On Tue, Jun 6, 2023 at 11:12 AM <annou...@golang.org> wrote:
>
> cmd/go: improper sanitization of LDFLAGS
>
> The go command may execute arbitrary code at build time when using cgo. This may
> occur when running "go get" on a malicious module, or when running any other
> command which builds untrusted code. This can be triggered by linker flags,
> specified via a "#cgo LDFLAGS" directive.

Due to an unfortunate mistake, this change will break the use of "#cgo
LDFLAGS" directives when using -compiler=gccgo.  Most people using
gccgo or GoLLVM use the cmd/go that is distributed with those tools,
and that is unaffected.  Therefore, we will fix this in the next minor
release.  The current minor releases 1.20.5 and 1.19.10 are
unfortunately broken for some cases when using gccgo or GoLLVM.  Our
apologies for the mishap.  Thanks to Jeffrey Tolar for spotting the
problem.

Ian
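
An added example, not part of the original message and not code from the Go project: a way to list the "#cgo LDFLAGS" directives a file declares so they can be reviewed before untrusted code is built. The helper name `cgoLDFLAGS` and the sample source are assumptions made for the illustration; the code reports the flags only and does not decide which ones are unsafe.

```go
package main
import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strings"
)

// sampleSrc is a constructed file for this example, not from a real module.
const sampleSrc = `package demo
/*
#cgo CFLAGS: -O2
#cgo linux LDFLAGS: -L/opt/demo/lib -ldemo
*/
import "C"
`

// cgoLDFLAGS (hypothetical helper) parses src, never builds it, and returns each #cgo LDFLAGS argument list.
func cgoLDFLAGS(filename string, src []byte) ([]string, error) {
	f, err := parser.ParseFile(token.NewFileSet(), filename, src, parser.ImportsOnly|parser.ParseComments)
	if err != nil {
		return nil, err
	}
	var found []string
	for _, decl := range f.Decls {
		gd := decl.(*ast.GenDecl) // ImportsOnly: every Decl is an import GenDecl
		for _, spec := range gd.Specs {
			is := spec.(*ast.ImportSpec)
			doc := is.Doc
			if doc == nil && len(gd.Specs) == 1 {
				doc = gd.Doc // a lone `import "C"` carries the preamble on the decl
			}
			if is.Path.Value != `"C"` {
				continue
			}
			for _, line := range strings.Split(doc.Text(), "\n") {
				before, args, ok := strings.Cut(strings.TrimSpace(line), ":")
				w := strings.Fields(before)
				if ok && len(w) >= 2 && w[0] == "#cgo" && w[len(w)-1] == "LDFLAGS" {
					found = append(found, strings.TrimSpace(args))
				}
			}
		}
	}
	return found, nil
}

func main() { fmt.Println(cgoLDFLAGS("demo.go", []byte(sampleSrc))) }
```
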
