rolandshoemaker closed this issue 1 week ago
@gopherbot please open backports, this is a PRIVATE track security issue.
Backport issue(s) opened: #67121 (for 1.21), #67122 (for 1.22).
Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.
Change https://go.dev/cl/583795 mentions this issue: [release-branch.go1.21] cmd/go: disallow -lto_library in LDFLAGS
Change https://go.dev/cl/583796 mentions this issue: [release-branch.go1.22] cmd/go: disallow -lto_library in LDFLAGS
Change https://go.dev/cl/583815 mentions this issue: cmd/go: disallow -lto_library in LDFLAGS
On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the -lto_library flag in a "#cgo LDFLAGS" directive.
Thanks to Juho Forsén of Mattermost for reporting this issue.
This is CVE-2024-24787.
This is a PRIVATE issue for CVE-2024-24787, tracked in http://b/335700829.
/cc @golang/security and @golang/release
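A defender-side check for the directive described in this issue, as an added example (not code from the Go project or from its fix): it scans Go source text for `#cgo ... LDFLAGS:` lines that mention `-lto_library`, which is useful when auditing dependencies built with a toolchain that predates the patched releases. The function name, the sample source and the substring-match policy are assumptions made for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Constructed sample source; PLACEHOLDER stands in for a library path.
const sample = `/*
#cgo LDFLAGS: -lm
#cgo darwin LDFLAGS: -Wl,-lto_library,PLACEHOLDER
#cgo CFLAGS: -DNAME=-lto_library
*/
import "C"
// #cgo LDFLAGS: -lto_library PLACEHOLDER
`

// ScanCgoLDFLAGS returns the 1-based line numbers of "#cgo ... LDFLAGS:"
// directives in src that mention -lto_library. Assumption: a substring match
// on the flag list, chosen to be conservative so that forms like
// -Wl,-lto_library,<path> are reported as well.
func ScanCgoLDFLAGS(src string) []int {
	var hits []int
	sc := bufio.NewScanner(strings.NewReader(src))
	for n := 1; sc.Scan(); n++ {
		// Directives may sit in a /* */ block or behind a // line comment.
		line := strings.TrimSpace(strings.TrimPrefix(strings.TrimSpace(sc.Text()), "//"))
		name, flags, ok := strings.Cut(line, ":")
		fields := strings.Fields(name)
		if !ok || len(fields) < 2 || fields[0] != "#cgo" || fields[len(fields)-1] != "LDFLAGS" {
			continue
		}
		if strings.Contains(flags, "-lto_library") {
			hits = append(hits, n)
		}
	}
	return hits
}

func main() {
	for _, n := range ScanCgoLDFLAGS(sample) {
		fmt.Printf("line %d: #cgo LDFLAGS directive uses -lto_library\n", n)
	}
}
```

The scan covers only directives written in source files; linker flags supplied through other channels are outside what it inspects.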