diff --git a/0102-Backport-runtime-implement-SUID-SGID-protections.patch b/0102-Backport-runtime-implement-SUID-SGID-protections.patch index 9ba471c894d5fa031e841d56909223d82b68a9a6..4d0e51409dd7dcb082a41fe69dbae9b4311482b8 100644 --- a/0102-Backport-runtime-implement-SUID-SGID-protections.patch +++ b/0102-Backport-runtime-implement-SUID-SGID-protections.patch @@ -1,7 +1,7 @@ -From fbac3ddaf0d7f33a11ce18844d431cdf455b482e Mon Sep 17 00:00:00 2001 +From eb318de64a49fac50ff18e9f467198113ed7ef33 Mon Sep 17 00:00:00 2001 From: Michael Pratt Date: Tue, 8 Feb 2022 16:45:14 -0500 -Subject: [PATCH] [Backport] runtime: implement SUID/SGID protections +Subject: [PATCH] runtime: implement SUID/SGID protections Offering: Cloud Core Network CVE: CVE-2023-29403 @@ -88,11 +88,11 @@ Signed-off-by: Tang Xi tangxi6@huawei.com src/runtime/panic.go | 3 + src/runtime/proc.go | 1 + src/runtime/security_aix.go | 17 +++ - src/runtime/security_issetugid.go | 20 +++ + src/runtime/security_issetugid.go | 19 +++ src/runtime/security_linux.go | 15 ++ - src/runtime/security_nonunix.go | 14 ++ - src/runtime/security_test.go | 144 ++++++++++++++++++ - src/runtime/security_unix.go | 73 +++++++++ + src/runtime/security_nonunix.go | 13 ++ + src/runtime/security_test.go | 143 ++++++++++++++++++ + src/runtime/security_unix.go | 72 +++++++++ src/runtime/signal_unix.go | 4 + src/runtime/sys_darwin.go | 27 +++- src/runtime/sys_darwin_amd64.s | 7 + @@ -113,7 +113,7 @@ Signed-off-by: Tang Xi tangxi6@huawei.com src/runtime/syscall2_solaris.go | 2 + src/runtime/syscall_solaris.go | 1 + src/runtime/testdata/testsuid/main.go | 25 +++ - 52 files changed, 751 insertions(+), 59 deletions(-) + 52 files changed, 747 insertions(+), 59 deletions(-) create mode 100644 src/runtime/internal/syscall/asm_linux_386.s create mode 100644 src/runtime/internal/syscall/asm_linux_amd64.s create mode 100644 src/runtime/internal/syscall/asm_linux_arm.s @@ -134,7 +134,7 @@ 
Signed-off-by: Tang Xi tangxi6@huawei.com create mode 100644 src/runtime/testdata/testsuid/main.go diff --git a/src/cmd/compile/internal/gc/racewalk.go b/src/cmd/compile/internal/gc/racewalk.go -index 6f251377c9..710c97a84b 100644 +index 6f25137..710c97a 100644 --- a/src/cmd/compile/internal/gc/racewalk.go +++ b/src/cmd/compile/internal/gc/racewalk.go @@ -34,8 +34,9 @@ import ( @@ -149,7 +149,7 @@ index 6f251377c9..710c97a84b 100644 "runtime/race", "runtime/msan", diff --git a/src/go/build/deps_test.go b/src/go/build/deps_test.go -index 875acebf9c..c134417567 100644 +index 875aceb..c134417 100644 --- a/src/go/build/deps_test.go +++ b/src/go/build/deps_test.go @@ -81,6 +81,7 @@ var depsRules = ` @@ -161,7 +161,7 @@ index 875acebf9c..c134417567 100644 < runtime/internal/math < runtime diff --git a/src/runtime/export_darwin_test.go b/src/runtime/export_darwin_test.go -index e9b6eb36da..034c52d603 100644 +index e9b6eb3..034c52d 100644 --- a/src/runtime/export_darwin_test.go +++ b/src/runtime/export_darwin_test.go @@ -4,10 +4,3 @@ @@ -176,7 +176,7 @@ index e9b6eb36da..034c52d603 100644 - return uintptr(r), 0 -} diff --git a/src/runtime/export_unix_test.go b/src/runtime/export_unix_test.go -index 621488eaba..b1cf15f035 100644 +index 621488e..b1cf15f 100644 --- a/src/runtime/export_unix_test.go +++ b/src/runtime/export_unix_test.go @@ -12,6 +12,7 @@ var NonblockingPipe = nonblockingPipe @@ -188,7 +188,7 @@ index 621488eaba..b1cf15f035 100644 func sigismember(mask *sigset, i int) bool { clear := *mask diff --git a/src/runtime/extern.go b/src/runtime/extern.go -index 7316503ed2..056465cccb 100644 +index 7316503..056465c 100644 --- a/src/runtime/extern.go +++ b/src/runtime/extern.go @@ -172,6 +172,25 @@ the set of Go environment variables. They influence the building of Go programs @@ -219,7 +219,7 @@ index 7316503ed2..056465cccb 100644 
diff --git a/src/runtime/internal/syscall/asm_linux_386.s b/src/runtime/internal/syscall/asm_linux_386.s new file mode 100644 -index 0000000000..15aae4d8bd +index 0000000..15aae4d --- /dev/null +++ b/src/runtime/internal/syscall/asm_linux_386.s @@ -0,0 +1,34 @@ @@ -259,7 +259,7 @@ index 0000000000..15aae4d8bd + RET diff --git a/src/runtime/internal/syscall/asm_linux_amd64.s b/src/runtime/internal/syscall/asm_linux_amd64.s new file mode 100644 -index 0000000000..961d9bd640 +index 0000000..961d9bd --- /dev/null +++ b/src/runtime/internal/syscall/asm_linux_amd64.s @@ -0,0 +1,33 @@ @@ -298,7 +298,7 @@ index 0000000000..961d9bd640 + RET diff --git a/src/runtime/internal/syscall/asm_linux_arm.s b/src/runtime/internal/syscall/asm_linux_arm.s new file mode 100644 -index 0000000000..dbf1826d94 +index 0000000..dbf1826 --- /dev/null +++ b/src/runtime/internal/syscall/asm_linux_arm.s @@ -0,0 +1,32 @@ @@ -336,7 +336,7 @@ index 0000000000..dbf1826d94 + RET diff --git a/src/runtime/internal/syscall/asm_linux_arm64.s b/src/runtime/internal/syscall/asm_linux_arm64.s new file mode 100644 -index 0000000000..83e862ff72 +index 0000000..83e862f --- /dev/null +++ b/src/runtime/internal/syscall/asm_linux_arm64.s @@ -0,0 +1,29 @@ @@ -371,7 +371,7 @@ index 0000000000..83e862ff72 + RET diff --git a/src/runtime/internal/syscall/defs_linux_386.go b/src/runtime/internal/syscall/defs_linux_386.go new file mode 100644 -index 0000000000..31d704e235 +index 0000000..31d704e --- /dev/null +++ b/src/runtime/internal/syscall/defs_linux_386.go @@ -0,0 +1,7 @@ @@ -384,7 +384,7 @@ index 0000000000..31d704e235 +const SYS_FCNTL = 55 diff --git a/src/runtime/internal/syscall/defs_linux_amd64.go b/src/runtime/internal/syscall/defs_linux_amd64.go new file mode 100644 -index 0000000000..2368eb03b4 +index 0000000..2368eb0 --- /dev/null +++ b/src/runtime/internal/syscall/defs_linux_amd64.go @@ -0,0 +1,7 @@ @@ -397,7 +397,7 @@ index 0000000000..2368eb03b4 +const SYS_FCNTL = 72 
diff --git a/src/runtime/internal/syscall/defs_linux_arm.go b/src/runtime/internal/syscall/defs_linux_arm.go new file mode 100644 -index 0000000000..31d704e235 +index 0000000..31d704e --- /dev/null +++ b/src/runtime/internal/syscall/defs_linux_arm.go @@ -0,0 +1,7 @@ @@ -410,7 +410,7 @@ index 0000000000..31d704e235 +const SYS_FCNTL = 55 diff --git a/src/runtime/internal/syscall/defs_linux_arm64.go b/src/runtime/internal/syscall/defs_linux_arm64.go new file mode 100644 -index 0000000000..6292c90af5 +index 0000000..6292c90 --- /dev/null +++ b/src/runtime/internal/syscall/defs_linux_arm64.go @@ -0,0 +1,7 @@ @@ -423,7 +423,7 @@ index 0000000000..6292c90af5 +const SYS_FCNTL = 25 diff --git a/src/runtime/internal/syscall/syscall_linux.go b/src/runtime/internal/syscall/syscall_linux.go new file mode 100644 -index 0000000000..06d5f21e7c +index 0000000..06d5f21 --- /dev/null +++ b/src/runtime/internal/syscall/syscall_linux.go @@ -0,0 +1,12 @@ @@ -441,7 +441,7 @@ index 0000000000..06d5f21e7c +func Syscall6(num, a1, a2, a3, a4, a5, a6 uintptr) (r1, r2, errno uintptr) diff --git a/src/runtime/nbpipe_fcntl_libc_test.go b/src/runtime/nbpipe_fcntl_libc_test.go deleted file mode 100644 -index b38c58399b..0000000000 +index b38c583..0000000 --- a/src/runtime/nbpipe_fcntl_libc_test.go +++ /dev/null @@ -1,18 +0,0 @@ @@ -465,7 +465,7 @@ index b38c58399b..0000000000 -} diff --git a/src/runtime/nbpipe_fcntl_unix_test.go b/src/runtime/nbpipe_fcntl_unix_test.go deleted file mode 100644 -index 75acdb62dd..0000000000 +index 75acdb6..0000000 --- a/src/runtime/nbpipe_fcntl_unix_test.go +++ /dev/null @@ -1,17 +0,0 @@ @@ -487,7 +487,7 @@ index 75acdb62dd..0000000000 - return res, err -} diff --git a/src/runtime/nbpipe_test.go b/src/runtime/nbpipe_test.go -index d739f57864..9496f83a44 100644 +index d739f57..9496f83 100644 --- a/src/runtime/nbpipe_test.go +++ b/src/runtime/nbpipe_test.go @@ -14,23 +14,29 @@ import ( 
@@ -549,7 +549,7 @@ index d739f57864..9496f83a44 100644 } else if flags&syscall.FD_CLOEXEC == 0 { t.Errorf("FD_CLOEXEC not set in %s flags %#x", name, flags) diff --git a/src/runtime/os2_aix.go b/src/runtime/os2_aix.go -index 31ac6ddf79..8b609aaf90 100644 +index 31ac6dd..8b609aa 100644 --- a/src/runtime/os2_aix.go +++ b/src/runtime/os2_aix.go @@ -55,6 +55,10 @@ var ( @@ -586,7 +586,7 @@ index 31ac6ddf79..8b609aaf90 100644 libpthread___pth_init, libpthread_attr_destroy, diff --git a/src/runtime/os_aix.go b/src/runtime/os_aix.go -index 9a6b8aec7c..7fb7aafa74 100644 +index 9a6b8ae..7fb7aaf 100644 --- a/src/runtime/os_aix.go +++ b/src/runtime/os_aix.go @@ -375,3 +375,43 @@ func setNonblock(fd int32) { @@ -634,7 +634,7 @@ index 9a6b8aec7c..7fb7aafa74 100644 + return int32(r) +} diff --git a/src/runtime/os_dragonfly.go b/src/runtime/os_dragonfly.go -index 6578fcbeb1..df0ff3828f 100644 +index 6578fcb..df0ff38 100644 --- a/src/runtime/os_dragonfly.go +++ b/src/runtime/os_dragonfly.go @@ -62,6 +62,8 @@ func pipe() (r, w int32, errno int32) @@ -647,7 +647,7 @@ index 6578fcbeb1..df0ff3828f 100644 const ( _CTL_HW = 6 diff --git a/src/runtime/os_freebsd.go b/src/runtime/os_freebsd.go -index 730973a202..35242c3894 100644 +index 730973a..35242c3 100644 --- a/src/runtime/os_freebsd.go +++ b/src/runtime/os_freebsd.go @@ -46,6 +46,8 @@ func pipe2(flags int32) (r, w int32, errno int32) @@ -660,7 +660,7 @@ index 730973a202..35242c3894 100644 const ( _CTL_HW = 6 diff --git a/src/runtime/os_linux.go b/src/runtime/os_linux.go -index 7b95ff2428..e83b6df048 100644 +index 7b95ff2..e83b6df 100644 --- a/src/runtime/os_linux.go +++ b/src/runtime/os_linux.go @@ -7,6 +7,7 @@ package runtime @@ -790,7 +790,7 @@ index 7b95ff2428..e83b6df048 100644 func rt_sigaction(sig uintptr, new, old *sigactiont, size uintptr) int32 diff --git a/src/runtime/os_netbsd.go b/src/runtime/os_netbsd.go -index 97106c7b9d..748e324f6f 100644 +index 97106c7..748e324 100644 --- a/src/runtime/os_netbsd.go 
+++ b/src/runtime/os_netbsd.go @@ -77,6 +77,8 @@ func pipe2(flags int32) (r, w int32, errno int32) @@ -803,7 +803,7 @@ index 97106c7b9d..748e324f6f 100644 _ESRCH = 3 _ETIMEDOUT = 60 diff --git a/src/runtime/os_solaris.go b/src/runtime/os_solaris.go -index 89129e5f1a..a9c081d292 100644 +index 89129e5..a9c081d 100644 --- a/src/runtime/os_solaris.go +++ b/src/runtime/os_solaris.go @@ -264,3 +264,7 @@ func sysvicall6(fn *libcFunc, a1, a2, a3, a4, a5, a6 uintptr) uintptr { @@ -815,7 +815,7 @@ index 89129e5f1a..a9c081d292 100644 + return int32(sysvicall0(&libc_issetugid)) +} diff --git a/src/runtime/panic.go b/src/runtime/panic.go -index 615249f33c..e6d787d20d 100644 +index 615249f..e6d787d 100644 --- a/src/runtime/panic.go +++ b/src/runtime/panic.go @@ -1166,6 +1166,9 @@ func fatalthrow() { @@ -829,7 +829,7 @@ index 615249f33c..e6d787d20d 100644 if dopanic_m(gp, pc, sp) { diff --git a/src/runtime/proc.go b/src/runtime/proc.go -index e1aafffc93..c0b961f13e 100644 +index e1aafff..c0b961f 100644 --- a/src/runtime/proc.go +++ b/src/runtime/proc.go @@ -634,6 +634,7 @@ func schedinit() { @@ -842,7 +842,7 @@ index e1aafffc93..c0b961f13e 100644 diff --git a/src/runtime/security_aix.go b/src/runtime/security_aix.go new file mode 100644 -index 0000000000..c11b9c3f01 +index 0000000..c11b9c3 --- /dev/null +++ b/src/runtime/security_aix.go @@ -0,0 +1,17 @@ @@ -865,15 +865,14 @@ index 0000000000..c11b9c3f01 +} diff --git a/src/runtime/security_issetugid.go b/src/runtime/security_issetugid.go new file mode 100644 -index 0000000000..856f50a504 +index 0000000..ee1aa67 --- /dev/null +++ b/src/runtime/security_issetugid.go -@@ -0,0 +1,20 @@ +@@ -0,0 +1,19 @@ +// Copyright 2023 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + -+//go:build darwin || dragonfly || freebsd || illumos || netbsd || openbsd || solaris +// +build darwin dragonfly freebsd illumos netbsd openbsd solaris + +package runtime 
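Review bot: With the `//go:build` lines dropped from the new files security_issetugid.go, security_nonunix.go, security_test.go and security_unix.go, the legacy `// +build` line alone decides whether a build gets the SUID/SGID handling or the no-op `func secure() {}`, and nothing in the patch header records why the backport differs from upstream here. The change was presumably made because Go 1.15.7 predates `//go:build`. The visible lists in security_unix.go and security_nonunix.go remain exact complements (the same twelve GOOS names, space-separated versus comma-joined negations), and each `// +build` line is still followed by a blank line before `package`. I would add a sentence to the patch description such as `Note: //go:build lines removed for go1.15; // +build is the only constraint`, so a later re-sync with upstream does not let the two lists drift apart. The bodies of these files lie outside the changed lines.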
@@ -891,7 +890,7 @@ index 0000000000..856f50a504 +} diff --git a/src/runtime/security_linux.go b/src/runtime/security_linux.go new file mode 100644 -index 0000000000..181f3a184e +index 0000000..181f3a1 --- /dev/null +++ b/src/runtime/security_linux.go @@ -0,0 +1,15 @@ @@ -912,15 +911,14 @@ index 0000000000..181f3a184e +} diff --git a/src/runtime/security_nonunix.go b/src/runtime/security_nonunix.go new file mode 100644 -index 0000000000..42c3bf408a +index 0000000..19d16ea --- /dev/null +++ b/src/runtime/security_nonunix.go -@@ -0,0 +1,14 @@ +@@ -0,0 +1,13 @@ +// Copyright 2023 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + -+//go:build !aix && !android && !darwin && !dragonfly && !freebsd && !hurd && !illumos && !ios && !linux && !netbsd && !openbsd && !solaris +// +build !aix,!android,!darwin,!dragonfly,!freebsd,!hurd,!illumos,!ios,!linux,!netbsd,!openbsd,!solaris + +package runtime @@ -932,15 +930,14 @@ index 0000000000..42c3bf408a +func secure() {} diff --git a/src/runtime/security_test.go b/src/runtime/security_test.go new file mode 100644 -index 0000000000..7e0c7ad245 +index 0000000..d7d5d25 --- /dev/null +++ b/src/runtime/security_test.go -@@ -0,0 +1,144 @@ +@@ -0,0 +1,143 @@ +// Copyright 2023 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + -+//go:build aix || android || darwin || dragonfly || freebsd || hurd || illumos || ios || linux || netbsd || openbsd || solaris +// +build aix android darwin dragonfly freebsd hurd illumos ios linux netbsd openbsd solaris + +package runtime_test @@ -1082,15 +1079,14 @@ index 0000000000..7e0c7ad245 +} diff --git a/src/runtime/security_unix.go b/src/runtime/security_unix.go new file mode 100644 -index 0000000000..791590b2a6 +index 0000000..724471c --- /dev/null 
+++ b/src/runtime/security_unix.go -@@ -0,0 +1,73 @@ +@@ -0,0 +1,72 @@ +// Copyright 2023 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + -+//go:build aix || android || darwin || dragonfly || freebsd || hurd || illumos || ios || linux || netbsd || openbsd || solaris +// +build aix android darwin dragonfly freebsd hurd illumos ios linux netbsd openbsd solaris + +package runtime @@ -1160,7 +1156,7 @@ index 0000000000..791590b2a6 + } +} diff --git a/src/runtime/signal_unix.go b/src/runtime/signal_unix.go -index 003c7b0bc8..c13ede9d8a 100644 +index 003c7b0..c13ede9 100644 --- a/src/runtime/signal_unix.go +++ b/src/runtime/signal_unix.go @@ -633,6 +633,10 @@ func sighandler(sig uint32, info *siginfo, ctxt unsafe.Pointer, gp *g) { @@ -1175,7 +1171,7 @@ index 003c7b0bc8..c13ede9d8a 100644 if _g_.m.lockedg != 0 && _g_.m.ncgo > 0 && gp == _g_.m.g0 { print("signal arrived during cgo execution\n") diff --git a/src/runtime/sys_darwin.go b/src/runtime/sys_darwin.go -index 06474434c9..6c3527d4ae 100644 +index 0647443..6c3527d 100644 --- a/src/runtime/sys_darwin.go +++ b/src/runtime/sys_darwin.go @@ -10,6 +10,7 @@ import "unsafe" @@ -1242,7 +1238,7 @@ index 06474434c9..6c3527d4ae 100644 + +//go:cgo_import_dynamic libc_issetugid issetugid "/usr/lib/libSystem.B.dylib" diff --git a/src/runtime/sys_darwin_amd64.s b/src/runtime/sys_darwin_amd64.s -index 825852d673..85d0e40873 100644 +index 825852d..85d0e40 100644 --- a/src/runtime/sys_darwin_amd64.s +++ b/src/runtime/sys_darwin_amd64.s @@ -851,3 +851,10 @@ TEXT runtime·syscallNoErr(SB),NOSPLIT,$0 @@ -1257,7 +1253,7 @@ index 825852d673..85d0e40873 100644 + POPQ BP + RET diff --git a/src/runtime/sys_darwin_arm64.s b/src/runtime/sys_darwin_arm64.s -index 585d4f2c64..fa3f9d8579 100644 +index 585d4f2..fa3f9d8 100644 --- a/src/runtime/sys_darwin_arm64.s +++ b/src/runtime/sys_darwin_arm64.s 
@@ -693,3 +693,7 @@ TEXT runtime·syscall6X(SB),NOSPLIT,$0 @@ -1270,7 +1266,7 @@ index 585d4f2c64..fa3f9d8579 100644 + RET \ No newline at end of file diff --git a/src/runtime/sys_dragonfly_amd64.s b/src/runtime/sys_dragonfly_amd64.s -index 580633af55..ea04d0eae7 100644 +index 580633a..ea04d0e 100644 --- a/src/runtime/sys_dragonfly_amd64.s +++ b/src/runtime/sys_dragonfly_amd64.s @@ -405,3 +405,13 @@ TEXT runtime·setNonblock(SB),NOSPLIT,$0-4 @@ -1288,7 +1284,7 @@ index 580633af55..ea04d0eae7 100644 + MOVL AX, ret+0(FP) + RET diff --git a/src/runtime/sys_freebsd_386.s b/src/runtime/sys_freebsd_386.s -index c346e719e1..f725d2b291 100644 +index c346e71..f725d2b 100644 --- a/src/runtime/sys_freebsd_386.s +++ b/src/runtime/sys_freebsd_386.s @@ -464,3 +464,10 @@ TEXT runtime·cpuset_getaffinity(SB), NOSPLIT, $0-28 @@ -1303,7 +1299,7 @@ index c346e719e1..f725d2b291 100644 + MOVL AX, ret+0(FP) + RET diff --git a/src/runtime/sys_freebsd_amd64.s b/src/runtime/sys_freebsd_amd64.s -index 010b2ec4d4..0eb0a03458 100644 +index 010b2ec..0eb0a03 100644 --- a/src/runtime/sys_freebsd_amd64.s +++ b/src/runtime/sys_freebsd_amd64.s @@ -502,3 +502,13 @@ TEXT runtime·cpuset_getaffinity(SB), NOSPLIT, $0-44 @@ -1321,7 +1317,7 @@ index 010b2ec4d4..0eb0a03458 100644 + MOVL AX, ret+0(FP) + RET diff --git a/src/runtime/sys_freebsd_arm.s b/src/runtime/sys_freebsd_arm.s -index 1e12f9cfcb..c31b77cb99 100644 +index 1e12f9c..c31b77c 100644 --- a/src/runtime/sys_freebsd_arm.s +++ b/src/runtime/sys_freebsd_arm.s @@ -28,6 +28,7 @@ @@ -1344,7 +1340,7 @@ index 1e12f9cfcb..c31b77cb99 100644 + MOVW R0, ret+0(FP) + RET diff --git a/src/runtime/sys_freebsd_arm64.s b/src/runtime/sys_freebsd_arm64.s -index 2330f2ffe2..af87220976 100644 +index 2330f2f..af87220 100644 --- a/src/runtime/sys_freebsd_arm64.s +++ b/src/runtime/sys_freebsd_arm64.s @@ -33,6 +33,7 @@ @@ -1367,7 +1363,7 @@ index 2330f2ffe2..af87220976 100644 + MOVW R0, ret+0(FP) + RET 
diff --git a/src/runtime/sys_netbsd_386.s b/src/runtime/sys_netbsd_386.s -index d0c470c457..59f43cfcc9 100644 +index d0c470c..59f43cf 100644 --- a/src/runtime/sys_netbsd_386.s +++ b/src/runtime/sys_netbsd_386.s @@ -29,6 +29,7 @@ @@ -1390,7 +1386,7 @@ index d0c470c457..59f43cfcc9 100644 + MOVL AX, ret+0(FP) + RET diff --git a/src/runtime/sys_netbsd_amd64.s b/src/runtime/sys_netbsd_amd64.s -index dc9bd127d2..9e780147f4 100644 +index dc9bd12..9e78014 100644 --- a/src/runtime/sys_netbsd_amd64.s +++ b/src/runtime/sys_netbsd_amd64.s @@ -29,6 +29,7 @@ @@ -1416,7 +1412,7 @@ index dc9bd127d2..9e780147f4 100644 + MOVL AX, ret+0(FP) + RET diff --git a/src/runtime/sys_netbsd_arm.s b/src/runtime/sys_netbsd_arm.s -index 678dea57c6..91fb22f08c 100644 +index 678dea5..91fb22f 100644 --- a/src/runtime/sys_netbsd_arm.s +++ b/src/runtime/sys_netbsd_arm.s @@ -30,6 +30,7 @@ @@ -1438,7 +1434,7 @@ index 678dea57c6..91fb22f08c 100644 + MOVW R0, ret+0(FP) + RET diff --git a/src/runtime/sys_netbsd_arm64.s b/src/runtime/sys_netbsd_arm64.s -index e70be0fa74..b263662079 100644 +index e70be0f..b263662 100644 --- a/src/runtime/sys_netbsd_arm64.s +++ b/src/runtime/sys_netbsd_arm64.s @@ -32,6 +32,7 @@ @@ -1460,7 +1456,7 @@ index e70be0fa74..b263662079 100644 + MOVW R0, ret+0(FP) + RET diff --git a/src/runtime/sys_openbsd_386.s b/src/runtime/sys_openbsd_386.s -index 24fbfd6266..72637d19a5 100644 +index 24fbfd6..72637d1 100644 --- a/src/runtime/sys_openbsd_386.s +++ b/src/runtime/sys_openbsd_386.s @@ -459,3 +459,12 @@ TEXT runtime·setNonblock(SB),NOSPLIT,$16-4 @@ -1477,7 +1473,7 @@ index 24fbfd6266..72637d19a5 100644 + POPL BP + RET diff --git a/src/runtime/sys_openbsd_amd64.s b/src/runtime/sys_openbsd_amd64.s -index 37d70ab9aa..9cb49a6229 100644 +index 37d70ab..9cb49a6 100644 --- a/src/runtime/sys_openbsd_amd64.s +++ b/src/runtime/sys_openbsd_amd64.s @@ -414,3 +414,9 @@ TEXT runtime·setNonblock(SB),NOSPLIT,$0-4 
@@ -1491,7 +1487,7 @@ index 37d70ab9aa..9cb49a6229 100644 + MOVL AX, 0(BX) // return value + RET diff --git a/src/runtime/sys_openbsd_arm.s b/src/runtime/sys_openbsd_arm.s -index 9e18ce0e16..5467cf83b4 100644 +index 9e18ce0..5467cf8 100644 --- a/src/runtime/sys_openbsd_arm.s +++ b/src/runtime/sys_openbsd_arm.s @@ -433,3 +433,12 @@ TEXT runtime·read_tls_fallback(SB),NOSPLIT|NOFRAME,$0 @@ -1508,7 +1504,7 @@ index 9e18ce0e16..5467cf83b4 100644 + MOVW R9, R13 + RET diff --git a/src/runtime/sys_openbsd_arm64.s b/src/runtime/sys_openbsd_arm64.s -index 621b1b1a42..00b7864ada 100644 +index 621b1b1..00b7864 100644 --- a/src/runtime/sys_openbsd_arm64.s +++ b/src/runtime/sys_openbsd_arm64.s @@ -446,3 +446,9 @@ TEXT runtime·setNonblock(SB),NOSPLIT|NOFRAME,$0-4 @@ -1522,7 +1518,7 @@ index 621b1b1a42..00b7864ada 100644 + MOVW R0, 0(R19) // return value + RET diff --git a/src/runtime/syscall2_solaris.go b/src/runtime/syscall2_solaris.go -index e098e8006a..426481bab5 100644 +index e098e80..426481b 100644 --- a/src/runtime/syscall2_solaris.go +++ b/src/runtime/syscall2_solaris.go @@ -23,6 +23,7 @@ import _ "unsafe" // for go:linkname @@ -1539,7 +1535,7 @@ index e098e8006a..426481bab5 100644 //go:linkname libc_wait4 libc_wait4 +//go:linkname libc_issetugid libc_issetugid diff --git a/src/runtime/syscall_solaris.go b/src/runtime/syscall_solaris.go -index 094516927f..aff1504489 100644 +index 0945169..aff1504 100644 --- a/src/runtime/syscall_solaris.go +++ b/src/runtime/syscall_solaris.go @@ -22,6 +22,7 @@ var ( @@ -1552,7 +1548,7 @@ index 094516927f..aff1504489 100644 diff --git a/src/runtime/testdata/testsuid/main.go b/src/runtime/testdata/testsuid/main.go new file mode 100644 -index 0000000000..1949d2d666 +index 0000000..1949d2d --- /dev/null +++ b/src/runtime/testdata/testsuid/main.go @@ -0,0 +1,25 @@ @@ -1582,5 +1578,5 @@ index 0000000000..1949d2d666 + fmt.Fprintf(os.Stderr, "hello\n") +} -- -2.33.0 +2.30.2 
diff --git a/golang.spec b/golang.spec index f0215361b943b9833386be9bcc580a37bd162e5b..91a04e75b280b33f981025d016e70f747ab60315 100644 --- a/golang.spec +++ b/golang.spec @@ -58,7 +58,7 @@ Name: golang Version: 1.15.7 -Release: 28 +Release: 29 Summary: The Go Programming Language License: BSD and Public Domain URL: https://golang.org/ @@ -243,7 +243,7 @@ Patch6098: 0098-Backport-html-template-disallow-angle-brackets-in-CS.patch Patch6099: 0099-Backport-cmd-go-disallow-package-directories-contain.patch Patch6100: 0100-Backport-cmd-go-enforce-flags-with-non-optional-argu.patch Patch6101: 0101-Backport-cmd-go-cmd-cgo-in-_cgo_flags-use-one-line-p.patch -#Patch6102: 0102-Backport-runtime-implement-SUID-SGID-protections.patch +Patch6102: 0102-Backport-runtime-implement-SUID-SGID-protections.patch Patch9001: 0001-drop-hard-code-cert.patch Patch9002: 0002-fix-patch-cmd-go-internal-modfetch-do-not-sho.patch @@ -483,11 +483,17 @@ fi %files devel -f go-tests.list -f go-misc.list -f go-src.list %changelog +* Thu Jun 29 2023 hanchao - 1.15.7-29 +- Type:CVE +- CVE:CVE-2023-29403 +- SUG:NA +- DESC: fix CVE-2023-29403 + * Wed Jun 28 2023 hanchao - 1.15.7-28 - Type:CVE -- CVE:CVE-2023-29402,CVE-2023-29404,CVE-2023-29405,CVE-2023-29403 +- CVE:CVE-2023-29402,CVE-2023-29404,CVE-2023-29405 - SUG:NA -- DESC: fix CVE-2023-29402,CVE-2023-29404,CVE-2023-29405,CVE-2023-29403 +- DESC: fix CVE-2023-29402,CVE-2023-29404,CVE-2023-29405 * Mon May 22 2023 hanchao - 1.15.7-27 - Type:CVE
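Review bot: The `Patch6102:` line was commented out in 1.15.7-28 although that release's changelog listed CVE-2023-29403 as fixed, and the new 1.15.7-29 entry does not say so. Rewriting the -28 entry corrects the spec, but anyone who triaged against the original -28 changelog would still treat that build as patched; I would make the new entry explicit, e.g. `- DESC: fix CVE-2023-29403 (patch 6102 was not applied in 1.15.7-28)`. The `%prep` section is not visible in this diff, so it is worth confirming that patch 6102 is actually applied there rather than only declared, for example by checking that src/runtime/security_unix.go exists in the prepared tree.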