cmd/go: arbitrary code execution during build on darwin (fix CVE-2025-22867)

[rolandshoemaker]

cmd/go: arbitrary code execution during build on darwin

On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the @executable_path, @loader_path, or @rpath special values in a "#cgo LDFLAGS" directive.

This issue only affected go1.24rc2.

Thanks to Juho Forsén of Mattermost for reporting this issue.

This is CVE-2025-22867 and Go issue https://go.dev/issue/71476 (this issue).

---

This is a PRIVATE issue for CVE-2025-22867, tracked in http://b/390637555 and fixed by https://go-internal-review.git.corp.google.com/c/go/+/1900.

/cc @golang/security and @golang/release

[gopherbot]

Change https://go.dev/cl/646995 mentions this issue: [release-branch.go1.24] Revert "cmd/go/internal/work: allow @ character in some -Wl, linker flags on darwin"

[gopherbot]

Change https://go.dev/cl/646996 mentions this issue: Revert "cmd/go/internal/work: allow @ character in some -Wl, linker flags on darwin"

[gopherbot]

Closed by merging CL 646995 (commit c43ac38) to release-branch.go1.24.