Description
Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via malicious gcc flags specified via a #cgo directive.
Packages
| Package | Status | Fixed version | Release | Type |
|---|---|---|---|---|
| golang-1.15 | fixed | 1.15.5-1 | | package |
| golang-1.11 | removed | | | package |
| golang-1.8 | removed | | | package |
| golang-1.7 | removed | | | package |
| golang-1.7 | ignored | | stretch | package |
Notes
https://groups.google.com/g/golang-announce/c/NpBGTTmKzpM/m/fLguyiM2CAAJ
https://github.com/golang/go/issues/42556
Fixed by: https://github.com/golang/go/commit/da7aa86917811a571e6634b45a457f918b8e6561 (go1.16beta1)
Regression: https://github.com/golang/go/commit/782cf560db4c919790fdb476d1bbe18e5ddf5ffd (go1.16beta1)
Related vulnerabilities
Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via malicious gcc flags specified via a #cgo directive.
Go before 1.14.12 and 1.15.x before 1.15.5 allows Argument Injection.