Cypherpunks repositories - gostls13.git/commit

author	Neal Patel <nealpatel@google.com>
	Thu, 4 Dec 2025 17:30:39 +0000 (12:30 -0500)
committer	Gopher Robot <gobot@golang.org>
	Thu, 15 Jan 2026 18:14:36 +0000 (10:14 -0800)
commit	6ed1ff80d68b3e6de9366f65038a43eede049a4a
tree	a5c4e5fdc178e65748bea1d5166f8cf4869a6bd3	tree
parent	29f3f72dbd67c25033df944c8ced91e0efd46851	commit \| diff

[release-branch.go1.26] cmd/go/internal/work: sanitize flags before invoking 'pkg-config'

The addition of CgoPkgConfig allowed execution with flags not
matching the safelist. In order to prevent potential arbitrary
code execution at build time, ensure that flags are validated
prior to invoking the 'pkg-config' binary.

Thank you to RyotaK (https://ryotak.net) of GMO Flatt Security Inc.
for reporting this issue.

Fixes CVE-2025-61731
Fixes #77100

Change-Id: Ic51b41f1f7e697ab98c9c32c6fae35f217f7f364
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3240
Reviewed-by: Nicholas Husin <husin@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3324
Reviewed-by: Neal Patel <nealpatel@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/736706
Auto-Submit: Michael Pratt <mpratt@google.com>
Reviewed-by: Junyang Shao <shaojunyang@google.com>
TryBot-Bypass: Michael Pratt <mpratt@google.com>

src/cmd/go/internal/work/exec.go		diff \| blob \| history
src/cmd/go/internal/work/security.go		diff \| blob \| history