Google Git
Sign in
go/go.git/096f21b1c50fe62bc54c1fb1ede60fca63239123
commit
096f21b1c50fe62bc54c1fb1ede60fca63239123
[log]
author
Neal Patel <nealpatel@google.com>
Tue Feb 24 23:05:34 2026 +0000
committer
Gopher Robot <gobot@golang.org>
Tue Apr 07 12:14:20 2026 -0700
tree
1f2a12c36785c55f13b439d092ea77b6e23d8b49
parent
7cafb4140d5616f1a0316a194a977b0794cd7d7c [diff]
[release-branch.go1.26] cmd/go: disallow cgo trust boundary bypass

The cgo compiler implicitly trusts generated files
with 'cgo' prefixes; thus, SWIG files containing 'cgo'
in their names will cause bypass of the trust boundary,
leading to code smuggling or arbitrary code execution.

The cgo compiler will now produce an error if it
encounters any SWIG files containing this prefix.

Thanks to Juho Forsén of Mattermost for reporting this issue.


Fixes #78335
Fixes CVE-2026-27140

Change-Id: I44185a84e07739b3b347efdb86be7d8fa560b030
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3520
Reviewed-by: Nicholas Husin <husin@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/4021
Commit-Queue: Damien Neil <dneil@google.com>
Reviewed-by: Neal Patel <nealpatel@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/763549
TryBot-Bypass: Gopher Robot <gobot@golang.org>
Reviewed-by: David Chase <drchase@google.com>
Auto-Submit: Gopher Robot <gobot@golang.org>
Reviewed-by: Junyang Shao <shaojunyang@google.com>
1 file changed
tree: 1f2a12c36785c55f13b439d092ea77b6e23d8b49
  1. .github/
  2. api/
  3. doc/
  4. lib/
  5. misc/
  6. src/
  7. test/
  8. .gitattributes
  9. .gitignore
  10. codereview.cfg
  11. CONTRIBUTING.md
  12. go.env
  13. LICENSE
  14. PATENTS
  15. README.md
  16. SECURITY.md
  17. VERSION
README.md

The Go Programming Language

Go is an open source programming language that makes it easy to build simple, reliable, and efficient software.

Gopher image Gopher image by Renee French, licensed under Creative Commons 4.0 Attribution license.

Our canonical Git repository is located at https://go.googlesource.com/go. There is a mirror of the repository at https://github.com/golang/go.

Unless otherwise noted, the Go source files are distributed under the BSD-style license found in the LICENSE file.

Download and Install

Binary Distributions

Official binary distributions are available at https://go.dev/dl/.

After downloading a binary release, visit https://go.dev/doc/install for installation instructions.

Install From Source

If a binary distribution is not available for your combination of operating system and architecture, visit https://go.dev/doc/install/source for source installation instructions.

Contributing

Go is the work of thousands of contributors. We appreciate your help!

To contribute, please read the contribution guidelines at https://go.dev/doc/contribute.

Note that the Go project uses the issue tracker for bug reports and proposals only. See https://go.dev/wiki/Questions for a list of places to ask questions about the Go language.