From 40fd5bde39898309974b9032a033a5bbd6aa1839 Mon Sep 17 00:00:00 2001 From: LuoYujie Date: Mon, 14 Aug 2023 02:53:23 +0000 Subject: [PATCH 1/4] update golang.spec. Signed-off-by: LuoYujie --- golang.spec | 110 +++++++++++++++++++++++++++++----------------------- 1 file changed, 61 insertions(+), 49 deletions(-) diff --git a/golang.spec b/golang.spec index 123995c..bc530f2 100644 --- a/golang.spec +++ b/golang.spec @@ -63,7 +63,7 @@ Name: golang Version: 1.17.3 -Release: 20 +Release: 12.%{subr}8 Summary: The Go Programming Language License: BSD and Public Domain URL: https://golang.org/ @@ -76,7 +76,7 @@ BuildRequires: golang > 1.4 %endif BuildRequires: hostname # for tests -BuildRequires: pcre-devel, glibc-static, perl-interpreter, procps-ng +BuildRequires: glibc-static, perl-interpreter, procps-ng Provides: go = %{version}-%{release} Requires: %{name}-devel = %{version}-%{release} 
@@ -173,30 +173,31 @@ Patch6020: 0020-release-branch.go1.18-regexp-limit-size-of-parsed-re.patch
 Patch6021: 0021-release-branch.go1.18-net-http-httputil-avoid-query-.patch
 Patch6022: 0022-release-branch.go1.18-archive-tar-limit-size-of-head.patch
 Patch6023: 0023-syscall-os-exec-reject-environment-variables-contain.patch
-Patch6024: 0024-release-branch.go1.18-add-definition-byte-string-cut.patch
-Patch6025: 0025-release-branch.go1.17-crypto-elliptic-make-IsOnCurve.patch
-Patch6026: 0026-release-branch.go1.17-cmd-go-internal-modfetch-do-no.patch
-Patch6027: 0027-release-branch.go1.17-regexp-syntax-reject-very-deep.patch
-Patch6028: 0028-release-branch.go1.17-net-http-update-bundled-golang.patch
-Patch6029: 0029-release-branch.go1.17-math-big-prevent-overflow-in-R.patch
-Patch6030: 0030-release-branch.go1.18-net-http-update-bundled-golang.patch
-Patch6031: 0031-all-update-vendored-golang.org-x-net.patch
-Patch6032: 0032-crypto-tls-replace-all-usages-of-BytesOrPanic.patch
-Patch6033: 0033-mime-multipart-limit-memory-inode-consumption-of-Rea.patch
-Patch6034: 0034-release-branch.go1.19-net-textproto-avoid-overpredic.patch
-Patch6035: 0035-release-branch.go1.19-go-scanner-reject-large-line-a.patch
-Patch6036: 0036-release-branch.go1.19-html-template-disallow-actions.patch
-Patch6037: 0037-release-branch.go1.19-mime-multipart-avoid-excessive.patch
-Patch6038: 0038-release-branch.go1.19-net-textproto-mime-multipart-i.patch
-Patch6039: 0039-release-branch.go1.19-mime-multipart-limit-parsed-mi.patch
-Patch6040: 0040-Backport-html-template-emit-filterFailsafe-for-empty.patch
-Patch6041: 0041-Backport-html-template-handle-all-JS-whitespace-char.patch
-Patch6042: 0042-Backport-html-template-disallow-angle-brackets-in-CS.patch
-Patch6043: 0043-Backport-runtime-implement-SUID-SGID-protections.patch
-Patch6044: 0044-Backport-cmd-go-disallow-package-directories-contain.patch
-Patch6045: 0045-Backport-cmd-go-enforce-flags-with-non-optional-argu.patch
-Patch6046: 0046-Backport-cmd-go-cmd-cgo-in-_cgo_flags-use-one-line-p.patch
-Patch6047: 0047-Backport-net-http-validate-Host-header-before-sendin.patch
+Patch6024: backport-0024-release-branch.go1.18-add-definition-byte-string-cut.patch
+Patch6025: backport-0025-release-branch.go1.17-crypto-elliptic-make-IsOnCurve.patch
+Patch6026: backport-0026-release-branch.go1.17-cmd-go-internal-modfetch-do-no.patch
+Patch6027: backport-0027-release-branch.go1.17-regexp-syntax-reject-very-deep.patch
+Patch6028: backport-0028-release-branch.go1.17-net-http-update-bundled-golang.patch
+Patch6029: backport-0029-release-branch.go1.17-math-big-prevent-overflow-in-R.patch
+Patch6030: backport-0030-release-branch.go1.18-net-http-update-bundled-golang.patch
+Patch6031: backport-0031-all-update-vendored-golang.org-x-net.patch
+Patch6032: backport-0032-crypto-tls-replace-all-usages-of-BytesOrPanic.patch
+Patch6033: backport-0033-mime-multipart-limit-memory-inode-consumption-of-Rea.patch
+Patch6034: backport-0034-release-branch.go1.19-net-textproto-avoid-overpredic.patch
+Patch6035: backport-0035-release-branch.go1.19-go-scanner-reject-large-line-a.patch
+Patch6036: backport-0036-release-branch.go1.19-html-template-disallow-actions.patch
+Patch6037: backport-0037-release-branch.go1.19-mime-multipart-avoid-excessive.patch
+Patch6038: backport-0038-release-branch.go1.19-net-textproto-mime-multipart-i.patch
+Patch6039: backport-0039-release-branch.go1.19-mime-multipart-limit-parsed-mi.patch
+Patch6040: backport-0040-Backport-html-template-emit-filterFailsafe-for-empty.patch
+Patch6041: backport-0041-Backport-html-template-handle-all-JS-whitespace-char.patch
+Patch6042: backport-0042-Backport-html-template-disallow-angle-brackets-in-CS.patch
+Patch6043: backport-0043-Backport-runtime-implement-SUID-SGID-protections.patch
+Patch6044: backport-0044-Backport-cmd-go-disallow-package-directories-contain.patch
+Patch6045: backport-0045-Backport-cmd-go-enforce-flags-with-non-optional-argu.patch
+Patch6046: 
backport-0046-Backport-cmd-go-cmd-cgo-in-_cgo_flags-use-one-line-p.patch +Patch6047: backport-0047-Backport-net-http-validate-Host-header-before-sendin.patch +Patch6048: backport-0048-crypto-tls-restrict-RSA-keys-in-certificates-to-8192.patch ExclusiveArch: %{golang_arches} @@ -404,6 +405,11 @@ if [ $1 = 0 ]; then %{_sbindir}/update-alternatives --remove go %{goroot}/bin/go fi +%posttrans +if [ ! -f "%{_bindir}/go" ]; then + %{_sbindir}/update-alternatives --install %{_bindir}/go go %{goroot}/bin/go 90 --slave %{_bindir}/gofmt gofmt %{goroot}/bin/gofmt +fi + %if %{shared} %files -f go-pkg.list -f go-shared.list %else 
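Review bot: The `backport-00NN-*.patch` sources that Patch6024–Patch6048 now point at are not added or renamed anywhere in this series, and the only new file (added in 2/4) is named `0048-Backport-crypto-tls-restrict-RSA-keys-in-certificates-to-8192.patch`, not the `backport-0048-...` spelled here, so the spec as of this commit cannot locate its patches. 3/4 reverts this commit wholesale and 4/4 re-adds Patch6048 under the name that actually exists, which leaves 1/4 and 3/4 as a no-op pair in history; consider dropping both so a bisect never lands on a spec that does not build. The `%{subr}` macro used in the new Release field is not defined in any visible hunk — if it is meant to survive, its definition belongs in the same change.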
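Review bot: The new `%posttrans` that re-registers the `go` alternative when `%{_bindir}/go` is absent is removed again by 3/4 and never restored by 4/4, so the final spec in this series carries no `%posttrans` at all; if this upgrade-path repair is intended, it needs to move into 4/4 rather than be lost with the revert. A one-line comment above the scriptlet saying why re-registration is needed (`# re-register the alternative if a previous %preun removed it during upgrade`) would also make the intent survive the next cleanup. The `if [ $1 = 0 ]` block above belongs to a scriptlet whose header is outside the hunk.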
@@ -435,55 +441,61 @@ fi %files devel -f go-tests.list -f go-misc.list -f go-src.list %changelog -* Fri Jul 21 2023 hanchao - 1.17.3-20 +* Mon Aug 14 2023 hanchao - 1.17.3-12.%{subr}8 +- Type:CVE +- CVE:CVE-2023-29409 +- SUG:NA +- DESC:fix CVE-2023-29409 + +* Fri Jul 21 2023 hanchao - 1.17.3-12.%{subr}7 - Type:CVE - CVE:CVE-2023-29406 - SUG:NA - DESC:fix CVE-2023-29406 -* Wed Jun 21 2023 hanchao - 1.17.3-19 +* Fri Jun 23 2023 hanchao - 1.17.3-12.%{subr}6 - Type:CVE - CVE:CVE-2023-29402,CVE-2023-29403,CVE-2023-29404,CVE-2023-29405 - SUG:NA - DESC:fix CVE-2023-29402,CVE-2023-29403,CVE-2023-29404,CVE-2023-29405 -* Mon May 22 2023 hanchao - 1.17.3-18 +* Thu May 25 2023 hanchao - 1.17.3-12.%{subr}5 - Type:CVE -- CVE:CVE-2023-29400,CVE-2023-24539,CVE-2023-24540 +- CVE:CVE-2023-24539,CVE-2023-24540,CVE-2023-29400 - SUG:NA -- DESC: fix CVE-2023-29400,CVE-2023-24539,CVE-2023-24540 +- DESC:fix CVE-2023-24539,CVE-2023-24540,CVE-2023-29400 -* Thu Apr 13 2023 hanchao - 1.17.3-17 -- Type:CVE -- CVE:CVE-2023-24534,CVE-2023-24536,CVE-2023-24537,CVE-2023-24538 +* Fri Apr 28 2023 zhangsong - 1.17.3-12.%{subr}4 +- Type:bugfix +- CVE: - SUG:NA -- DESC: fix CVE-2023-24534,CVE-2023-24536,CVE-2023-24537,CVE-2023-24538 +- DESC:use subr instead of hardcoding 'h' -* Thu Apr 13 2023 penghaitao - 1.17.3-16 -- fix bogus date in %changelog +* Thu Apr 27 2023 hanchao - 1.17.3-12.%{subr}3 +- Type:bugfix +- CVE: +- SUG:NA +- DESC:change 'h' to Macro 'subr' -* Tue Mar 21 2023 hanchao - 1.17.3-15 -- Type:CVE -- CVE:CVE-2022-41723,CVE-2022-41724,CVE-2022-41725 +* Tue Apr 25 2023 hanchao - 1.17.3-12.%{subr}2 +- Type:bugfix +- CVE: - SUG:NA -- DESC: fix CVE-2022-41723,CVE-2022-41724,CVE-2022-41725 +- DESC:golang remove pcre-devel dependency -* Fri Jan 20 2023 hanchao - 1.17.3-14 +* Fri Jan 20 2023 hanchao - 1.17.3-12.%{subr}1 - Type:CVE -- CVE:CVE-2022-23806,CVE-2022-23773,CVE-2022-24921,CVE-2021-44716,CVE-2022-23772,CVE-2022-41717 +- 
CVE:CVE-2022-23806,CVE-2022-23773,CVE-2022-24921,CVE-2021-44716,CVE-2022-23772,CVE-2022-41717,CVE-2022-41723,CVE-2022-41724,CVE-2022-41725,CVE-2023-24534,CVE-2023-24536,CVE-2023-24537,CVE-2023-24538 - SUG:NA -- DESC: fix CVE-2022-23806,CVE-2022-23773,CVE-2022-24921,CVE-2021-44716,CVE-2022-23772,CVE-2022-41717 - -* Sat Dec 17 2022 wanglimin - 1.17.3-13 -- Add string cut +- DESC: fix CVE-2022-23806,CVE-2022-23773,CVE-2022-24921,CVE-2021-44716,CVE-2022-23772,CVE-2022-41717,CVE-2022-41723,CVE-2022-41724,CVE-2022-41725,CVE-2023-24534,CVE-2023-24536,CVE-2023-24537,CVE-2023-24538 -* Tue Oct 11 2022 hanchao - 1.17.3-12 +* Fri Oct 11 2022 hanchao - 1.17.3-12 - Type:CVE - CVE:CVE-2022-41716 - SUG:NA - DESC: remove hard code and strong dependency of git, subversion and mercurial -* Tue Oct 11 2022 hanchao - 1.17.3-11 +* Fri Oct 11 2022 hanchao - 1.17.3-11 - Type:CVE - CVE:CVE-2022-41716 - SUG:NA -- Gitee From 6939332950d56610b8ee43bcc3ff7e8b3a2ca758 Mon Sep 17 00:00:00 2001 From: LuoYujie Date: Mon, 14 Aug 2023 03:04:41 +0000 Subject: [PATCH 2/4] add 0048-Backport-crypto-tls-restrict-RSA-keys-in-certificates-to-8192.patch. Signed-off-by: LuoYujie --- ...ict-RSA-keys-in-certificates-to-8192.patch | 233 ++++++++++++++++++ 1 file changed, 233 insertions(+) create mode 100644 0048-Backport-crypto-tls-restrict-RSA-keys-in-certificates-to-8192.patch diff --git a/0048-Backport-crypto-tls-restrict-RSA-keys-in-certificates-to-8192.patch b/0048-Backport-crypto-tls-restrict-RSA-keys-in-certificates-to-8192.patch new file mode 100644 index 0000000..7674e24 --- /dev/null +++ b/0048-Backport-crypto-tls-restrict-RSA-keys-in-certificates-to-8192.patch 
@@ -0,0 +1,233 @@ +From aac702c23d02f2e66cab136fd85368a9850bf829 Mon Sep 17 00:00:00 2001 +From: Roland Shoemaker +Date: Wed, 7 Jun 2023 15:27:13 -0700 +Subject: [PATCH] crypto/tls: restrict RSA keys in certificates to <= 8192 bits + +Extremely large RSA keys in certificate chains can cause a client/server +to expend significant CPU time verifying signatures. Limit this by +restricting the size of RSA keys transmitted during handshakes to <= +8192 bits. + +Based on a survey of publicly trusted RSA keys, there are currently only +three certificates in circulation with keys larger than this, and all +three appear to be test certificates that are not actively deployed. It +is possible there are larger keys in use in private PKIs, but we target +the web PKI, so causing breakage here in the interests of increasing the +default safety of users of crypto/tls seems reasonable. + +Thanks to Mateusz Poliwczak for reporting this issue. + +Fixes #61460 +Fixes CVE-2023-29409 + +Change-Id: Ie35038515a649199a36a12fc2c5df3af855dca6c +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1912161 +Reviewed-by: Damien Neil +Reviewed-by: Tatiana Bradley +Run-TryBot: Roland Shoemaker +Reviewed-on: https://go-review.googlesource.com/c/go/+/515257 +TryBot-Result: Gopher Robot +Auto-Submit: David Chase +Run-TryBot: David Chase +--- + src/crypto/tls/handshake_client.go | 11 +- + src/crypto/tls/handshake_client_test.go | 141 ++++++++++++++++++++++++ + src/crypto/tls/handshake_server.go | 4 + + 3 files changed, 155 insertions(+), 1 deletion(-) + +diff --git a/src/crypto/tls/handshake_client.go b/src/crypto/tls/handshake_client.go +index 85622f159b..708d264ae8 100644 +--- a/src/crypto/tls/handshake_client.go ++++ b/src/crypto/tls/handshake_client.go +@@ -852,6 +852,10 @@ func (hs *clientHandshakeState) sendFinished(out []byte) error { + return nil + } + ++// maxRSAKeySize is the maximum RSA key size in bits that we are willing ++// to verify the signatures of during a TLS 
handshake. ++const maxRSAKeySize = 8192 ++ + // verifyServerCertificate parses and verifies the provided chain, setting + // c.verifiedChains and c.peerCertificates or sending the appropriate alert. + func (c *Conn) verifyServerCertificate(certificates [][]byte) error { +@@ -862,7 +866,12 @@ func (c *Conn) verifyServerCertificate(certificates [][]byte) error { + c.sendAlert(alertBadCertificate) + return errors.New("tls: failed to parse certificate from server: " + err.Error()) + } +- certs[i] = cert ++ if cert.cert.PublicKeyAlgorithm == x509.RSA && cert.cert.PublicKey.(*rsa.PublicKey).N.BitLen() > maxRSAKeySize { ++ c.sendAlert(alertBadCertificate) ++ return fmt.Errorf("tls: server sent certificate containing RSA key larger than %d bits", maxRSAKeySize) ++ } ++ activeHandles[i] = cert ++ certs[i] = cert.cert + } + + if !c.config.InsecureSkipVerify { +diff --git a/src/crypto/tls/handshake_client_test.go b/src/crypto/tls/handshake_client_test.go +index 0228745155..f92d22ac97 100644 +--- a/src/crypto/tls/handshake_client_test.go ++++ b/src/crypto/tls/handshake_client_test.go +@@ -2595,3 +2595,144 @@ func TestClientHandshakeContextCancellation(t *testing.T) { + t.Error("Client connection was not closed when the context was canceled") + } + } ++ ++// TestTLS13OnlyClientHelloCipherSuite tests that when a client states that ++// it only supports TLS 1.3, it correctly advertises only TLS 1.3 ciphers. 
++func TestTLS13OnlyClientHelloCipherSuite(t *testing.T) { ++ tls13Tests := []struct { ++ name string ++ ciphers []uint16 ++ }{ ++ { ++ name: "nil", ++ ciphers: nil, ++ }, ++ { ++ name: "empty", ++ ciphers: []uint16{}, ++ }, ++ { ++ name: "some TLS 1.2 cipher", ++ ciphers: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256}, ++ }, ++ { ++ name: "some TLS 1.3 cipher", ++ ciphers: []uint16{TLS_AES_128_GCM_SHA256}, ++ }, ++ { ++ name: "some TLS 1.2 and 1.3 ciphers", ++ ciphers: []uint16{TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_AES_256_GCM_SHA384}, ++ }, ++ } ++ for _, tt := range tls13Tests { ++ tt := tt ++ t.Run(tt.name, func(t *testing.T) { ++ t.Parallel() ++ testTLS13OnlyClientHelloCipherSuite(t, tt.ciphers) ++ }) ++ } ++} ++ ++func testTLS13OnlyClientHelloCipherSuite(t *testing.T, ciphers []uint16) { ++ serverConfig := &Config{ ++ Certificates: testConfig.Certificates, ++ GetConfigForClient: func(chi *ClientHelloInfo) (*Config, error) { ++ if len(chi.CipherSuites) != len(defaultCipherSuitesTLS13NoAES) { ++ t.Errorf("only TLS 1.3 suites should be advertised, got=%x", chi.CipherSuites) ++ } else { ++ for i := range defaultCipherSuitesTLS13NoAES { ++ if want, got := defaultCipherSuitesTLS13NoAES[i], chi.CipherSuites[i]; want != got { ++ t.Errorf("cipher at index %d does not match, want=%x, got=%x", i, want, got) ++ } ++ } ++ } ++ return nil, nil ++ }, ++ } ++ clientConfig := &Config{ ++ MinVersion: VersionTLS13, // client only supports TLS 1.3 ++ CipherSuites: ciphers, ++ InsecureSkipVerify: true, ++ } ++ if _, _, err := testHandshake(t, clientConfig, serverConfig); err != nil { ++ t.Fatalf("handshake failed: %s", err) ++ } ++} ++ ++// discardConn wraps a net.Conn but discards all writes, but reports that they happened. 
++type discardConn struct { ++ net.Conn ++} ++ ++func (dc *discardConn) Write(data []byte) (int, error) { ++ return len(data), nil ++} ++ ++// largeRSAKeyCertPEM contains a 8193 bit RSA key ++const largeRSAKeyCertPEM = `-----BEGIN CERTIFICATE----- ++MIIInjCCBIWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDEwd0ZXN0 ++aW5nMB4XDTIzMDYwNzIxMjMzNloXDTIzMDYwNzIzMjMzNlowEjEQMA4GA1UEAxMH ++dGVzdGluZzCCBCIwDQYJKoZIhvcNAQEBBQADggQPADCCBAoCggQBAWdHsf6Rh2Ca ++n2SQwn4t4OQrOjbLLdGE1pM6TBKKrHUFy62uEL8atNjlcfXIsa4aEu3xNGiqxqur ++ZectlkZbm0FkaaQ1Wr9oikDY3KfjuaXdPdO/XC/h8AKNxlDOylyXwUSK/CuYb+1j ++gy8yF5QFvVfwW/xwTlHmhUeSkVSQPosfQ6yXNNsmMzkd+ZPWLrfq4R+wiNtwYGu0 ++WSBcI/M9o8/vrNLnIppoiBJJ13j9CR1ToEAzOFh9wwRWLY10oZhoh1ONN1KQURx4 ++qedzvvP2DSjZbUccdvl2rBGvZpzfOiFdm1FCnxB0c72Cqx+GTHXBFf8bsa7KHky9 ++sNO1GUanbq17WoDNgwbY6H51bfShqv0CErxatwWox3we4EcAmFHPVTCYL1oWVMGo ++a3Eth91NZj+b/nGhF9lhHKGzXSv9brmLLkfvM1jA6XhNhA7BQ5Vz67lj2j3XfXdh ++t/BU5pBXbL4Ut4mIhT1YnKXAjX2/LF5RHQTE8Vwkx5JAEKZyUEGOReD/B+7GOrLp ++HduMT9vZAc5aR2k9I8qq1zBAzsL69lyQNAPaDYd1BIAjUety9gAYaSQffCgAgpRO ++Gt+DYvxS+7AT/yEd5h74MU2AH7KrAkbXOtlwupiGwhMVTstncDJWXMJqbBhyHPF8 ++3UmZH0hbL4PYmzSj9LDWQQXI2tv6vrCpfts3Cqhqxz9vRpgY7t1Wu6l/r+KxYYz3 ++1pcGpPvRmPh0DJm7cPTiXqPnZcPt+ulSaSdlxmd19OnvG5awp0fXhxryZVwuiT8G ++VDkhyARrxYrdjlINsZJZbQjO0t8ketXAELJOnbFXXzeCOosyOHkLwsqOO96AVJA8 ++45ZVL5m95ClGy0RSrjVIkXsxTAMVG6SPAqKwk6vmTdRGuSPS4rhgckPVDHmccmuq ++dfnT2YkX+wB2/M3oCgU+s30fAHGkbGZ0pCdNbFYFZLiH0iiMbTDl/0L/z7IdK0nH ++GLHVE7apPraKC6xl6rPWsD2iSfrmtIPQa0+rqbIVvKP5JdfJ8J4alI+OxFw/znQe ++V0/Rez0j22Fe119LZFFSXhRv+ZSvcq20xDwh00mzcumPWpYuCVPozA18yIhC9tNn ++ALHndz0tDseIdy9vC71jQWy9iwri3ueN0DekMMF8JGzI1Z6BAFzgyAx3DkHtwHg7 ++B7qD0jPG5hJ5+yt323fYgJsuEAYoZ8/jzZ01pkX8bt+UsVN0DGnSGsI2ktnIIk3J ++l+8krjmUy6EaW79nITwoOqaeHOIp8m3UkjEcoKOYrzHRKqRy+A09rY+m/cAQaafW ++4xp0Zv7qZPLwnu0jsqB4jD8Ll9yPB02ndsoV6U5PeHzTkVhPml19jKUAwFfs7TJg ++kXy+/xFhYVUCAwEAATANBgkqhkiG9w0BAQsFAAOCBAIAAQnZY77pMNeypfpba2WK ++aDasT7dk2JqP0eukJCVPTN24Zca+xJNPdzuBATm/8SdZK9lddIbjSnWRsKvTnO2r 
++/rYdlPf3jM5uuJtb8+Uwwe1s+gszelGS9G/lzzq+ehWicRIq2PFcs8o3iQMfENiv ++qILJ+xjcrvms5ZPDNahWkfRx3KCg8Q+/at2n5p7XYjMPYiLKHnDC+RE2b1qT20IZ ++FhuK/fTWLmKbfYFNNga6GC4qcaZJ7x0pbm4SDTYp0tkhzcHzwKhidfNB5J2vNz6l ++Ur6wiYwamFTLqcOwWo7rdvI+sSn05WQBv0QZlzFX+OAu0l7WQ7yU+noOxBhjvHds ++14+r9qcQZg2q9kG+evopYZqYXRUNNlZKo9MRBXhfrISulFAc5lRFQIXMXnglvAu+ ++Ipz2gomEAOcOPNNVldhKAU94GAMJd/KfN0ZP7gX3YvPzuYU6XDhag5RTohXLm18w ++5AF+ES3DOQ6ixu3DTf0D+6qrDuK+prdX8ivcdTQVNOQ+MIZeGSc6NWWOTaMGJ3lg ++aZIxJUGdo6E7GBGiC1YTjgFKFbHzek1LRTh/LX3vbSudxwaG0HQxwsU9T4DWiMqa ++Fkf2KteLEUA6HrR+0XlAZrhwoqAmrJ+8lCFX3V0gE9lpENfVHlFXDGyx10DpTB28 ++DdjnY3F7EPWNzwf9P3oNT69CKW3Bk6VVr3ROOJtDxVu1ioWo3TaXltQ0VOnap2Pu ++sa5wfrpfwBDuAS9JCDg4ttNp2nW3F7tgXC6xPqw5pvGwUppEw9XNrqV8TZrxduuv ++rQ3NyZ7KSzIpmFlD3UwV/fGfz3UQmHS6Ng1evrUID9DjfYNfRqSGIGjDfxGtYD+j ++Z1gLJZuhjJpNtwBkKRtlNtrCWCJK2hidK/foxwD7kwAPo2I9FjpltxCRywZUs07X ++KwXTfBR9v6ij1LV6K58hFS+8ezZyZ05CeVBFkMQdclTOSfuPxlMkQOtjp8QWDj+F ++j/MYziT5KBkHvcbrjdRtUJIAi4N7zCsPZtjik918AK1WBNRVqPbrgq/XSEXMfuvs ++6JbfK0B76vdBDRtJFC1JsvnIrGbUztxXzyQwFLaR/AjVJqpVlysLWzPKWVX6/+SJ ++u1NQOl2E8P6ycyBsuGnO89p0S4F8cMRcI2X1XQsZ7/q0NBrOMaEp5T3SrWo9GiQ3 ++o2SBdbs3Y6MBPBtTu977Z/0RO63J3M5i2tjUiDfrFy7+VRLKr7qQ7JibohyB8QaR ++9tedgjn2f+of7PnP/PEl1cCphUZeHM7QKUMPT8dbqwmKtlYY43EHXcvNOT5IBk3X ++9lwJoZk/B2i+ZMRNSP34ztAwtxmasPt6RAWGQpWCn9qmttAHAnMfDqe7F7jVR6rS ++u58= ++-----END CERTIFICATE-----` ++ ++func TestHandshakeRSATooBig(t *testing.T) { ++ testCert, _ := pem.Decode([]byte(largeRSAKeyCertPEM)) ++ ++ c := &Conn{conn: &discardConn{}, config: testConfig.Clone()} ++ ++ expectedErr := "tls: server sent certificate containing RSA key larger than 8192 bits" ++ err := c.verifyServerCertificate([][]byte{testCert.Bytes}) ++ if err == nil || err.Error() != expectedErr { ++ t.Errorf("Conn.verifyServerCertificate unexpected error: want %q, got %q", expectedErr, err) ++ } ++ ++ expectedErr = "tls: client sent certificate containing RSA key larger than 8192 bits" ++ err = 
c.processCertsFromClient(Certificate{Certificate: [][]byte{testCert.Bytes}}) ++ if err == nil || err.Error() != expectedErr { ++ t.Errorf("Conn.processCertsFromClient unexpected error: want %q, got %q", expectedErr, err) ++ } ++} +diff --git a/src/crypto/tls/handshake_server.go b/src/crypto/tls/handshake_server.go +index 8d51e7e55f..a5d8f4a9a8 100644 +--- a/src/crypto/tls/handshake_server.go ++++ b/src/crypto/tls/handshake_server.go +@@ -812,6 +812,10 @@ func (c *Conn) processCertsFromClient(certificate Certificate) error { + c.sendAlert(alertBadCertificate) + return errors.New("tls: failed to parse client certificate: " + err.Error()) + } ++ if certs[i].PublicKeyAlgorithm == x509.RSA && certs[i].PublicKey.(*rsa.PublicKey).N.BitLen() > maxRSAKeySize { ++ c.sendAlert(alertBadCertificate) ++ return fmt.Errorf("tls: client sent certificate containing RSA key larger than %d bits", maxRSAKeySize) ++ } + } + + if len(certs) == 0 && requiresClientCert(c.config.ClientAuth) { +-- +2.33.0 + -- Gitee From 6a4582817d98bc625baaf5115e6ffb6b93a997a7 Mon Sep 17 00:00:00 2001 From: LuoYujie Date: Mon, 14 Aug 2023 03:06:44 +0000 Subject: [PATCH 3/4] Revert "update golang.spec." This reverts commit 40fd5bde39898309974b9032a033a5bbd6aa1839. --- golang.spec | 110 +++++++++++++++++++++++----------------------------- 1 file changed, 49 insertions(+), 61 deletions(-) diff --git a/golang.spec b/golang.spec index bc530f2..123995c 100644 --- a/golang.spec +++ b/golang.spec @@ -63,7 +63,7 @@ Name: golang Version: 1.17.3 -Release: 12.%{subr}8 +Release: 20 Summary: The Go Programming Language License: BSD and Public Domain URL: https://golang.org/ @@ -76,7 +76,7 @@ BuildRequires: golang > 1.4 %endif BuildRequires: hostname # for tests -BuildRequires: glibc-static, perl-interpreter, procps-ng +BuildRequires: pcre-devel, glibc-static, perl-interpreter, procps-ng Provides: go = %{version}-%{release} Requires: %{name}-devel = %{version}-%{release} 
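Review bot: The verifyServerCertificate hunk of the backported patch replaces `certs[i] = cert` with `activeHandles[i] = cert` and `certs[i] = cert.cert`, and tests `cert.cert.PublicKeyAlgorithm`, but the removed line shows that in this tree `cert` is still the `*x509.Certificate` returned by x509.ParseCertificate, so `activeHandles` and `cert.cert` are undefined here unless an earlier patch in the series introduced the certificate-cache handle type (not visible). The check should read `if cert.PublicKeyAlgorithm == x509.RSA && cert.PublicKey.(*rsa.PublicKey).N.BitLen() > maxRSAKeySize {` with the original `certs[i] = cert` kept, matching the form the processCertsFromClient hunk already uses (`certs[i].PublicKeyAlgorithm`); the hunk adds no imports, so it also assumes `fmt` and `crypto/rsa` are already imported in handshake_client.go. The test hunk additionally carries TestTLS13OnlyClientHelloCipherSuite, which is unrelated to CVE-2023-29409 and asserts ClientHello cipher-suite behaviour that may not hold in this tree; confirm `go test crypto/tls` passes with the patch applied or drop that test and keep only discardConn, largeRSAKeyCertPEM and TestHandshakeRSATooBig. The body of verifyServerCertificate continues outside the inner hunk.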
@@ -173,31 +173,30 @@ Patch6020: 0020-release-branch.go1.18-regexp-limit-size-of-parsed-re.patch
 Patch6021: 0021-release-branch.go1.18-net-http-httputil-avoid-query-.patch
 Patch6022: 0022-release-branch.go1.18-archive-tar-limit-size-of-head.patch
 Patch6023: 0023-syscall-os-exec-reject-environment-variables-contain.patch
-Patch6024: backport-0024-release-branch.go1.18-add-definition-byte-string-cut.patch
-Patch6025: backport-0025-release-branch.go1.17-crypto-elliptic-make-IsOnCurve.patch
-Patch6026: backport-0026-release-branch.go1.17-cmd-go-internal-modfetch-do-no.patch
-Patch6027: backport-0027-release-branch.go1.17-regexp-syntax-reject-very-deep.patch
-Patch6028: backport-0028-release-branch.go1.17-net-http-update-bundled-golang.patch
-Patch6029: backport-0029-release-branch.go1.17-math-big-prevent-overflow-in-R.patch
-Patch6030: backport-0030-release-branch.go1.18-net-http-update-bundled-golang.patch
-Patch6031: backport-0031-all-update-vendored-golang.org-x-net.patch
-Patch6032: backport-0032-crypto-tls-replace-all-usages-of-BytesOrPanic.patch
-Patch6033: backport-0033-mime-multipart-limit-memory-inode-consumption-of-Rea.patch
-Patch6034: backport-0034-release-branch.go1.19-net-textproto-avoid-overpredic.patch
-Patch6035: backport-0035-release-branch.go1.19-go-scanner-reject-large-line-a.patch
-Patch6036: backport-0036-release-branch.go1.19-html-template-disallow-actions.patch
-Patch6037: backport-0037-release-branch.go1.19-mime-multipart-avoid-excessive.patch
-Patch6038: backport-0038-release-branch.go1.19-net-textproto-mime-multipart-i.patch
-Patch6039: backport-0039-release-branch.go1.19-mime-multipart-limit-parsed-mi.patch
-Patch6040: backport-0040-Backport-html-template-emit-filterFailsafe-for-empty.patch
-Patch6041: backport-0041-Backport-html-template-handle-all-JS-whitespace-char.patch
-Patch6042: backport-0042-Backport-html-template-disallow-angle-brackets-in-CS.patch
-Patch6043: backport-0043-Backport-runtime-implement-SUID-SGID-protections.patch
-Patch6044: backport-0044-Backport-cmd-go-disallow-package-directories-contain.patch
-Patch6045: backport-0045-Backport-cmd-go-enforce-flags-with-non-optional-argu.patch
-Patch6046: backport-0046-Backport-cmd-go-cmd-cgo-in-_cgo_flags-use-one-line-p.patch
-Patch6047: backport-0047-Backport-net-http-validate-Host-header-before-sendin.patch
-Patch6048: backport-0048-crypto-tls-restrict-RSA-keys-in-certificates-to-8192.patch
+Patch6024: 0024-release-branch.go1.18-add-definition-byte-string-cut.patch
+Patch6025: 0025-release-branch.go1.17-crypto-elliptic-make-IsOnCurve.patch
+Patch6026: 0026-release-branch.go1.17-cmd-go-internal-modfetch-do-no.patch
+Patch6027: 0027-release-branch.go1.17-regexp-syntax-reject-very-deep.patch
+Patch6028: 0028-release-branch.go1.17-net-http-update-bundled-golang.patch
+Patch6029: 0029-release-branch.go1.17-math-big-prevent-overflow-in-R.patch
+Patch6030: 0030-release-branch.go1.18-net-http-update-bundled-golang.patch
+Patch6031: 0031-all-update-vendored-golang.org-x-net.patch
+Patch6032: 0032-crypto-tls-replace-all-usages-of-BytesOrPanic.patch
+Patch6033: 0033-mime-multipart-limit-memory-inode-consumption-of-Rea.patch
+Patch6034: 0034-release-branch.go1.19-net-textproto-avoid-overpredic.patch
+Patch6035: 0035-release-branch.go1.19-go-scanner-reject-large-line-a.patch
+Patch6036: 0036-release-branch.go1.19-html-template-disallow-actions.patch
+Patch6037: 0037-release-branch.go1.19-mime-multipart-avoid-excessive.patch
+Patch6038: 0038-release-branch.go1.19-net-textproto-mime-multipart-i.patch
+Patch6039: 0039-release-branch.go1.19-mime-multipart-limit-parsed-mi.patch
+Patch6040: 0040-Backport-html-template-emit-filterFailsafe-for-empty.patch
+Patch6041: 0041-Backport-html-template-handle-all-JS-whitespace-char.patch
+Patch6042: 0042-Backport-html-template-disallow-angle-brackets-in-CS.patch
+Patch6043: 0043-Backport-runtime-implement-SUID-SGID-protections.patch
+Patch6044: 0044-Backport-cmd-go-disallow-package-directories-contain.patch
+Patch6045: 0045-Backport-cmd-go-enforce-flags-with-non-optional-argu.patch +Patch6046: 0046-Backport-cmd-go-cmd-cgo-in-_cgo_flags-use-one-line-p.patch +Patch6047: 0047-Backport-net-http-validate-Host-header-before-sendin.patch ExclusiveArch: %{golang_arches} @@ -405,11 +404,6 @@ if [ $1 = 0 ]; then %{_sbindir}/update-alternatives --remove go %{goroot}/bin/go fi -%posttrans -if [ ! -f "%{_bindir}/go" ]; then - %{_sbindir}/update-alternatives --install %{_bindir}/go go %{goroot}/bin/go 90 --slave %{_bindir}/gofmt gofmt %{goroot}/bin/gofmt -fi - %if %{shared} %files -f go-pkg.list -f go-shared.list %else 
@@ -441,61 +435,55 @@ fi %files devel -f go-tests.list -f go-misc.list -f go-src.list %changelog -* Mon Aug 14 2023 hanchao - 1.17.3-12.%{subr}8 -- Type:CVE -- CVE:CVE-2023-29409 -- SUG:NA -- DESC:fix CVE-2023-29409 - -* Fri Jul 21 2023 hanchao - 1.17.3-12.%{subr}7 +* Fri Jul 21 2023 hanchao - 1.17.3-20 - Type:CVE - CVE:CVE-2023-29406 - SUG:NA - DESC:fix CVE-2023-29406 -* Fri Jun 23 2023 hanchao - 1.17.3-12.%{subr}6 +* Wed Jun 21 2023 hanchao - 1.17.3-19 - Type:CVE - CVE:CVE-2023-29402,CVE-2023-29403,CVE-2023-29404,CVE-2023-29405 - SUG:NA - DESC:fix CVE-2023-29402,CVE-2023-29403,CVE-2023-29404,CVE-2023-29405 -* Thu May 25 2023 hanchao - 1.17.3-12.%{subr}5 +* Mon May 22 2023 hanchao - 1.17.3-18 - Type:CVE -- CVE:CVE-2023-24539,CVE-2023-24540,CVE-2023-29400 +- CVE:CVE-2023-29400,CVE-2023-24539,CVE-2023-24540 - SUG:NA -- DESC:fix CVE-2023-24539,CVE-2023-24540,CVE-2023-29400 +- DESC: fix CVE-2023-29400,CVE-2023-24539,CVE-2023-24540 -* Fri Apr 28 2023 zhangsong - 1.17.3-12.%{subr}4 -- Type:bugfix -- CVE: +* Thu Apr 13 2023 hanchao - 1.17.3-17 +- Type:CVE +- CVE:CVE-2023-24534,CVE-2023-24536,CVE-2023-24537,CVE-2023-24538 - SUG:NA -- DESC:use subr instead of hardcoding 'h' +- DESC: fix CVE-2023-24534,CVE-2023-24536,CVE-2023-24537,CVE-2023-24538 -* Thu Apr 27 2023 hanchao - 1.17.3-12.%{subr}3 -- Type:bugfix -- CVE: -- SUG:NA -- DESC:change 'h' to Macro 'subr' +* Thu Apr 13 2023 penghaitao - 1.17.3-16 +- fix bogus date in %changelog -* Tue Apr 25 2023 hanchao - 1.17.3-12.%{subr}2 -- Type:bugfix -- CVE: +* Tue Mar 21 2023 hanchao - 1.17.3-15 +- Type:CVE +- CVE:CVE-2022-41723,CVE-2022-41724,CVE-2022-41725 - SUG:NA -- DESC:golang remove pcre-devel dependency +- DESC: fix CVE-2022-41723,CVE-2022-41724,CVE-2022-41725 -* Fri Jan 20 2023 hanchao - 1.17.3-12.%{subr}1 +* Fri Jan 20 2023 hanchao - 1.17.3-14 - Type:CVE -- 
CVE:CVE-2022-23806,CVE-2022-23773,CVE-2022-24921,CVE-2021-44716,CVE-2022-23772,CVE-2022-41717,CVE-2022-41723,CVE-2022-41724,CVE-2022-41725,CVE-2023-24534,CVE-2023-24536,CVE-2023-24537,CVE-2023-24538 +- CVE:CVE-2022-23806,CVE-2022-23773,CVE-2022-24921,CVE-2021-44716,CVE-2022-23772,CVE-2022-41717 - SUG:NA -- DESC: fix CVE-2022-23806,CVE-2022-23773,CVE-2022-24921,CVE-2021-44716,CVE-2022-23772,CVE-2022-41717,CVE-2022-41723,CVE-2022-41724,CVE-2022-41725,CVE-2023-24534,CVE-2023-24536,CVE-2023-24537,CVE-2023-24538 +- DESC: fix CVE-2022-23806,CVE-2022-23773,CVE-2022-24921,CVE-2021-44716,CVE-2022-23772,CVE-2022-41717 + +* Sat Dec 17 2022 wanglimin - 1.17.3-13 +- Add string cut -* Fri Oct 11 2022 hanchao - 1.17.3-12 +* Tue Oct 11 2022 hanchao - 1.17.3-12 - Type:CVE - CVE:CVE-2022-41716 - SUG:NA - DESC: remove hard code and strong dependency of git, subversion and mercurial -* Fri Oct 11 2022 hanchao - 1.17.3-11 +* Tue Oct 11 2022 hanchao - 1.17.3-11 - Type:CVE - CVE:CVE-2022-41716 - SUG:NA -- Gitee From 8a57b25c3641adb88d8e7562f436e7aeef8d9024 Mon Sep 17 00:00:00 2001 From: LuoYujie Date: Mon, 14 Aug 2023 03:10:41 +0000 Subject: [PATCH 4/4] update golang.spec. Signed-off-by: LuoYujie --- golang.spec | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/golang.spec b/golang.spec index 123995c..badc2a1 100644 --- a/golang.spec +++ b/golang.spec @@ -63,7 +63,7 @@ Name: golang Version: 1.17.3 -Release: 20 +Release: 21 Summary: The Go Programming Language License: BSD and Public Domain URL: https://golang.org/ @@ -197,6 +197,7 @@ Patch6044: 0044-Backport-cmd-go-disallow-package-directories-contain.patch Patch6045: 0045-Backport-cmd-go-enforce-flags-with-non-optional-argu.patch Patch6046: 0046-Backport-cmd-go-cmd-cgo-in-_cgo_flags-use-one-line-p.patch Patch6047: 0047-Backport-net-http-validate-Host-header-before-sendin.patch +Patch6048: 0048-Backport-crypto-tls-restrict-RSA-keys-in-certificates-to-8192.patch ExclusiveArch: %{golang_arches} 
@@ -435,6 +436,12 @@ fi %files devel -f go-tests.list -f go-misc.list -f go-src.list %changelog +* Mon Aug 14 2023 hanchao - 1.17.3-21 +- Type:CVE +- CVE:CVE-2023-29409 +- SUG:NA +- DESC:fix CVE-2023-29409 + * Fri Jul 21 2023 hanchao - 1.17.3-20 - Type:CVE - CVE:CVE-2023-29406 -- Gitee