cmd/go: arbitrary code execution during build on darwin (fix CVE-2025-22867) #71476
Labels: NeedsFix (The path to resolution is known, but the work has not been done.), OS-Darwin, release-blocker, Security, vulncheck or vulndb (Issues for the x/vuln or x/vulndb repo)
Change https://go.dev/cl/646995 mentions this issue: |
Change https://go.dev/cl/646996 mentions this issue: |
gopherbot pushed a commit that referenced this issue Feb 5, 2025

…er in some -Wl, linker flags on darwin"

This reverts commit e3cd55e.

This change introduced a security issue as @ flags are first resolved as files by the darwin linker, before their meaning as flags, allowing the flag filtering logic to be entirely bypassed.

Thanks to Juho Forsén for reporting this issue.

Fixes #71476
Fixes CVE-2025-22867

Change-Id: I3a4b4a6fc534de105d930b8ed5b9900bc94b0c4e
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1900
Reviewed-by: Russ Cox <rsc@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
(cherry picked from commit cc0d725a4168f234ef38859b2d951a50a8fd94b5)
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1940
Reviewed-by: Neal Patel <nealpatel@google.com>
Commit-Queue: Roland Shoemaker <bracewell@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/646995
Reviewed-by: Carlos Amedee <carlos@golang.org>
TryBot-Bypass: Cherry Mui <cherryyz@google.com>
gopherbot pushed a commit that referenced this issue Feb 5, 2025

…lags on darwin"

This reverts CL 638075 (commit e3cd55e).

This change introduced a security issue as @ flags are first resolved as files by the darwin linker, before their meaning as flags, allowing the flag filtering logic to be entirely bypassed.

Thanks to Juho Forsén for reporting this issue.

Fixes #71476
Fixes CVE-2025-22867

Change-Id: I3a4b4a6fc534de105d930b8ed5b9900bc94b0c4e
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1900
Reviewed-by: Russ Cox <rsc@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/646996
Reviewed-by: Carlos Amedee <carlos@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
cmd/go: arbitrary code execution during build on darwin
On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the @executable_path, @loader_path, or @rpath special values in a "#cgo LDFLAGS" directive.
This issue only affected go1.24rc2.
Thanks to Juho Forsén of Mattermost for reporting this issue.
This is CVE-2025-22867 and Go issue https://go.dev/issue/71476 (this issue).
This is a PRIVATE issue for CVE-2025-22867, tracked in http://b/390637555 and fixed by https://go-internal-review.git.corp.google.com/c/go/+/1900.
/cc @golang/security and @golang/release
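
An audit sketch for the pattern described above, added here as an example and not part of cmd/go or of the fix: it lists `#cgo LDFLAGS` arguments that begin with `@`, the form the darwin linker resolves as a file before treating it as a flag. `AuditCgoLDFLAGS`, `Finding` and the sample source are hypothetical names and constructed input.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Finding is one linker argument that begins with '@'.
type Finding struct {
	Line int
	Arg  string
}

// sample is constructed input for this example, not taken from a real module.
const sample = `package demo
/*
#cgo LDFLAGS: -lm
#cgo darwin LDFLAGS: -Wl,-rpath,@executable_path/../lib
#cgo CFLAGS: -DNAME=@x
*/
import "C"
`

// AuditCgoLDFLAGS reports each comma-separated part of a "#cgo ... LDFLAGS:" flag
// that starts with '@'. Simplification: flags are split on whitespace only.
func AuditCgoLDFLAGS(src string) []Finding {
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(src))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(strings.TrimPrefix(strings.TrimSpace(sc.Text()), "//"))
		key, flags, ok := strings.Cut(line, ":")
		if !ok || !strings.HasPrefix(key, "#cgo") || !strings.HasSuffix(strings.TrimSpace(key), "LDFLAGS") {
			continue
		}
		for _, f := range strings.Fields(flags) {
			for _, a := range strings.Split(strings.TrimPrefix(f, "-Wl,"), ",") {
				if strings.HasPrefix(a, "@") {
					out = append(out, Finding{Line: n, Arg: a})
				}
			}
		}
	}
	return out
}

func main() {
	fmt.Printf("%+v\n", AuditCgoLDFLAGS(sample))
}
```

A finding is a prompt for review rather than proof of a problem, since `@executable_path`-style rpaths are also used legitimately.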