Vulnerability Report: GO-2022-0476

standard library

The go command may execute arbitrary code at build time when cgo is in use. This may occur when running go get on a malicious package, or any other command that builds untrusted code. This can be caused by malicious gcc flags specified via a cgo directive.

Affected Packages

  • Path
    Go Versions
    Symbols
  • before go1.14.12, from go1.15.0-0 before go1.15.5
    1 unexported affected symbols
    • validCompilerFlags

Aliases

References

Credits

  • Imre Rad

Feedback

See anything missing or incorrect? Suggest an edit to this report.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL