Bug 682920 (CVE-2019-9634) - dev-lang/go: DLL injection
Summary: dev-lang/go: DLL injection
Status: RESOLVED INVALID
Alias: CVE-2019-9634
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://www.openwall.com/lists/oss-se...
Whiteboard: A3 [stable?]
Reported: 2019-04-09 06:37 UTC by Agostino Sarubbo
Modified: 2019-04-21 18:30 UTC (History)
Description Agostino Sarubbo gentoo-dev 2019-04-09 06:37:24 UTC
From ${URL} :

Golang before 1.12.2 linked against various DLLs that were
same-directory injectable and generally its library loading mechanism
did not use LoadLibraryEx, allowing the classic DLL injection attacks,
especially with regards to executables saved to the Downloads/ folder
[1]. It was assigned CVE-2019-9634 and fixed in [2] and [3]. It wasn't
mentioned in the 1.12.2 release notes, so I'm mentioning it here
instead.

[1] https://user-images.githubusercontent.com/10643/53921755-eb9e1a00-4071-11e9-83a7-058ceb008e55.gif
[2] https://github.com/golang/go/commit/9b6e9f0c8c66355c0f0575d808b32f52c8c6d21c
[3] https://github.com/golang/sys/commit/10058d7d4faa7dd5ef860cbd31af00903076e7b8


@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for stabilization or not.
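
An added example, not part of the original report or of the Go project's code: a small Go audit tool for the import-table half of the issue described above. It lists DLLs named in a Windows executable's import table that also exist as files in the executable's own directory (for instance Downloads). `shadowedDLLs` and `auditExe` are hypothetical helper names; DLLs loaded at run time do not appear in the import table and are not covered.

```go
package main

import (
	"debug/pe"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// shadowedDLLs (illustrative helper, not from the page) takes debug/pe import
// entries ("Function:DLL") and returns each DLL for which exists(name) is true.
func shadowedDLLs(syms []string, exists func(string) bool) []string {
	var hits []string
	seen := map[string]bool{}
	for _, s := range syms {
		dll := strings.ToLower(s[strings.LastIndex(s, ":")+1:])
		if !seen[dll] && exists(dll) {
			hits = append(hits, dll)
		}
		seen[dll] = true // report each DLL once, whatever its spelling
	}
	return hits
}

// auditExe reports imported DLLs that have a same-named file beside the PE at
// path. Lowercased names assume a case-insensitive filesystem (Windows).
func auditExe(path string) ([]string, error) {
	f, err := pe.Open(path)
	if err != nil {
		return nil, err
	}
	defer f.Close()
	syms, err := f.ImportedSymbols()
	if err != nil {
		return nil, err
	}
	return shadowedDLLs(syms, func(dll string) bool {
		_, err := os.Stat(filepath.Join(filepath.Dir(path), dll))
		return err == nil
	}), nil
}

func main() {
	for _, exe := range os.Args[1:] {
		hits, err := auditExe(exe)
		fmt.Println(exe, hits, err)
	}
}
```

A hit is normal for applications that ship their own DLLs in their install directory; the results worth reviewing are those in user-writable directories from which downloaded executables are run.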
Comment 1 William Hubbs gentoo-dev 2019-04-15 20:11:34 UTC
All,

there was another bump today (go-1.12.4 and 1.11.9).

We need to stabilize the 1.12.x version with the fix as well as
whichever 1.11.x version has the fix. Go ahead and stabilize the fixed
versions then I'll remove all vulnerable versions.

Thanks,

William
Comment 2 William Hubbs gentoo-dev 2019-04-21 18:30:30 UTC
I spoke with zlogene about this bug, and he verified that it is not
a concern on Linux.