From 2a14123eb44dda0e66325ed16983ab94139c1671 Mon Sep 17 00:00:00 2001
From: sunchendong <sunchendong@xfusion.com>
Date: Mon, 9 Oct 2023 15:17:19 +0800
Subject: [PATCH] fix CVE-2023-39323

---
 ...o1.20-cmd-compile-use-absolute-file-.patch | 98 +++++++++++++++++++
 golang.spec                                   |  9 +-
 2 files changed, 106 insertions(+), 1 deletion(-)
 create mode 100644 0052-release-branch.go1.20-cmd-compile-use-absolute-file-.patch

diff --git a/0052-release-branch.go1.20-cmd-compile-use-absolute-file-.patch b/0052-release-branch.go1.20-cmd-compile-use-absolute-file-.patch
new file mode 100644
index 0000000..ac688da
--- /dev/null
+++ b/0052-release-branch.go1.20-cmd-compile-use-absolute-file-.patch
@@ -0,0 +1,98 @@
+From c7f86498e2d6b7a1f2f4818347ba24a123ac9528 Mon Sep 17 00:00:00 2001
+From: sunchendong <sunchendong@xfusion.com>
+Date: Mon, 9 Oct 2023 15:14:56 +0800
+Subject: [PATCH] [release-branch.go1.20] cmd/compile: use absolute file name
+ in isCgo check
+
+---
+ misc/cgo/errors/errors_test.go          | 25 ++++++++++++++++---------
+ misc/cgo/errors/testdata/err5.go        | 11 +++++++++++
+ src/cmd/compile/internal/noder/noder.go |  8 +++++++-
+ 3 files changed, 34 insertions(+), 10 deletions(-)
+ create mode 100644 misc/cgo/errors/testdata/err5.go
+
+diff --git a/misc/cgo/errors/errors_test.go b/misc/cgo/errors/errors_test.go
+index 68a30a4..785f5a0 100644
+--- a/misc/cgo/errors/errors_test.go
++++ b/misc/cgo/errors/errors_test.go
+@@ -36,17 +36,23 @@ func check(t *testing.T, file string) {
+ 				continue
+ 			}
+ 
+-			frags := bytes.SplitAfterN(line, []byte("ERROR HERE: "), 2)
+-			if len(frags) == 1 {
+-				continue
++			if _, frag, ok := bytes.Cut(line, []byte("ERROR HERE: ")); ok {
++				re, err := regexp.Compile(fmt.Sprintf(":%d:.*%s", i+1, frag))
++				if err != nil {
++					t.Errorf("Invalid regexp after `ERROR HERE: `: %#q", frag)
++					continue
++				}
++				errors = append(errors, re)
+ 			}
+-			frag := fmt.Sprintf(":%d:.*%s", i+1, frags[1])
+-			re, err := regexp.Compile(frag)
+-			if err != nil {
+-				t.Errorf("Invalid regexp after `ERROR HERE: `: %#q", frags[1])
+-				continue
++
++			if _, frag, ok := bytes.Cut(line, []byte("ERROR MESSAGE: ")); ok {
++				re, err := regexp.Compile(string(frag))
++				if err != nil {
++					t.Errorf("Invalid regexp after `ERROR MESSAGE: `: %#q", frag)
++					continue
++				}
++				errors = append(errors, re)
+ 			}
+-			errors = append(errors, re)
+ 		}
+ 		if len(errors) == 0 {
+ 			t.Fatalf("cannot find ERROR HERE")
+@@ -107,6 +113,7 @@ func TestReportsTypeErrors(t *testing.T) {
+ 	for _, file := range []string{
+ 		"err1.go",
+ 		"err2.go",
++		"err5.go",
+ 		"issue11097a.go",
+ 		"issue11097b.go",
+ 		"issue18452.go",
+diff --git a/misc/cgo/errors/testdata/err5.go b/misc/cgo/errors/testdata/err5.go
+new file mode 100644
+index 0000000..c12a290
+--- /dev/null
++++ b/misc/cgo/errors/testdata/err5.go
+@@ -0,0 +1,11 @@
++// Copyright 2023 The Go Authors. All rights reserved.
++// Use of this source code is governed by a BSD-style
++// license that can be found in the LICENSE file.
++
++package main
++
++//line /tmp/_cgo_.go:1
++//go:cgo_dynamic_linker "/elf/interp"
++// ERROR MESSAGE: only allowed in cgo-generated code
++
++func main() {}
+diff --git a/src/cmd/compile/internal/noder/noder.go b/src/cmd/compile/internal/noder/noder.go
+index 5fcad09..d974b49 100644
+--- a/src/cmd/compile/internal/noder/noder.go
++++ b/src/cmd/compile/internal/noder/noder.go
+@@ -1690,8 +1690,14 @@ func (p *noder) pragma(pos syntax.Pos, blankLine bool, text string, old syntax.P
+ // contain cgo directives, and for security reasons
+ // (primarily misuse of linker flags), other files are not.
+ // See golang.org/issue/23672.
++// Note that cmd/go ignores files whose names start with underscore,
++// so the only _cgo_ files we will see from cmd/go are generated by cgo.
++// It's easy to bypass this check by calling the compiler directly;
++// we only protect against uses by cmd/go.
+ func isCgoGeneratedFile(pos syntax.Pos) bool {
+-	return strings.HasPrefix(filepath.Base(filepath.Clean(fileh(pos.Base().Filename()))), "_cgo_")
++	// We need the absolute file, independent of //line directives,
++	// so we call pos.Base().Pos().
++	return strings.HasPrefix(filepath.Base(trimFilename(pos.Base().Pos().Base())), "_cgo_")
+ }
+ 
+ // safeArg reports whether arg is a "safe" command-line argument,
+-- 
+2.33.0
+
diff --git a/golang.spec b/golang.spec
index 35acea0..072240e 100644
--- a/golang.spec
+++ b/golang.spec
@@ -66,7 +66,7 @@
 
 Name:           golang
 Version:        1.17.3
-Release:        23
+Release:        24
 Summary:        The Go Programming Language
 License:        BSD and Public Domain
 URL:            https://golang.org/
@@ -209,6 +209,7 @@ Patch6048:	0048-Backport-crypto-tls-restrict-RSA-keys-in-certificates-to-8192.pa
 Patch6049:	0049-Backport-net-http-permit-requests-with-invalid-Host-headers.patch
 Patch6050:	0050-Backport-html-template-support-HTML-like-comments-in.patch
 Patch6051:	0051-Backport-html-template-properly-handle-special-tags-.patch
+Patch6052:      0052-release-branch.go1.20-cmd-compile-use-absolute-file-.patch
 
 ExclusiveArch:  %{golang_arches}
 
@@ -454,6 +455,12 @@ fi
 %files devel -f go-tests.list -f go-misc.list -f go-src.list
 
 %changelog
+* Mon Oct 9 2023 sunchendong <sunchendong@xfusion.com> - 1.17.3-24
+- Type:CVE
+- CVE:CVE-2023-39323
+- SUG:NA
+- DESC:CVE-2023-39323
+
 * Mon Sep 25 2023 luoyujie <luoyujie5@huawei.com> - 1.17.3-23
 - Type:CVE
 - CVE:CVE-2023-39318,CVE-2023-39319
-- 
Gitee