Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 682920 (CVE-2019-9634) - dev-lang/go: DLL injection
Summary: dev-lang/go: DLL injection
Alias: CVE-2019-9634
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: A3 [stable?]
Depends on:
Reported: 2019-04-09 06:37 UTC by Agostino Sarubbo
Modified: 2019-04-21 18:30 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2019-04-09 06:37:24 UTC
From ${URL} :

Golang before 1.12.2 linked against various DLLs that were
same-directory injectable and generally its library loading mechanism
did not use LoadLibraryEx, allowing the classic DLL injection attacks,
especially with regards to executables saved to the Downloads/ folder
[1]. It was assigned CVE-2019-9634 and fixed in [2] and [3]. It wasn't
mentioned in the 1.12.2 release notes, so I'm mentioning it here


@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
Comment 1 William Hubbs gentoo-dev 2019-04-15 20:11:34 UTC

there was another bump today (go-1.12.4 and 1.11.9).

We need to stabilize the 1.12.x version with the fix as well as
whichever 1.11.x version has the fix. Go ahead and stabilize the fixed
versions then I'll remove all vulnerable versions.


Comment 2 William Hubbs gentoo-dev 2019-04-21 18:30:30 UTC
I spoke with zlogene about this bug, and he verified that it is not
a concern on Linux.