blob: 7a4b86eb3aeb025044e7d02cbf514194dfe977e7 [file] [log] [blame]
package: cmd/go
do_not_export: true
stdlib: true
versions:
- fixed: go1.14.14
- fixed: go1.15.7
description: |
The go command may execute arbitrary code at build time when using cgo on Windows.
This can be triggered by running go get on a malicious module, or any other time
the code is built.
published: 2021-04-14T12:00:00Z
cve: CVE-2021-3115
credit: RyotaK
os:
- windows
links:
pr: https://golang.org/cl/284783
commit: https://github.com/golang/go/commit/953d1feca9b21af075ad5fc8a3dad096d3ccc3a0
context:
- https://github.com/golang/go/issues/43783
- https://golang.org/cl/284780
- https://github.com/golang/go/commit/46e2e2e9d99925bbf724b12693c6d3e27a95d6a0