security: fix CVE-2024-24787 [1.22 backport] #67122
Labels
Milestone
Comments
gopherbot
added
CherryPickCandidate
rolandshoemaker
added
CherryPickApproved
|
Change https://go.dev/cl/583796 mentions this issue: |
|
Closed by merging fa0292d to release-branch.go1.22. |
gopherbot
pushed a commit
that referenced
this issue
May 7, 2024
The darwin linker allows setting the LTO library with the -lto_library flag. This wasn't caught by our "safe linker flags" check because it was covered by the -lx flag used for linking libraries. This change adds a specific check for excluded flags which otherwise satisfy our existing checks. Loading a mallicious LTO library would allow an attacker to cause the linker to execute abritrary code when "go build" was called. Thanks to Juho Forsén of Mattermost for reporting this issue. Fixes #67119 Fixes #67122 Fixes CVE-2024-24787 Change-Id: I77ac8585efbdbdfd5f39c39ed623b9408a0f9eaf Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1380 Reviewed-by: Russ Cox <rsc@google.com> Reviewed-by: Damien Neil <dneil@google.com> (cherry picked from commit 9a79141fbbca1105e5c786f15e38741ca7843290) Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1420 Reviewed-by: Tatiana Bradley <tatianabradley@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/583796 Reviewed-by: David Chase <drchase@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
@rolandshoemaker requested issue #67119 to be considered for backport to the next 1.22 minor release.
The text was updated successfully, but these errors were encountered: