[go/release-branch.go1.24] [release-branch.go1.24] cmd/go/internal/work: sanitize flags before invoking 'pkg-config'


Gopher Robot (Gerrit)

Jan 15, 2026, 1:14:24 PM
to Michael Pratt, Neal Patel, goph...@pubsubhelper.golang.org, golang-...@googlegroups.com, Junyang Shao, golang-co...@googlegroups.com

Gopher Robot submitted the change

Change information

Commit message:
[release-branch.go1.24] cmd/go/internal/work: sanitize flags before invoking 'pkg-config'

The addition of CgoPkgConfig allowed execution with flags not
matching the safelist. In order to prevent potential arbitrary
code execution at build time, ensure that flags are validated
prior to invoking the 'pkg-config' binary.

Thank you to RyotaK (https://ryotak.net) of GMO Flatt Security Inc.
for reporting this issue.

Fixes CVE-2025-61731
Fixes #77100
Change-Id: Ic51b41f1f7e697ab98c9c32c6fae35f217f7f364
Reviewed-by: Nicholas Husin <hu...@google.com>
Reviewed-by: Damien Neil <dn...@google.com>
Reviewed-by: Neal Patel <neal...@google.com>
Auto-Submit: Michael Pratt <mpr...@google.com>
TryBot-Bypass: Michael Pratt <mpr...@google.com>
Reviewed-by: Junyang Shao <shaoj...@google.com>
Files:
  • M src/cmd/go/internal/work/exec.go
  • M src/cmd/go/internal/work/security.go
Change size: XS
Delta: 2 files changed, 9 insertions(+), 0 deletions(-)
Branch: refs/heads/release-branch.go1.24
Submit Requirements:
  • Code-Review: +2 by Junyang Shao (requirement satisfied)
  • TryBots-Pass: TryBot-Bypass+1 by Michael Pratt (requirement satisfied)
Gerrit-MessageType: merged
Gerrit-Project: go
Gerrit-Branch: release-branch.go1.24
Gerrit-Change-Id: Ic51b41f1f7e697ab98c9c32c6fae35f217f7f364
Gerrit-Change-Number: 736701
Gerrit-PatchSet: 2
Gerrit-Owner: Michael Pratt <mpr...@google.com>
Gerrit-Reviewer: Gopher Robot <go...@golang.org>
Gerrit-Reviewer: Junyang Shao <shaoj...@google.com>
Gerrit-Reviewer: Michael Pratt <mpr...@google.com>
Gerrit-CC: Neal Patel <neal...@google.com>

Gopher Robot (Gerrit)

Jan 15, 2026, 1:14:40 PM
to Michael Pratt, Neal Patel, goph...@pubsubhelper.golang.org, golang-...@googlegroups.com, Junyang Shao, golang-co...@googlegroups.com

Gopher Robot submitted the change

Change information

Commit message:
[release-branch.go1.26] cmd/go/internal/work: sanitize flags before invoking 'pkg-config'


The addition of CgoPkgConfig allowed execution with flags not
matching the safelist. In order to prevent potential arbitrary
code execution at build time, ensure that flags are validated
prior to invoking the 'pkg-config' binary.

Thank you to RyotaK (https://ryotak.net) of GMO Flatt Security Inc.
for reporting this issue.

Fixes CVE-2025-61731
Fixes #77100
Change-Id: Ic51b41f1f7e697ab98c9c32c6fae35f217f7f364
Reviewed-by: Nicholas Husin <hu...@google.com>
Reviewed-by: Damien Neil <dn...@google.com>
Reviewed-by: Neal Patel <neal...@google.com>
Auto-Submit: Michael Pratt <mpr...@google.com>
Reviewed-by: Junyang Shao <shaoj...@google.com>
TryBot-Bypass: Michael Pratt <mpr...@google.com>
Files:
  • M src/cmd/go/internal/work/exec.go
  • M src/cmd/go/internal/work/security.go
Change size: XS
Delta: 2 files changed, 9 insertions(+), 0 deletions(-)
Branch: refs/heads/release-branch.go1.26
Submit Requirements:
  • Code-Review: +2 by Junyang Shao (requirement satisfied)
  • TryBots-Pass: TryBot-Bypass+1 by Michael Pratt (requirement satisfied)
Gerrit-MessageType: merged
Gerrit-Project: go
Gerrit-Branch: release-branch.go1.26
Gerrit-Change-Id: Ic51b41f1f7e697ab98c9c32c6fae35f217f7f364
Gerrit-Change-Number: 736706

Gopher Robot (Gerrit)

Jan 15, 2026, 1:14:59 PM
to Michael Pratt, Neal Patel, goph...@pubsubhelper.golang.org, golang-...@googlegroups.com, Junyang Shao, golang-co...@googlegroups.com

Gopher Robot submitted the change

Change information

Commit message:
[release-branch.go1.25] cmd/go/internal/work: sanitize flags before invoking 'pkg-config'


The addition of CgoPkgConfig allowed execution with flags not
matching the safelist. In order to prevent potential arbitrary
code execution at build time, ensure that flags are validated
prior to invoking the 'pkg-config' binary.

Thank you to RyotaK (https://ryotak.net) of GMO Flatt Security Inc.
for reporting this issue.

Fixes CVE-2025-61731
Fixes #77100
Change-Id: Ic51b41f1f7e697ab98c9c32c6fae35f217f7f364
Reviewed-by: Nicholas Husin <hu...@google.com>
Reviewed-by: Damien Neil <dn...@google.com>
Auto-Submit: Michael Pratt <mpr...@google.com>
Reviewed-by: Junyang Shao <shaoj...@google.com>
Files:
  • M src/cmd/go/internal/work/exec.go
  • M src/cmd/go/internal/work/security.go
Change size: XS
Delta: 2 files changed, 9 insertions(+), 0 deletions(-)
Branch: refs/heads/release-branch.go1.25
Submit Requirements:
  • Code-Review: +2 by Junyang Shao (requirement satisfied)
  • TryBots-Pass: TryBot-Bypass+1 by Michael Pratt (requirement satisfied)
Gerrit-MessageType: merged
Gerrit-Project: go
Gerrit-Branch: release-branch.go1.25
Gerrit-Change-Id: Ic51b41f1f7e697ab98c9c32c6fae35f217f7f364
Gerrit-Change-Number: 736722

Gopher Robot (Gerrit)

Jan 15, 2026, 1:35:58 PM
to Michael Pratt, Neal Patel, goph...@pubsubhelper.golang.org, golang-...@googlegroups.com, Go LUCI, Junyang Shao, golang-co...@googlegroups.com

Gopher Robot submitted the change

Change information

Commit message:
cmd/go/internal/work: sanitize flags before invoking 'pkg-config'


The addition of CgoPkgConfig allowed execution with flags not
matching the safelist. In order to prevent potential arbitrary
code execution at build time, ensure that flags are validated
prior to invoking the 'pkg-config' binary.

Thank you to RyotaK (https://ryotak.net) of GMO Flatt Security Inc.
for reporting this issue.

Fixes CVE-2025-61731
Fixes #77100
Change-Id: Ic51b41f1f7e697ab98c9c32c6fae35f217f7f364
Reviewed-by: Nicholas Husin <hu...@google.com>
Reviewed-by: Damien Neil <dn...@google.com>
Reviewed-by: Junyang Shao <shaoj...@google.com>
Auto-Submit: Michael Pratt <mpr...@google.com>
Files:
  • M src/cmd/go/internal/work/exec.go
  • M src/cmd/go/internal/work/security.go
Change size: XS
Delta: 2 files changed, 9 insertions(+), 0 deletions(-)
Branch: refs/heads/master
Submit Requirements:
  • Code-Review: +2 by Junyang Shao (requirement satisfied)
  • TryBots-Pass: LUCI-TryBot-Result+1 by Go LUCI (requirement satisfied)
Gerrit-MessageType: merged
Gerrit-Project: go
Gerrit-Branch: master
Gerrit-Change-Id: Ic51b41f1f7e697ab98c9c32c6fae35f217f7f364
Gerrit-Change-Number: 736711
Gerrit-PatchSet: 2
Gerrit-Owner: Michael Pratt <mpr...@google.com>
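
The commit messages in this thread describe validating flags against a safelist before the 'pkg-config' binary is invoked. The following is an added example of that pattern, not the code from this change or from cmd/go: `BuildPkgConfigArgs`, `checkFlag`, and the safelist and package-name patterns are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Illustrative safelist (assumption): NOT the list cmd/go uses.
var safeFlags = []*regexp.Regexp{
	regexp.MustCompile(`^--static$`),
	regexp.MustCompile(`^--(atleast|exact|max)-version=[0-9][0-9A-Za-z.+~-]*$`),
}
var safePkg = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9_.+-]*$`)

// checkFlag reports whether one flag fully matches a safelist pattern.
func checkFlag(f string) bool {
	for _, re := range safeFlags {
		if re.MatchString(f) {
			return true
		}
	}
	return false
}

// BuildPkgConfigArgs validates directive args (hypothetical helper) and returns
// the argv for pkg-config; no argv is produced unless every arg passes.
func BuildPkgConfigArgs(mode string, args []string) ([]string, error) {
	var flags, pkgs []string
	for _, a := range args {
		switch {
		case a == "--": // drop; our own separator is added below
		case strings.HasPrefix(a, "-"):
			if !checkFlag(a) {
				return nil, fmt.Errorf("invalid pkg-config flag: %q", a)
			}
			flags = append(flags, a)
		case safePkg.MatchString(a):
			pkgs = append(pkgs, a)
		default:
			return nil, fmt.Errorf("invalid pkg-config package name: %q", a)
		}
	}
	argv := append([]string{mode}, flags...)
	return append(append(argv, "--"), pkgs...), nil
}

func main() {
	fmt.Println(BuildPkgConfigArgs("--cflags", []string{"--static", "zlib"}))
}
```

Validation happens on the full argument list before any process is started, and the explicit `--` keeps validated package names from being reinterpreted as options.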