From abaa0cbb259e059ee60c33a7507eddc1fe7d20fa Mon Sep 17 00:00:00 2001 From: Neal Patel Date: Tue, 24 Feb 2026 23:05:34 +0000 Subject: [release-branch.go1.25] cmd/go: disallow cgo trust boundary bypass MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The cgo compiler implicitly trusts generated files with 'cgo' prefixes; thus, SWIG files containing 'cgo' in their names will cause bypass of the trust boundary, leading to code smuggling or arbitrary code execution. The cgo compiler will now produce an error if it encounters any SWIG files containing this prefix. Thanks to Juho Forsén of Mattermost for reporting this issue. Fixes #78335 Fixes CVE-2026-27140 Change-Id: I44185a84e07739b3b347efdb86be7d8fa560b030 Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3520 Reviewed-by: Nicholas Husin Reviewed-by: Damien Neil Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3989 Reviewed-on: https://go-review.googlesource.com/c/go/+/763556 Reviewed-by: David Chase TryBot-Bypass: Gopher Robot Reviewed-by: Junyang Shao Auto-Submit: Gopher Robot --- src/cmd/go/internal/work/exec.go | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/cmd/go/internal/work/exec.go b/src/cmd/go/internal/work/exec.go index 6bfc83aae2..8c3bac51e6 100644 --- a/src/cmd/go/internal/work/exec.go +++ b/src/cmd/go/internal/work/exec.go @@ -3231,6 +3231,10 @@ func (b *Builder) swigIntSize(objdir string) (intsize string, err error) { // Run SWIG on one SWIG input file. func (b *Builder) swigOne(a *Action, file, objdir string, pcCFLAGS []string, cxx bool, intgosize string) (outGo, outC string, err error) { + if strings.HasPrefix(file, "cgo") { + return "", "", errors.New("SWIG file must not use prefix 'cgo'") + } + p := a.Package sh := b.Shell(a) -- cgit v1.3