runtime: dll injection vulnerabilities on Windows [1.12 backport] #30666

Closed
gopherbot opened this issue Mar 8, 2019 · 7 comments

@gopherbot

commented Mar 8, 2019

@bradfitz requested issue #30642 to be considered for backport to the next 1.12 minor release.

@gopherbot, please backport to Go 1.12.

@julieqiu

commented Mar 12, 2019

@bradfitz - there isn't a reason provided in the gopherbot message. Would you mind providing one for this backport?

@bradfitz

Member

commented Mar 12, 2019

Windows security issue. From the title: "dll injection vulnerabilities on Windows"

@julieqiu

commented Mar 12, 2019

Thanks! I'll mark this as CherryPickApproved since this is a security issue, per our policy at https://golang.org/wiki/MinorReleases.

@zx2c4

Contributor

commented Mar 19, 2019

This appears to have missed 1.12.1. What's up?

@bradfitz

Member

commented Mar 19, 2019

@zx2c4, because we screwed up yet again. Last time we did this I filed #30422 to fix it in our release automation, but nobody's implemented that yet.

/cc @andybons @dmitshur @ianlancetaylor @katiehockman @FiloSottile @julieqiu

@gopherbot

Author

commented Mar 19, 2019

Change https://golang.org/cl/168339 mentions this issue: [release-branch.go1.12] runtime: safely load DLLs

@gopherbot

Author

commented Mar 24, 2019

Closed by merging fc6457d to release-branch.go1.12.

@gopherbot gopherbot closed this Mar 24, 2019

gopherbot pushed a commit that referenced this issue Mar 24, 2019

[release-branch.go1.12] runtime: safely load DLLs

While many other call sites have been moved to using the proper
higher-level system loading, these areas were left out. This prevents
DLL directory injection attacks. This includes both the runtime load
calls (using LoadLibrary prior) and the implicitly linked ones via
cgo_import_dynamic, which we move to our LoadLibraryEx. The goal is to
only loosely load kernel32.dll and strictly load all others.

Meanwhile we make sure that we never fall back to insecure loading on
older or unpatched systems.

This is CVE-2019-9634.

Fixes #30666
Updates #14959
Updates #28978
Updates #30642

Change-Id: I401a13ed8db248ab1bb5039bf2d31915cac72b93
Reviewed-on: https://go-review.googlesource.com/c/go/+/165798
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Alex Brainman <alex.brainman@gmail.com>
(cherry picked from commit 9b6e9f0)
Reviewed-on: https://go-review.googlesource.com/c/go/+/168339
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
Reviewed-by: Andrew Bonventre <andybons@golang.org>
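
Why the strict load described in the commit message closes off DLL directory injection, as an added example that is not code from the Go runtime or from this issue: a simplified Go model of how Windows resolves a bare DLL name, comparing the default search order with `LOAD_LIBRARY_SEARCH_SYSTEM32` (assumed here to be the flag behind a strict load). The directories, `example.dll`, `other.dll` and every function name are constructed for illustration.

```go
package main

import "fmt"

const (
	searchSystem32 = 0x00000800 // LOAD_LIBRARY_SEARCH_SYSTEM32 (Windows SDK)
	// Constructed directories for this model; none come from the issue.
	appDir = `C:\Users\alice\Downloads` // directory the .exe was started from
	sysDir = `C:\Windows\System32`
)

// searchDirs lists, in order, where a bare DLL name is looked up. Simplified:
// KnownDLLs, loaded modules, the current directory and PATH are not modelled.
func searchDirs(flags uint32) []string {
	if flags&searchSystem32 != 0 {
		return []string{sysDir} // strict load: system directory only
	}
	// Default order with SafeDllSearchMode on: application directory first.
	return []string{appDir, sysDir, `C:\Windows\System`, `C:\Windows`}
}

// resolve returns the file a load of name would pick from disk, or "" on failure.
func resolve(name string, flags uint32, disk map[string]bool) string {
	for _, dir := range searchDirs(flags) {
		if full := dir + `\` + name; disk[full] {
			return full
		}
	}
	return "" // not found: the load fails, there is no wider search
}

// sampleDisk is constructed: a genuine example.dll in System32, plus
// untrusted files with two DLL names sitting beside the executable.
var sampleDisk = map[string]bool{
	sysDir + `\example.dll`: true,
	appDir + `\example.dll`: true,
	appDir + `\other.dll`:   true,
}

// report formats one lookup so the two modes can be compared side by side.
func report(name string, flags uint32) string {
	return fmt.Sprintf("%s flags=%#x -> %q", name, flags, resolve(name, flags, sampleDisk))
}

func main() {
	for _, name := range []string{"example.dll", "other.dll"} {
		fmt.Println(report(name, 0), "|", report(name, searchSystem32))
	}
}
```

With the default order the copy beside the executable wins; with the strict flag only the System32 copy is eligible, and a name that exists only beside the executable fails to load instead of being picked up.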