Commit - go-fedora - 1bebc53bc3c200890dd5f03cbd67fbe1023156d1

    [release-branch.go1.11] runtime: safely load DLLs
    
    While many other call sites have been moved to using the proper
    higher-level system loading, these areas were left out. This prevents
    DLL directory injection attacks. This includes both the runtime load
    calls (using LoadLibrary prior) and the implicitly linked ones via
    cgo_import_dynamic, which we move to our LoadLibraryEx. The goal is to
    only loosely load kernel32.dll and strictly load all others.
    
    Meanwhile we make sure that we never fallback to insecure loading on
    older or unpatched systems.
    
    This is CVE-2019-9634.
    
    Fixes #30989
    Updates #14959
    Updates #28978
    Updates #30642
    
    Change-Id: I401a13ed8db248ab1bb5039bf2d31915cac72b93
    Reviewed-on: https://go-review.googlesource.com/c/go/+/165798
    Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
    TryBot-Result: Gobot Gobot <gobot@golang.org>
    Reviewed-by: Alex Brainman <alex.brainman@gmail.com>
    (cherry picked from commit 9b6e9f0c8c66355c0f0575d808b32f52c8c6d21c)
    Reviewed-on: https://go-review.googlesource.com/c/go/+/175378
    Run-TryBot: Dmitri Shuralyov <dmitshur@golang.org>
    Reviewed-by: Andrew Bonventre <andybons@golang.org>

src/runtime/os_windows.go

file modified

+54 -10

src/runtime/syscall_windows.go

file modified

+6 -8

src/syscall/dll_windows.go

file modified

+26 -2

src/syscall/security_windows.go

file modified

+1 -0

src/syscall/zsyscall_windows.go

file modified

+14 -0

go-fedora

Source Code

1bebc53 [release-branch.go1.11] runtime: safely load DLLs

5 files Authored by Jason A. Donenfeld 4 years ago, Committed by Dmitri Shuralyov 4 years ago,

`1bebc53` [release-branch.go1.11] runtime: safely load DLLs