From a29af64327ac865e7251f4f624425f67659492e2 Mon Sep 17 00:00:00 2001
From: Zhao Mengmeng
Date: Thu, 9 May 2024 14:52:07 +0800
Subject: [PATCH] backport: fix CVE-2024-24787

Backport upstream commit a79ea27e36a1c56ae48dc36ce48549c9787ca4b7 (" [release-branch.go1.21] cmd/go: disallow -lto_library in LDFLAGS").

Signed-off-by: Zhao Mengmeng
---
 ...d-go-disallow-lto_library-in-LDFLAGS.patch | 129 ++++++++++++++++++
 golang.spec | 6 +-
 2 files changed, 134 insertions(+), 1 deletion(-)
 create mode 100644 backport-0007-cmd-go-disallow-lto_library-in-LDFLAGS.patch

diff --git a/backport-0007-cmd-go-disallow-lto_library-in-LDFLAGS.patch b/backport-0007-cmd-go-disallow-lto_library-in-LDFLAGS.patch
new file mode 100644
index 0000000..e6973f8
--- /dev/null
+++ b/backport-0007-cmd-go-disallow-lto_library-in-LDFLAGS.patch
@@ -0,0 +1,129 @@
+From 4c4f83ccb0403cb1d35e06818a339899edcaa270 Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker
+Date: Thu, 25 Apr 2024 13:09:54 -0700
+Subject: [PATCH] cmd/go: disallow -lto_library in LDFLAGS
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The darwin linker allows setting the LTO library with the -lto_library
+flag. This wasn't caught by our "safe linker flags" check because it
+was covered by the -lx flag used for linking libraries. This change
+adds a specific check for excluded flags which otherwise satisfy our
+existing checks.
+
+Loading a mallicious LTO library would allow an attacker to cause the
+linker to execute abritrary code when "go build" was called.
+
+Thanks to Juho Forsén of Mattermost for reporting this issue.
+
+Fixes #67119
+Fixes #67121
+Fixes CVE-2024-24787
+
+Change-Id: I77ac8585efbdbdfd5f39c39ed623b9408a0f9eaf
+Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1380
+Reviewed-by: Russ Cox
+Reviewed-by: Damien Neil
+(cherry picked from commit 9a79141fbbca1105e5c786f15e38741ca7843290)
+Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1401
+Reviewed-by: Tatiana Bradley
+Reviewed-on: https://go-review.googlesource.com/c/go/+/583795
+Reviewed-by: David Chase
+LUCI-TryBot-Result: Go LUCI
+Signed-off-by: Zhao Mengmeng
+---
+ src/cmd/go/internal/work/security.go | 19 +++++++++++++++----
+ .../script/darwin_lto_library_ldflag.txt | 17 +++++++++++++++++
+ 2 files changed, 32 insertions(+), 4 deletions(-)
+ create mode 100644 src/cmd/go/testdata/script/darwin_lto_library_ldflag.txt
+
+diff --git a/src/cmd/go/internal/work/security.go b/src/cmd/go/internal/work/security.go
+index 270a34e..db49eb6 100644
+--- a/src/cmd/go/internal/work/security.go
++++ b/src/cmd/go/internal/work/security.go
+@@ -141,6 +141,12 @@ var validCompilerFlagsWithNextArg = []string{
+ "-x",
+ }
+
++var invalidLinkerFlags = []*lazyregexp.Regexp{
++ // On macOS this means the linker 
loads and executes the next argument.
++ // Have to exclude separately because -lfoo is allowed in general.
++ re(`-lto_library`),
++}
++
+ var validLinkerFlags = []*lazyregexp.Regexp{
+ re(`-F([^@\-].*)`),
+ re(`-l([^@\-].*)`),
+@@ -231,12 +237,12 @@ var validLinkerFlagsWithNextArg = []string{
+
+ func checkCompilerFlags(name, source string, list []string) error {
+ checkOverrides := true
+- return checkFlags(name, source, list, validCompilerFlags, validCompilerFlagsWithNextArg, checkOverrides)
++ return checkFlags(name, source, list, nil, validCompilerFlags, validCompilerFlagsWithNextArg, checkOverrides)
+ }
+
+ func checkLinkerFlags(name, source string, list []string) error {
+ checkOverrides := true
+- return checkFlags(name, source, list, validLinkerFlags, validLinkerFlagsWithNextArg, checkOverrides)
++ return checkFlags(name, source, list, invalidLinkerFlags, validLinkerFlags, validLinkerFlagsWithNextArg, checkOverrides)
+ }
+
+ // checkCompilerFlagsForInternalLink returns an error if 'list'
+@@ -245,7 +251,7 @@ func checkLinkerFlags(name, source string, list []string) error {
+ // external linker).
+ func checkCompilerFlagsForInternalLink(name, source string, list []string) error {
+ checkOverrides := false
+- if err := checkFlags(name, source, list, validCompilerFlags, validCompilerFlagsWithNextArg, checkOverrides); err != nil {
++ if err := checkFlags(name, source, list, nil, validCompilerFlags, validCompilerFlagsWithNextArg, checkOverrides); err != nil {
+ return err
+ }
+ // Currently the only flag on the allow list that causes problems
+@@ -258,7 +264,7 @@ func checkCompilerFlagsForInternalLink(name, source string, list []string) error
+ return nil
+ }
+
+-func checkFlags(name, source string, list []string, valid []*lazyregexp.Regexp, validNext []string, checkOverrides bool) error {
++func checkFlags(name, source string, list []string, invalid, valid []*lazyregexp.Regexp, validNext []string, checkOverrides bool) error {
+ // Let users override rules with $CGO_CFLAGS_ALLOW, $CGO_CFLAGS_DISALLOW, etc.
+ var (
+ allow *regexp.Regexp
+@@ -290,6 +296,11 @@ Args:
+ if allow != nil && allow.FindString(arg) == arg {
+ continue Args
+ }
++ for _, re := range invalid {
++ if re.FindString(arg) == arg { // must be complete match
++ goto Bad
++ }
++ }
+ for _, re := range valid {
+ if re.FindString(arg) == arg { // must be complete match
+ continue Args
+diff --git a/src/cmd/go/testdata/script/darwin_lto_library_ldflag.txt b/src/cmd/go/testdata/script/darwin_lto_library_ldflag.txt
+new file mode 100644
+index 0000000..d7acefd
+--- /dev/null
++++ b/src/cmd/go/testdata/script/darwin_lto_library_ldflag.txt
+@@ -0,0 +1,17 @@
++[!GOOS:darwin] skip
++[!cgo] skip
++
++! go build
++stderr 'invalid flag in #cgo LDFLAGS: -lto_library'
++
++-- go.mod --
++module ldflag
++
++-- main.go --
++package main
++
++// #cgo CFLAGS: -flto
++// #cgo LDFLAGS: -lto_library bad.dylib
++import "C"
++
++func main() {}
+\ No newline at end of file
+--
+2.33.0
+
diff --git a/golang.spec b/golang.spec
index d214f53..7690cbb 100644
--- a/golang.spec
+++ b/golang.spec
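Review bot: In the embedded security.go change at `@@ -290,6 +296,11 @@ Args:`, the new `invalid` loop runs after the `allow` override test, so a `$CGO_LDFLAGS_ALLOW` pattern matching `-lto_library` still admits the flag; that is consistent with the existing override design, but the `invalidLinkerFlags` declaration should say so, e.g. `// Consulted after the user's CGO_*_ALLOW override, which still takes precedence.` The new script test is gated by `[!GOOS:darwin] skip` and `[!cgo] skip`, so it is skipped on this package's Linux build hosts and the backport is exercised only by whatever unit tests the spec's %check runs, which this diff does not show; recording that in the changelog entry would help the next reviewer. The outer description cites upstream a79ea27e36a1c56ae48dc36ce48549c9787ca4b7 while the embedded header reads `From 4c4f83ccb0403cb1d35e06818a339899edcaa270`; presumably the latter is the local re-commit id (the patch also carries the backporter's Signed-off-by), but stating the upstream id inside the patch body would make provenance checkable. The `checkFlags` body that the `Args:` hunk modifies starts and ends outside the hunk.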
@@ -66,7 +66,7 @@
 Name: golang
 Version: 1.21.4
-Release: 8
+Release: 9
 Summary: The Go Programming Language
 License: BSD and Public Domain
 URL: https://golang.org/
@@ -126,6 +126,7 @@ Patch6003: backport-0003-release-branch.go1.21-net-textproto-mime-multipart-a.pa
 Patch6004: backport-0004-release-branch.go1.21-net-http-net-http-cookiejar-av.patch
 Patch6005: backport-0005-release-branch.go1.21-net-mail-properly-handle-speci.patch
 Patch6006: backport-0006-Backport-net-http-update-bundled-golang.org-x-net-ht.patch
+Patch6007: backport-0007-cmd-go-disallow-lto_library-in-LDFLAGS.patch
 ExclusiveArch: %{golang_arches}
@@ -364,6 +365,9 @@ fi
 %files devel -f go-tests.list -f go-misc.list -f go-src.list
 %changelog
+* Thu May 09 2024 Zhao Mengmeng - 1.21.4-9
+- fix CVE-2024-24787
+
 * Thu Apr 18 2024 Huang Yang - 1.21.4-8
 - enable external_linker and cgo on loongarch64
-- Gitee