From 3586b45a234a59f12b18b6d62af0f135aad9b155 Mon Sep 17 00:00:00 2001
From: Zhao Mengmeng
Date: Thu, 9 May 2024 14:52:07 +0800
Subject: [PATCH] backport: fix CVE-2024-24787
Backport upstream commit a79ea27e36a1c56ae48dc36ce48549c9787ca4b7 (" [release-branch.go1.21] cmd/go: disallow -lto_library in LDFLAGS").
Signed-off-by: Zhao Mengmeng
---
 ...d-go-disallow-lto_library-in-LDFLAGS.patch | 118 ++++++++++++++++++
 golang.spec | 9 +-
 2 files changed, 126 insertions(+), 1 deletion(-)
 create mode 100644 0121-Backport-cmd-go-disallow-lto_library-in-LDFLAGS.patch
diff --git a/0121-Backport-cmd-go-disallow-lto_library-in-LDFLAGS.patch b/0121-Backport-cmd-go-disallow-lto_library-in-LDFLAGS.patch
new file mode 100644
index 0000000..0f56813
--- /dev/null
+++ b/0121-Backport-cmd-go-disallow-lto_library-in-LDFLAGS.patch
@@ -0,0 +1,118 @@
+From 6f64a3a2060fc4fe72d4ddbf0cd7293bfff1cd61 Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker
+Date: Thu, 25 Apr 2024 13:09:54 -0700
+Subject: [PATCH] cmd/go: disallow -lto_library in LDFLAGS
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The darwin linker allows setting the LTO library with the -lto_library
+flag. This wasn't caught by our "safe linker flags" check because it
+was covered by the -lx flag used for linking libraries. This change
+adds a specific check for excluded flags which otherwise satisfy our
+existing checks.
+
+Loading a mallicious LTO library would allow an attacker to cause the
+linker to execute abritrary code when "go build" was called.
+
+Thanks to Juho Forsén of Mattermost for reporting this issue.
+
+Fixes #67119
+Fixes #67121
+Fixes CVE-2024-24787
+
+Change-Id: I77ac8585efbdbdfd5f39c39ed623b9408a0f9eaf
+Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1380
+Reviewed-by: Russ Cox
+Reviewed-by: Damien Neil
+(cherry picked from commit 9a79141fbbca1105e5c786f15e38741ca7843290)
+Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1401
+Reviewed-by: Tatiana Bradley
+Reviewed-on: https://go-review.googlesource.com/c/go/+/583795
+Reviewed-by: David Chase
+LUCI-TryBot-Result: Go LUCI
+Conflicts:
+ src/cmd/go/internal/work/security.go
+ [ checkFlags() has less arguments and don't have
+checkCompilerFlagsForInternalLink() ]
+Signed-off-by: Zhao Mengmeng
+---
+ src/cmd/go/internal/work/security.go | 17 ++++++++++++++---
+ .../script/darwin_lto_library_ldflag.txt | 17 +++++++++++++++++
+ 2 files changed, 31 insertions(+), 3 deletions(-)
+ create mode 100644 src/cmd/go/testdata/script/darwin_lto_library_ldflag.txt
+
+diff --git a/src/cmd/go/internal/work/security.go b/src/cmd/go/internal/work/security.go
+index 91e6e4c..5dddff9 100644
+--- a/src/cmd/go/internal/work/security.go
++++ b/src/cmd/go/internal/work/security.go
+@@ -140,6 +140,12 @@ var validCompilerFlagsWithNextArg = []string{
+ "-x",
+ }
+ 
++var invalidLinkerFlags = []*lazyregexp.Regexp{
++ // On macOS this means the linker loads and executes the next argument.
++ // Have to exclude separately because -lfoo is allowed in general.
++ re(`-lto_library`),
++}
++
+ var validLinkerFlags = []*lazyregexp.Regexp{
+ re(`-F([^@\-].*)`),
+ re(`-l([^@\-].*)`),
+@@ -229,14 +235,14 @@ var validLinkerFlagsWithNextArg = []string{
+ }
+ 
+ func checkCompilerFlags(name, source string, list []string) error {
+- return checkFlags(name, source, list, validCompilerFlags, validCompilerFlagsWithNextArg)
++ return checkFlags(name, source, list, nil, validCompilerFlags, validCompilerFlagsWithNextArg)
+ }
+ 
+ func checkLinkerFlags(name, source string, list []string) error {
+- return checkFlags(name, source, list, validLinkerFlags, validLinkerFlagsWithNextArg)
++ return checkFlags(name, source, list, invalidLinkerFlags, validLinkerFlags, validLinkerFlagsWithNextArg)
+ }
+ 
+-func checkFlags(name, source string, list []string, valid []*lazyregexp.Regexp, validNext []string) error {
++func checkFlags(name, source string, list []string, invalid, valid []*lazyregexp.Regexp, validNext []string) error {
+ // Let users override rules with $CGO_CFLAGS_ALLOW, $CGO_CFLAGS_DISALLOW, etc.
+ var (
+ allow *regexp.Regexp
+@@ -266,6 +272,11 @@ Args:
+ if allow != nil && allow.FindString(arg) == arg {
+ continue Args
+ }
++ for _, re := range invalid {
++ if re.FindString(arg) == arg { // must be complete match
++ goto Bad
++ }
++ }
+ for _, re := range valid {
+ if re.FindString(arg) == arg { // must be complete match
+ continue Args
+diff --git a/src/cmd/go/testdata/script/darwin_lto_library_ldflag.txt b/src/cmd/go/testdata/script/darwin_lto_library_ldflag.txt
+new file mode 100644
+index 0000000..d7acefd
+--- /dev/null
++++ b/src/cmd/go/testdata/script/darwin_lto_library_ldflag.txt
+@@ -0,0 +1,17 @@
++[!GOOS:darwin] skip
++[!cgo] skip
++
++! go build
++stderr 'invalid flag in #cgo LDFLAGS: -lto_library'
++
++-- go.mod --
++module ldflag
++
++-- main.go --
++package main
++
++// #cgo CFLAGS: -flto
++// #cgo LDFLAGS: -lto_library bad.dylib
++import "C"
++
++func main() {}
+\ No newline at end of file
+-- 
+2.33.0
+
diff --git a/golang.spec b/golang.spec
index eb8a52e..e0319d6 100644
--- a/golang.spec
+++ b/golang.spec
@@ -58,7 +58,7 @@ Name: golang
 Version: 1.15.7
-Release: 43
+Release: 44
 Summary: The Go Programming Language
 License: BSD and Public Domain
 URL: https://golang.org/
@@ -262,6 +262,7 @@ Patch6117: 0117-Backport-net-mail-properly-handle-special-characters.patch
 Patch6118: 0118-1.15-backport-runtime-decrement-netpollWaiters-in-ne.patch
 Patch6119: 0119-1.15-backport-runtime-adjust-netpollWaiters-after-go.patch
 Patch6120: 0120-Backport-net-http-update-bundled-golang.org-x-net-ht.patch
+Patch6121: 0121-Backport-cmd-go-disallow-lto_library-in-LDFLAGS.patch
 Patch9001: 0001-drop-hard-code-cert.patch
 Patch9002: 0002-fix-patch-cmd-go-internal-modfetch-do-not-sho.patch
@@ -501,6 +502,12 @@ fi
 %files devel -f go-tests.list -f go-misc.list -f go-src.list
 %changelog
+* Thu May 09 2024 Zhao Mengmeng - 1.15.7-44
+- Type:CVE
+- CVE:CVE-2024-24787
+- SUG:NA
+- DESC:fix CVE-2024-24787
+
 * Mon Apr 15 2024 hanchao - 1.15.7-43
 - Type:CVE
 - CVE:CVE-2023-45288
-- Gitee
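Review bot: The regression test carried in this backport, `darwin_lto_library_ldflag.txt`, opens with `[!GOOS:darwin] skip` and `[!cgo] skip`, so the package's test run on a Linux builder never exercises the new `invalid` loop in `checkFlags`, even though the rejection itself is platform-independent because `checkLinkerFlags` passes `invalidLinkerFlags` unconditionally. The backport header's "Conflicts:" block would benefit from a line stating that this script is skipped on the target platform and how the check was verified instead, e.g. `[ script test is darwin-only; verified locally that #cgo LDFLAGS: -lto_library is rejected with "invalid flag in #cgo LDFLAGS: -lto_library" ]`. The `Bad:` label that the added `goto Bad` jumps to, and the remainder of `checkFlags`, lie outside the hunk, so this hunk alone cannot show that the 1.15.7 function still carries that label; a clean `%prep` apply plus a compile of cmd/go would confirm it.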