cmd/go: bypass of flag sanitization can lead to arbitrary code execution (CVE-2025-61731)

[neild]

Usage of 'CgoPkgConfig' allowed execution of the pkg-config
binary with flags that are not explicitly safe-listed.

To prevent this behavior, compiler flags resulting from usage
of 'CgoPkgConfig' are sanitized prior to invoking pkg-config.

Thank you to RyotaK (https://ryotak.net) of GMO Flatt Security Inc.
for reporting this issue.

This is CVE-2025-61731 and https://go.dev/issue/77100.

---

This is a PRIVATE issue for CVE-2025-61731, tracked in http://b/463693513 and fixed by https://go-internal-review.git.corp.google.com/c/go/+/3240.

/cc @golang/security and @golang/release

[neild]

@gopherbot please open backport issues for this security fix

[gopherbot]

Backport issue(s) opened: #77105 (for 1.24), #77106 (for 1.25).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.

[gopherbot]

Change https://go.dev/cl/736701 mentions this issue: [release-branch.go1.24] cmd/go/internal/work: sanitize flags before invoking 'pkg-config'

[gopherbot]

Change https://go.dev/cl/736722 mentions this issue: [release-branch.go1.25] cmd/go/internal/work: sanitize flags before invoking 'pkg-config'

[gopherbot]

Change https://go.dev/cl/736706 mentions this issue: [release-branch.go1.26] cmd/go/internal/work: sanitize flags before invoking 'pkg-config'

[gopherbot]

Change https://go.dev/cl/736711 mentions this issue: cmd/go/internal/work: sanitize flags before invoking 'pkg-config'