blob: 375db808a443a17b721d05aebfd9ff6834f9aa73 [file] [log] [blame]
id: GO-2022-0220
modules:
- module: std
versions:
- fixed: 1.11.10
- introduced: 1.12.0-0
fixed: 1.12.2
vulnerable_at: 1.12.1
packages:
- package: runtime
goos:
- windows
symbols:
- loadOptionalSyscalls
- osinit
- syscall_loadsystemlibrary
skip_fix: 'TODO: revisit this reason (fix appears to not work with Go <1.18)'
- package: syscall
goos:
- windows
symbols:
- LoadDLL
skip_fix: 'TODO: revisit this reason (fix appears to not work with Go <1.18)'
summary: DLL injection on Windows in runtime and syscall
description: |-
Go on Windows misused certain LoadLibrary functionality, leading to DLL
injection.
published: 2022-05-25T18:01:46Z
cves:
- CVE-2019-9634
credits:
- Samuel Cochran
- Jason Donenfeld
references:
- fix: https://go.dev/cl/165798
- fix: https://go.googlesource.com/go/+/9b6e9f0c8c66355c0f0575d808b32f52c8c6d21c
- report: https://go.dev/issue/28978
- web: https://groups.google.com/g/golang-announce/c/z9eTD34GEIs/m/Z_XmhTrVAwAJ