From aa2d93f05bb6278ebc329356a34e2cfe206f4889 Mon Sep 17 00:00:00 2001 From: sunchendong Date: Mon, 9 Oct 2023 14:27:41 +0800 Subject: [PATCH] fix CVE-2023-39323 --- ...o1.20-cmd-compile-use-absolute-file-.patch | 116 ++++++++++++++++++ golang.spec | 6 +- 2 files changed, 121 insertions(+), 1 deletion(-) create mode 100644 0004-release-branch.go1.20-cmd-compile-use-absolute-file-.patch diff --git a/0004-release-branch.go1.20-cmd-compile-use-absolute-file-.patch b/0004-release-branch.go1.20-cmd-compile-use-absolute-file-.patch new file mode 100644 index 0000000..f40e4d7 --- /dev/null +++ b/0004-release-branch.go1.20-cmd-compile-use-absolute-file-.patch @@ -0,0 +1,116 @@ +From 31d5b604ac0adb58aec4870ac1b974c08312fd49 Mon Sep 17 00:00:00 2001 +From: Ian Lance Taylor +Date: Wed, 20 Sep 2023 16:16:29 -0700 +Subject: [PATCH] [release-branch.go1.20] cmd/compile: use absolute file name + in isCgo check + +For #23672 +Updates #63211 +Fixes #63213 +Fixes CVE-2023-39323 + +Change-Id: I4586a69e1b2560036afec29d53e53cf25e6c7352 +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2032884 +Reviewed-by: Matthew Dempsky +Reviewed-by: Roland Shoemaker +(cherry picked from commit 9b19e751918dd218035811b1ef83a8c2693b864a) +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2037629 +Reviewed-by: Tatiana Bradley +Run-TryBot: Roland Shoemaker +Reviewed-by: Damien Neil +Reviewed-on: https://go-review.googlesource.com/c/go/+/533195 +Auto-Submit: Michael Pratt +Reviewed-by: Ian Lance Taylor +TryBot-Bypass: Michael Pratt +Reviewed-by: Than McIntosh +--- + misc/cgo/errors/errors_test.go | 24 ++++++++++++++++-------- + misc/cgo/errors/testdata/err5.go | 11 +++++++++++ + src/cmd/compile/internal/noder/noder.go | 8 +++++++- + 3 files changed, 34 insertions(+), 9 deletions(-) + create mode 100644 misc/cgo/errors/testdata/err5.go + +diff --git a/misc/cgo/errors/errors_test.go b/misc/cgo/errors/errors_test.go +index 9718b7f9fb..8168032dc3 100644 +--- a/misc/cgo/errors/errors_test.go ++++ b/misc/cgo/errors/errors_test.go +@@ -36,16 +36,23 @@ func check(t *testing.T, file string) { + continue + } + +- _, frag, ok := bytes.Cut(line, []byte("ERROR HERE: ")) +- if !ok { +- continue ++ if _, frag, ok := bytes.Cut(line, []byte("ERROR HERE: ")); ok { ++ re, err := regexp.Compile(fmt.Sprintf(":%d:.*%s", i+1, frag)) ++ if err != nil { ++ t.Errorf("Invalid regexp after `ERROR HERE: `: %#q", frag) ++ continue ++ } ++ errors = append(errors, re) + } +- re, err := regexp.Compile(fmt.Sprintf(":%d:.*%s", i+1, frag)) +- if err != nil { +- t.Errorf("Invalid regexp after `ERROR HERE: `: %#q", frag) +- continue ++ ++ if _, frag, ok := bytes.Cut(line, []byte("ERROR MESSAGE: ")); ok { ++ re, err := regexp.Compile(string(frag)) ++ if err != nil { ++ t.Errorf("Invalid regexp after `ERROR MESSAGE: `: %#q", frag) ++ continue ++ } ++ errors = append(errors, re) + } +- errors = append(errors, re) + } + if len(errors) == 0 { + t.Fatalf("cannot find ERROR HERE") +@@ -106,6 +113,7 @@ func TestReportsTypeErrors(t *testing.T) { + for _, file := range []string{ + "err1.go", + "err2.go", ++ "err5.go", + "issue11097a.go", + "issue11097b.go", + "issue18452.go", +diff --git a/misc/cgo/errors/testdata/err5.go b/misc/cgo/errors/testdata/err5.go +new file mode 100644 +index 0000000000..c12a290d38 +--- /dev/null ++++ b/misc/cgo/errors/testdata/err5.go +@@ -0,0 +1,11 @@ ++// Copyright 2023 The Go Authors. All rights reserved. ++// Use of this source code is governed by a BSD-style ++// license that can be found in the LICENSE file. ++ ++package main ++ ++//line /tmp/_cgo_.go:1 ++//go:cgo_dynamic_linker "/elf/interp" ++// ERROR MESSAGE: only allowed in cgo-generated code ++ ++func main() {} +diff --git a/src/cmd/compile/internal/noder/noder.go b/src/cmd/compile/internal/noder/noder.go +index d0d95451ac..c99c085037 100644 +--- a/src/cmd/compile/internal/noder/noder.go ++++ b/src/cmd/compile/internal/noder/noder.go +@@ -359,8 +359,14 @@ func (p *noder) pragma(pos syntax.Pos, blankLine bool, text string, old syntax.P + // contain cgo directives, and for security reasons + // (primarily misuse of linker flags), other files are not. + // See golang.org/issue/23672. ++// Note that cmd/go ignores files whose names start with underscore, ++// so the only _cgo_ files we will see from cmd/go are generated by cgo. ++// It's easy to bypass this check by calling the compiler directly; ++// we only protect against uses by cmd/go. + func isCgoGeneratedFile(pos syntax.Pos) bool { +- return strings.HasPrefix(filepath.Base(trimFilename(pos.Base())), "_cgo_") ++ // We need the absolute file, independent of //line directives, ++ // so we call pos.Base().Pos(). ++ return strings.HasPrefix(filepath.Base(trimFilename(pos.Base().Pos().Base())), "_cgo_") + } + + // safeArg reports whether arg is a "safe" command-line argument, +-- +2.33.0 + diff --git a/golang.spec b/golang.spec index eb8b362..fc9405a 100644 --- a/golang.spec +++ b/golang.spec @@ -60,7 +60,7 @@ Name: golang Version: 1.20.7 -Release: 2 +Release: 3 Summary: The Go Programming Language License: BSD and Public Domain URL: https://golang.org/ @@ -117,6 +117,7 @@ Requires: %{vendor}-rpm-config Patch6001: 0001-Enable-go-plugin-support-for-riscv64-based-on-work-b.patch Patch6002: 0002-cmd-go-use-local-proxy-and-sumdb.patch Patch6003: 0003-net-http-permit-requests-with-invalid-Host-headers.patch +Patch6004: 0004-release-branch.go1.20-cmd-compile-use-absolute-file-.patch ExclusiveArch: %{golang_arches} %description @@ -354,6 +355,9 @@ fi %files devel -f go-tests.list -f go-misc.list -f go-src.list %changelog +* Mon Oct 9 2023 sunchendong - 1.20.7-3 +- fix CVE-2023-39323 + * Thu Aug 24 2023 wanglimin - 1.20.7-2 - permit invalid host header for docker -- Gitee