cmd/go: arbitrary code execution during build on darwin (CVE-2024-24787)

[rolandshoemaker]

On Darwin, building a Go module which contains CGO can trigger arbitrary code
execution when using the Apple version of ld, due to usage of the -lto_library
flag in a "#cgo LDFLAGS" directive.

Thanks to Juho Forsén of Mattermost for reporting this issue.

This is CVE-2024-24787.

---

This is a PRIVATE issue for CVE-2024-24787, tracked in http://b/335700829.

/cc @golang/security and @golang/release

[rolandshoemaker]

@gopherbot please open backports, this is a PRIVATE track security issue.

[gopherbot]

Backport issue(s) opened: #67121 (for 1.21), #67122 (for 1.22).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.

[gopherbot]

Change https://go.dev/cl/583795 mentions this issue: [release-branch.go1.21] cmd/go: disallow -lto_library in LDFLAGS

[gopherbot]

Change https://go.dev/cl/583796 mentions this issue: [release-branch.go1.22] cmd/go: disallow -lto_library in LDFLAGS

[gopherbot]

Change https://go.dev/cl/583815 mentions this issue: cmd/go: disallow -lto_library in LDFLAGS