oss-sec mailing list archives

RE: The GNU C Library security advisories update for 2025-05-16


From: "Caveney, Seamus G" <sgcaveney () seattleschools org>
Date: Sat, 17 May 2025 06:21:41 +0000

From: Solar Designer <solar () openwall com>
Sent: Friday, May 16, 2025 10:59 PM
To: Carlos O'Donell <carlos () redhat com>
Cc: oss-security () lists openwall com
Subject: Re: [oss-security] The GNU C Library security advisories update for 2025-05-16

[...]

Notably, Go produces static binaries, and I guess would include glibc from its own build?  Do they also use any of the affected functions?

Searching around shows people building Go programs complain about the glibc "warning: Using 'getaddrinfo' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking" (and ditto for some other functions), but only a subset (maybe none?) of those programs would be installed SUID/SGID/setcaps.  Are we aware of any?

Alexander


Go has poor support for SUID/SGID out of the box, due to interactions between the semantics of goroutines and Linux setugid syscalls applying on a per-thread basis. AIUI it's explicitly advised to not drop/gain privileges within a Golang binary itself. I would imagine capabilities have similar drawbacks since they are also per-thread attributes.

OTOH, much of the Golang software I've seen that does need privileges tends to be run as root directly, making this attack a bit of a moot point.
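The question raised above, whether any installed SUID/SGID/setcap binaries are statically linked Go programs, is something an administrator can answer by inventory. The following script is an added example written for this archive page; it is not from either poster and not from the glibc or Go projects. Its two detection heuristics are assumptions: a Go binary carries the `go.buildid` note section name or the `Go buildinf:` buildinfo magic string, and a dynamically linked ELF carries an `/ld-linux` interpreter path, so a binary with the former and without the latter is treated as a static Go binary.

```shell
#!/bin/sh
# Added example: list setuid/setgid (and, where getcap exists, file-capability)
# binaries under the given directories that look like statically linked Go
# programs. Heuristic string matching, not a full ELF parse (assumption).

# Return 0 if the file carries a Go build-ID note name or buildinfo magic.
looks_like_go() {
    [ -f "$1" ] || return 1
    grep -a -q -e 'go.buildid' -e 'Go buildinf:' "$1" 2>/dev/null
}

# Return 0 if no ld.so interpreter path is present, i.e. probably static.
looks_static() {
    [ -f "$1" ] || return 1
    ! grep -a -q '/ld-linux' "$1" 2>/dev/null
}

# Print the path of a candidate only when both heuristics agree.
report_if_static_go() {
    if looks_like_go "$1" && looks_static "$1"; then
        printf '%s\n' "$1"
    fi
}

# Scan the roots given as arguments (e.g. / or /usr/local/bin).
scan_privileged_go() {
    # Route 1: setuid or setgid mode bits.
    find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r f; do
        report_if_static_go "$f"
    done

    # Route 2: file capabilities. getcap prints the path as the first field
    # in both the "path = caps" and the newer "path caps" output formats.
    if command -v getcap >/dev/null 2>&1; then
        getcap -r "$@" 2>/dev/null |
        while IFS= read -r line; do
            report_if_static_go "${line%% *}"
        done
    fi
    return 0
}

# Usage: sh inventory.sh / 2>/dev/null
[ "$#" -gt 0 ] && scan_privileged_go "$@"
```

Run it as root over `/` to cover the whole system; anything it lists is a statically linked Go program installed with privilege, which is exactly the population worth checking against the affected glibc functions (it does not itself tell you whether the binary calls them).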

