status":"REVIEWED","url":"https://pkg.go.dev/vuln/GO-2023-1840"},"references":[{"type":"REPORT","url":"https://go.dev/issue/60272"},{"type":"FIX","url":"https://go.dev/cl/501223"},{"type":"WEB","url":"https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ"}],"affected":[{"package":{"name":"stdlib","ecosystem":"Go","purl":"pkg:golang/stdlib"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.19.10"},{"introduced":"1.20.0-0"},{"fixed":"1.20.5"}]}],"ecosystem_specific":{"imports":[{"path":"runtime"}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2023-1840.json"}}],"schema_version":"1.7.5","credits":[{"name":"Vincent Dehors from Synacktiv"}]}