oss-sec mailing list archives

DLL injection in Go < 1.12.2 [CVE-2019-9634]


From: "Jason A. Donenfeld" <Jason () zx2c4 com>
Date: Tue, 9 Apr 2019 02:26:07 +0200

Hey folks,

Golang before 1.12.2 linked against various DLLs that were
same-directory injectable and generally its library loading mechanism
did not use LoadLibraryEx, allowing the classic DLL injection attacks,
especially with regard to executables saved to the Downloads/ folder
[1]. It was assigned CVE-2019-9634 and fixed in [2] and [3]. It wasn't
mentioned in the 1.12.2 release notes, so I'm mentioning it here
instead.

Jason

[1] https://user-images.githubusercontent.com/10643/53921755-eb9e1a00-4071-11e9-83a7-058ceb008e55.gif
[2] https://github.com/golang/go/commit/9b6e9f0c8c66355c0f0575d808b32f52c8c6d21c
[3] https://github.com/golang/sys/commit/10058d7d4faa7dd5ef860cbd31af00903076e7b8
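
A defender-side check for the same-directory condition described above, as an added example that is not part of the original post or of the Go project's fix: it flags DLLs that sit beside an executable and carry a system DLL's name. `FindPlantedDLLs` and the watch list are hypothetical; the list is constructed and is not the set of DLLs Go linked against.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// FindPlantedDLLs returns the DLLs in dir whose names match an entry in
// systemDLLs (case-insensitive, as on Windows) when dir also holds at least
// one .exe. The default Windows search order checks the application's own
// directory before System32, so such a DLL would shadow the system copy.
func FindPlantedDLLs(dir string, systemDLLs []string) ([]string, error) {
	entries, err := os.ReadDir(dir) // entries come back sorted by file name
	if err != nil {
		return nil, err
	}
	watch := make(map[string]bool, len(systemDLLs))
	for _, n := range systemDLLs {
		watch[strings.ToLower(n)] = true
	}
	var hits []string
	hasExe := false
	for _, e := range entries {
		if e.IsDir() {
			continue
		}
		name := strings.ToLower(e.Name())
		switch filepath.Ext(name) {
		case ".exe":
			hasExe = true
		case ".dll":
			if watch[name] {
				hits = append(hits, e.Name())
			}
		}
	}
	if !hasExe {
		return nil, nil // no executable here, so nothing would load from this directory
	}
	return hits, nil
}

func main() {
	// Constructed watch list; scans the current directory.
	hits, err := FindPlantedDLLs(".", []string{"version.dll", "winmm.dll"})
	fmt.Println(hits, err)
}
```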

