runtime: dll injection vulnerabilities on Windows [1.12 backport] #30666

Closed
gopherbot opened this issue Mar 8, 2019 · 7 comments
Labels
CherryPickApproved Used during the release process for point releases FrozenDueToAge Security

@gopherbot

@bradfitz requested issue #30642 to be considered for backport to the next 1.12 minor release.

@gopherbot, please backport to Go 1.12.

@gopherbot gopherbot added the CherryPickCandidate Used during the release process for point releases label Mar 8, 2019
@gopherbot gopherbot added this to the Go1.12.1 milestone Mar 8, 2019
@julieqiu
Member

@bradfitz - there isn't a reason provided in the gopherbot message. Would you mind providing one for this backport?

@bradfitz
Contributor

Windows security issue. From the title: "dll injection vulnerabilities on Windows"

@julieqiu
Member

Thanks! I'll mark this as CherryPickApproved since this is a security issue, per our policy at https://golang.org/wiki/MinorReleases.

@julieqiu julieqiu added CherryPickApproved Used during the release process for point releases and removed CherryPickCandidate Used during the release process for point releases labels Mar 12, 2019
@andybons andybons modified the milestones: Go1.12.1, Go1.12.2 Mar 14, 2019
@zx2c4
Contributor

zx2c4 commented Mar 19, 2019

This appears to have missed 1.12.1. What's up?

@bradfitz
Contributor

@zx2c4, because we screwed up yet again. Last time we did this I filed #30422 to fix it in our release automation, but nobody's implemented that yet.

/cc @andybons @dmitshur @ianlancetaylor @katiehockman @FiloSottile @julieqiu

@gopherbot
Author

Change https://golang.org/cl/168339 mentions this issue: [release-branch.go1.12] runtime: safely load DLLs

@gopherbot
Author

Closed by merging fc6457d to release-branch.go1.12.

gopherbot pushed a commit that referenced this issue Mar 24, 2019
While many other call sites have been moved to using the proper
higher-level system loading, these areas were left out. This prevents
DLL directory injection attacks. This includes both the runtime load
calls (using LoadLibrary prior) and the implicitly linked ones via
cgo_import_dynamic, which we move to our LoadLibraryEx. The goal is to
only loosely load kernel32.dll and strictly load all others.

Meanwhile we make sure that we never fall back to insecure loading on
older or unpatched systems.

This is CVE-2019-9634.

Fixes #30666
Updates #14959
Updates #28978
Updates #30642

Change-Id: I401a13ed8db248ab1bb5039bf2d31915cac72b93
Reviewed-on: https://go-review.googlesource.com/c/go/+/165798
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Alex Brainman <alex.brainman@gmail.com>
(cherry picked from commit 9b6e9f0)
Reviewed-on: https://go-review.googlesource.com/c/go/+/168339
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
Reviewed-by: Andrew Bonventre <andybons@golang.org>
@golang golang locked and limited conversation to collaborators Mar 23, 2020
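
The commit above hardens the runtime's own DLL loads; application code has call sites of the same kind. As an added example (not code from the Go project or from this issue), the following parses Go source with `go/ast` and flags `syscall` and `golang.org/x/sys/windows` loader calls that pass a bare DLL name, while leaving absolute paths and `windows.NewLazySystemDLL` alone. The function name `FindBareLoads` and the sample source are constructed for illustration.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strconv"
	"strings"
)

// Loaders in syscall and golang.org/x/sys/windows that take a bare DLL name.
var bareNameLoaders = map[string]bool{"LoadLibrary": true, "LoadDLL": true, "MustLoadDLL": true, "NewLazyDLL": true}

// Constructed sample source (not from the Go tree); it is parsed, never compiled.
const sample = `package demo
var a = syscall.NewLazyDLL("version.dll")
var b = syscall.MustLoadDLL("C:\\Windows\\System32\\userenv.dll")
var c = windows.NewLazySystemDLL("iphlpapi.dll")
func f() { h, _ := windows.LoadLibrary("winmm.dll"); _ = h }
`

// FindBareLoads lists loader calls whose first argument is a string literal with no
// directory part. Assumption: packages are matched by identifier, so aliased imports
// and computed names are out of scope.
func FindBareLoads(src string) ([]string, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, "sample.go", src, 0)
	if err != nil {
		return nil, err
	}
	var hits []string
	ast.Inspect(f, func(n ast.Node) bool {
		call, ok := n.(*ast.CallExpr)
		if !ok || len(call.Args) == 0 {
			return true
		}
		sel, _ := call.Fun.(*ast.SelectorExpr)
		lit, _ := call.Args[0].(*ast.BasicLit)
		if sel == nil || lit == nil || lit.Kind != token.STRING || !bareNameLoaders[sel.Sel.Name] {
			return true
		}
		pkg, _ := sel.X.(*ast.Ident)
		name, err := strconv.Unquote(lit.Value)
		if pkg != nil && (pkg.Name == "syscall" || pkg.Name == "windows") && err == nil && !strings.ContainsAny(name, `\/`) {
			hits = append(hits, fmt.Sprintf("%d: %s.%s(%q)", fset.Position(call.Pos()).Line, pkg.Name, sel.Sel.Name, name))
		}
		return true
	})
	return hits, nil
}
func main() { fmt.Println(FindBareLoads(sample)) }
```

Each hit is a candidate for `windows.NewLazySystemDLL` or an explicit `LoadLibraryEx` call restricted to the system directory.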