cmd/go: arbitrary code can be injected into cgo generated files [Go 1.15] #42561

katiehockman · 2020-11-12T20:07:24Z

The go command may execute arbitrary code at build time when cgo is in use. This may occur when running go get on a malicious package, or any other command that builds untrusted code.

This can be caused by malicious unquoted symbol names. This has been fixed by rejecting invalid symbols which may add a //go:cgo_ldflag directive to the generated file, and by ensuring that the go tool follows existing LDFLAG restrictions.

Thanks to Chris Brown and Tempus Ex for reporting this issue.

This issue is CVE-2020-28366.

katiehockman · 2020-11-12T20:56:43Z

Github seems to have created a duplicate. Closing as duplicate of #42562

katiehockman added Security CherryPickApproved Used during the release process for point releases labels Nov 12, 2020

katiehockman added this to the Go1.15.5 milestone Nov 12, 2020

katiehockman closed this as completed Nov 12, 2020

katiehockman removed this from the Go1.15.5 milestone Nov 12, 2020

katiehockman removed the CherryPickApproved Used during the release process for point releases label Nov 12, 2020

golang locked and limited conversation to collaborators Nov 12, 2021

gopherbot added the FrozenDueToAge label Nov 12, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

cmd/go: arbitrary code can be injected into cgo generated files [Go 1.15] #42561

cmd/go: arbitrary code can be injected into cgo generated files [Go 1.15] #42561

katiehockman commented Nov 12, 2020

katiehockman commented Nov 12, 2020

cmd/go: arbitrary code can be injected into cgo generated files [Go 1.15] #42561

cmd/go: arbitrary code can be injected into cgo generated files [Go 1.15] #42561

Comments

katiehockman commented Nov 12, 2020

katiehockman commented Nov 12, 2020