authorNeal Patel <nealpatel@google.com>2025-12-04 12:30:39 -0500
committerGopher Robot <gobot@golang.org>2026-01-15 10:14:54 -0800
commit2526187481ee31241b72f491992accbdd66c2655 (patch)
treea63923b70bfcf8da2a9ab0ade47486f8845acdea
parent082365aa552a7e2186f79110d5311dce70749cc0 (diff)
downloadgo-2526187481ee31241b72f491992accbdd66c2655.tar.xz
[release-branch.go1.25] cmd/go/internal/work: sanitize flags before invoking 'pkg-config'
The addition of CgoPkgConfig allowed execution with flags not matching the safelist. In order to prevent potential arbitrary code execution at build time, ensure that flags are validated prior to invoking the 'pkg-config' binary. Thank you to RyotaK (https://ryotak.net) of GMO Flatt Security Inc. for reporting this issue. Fixes CVE-2025-61731 Fixes #77100 Change-Id: Ic51b41f1f7e697ab98c9c32c6fae35f217f7f364 Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3240 Reviewed-by: Nicholas Husin <husin@google.com> Reviewed-by: Damien Neil <dneil@google.com> Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3343 Reviewed-by: Neal Patel <nealpatel@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/736722 TryBot-Bypass: Michael Pratt <mpratt@google.com> Auto-Submit: Michael Pratt <mpratt@google.com> Reviewed-by: Junyang Shao <shaojunyang@google.com>
-rw-r--r--src/cmd/go/internal/work/exec.go8
-rw-r--r--src/cmd/go/internal/work/security.go1
2 files changed, 9 insertions, 0 deletions
diff --git a/src/cmd/go/internal/work/exec.go b/src/cmd/go/internal/work/exec.go
index 63fd13f754..9d4429a51c 100644
--- a/src/cmd/go/internal/work/exec.go
+++ b/src/cmd/go/internal/work/exec.go
@@ -1636,6 +1636,14 @@ func (b *Builder) getPkgConfigFlags(a *Action) (cflags, ldflags []string, err er
return nil, nil, fmt.Errorf("invalid pkg-config package name: %s", pkg)
}
}
+
+ // Running 'pkg-config' can cause execution of
+ // arbitrary code using flags that are not in
+ // the safelist.
+ if err := checkCompilerFlags("CFLAGS", "pkg-config --cflags", pcflags); err != nil {
+ return nil, nil, err
+ }
+
var out []byte
out, err = sh.runOut(p.Dir, nil, b.PkgconfigCmd(), "--cflags", pcflags, "--", pkgs)
if err != nil {
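Review bot: The added check labels `pcflags` with the name "CFLAGS" and source "pkg-config --cflags", but these values are arguments handed to pkg-config itself (they precede `--` in the runOut call just below), not compiler flags taken from its output, so a rejection will read as if the .pc output were at fault. A distinct source string, for example `checkCompilerFlags("CFLAGS", "pkg-config arguments", pcflags)`, would point the user at the input that needs fixing. Reusing the "CFLAGS" name presumably also subjects these arguments to whatever allow-list overrides apply to compiler flags; that is not visible here and is worth confirming as intended. The diffstat lists only exec.go and security.go, so a regression test asserting that a non-safelisted pkg-config argument fails the build before pkg-config is run would pin the fix. getPkgConfigFlags continues outside the hunk, so whether any later pkg-config invocation reuses `pcflags` cannot be confirmed from here.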
diff --git a/src/cmd/go/internal/work/security.go b/src/cmd/go/internal/work/security.go
index 3b3eba536c..68d2706051 100644
--- a/src/cmd/go/internal/work/security.go
+++ b/src/cmd/go/internal/work/security.go
@@ -130,6 +130,7 @@ var validCompilerFlags = []*lazyregexp.Regexp{
re(`-pedantic(-errors)?`),
re(`-pipe`),
re(`-pthread`),
+ re(`--static`),
re(`-?-std=([^@\-].*)`),
re(`-?-stdlib=([^@\-].*)`),
re(`--sysroot=([^@\-].*)`),
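Review bot: Adding `--static` to validCompilerFlags widens the compiler-flag safelist for every user of this list, although, judging from the commit message and the exec.go change, the entry is there only so that a pkg-config option passes the new pre-invocation check. A one-line comment on the entry, such as `// pkg-config option; accepted because pkg-config arguments are validated against this list`, would keep a later cleanup from dropping it and a reader from taking it for a compiler option. Longer term, a separate safelist for pkg-config options would keep the two flag namespaces apart, so that additions for one tool do not silently relax the other. The list starts and ends outside the hunk, and this assumes re() anchors each pattern as the neighbouring literal entries imply.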