runtime: dll injection vulnerabilities on Windows [1.11 backport] #30989

dmitshur · 2019-03-21T19:39:59Z

@bradfitz requested issue #30642 to be considered for backport to the next 1.11 minor release.

@gopherbot, please backport to Go 1.11 [because it is a Windows security issue].

(I'm opening this issue for @gopherbot because it hasn't learned to listen to followup requests. That's being tracked in issue #25574.)

dmitshur · 2019-03-21T19:41:21Z

Approving this because it's a security issue, which is in line with our backport policy.

dmitshur · 2019-03-21T19:49:52Z

@zx2c4, since you're the author of the original CL 165798, would you like to send a backport CL?

The process for doing so is described at https://golang.org/wiki/MinorReleases#making-cherry-pick-cls.

This commit brings Travis and AppVeyor up to Go 1.12 to incorporate the fix for CVE-2019-9634 (which hasn't yet been backported to Go 1.11). This breaks with our tradition of pinning release branches to a specific Go release, but it's necessary since this fix won't be backported until Go 1.11.10: golang/go#30989

gopherbot · 2019-05-06T17:56:52Z

Change https://golang.org/cl/175378 mentions this issue: [release-branch.go1.11] runtime: safely load DLLs

gopherbot · 2019-05-06T19:25:19Z

Closed by merging 1bebc53 to release-branch.go1.11.

While many other call sites have been moved to using the proper higher-level system loading, these areas were left out. This prevents DLL directory injection attacks. This includes both the runtime load calls (using LoadLibrary prior) and the implicitly linked ones via cgo_import_dynamic, which we move to our LoadLibraryEx. The goal is to only loosely load kernel32.dll and strictly load all others. Meanwhile we make sure that we never fallback to insecure loading on older or unpatched systems. This is CVE-2019-9634. Fixes #30989 Updates #14959 Updates #28978 Updates #30642 Change-Id: I401a13ed8db248ab1bb5039bf2d31915cac72b93 Reviewed-on: https://go-review.googlesource.com/c/go/+/165798 Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Alex Brainman <alex.brainman@gmail.com> (cherry picked from commit 9b6e9f0) Reviewed-on: https://go-review.googlesource.com/c/go/+/175378 Run-TryBot: Dmitri Shuralyov <dmitshur@golang.org> Reviewed-by: Andrew Bonventre <andybons@golang.org>

dmitshur added the CherryPickCandidate Used during the release process for point releases label Mar 21, 2019

dmitshur added this to the Go1.11.7 milestone Mar 21, 2019

dmitshur added CherryPickApproved Used during the release process for point releases and removed CherryPickCandidate Used during the release process for point releases labels Mar 21, 2019

andybons modified the milestones: Go1.11.7, Go1.11.8, Go1.11.9, Go1.11.10 Apr 5, 2019

bcmills added the NeedsFix The path to resolution is known, but the work has not been done. label Apr 12, 2019

dmitshur self-assigned this May 6, 2019

gopherbot closed this as completed May 6, 2019

dmitshur removed the NeedsFix The path to resolution is known, but the work has not been done. label May 6, 2019

golang locked and limited conversation to collaborators May 5, 2020

gopherbot added the FrozenDueToAge label May 5, 2020

rsc unassigned dmitshur Jun 23, 2022

tatianab added the Security label Aug 4, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

runtime: dll injection vulnerabilities on Windows [1.11 backport] #30989

runtime: dll injection vulnerabilities on Windows [1.11 backport] #30989

dmitshur commented Mar 21, 2019

dmitshur commented Mar 21, 2019

dmitshur commented Mar 21, 2019

gopherbot commented May 6, 2019

gopherbot commented May 6, 2019

runtime: dll injection vulnerabilities on Windows [1.11 backport] #30989

runtime: dll injection vulnerabilities on Windows [1.11 backport] #30989

Comments

dmitshur commented Mar 21, 2019

dmitshur commented Mar 21, 2019

dmitshur commented Mar 21, 2019

gopherbot commented May 6, 2019

gopherbot commented May 6, 2019