GO-2024-2825

See a problem?
Please try reporting it to the source first.

Source

https://pkg.go.dev/vuln/GO-2024-2825

Import Source

https://vuln.go.dev/ID/GO-2024-2825.json

JSON Data

https://api.test.osv.dev/v1/vulns/GO-2024-2825

Aliases

BIT-golang-2024-24787
CGA-67wh-9fxr-2w4p
CVE-2024-24787
GHSA-5fq7-4mxc-535h

Published

2024-05-08T15:17:04Z

Modified

2024-10-15T05:42:09.738603Z

Summary

Arbitrary code execution during build on Darwin in cmd/go

Details

On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the -lto_library flag in a "#cgo LDFLAGS" directive.

Database specific

{
    "url": "https://pkg.go.dev/vuln/GO-2024-2825",
    "review_status": "REVIEWED"
}

References

Credits

- Juho Forsén (Mattermost)

Affected packages

Go / toolchain

Package

Name: toolchain; View open source insights on deps.dev
Purl: pkg:golang/toolchain

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.21.10

Introduced

1.22.0-0

Fixed

1.22.3

Ecosystem specific

{
    "imports": [
        {
            "goos": [
                "darwin"
            ],
            "path": "cmd/go"
        }
    ]
}