runtime: dll injection vulnerabilities on Windows [1.11 backport] #30989

Closed
dmitshur opened this issue Mar 21, 2019 · 4 comments

@dmitshur dmitshur commented Mar 21, 2019

@bradfitz requested issue #30642 to be considered for backport to the next 1.11 minor release.

@gopherbot, please backport to Go 1.11 [because it is a Windows security issue].

(I'm opening this issue for @gopherbot because it hasn't learned to listen to followup requests. That's being tracked in issue #25574.)

@dmitshur dmitshur commented Mar 21, 2019

Approving this because it's a security issue, which is in line with our backport policy.

@dmitshur dmitshur commented Mar 21, 2019

@zx2c4, since you're the author of the original CL 165798, would you like to send a backport CL?

The process for doing so is described at https://golang.org/wiki/MinorReleases#making-cherry-pick-cls.

@andybons andybons modified the milestones: Go1.11.7, Go1.11.8, Go1.11.9, Go1.11.10 Apr 5, 2019
@bcmills bcmills added the NeedsFix label Apr 12, 2019
havoc-io added a commit to mutagen-io/mutagen that referenced this issue Apr 25, 2019
This commit brings Travis and AppVeyor up to Go 1.12 to incorporate the
fix for CVE-2019-9634 (which hasn't yet been backported to Go 1.11).
This breaks with our tradition of pinning release branches to a specific
Go release, but it's necessary since this fix won't be backported until
Go 1.11.10:

golang/go#30989
@dmitshur dmitshur self-assigned this May 6, 2019

@gopherbot gopherbot commented May 6, 2019

Change https://golang.org/cl/175378 mentions this issue: [release-branch.go1.11] runtime: safely load DLLs

@gopherbot gopherbot commented May 6, 2019

Closed by merging 1bebc53 to release-branch.go1.11.

@gopherbot gopherbot closed this May 6, 2019
gopherbot pushed a commit that referenced this issue May 6, 2019
While many other call sites have been moved to using the proper
higher-level system loading, these areas were left out. This prevents
DLL directory injection attacks. This includes both the runtime load
calls (using LoadLibrary prior) and the implicitly linked ones via
cgo_import_dynamic, which we move to our LoadLibraryEx. The goal is to
only loosely load kernel32.dll and strictly load all others.

Meanwhile we make sure that we never fall back to insecure loading on
older or unpatched systems.

This is CVE-2019-9634.

Fixes #30989
Updates #14959
Updates #28978
Updates #30642

Change-Id: I401a13ed8db248ab1bb5039bf2d31915cac72b93
Reviewed-on: https://go-review.googlesource.com/c/go/+/165798
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Alex Brainman <alex.brainman@gmail.com>
(cherry picked from commit 9b6e9f0)
Reviewed-on: https://go-review.googlesource.com/c/go/+/175378
Run-TryBot: Dmitri Shuralyov <dmitshur@golang.org>
Reviewed-by: Andrew Bonventre <andybons@golang.org>
@dmitshur dmitshur removed the NeedsFix label May 6, 2019
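
As an added example (not part of the issue thread or the Go project's code), the following audits application source for the same class of loose DLL loading that the commit message above describes, which goes beyond the runtime call sites the fix covers. `FindLooseLoads`, the constructed `sample`, and the kernel32.dll exemption (mirroring the commit's stated goal) are assumptions of this example.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strconv"
	"strings"
)

// sample is constructed input; it is only parsed, so imports are omitted.
const sample = `package demo
var (
	k32  = syscall.NewLazyDLL("kernel32.dll")
	bad  = syscall.NewLazyDLL("version.dll")
	h, _ = windows.LoadLibraryEx("version.dll", 0, windows.LOAD_LIBRARY_SEARCH_SYSTEM32)
	d, _ = windows.LoadDLL("userenv.dll")
)
`

// loose: loaders in syscall and golang.org/x/sys/windows that follow the normal DLL search path.
var loose = map[string]bool{"LoadLibrary": true, "LoadDLL": true, "MustLoadDLL": true, "NewLazyDLL": true}

// FindLooseLoads returns "line: pkg.Func(name)" for each loose load of a bare
// DLL name; kernel32.dll is exempt (a policy assumed by this example).
func FindLooseLoads(src string) (hits []string, err error) {
	fset := token.NewFileSet()
	file, err := parser.ParseFile(fset, "sample.go", src, 0)
	if err != nil {
		return nil, err
	}
	ast.Inspect(file, func(n ast.Node) bool {
		if call, ok := n.(*ast.CallExpr); ok && len(call.Args) == 1 {
			sel, _ := call.Fun.(*ast.SelectorExpr)
			lit, _ := call.Args[0].(*ast.BasicLit)
			if sel != nil && lit != nil && lit.Kind == token.STRING && loose[sel.Sel.Name] {
				pkg, _ := sel.X.(*ast.Ident)
				dll, _ := strconv.Unquote(lit.Value) // a parsed string literal always unquotes
				ours := pkg != nil && (pkg.Name == "syscall" || pkg.Name == "windows")
				if ours && !strings.ContainsAny(dll, `\/`) && !strings.EqualFold(dll, "kernel32.dll") {
					hits = append(hits, fmt.Sprintf("%d: %s.%s(%q)", fset.Position(call.Pos()).Line, pkg.Name, sel.Sel.Name, dll))
				}
			}
		}
		return true
	})
	return hits, nil
}

func main() { fmt.Println(FindLooseLoads(sample)) }
```

A flagged call can be replaced with `windows.NewLazySystemDLL` or with `windows.LoadLibraryEx` and `LOAD_LIBRARY_SEARCH_SYSTEM32`, both from golang.org/x/sys/windows.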