[release-branch.go1.25] cmd/go/internal/work: sanitize flags before invoking 'pkg-config'
The addition of CgoPkgConfig allowed execution with flags not matching the safelist. In order to prevent potential arbitrary code execution at build time, ensure that flags are validated prior to invoking the 'pkg-config' binary. Thank you to RyotaK (https://ryotak.net) of GMO Flatt Security Inc. for reporting this issue. Fixes CVE-2025-61731 Fixes #77100 Change-Id: Ic51b41f1f7e697ab98c9c32c6fae35f217f7f364 Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3240 Reviewed-by: Nicholas Husin <husin@google.com> Reviewed-by: Damien Neil <dneil@google.com> Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3343 Reviewed-by: Neal Patel <nealpatel@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/736722 TryBot-Bypass: Michael Pratt <mpratt@google.com> Auto-Submit: Michael Pratt <mpratt@google.com> Reviewed-by: Junyang Shao <shaojunyang@google.com>
N
Neal Patel committed
2526187481ee31241b72f491992accbdd66c2655
Parent: 082365a
Committed by Gopher Robot <gobot@golang.org>
on 1/15/2026, 6:14:54 PM