Chris Waldon d2db4f6875 internal/{egl,gl}: [Windows] restrict graphics DLL sources
In order to avoid DLL preloading attacks, we should be careful about where we
load DLLs from. These packages load graphics DLLs, which may be provided by the
OS, by a graphics vendor, or even by individual applications. As such, we can't
restrict loading them to just system32-provided paths. Instead, we invoke
LoadLibraryEx [0] with the LOAD_LIBRARY_SEARCH_DEFAULT_DIRS path, which will search
system32, application-defined paths, and the path of the primary application
executable. This mode ignores the system %PATH% variable, which dramatically
reduces the attack surface of malicious or unintended DLLs.

Applications may add custom paths to the search list by calling the standard
windows AddDllDirectory function [1] prior to attempting to initialize GL.

Thanks to Mohsen Mirzakhani and Utkarsh Satya Prakash for bringing this to
our attention.

[0] https://learn.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibraryexa
[1] https://learn.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-adddlldirectory

Signed-off-by: Chris Waldon <christopher.waldon.dev@gmail.com>
2025-01-09 21:57:47 +01:00
2022-10-11 13:27:57 -06:00
2024-04-15 10:18:25 +02:00
2024-12-18 13:28:16 -05:00
2023-01-01 10:19:50 -06:00
2024-12-06 10:23:02 +01:00
2024-12-06 10:23:02 +01:00
2020-12-11 16:42:04 +01:00
2023-07-01 12:38:39 -04:00

Gio - https://gioui.org

Immediate mode GUI programs in Go for Android, iOS, macOS, Linux, FreeBSD, OpenBSD, Windows, and WebAssembly (experimental).

Installation, examples, documentation

Go to gioui.org.

builds.sr.ht status

Issues

File bugs and TODOs through the issue tracker or send an email to ~eliasnaur/gio@todo.sr.ht. For general discussion, use the mailing list: ~eliasnaur/gio@lists.sr.ht.

Contributing

Post discussion to the mailing list and patches to gio-patches. No Sourcehut account is required and you can post without being subscribed.

See the contribution guide for more details.

An official GitHub mirror is available.

Tags

Pre-1.0 tags are provided for reference only, and do not designate releases with ongoing support. Bugfixes will not be backported to older tags.

Tags follow semantic versioning. In particular, as the major version is zero:

  • breaking API or behavior changes will increment the minor version component.
  • non-breaking changes will increment the patch version component.
S
Description
No description provided
Readme Multiple Licenses 6.2 MiB
Languages
Go 89.6%
C 7%
Java 1.7%
Objective-C 1.6%