cmd/go: packages using cgo can cause arbitrary code execution on Windows #43783
The go command may execute arbitrary code at build time when using cgo on Windows. This can be triggered by running go get for a malicious package, or any other time the code is built.
This can be triggered by malicious packages which contain specifically named binaries which are executed when cgo is executed in the context of the malicious package directory. This is due to the path lookup behavior of os/exec.LookPath on Windows.
This will also affect Unix users who have “.” listed explicitly in their PATH and are running “go get” outside of a module or with module mode disabled.
This has been fixed by altering the usage of os/exec.LookPath by the go command to reject the usage of any binaries that reside in the current directory. If you are interested in understanding whether your own programs have a problem, we’ve written a blog post about the underlying issue: https://blog.golang.org/path-security.
Thanks to RyotaK (https://twitter.com/ryotkak) for reporting this issue.
This issue is CVE-2021-3115.
The text was updated successfully, but these errors were encountered:
Introduces a wrapper around os/exec, internal/execabs, for use in all commands. This wrapper prevents exec.LookPath and exec.Command from running executables in the current directory. All imports of os/exec in non-test files in cmd/ are replaced with imports of internal/execabs. This issue was reported by RyotaK. Fixes CVE-2021-3115 Fixes #43783 Change-Id: I0423451a6e27ec1e1d6f3fe929ab1ef69145c08f Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/955304 Reviewed-by: Russ Cox <email@example.com> Reviewed-by: Katie Hockman <firstname.lastname@example.org> Reviewed-on: https://go-review.googlesource.com/c/go/+/284783 Run-TryBot: Roland Shoemaker <email@example.com> Reviewed-by: Katie Hockman <firstname.lastname@example.org> Trust: Roland Shoemaker <email@example.com>