authorJeffery To <jeffery.to@gmail.com>2020-11-16 01:57:05 +0800
committerHannu Nyman <hannu.nyman@iki.fi>2020-11-15 21:43:07 +0200
commitbd38850609027f6ab140894bff7c4f53d8cc6243 (patch)
tree265d6f609eaa9ab79ebb0125be04089cfad4b976 /lang/golang
parenta561fe0d35c6279fd905c4f3130fd3087ae630f2 (diff)
golang: Update to 1.15.5
This includes security fixes for: * CVE-2020-28362: panic during recursive division of very large numbers * CVE-2020-28366: arbitrary code can be injected into cgo generated files * CVE-2020-28367: improper validation of cgo flags can lead to remote code execution at build time Signed-off-by: Jeffery To <jeffery.to@gmail.com>
Diffstat (limited to 'lang/golang')
-rw-r--r--lang/golang/golang/Makefile4
-rw-r--r--lang/golang/golang/patches/001-allow-flags-in-CGO_LDFLAGS-environment-variable-not-in-security-allowlist-GH-42567.patch93
2 files changed, 95 insertions, 2 deletions
diff --git a/lang/golang/golang/Makefile b/lang/golang/golang/Makefile
index 7e8157f7b..f7b2a2d99 100644
--- a/lang/golang/golang/Makefile
+++ b/lang/golang/golang/Makefile
@@ -8,7 +8,7 @@
include $(TOPDIR)/rules.mk
GO_VERSION_MAJOR_MINOR:=1.15
-GO_VERSION_PATCH:=4
+GO_VERSION_PATCH:=5
PKG_NAME:=golang
PKG_VERSION:=$(GO_VERSION_MAJOR_MINOR)$(if $(GO_VERSION_PATCH),.$(GO_VERSION_PATCH))
@@ -20,7 +20,7 @@ GO_SOURCE_URLS:=https://dl.google.com/go/ \
PKG_SOURCE:=go$(PKG_VERSION).src.tar.gz
PKG_SOURCE_URL:=$(GO_SOURCE_URLS)
-PKG_HASH:=063da6a9a4186b8118a0e584532c8c94e65582e2cd951ed078bfd595d27d2367
+PKG_HASH:=c1076b90cf94b73ebed62a81d802cd84d43d02dea8c07abdc922c57a071c84f1
PKG_MAINTAINER:=Jeffery To <jeffery.to@gmail.com>
PKG_LICENSE:=BSD-3-Clause
diff --git a/lang/golang/golang/patches/001-allow-flags-in-CGO_LDFLAGS-environment-variable-not-in-security-allowlist-GH-42567.patch b/lang/golang/golang/patches/001-allow-flags-in-CGO_LDFLAGS-environment-variable-not-in-security-allowlist-GH-42567.patch
new file mode 100644
index 000000000..49ca5a519
--- /dev/null
+++ b/lang/golang/golang/patches/001-allow-flags-in-CGO_LDFLAGS-environment-variable-not-in-security-allowlist-GH-42567.patch
@@ -0,0 +1,93 @@
+From 39f8e98946a0958a4f69ec28c78b8e5d46125e44 Mon Sep 17 00:00:00 2001
+From: Ian Lance Taylor <iant@golang.org>
+Date: Fri, 13 Nov 2020 11:05:37 -0800
+Subject: [PATCH] [release-branch.go1.15] cmd/go: permit CGO_LDFLAGS to appear in //go:ldflag
+
+For #42565
+Fixes #42567
+
+Change-Id: If7cf39905d124dbd54dfac6a53ee38270498efed
+Reviewed-on: https://go-review.googlesource.com/c/go/+/269818
+Trust: Ian Lance Taylor <iant@golang.org>
+Run-TryBot: Ian Lance Taylor <iant@golang.org>
+TryBot-Result: Go Bot <gobot@golang.org>
+Reviewed-by: Jay Conrod <jayconrod@google.com>
+(cherry picked from commit 782cf560db4c919790fdb476d1bbe18e5ddf5ffd)
+---
+
+diff --git a/src/cmd/go/internal/work/exec.go b/src/cmd/go/internal/work/exec.go
+index 13d4c8c..dc0c4fc 100644
+--- a/src/cmd/go/internal/work/exec.go
++++ b/src/cmd/go/internal/work/exec.go
+@@ -2766,6 +2766,21 @@
+ idx = bytes.Index(src, []byte(cgoLdflag))
+ }
+ }
++
++ // We expect to find the contents of cgoLDFLAGS in flags.
++ if len(cgoLDFLAGS) > 0 {
++ outer:
++ for i := range flags {
++ for j, f := range cgoLDFLAGS {
++ if f != flags[i+j] {
++ continue outer
++ }
++ }
++ flags = append(flags[:i], flags[i+len(cgoLDFLAGS):]...)
++ break
++ }
++ }
++
+ if err := checkLinkerFlags("LDFLAGS", "go:cgo_ldflag", flags); err != nil {
+ return nil, nil, err
+ }
+diff --git a/src/cmd/go/testdata/script/ldflag.txt b/src/cmd/go/testdata/script/ldflag.txt
+new file mode 100644
+index 0000000..6ceb33b
+--- /dev/null
++++ b/src/cmd/go/testdata/script/ldflag.txt
+@@ -0,0 +1,44 @@
++# Issue #42565
++
++[!cgo] skip
++
++# We can't build package bad, which uses #cgo LDFLAGS.
++cd bad
++! go build
++stderr no-such-warning
++
++# We can build package ok with the same flags in CGO_LDFLAGS.
++env CGO_LDFLAGS=-Wno-such-warning -Wno-unknown-warning-option
++cd ../ok
++go build
++
++# Build a main program that actually uses LDFLAGS.
++cd ..
++go build -ldflags=-v
++
++# Because we passed -v the Go linker should print the external linker
++# command which should include the flag we passed in CGO_LDFLAGS.
++stderr no-such-warning
++
++-- go.mod --
++module ldflag
++
++-- bad/bad.go --
++package bad
++
++// #cgo LDFLAGS: -Wno-such-warning -Wno-unknown-warning
++import "C"
++
++func F() {}
++-- ok/ok.go --
++package ok
++
++import "C"
++
++func F() {}
++-- main.go --
++package main
++
++import _ "ldflag/ok"
++
++func main() {}
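Review bot: The matching loop added in the vendored patch (`for i := range flags` … `if f != flags[i+j]`) reads `flags[i+j]` without first checking that `i+len(cgoLDFLAGS) <= len(flags)`, so a partial match of cgoLDFLAGS that begins within the last len(cgoLDFLAGS)-1 entries of flags would panic with an index out of range instead of reaching the checkLinkerFlags allowlist check below it. The comment above the loop says the contents of cgoLDFLAGS are expected to be present in flags, so this may be unreachable in practice, but a guard at the top of the outer loop, `if i+len(cgoLDFLAGS) > len(flags) { break }`, makes that invariant explicit and keeps the flag validation on the safe path. Since this file is a verbatim cherry-pick of upstream CL 269818, such a change belongs upstream rather than in the package-local patch; the enclosing function in exec.go starts and ends outside the hunk.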