Description
On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the @executable_path, @loader_path, or @rpath special values in a "#cgo LDFLAGS" directive. This issue only affected go1.24rc2.
A vulnerability was found in the cmd/go golang package. On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld due to usage of the @executable_path, @loader_path, or @rpath special values in a "#cgo LDFLAGS" directive.
Statement
This issue only affects go1.24rc2. The go1.24rc2 version is not used in any of the Red Hat products, therefore, Red Hat is not affected by this vulnerability.
Mitigation
No mitigation is available for this issue other than updating the affected package to the version containing the fix.
Affected packages
| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| Red Hat Enterprise Linux 10 | golang | Not affected | ||
| Red Hat Enterprise Linux 8 | golang | Not affected | ||
| Red Hat Enterprise Linux 8 | go-toolset:rhel8/golang | Not affected | ||
| Red Hat Enterprise Linux 9 | golang | Not affected | ||
| Red Hat Enterprise Linux 9 | rhel9/go-toolset | Not affected | ||
| Red Hat Enterprise Linux 9 | ubi9/go-toolset | Not affected | ||
| Red Hat Storage 3 | golang | Not affected | ||
| Red Hat Trusted Artifact Signer | rhtas/fulcio-rhel9 | Not affected | ||
Additional information
CVSS3: 7.5 High