cmd/go: arbitrary code execution during build on darwin (CVE-2024-24787) · Issue #67119 · golang/go · GitHub
@rolandshoemaker

On Darwin, building a Go module which contains CGO can trigger arbitrary code
execution when using the Apple version of ld, due to usage of the -lto_library
flag in a "#cgo LDFLAGS" directive.

Thanks to Juho Forsén of Mattermost for reporting this issue.

This is CVE-2024-24787.


This is a PRIVATE issue for CVE-2024-24787, tracked in http://b/335700829.

/cc @golang/security and @golang/release
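
A source-tree check for the directive described in this issue, as an added example that is not part of the issue or the Go project's own code: it reports every `#cgo LDFLAGS` line that mentions `lto_library`, so dependencies can be reviewed before they are built on darwin. The names `ScanCgoLDFLAGS` and `Finding`, the substring match, and the sample input are assumptions made for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Finding records one #cgo LDFLAGS directive that mentions lto_library.
type Finding struct {
	Line int
	Text string
}

// sample is constructed input for this example; the path is a placeholder.
const sample = `package demo

// #cgo LDFLAGS: -lm
// #cgo darwin LDFLAGS: -lto_library /constructed/placeholder.dylib
// #cgo CFLAGS: -DNAME=lto_library
import "C"
`

// ScanCgoLDFLAGS returns each "#cgo ... LDFLAGS:" directive in src whose
// flag list has a token containing "lto_library" (a broad match, by assumption).
func ScanCgoLDFLAGS(src string) []Finding {
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(src))
	for n := 1; sc.Scan(); n++ {
		// Directives sit in the comment preamble above import "C".
		line := strings.TrimSpace(strings.TrimPrefix(strings.TrimSpace(sc.Text()), "//"))
		head, flags, ok := strings.Cut(line, ":")
		words := strings.Fields(head) // "#cgo", optional constraints, variable name
		if !ok || len(words) < 2 || words[0] != "#cgo" || words[len(words)-1] != "LDFLAGS" {
			continue
		}
		if strings.Contains(flags, "lto_library") {
			out = append(out, Finding{Line: n, Text: line})
		}
	}
	return out
}

func main() {
	for _, f := range ScanCgoLDFLAGS(sample) {
		fmt.Printf("line %d: %s\n", f.Line, f.Text)
	}
}
```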
