diff --git a/backport-0006-Backport-net-http-update-bundled-golang.org-x-net-ht.patch b/backport-0006-Backport-net-http-update-bundled-golang.org-x-net-ht.patch
new file mode 100644
index 0000000000000000000000000000000000000000..ab4dfb26ee02452ab3fdfcf7861b42cc2f3818d9
--- /dev/null
+++ b/backport-0006-Backport-net-http-update-bundled-golang.org-x-net-ht.patch
@@ -0,0 +1,82 @@
+From a65a2b54e18a7e269bff32526b4180ece22e9aa6 Mon Sep 17 00:00:00 2001
+From: Damien Neil
+Date: Thu, 28 Mar 2024 16:57:51 -0700
+Subject: [PATCH] [Backport] net/http: update bundled golang.org/x/net/http2
+
+Offering: Cloud Core Network
+CVE: CVE-2023-45288
+Reference: https://go-review.googlesource.com/c/go/+/576076
+
+Disable cmd/internal/moddeps test, since this update includes PRIVATE
+track fixes.
+
+Fixes CVE-2023-45288
+For #65051
+Fixes #66298
+
+Change-Id: I5bbf774ebe7651e4bb7e55139d3794bd2b8e8fa8
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2197227
+Reviewed-by: Tatiana Bradley
+Run-TryBot: Damien Neil
+Reviewed-by: Dmitri Shuralyov
+Reviewed-on: https://go-review.googlesource.com/c/go/+/576076
+Auto-Submit: Dmitri Shuralyov
+TryBot-Bypass: Dmitri Shuralyov
+Reviewed-by: Than McIntosh
+Signed-off-by: Ma Chang Wang machangwang@huawei.com
+---
+ src/net/http/h2_bundle.go | 31 +++++++++++++++++++++++++++++++
+ 1 file changed, 31 insertions(+)
+
+diff --git a/src/net/http/h2_bundle.go b/src/net/http/h2_bundle.go
+index dd59e1f4f2..cd95f84269 100644
+--- a/src/net/http/h2_bundle.go
++++ b/src/net/http/h2_bundle.go
+@@ -2966,6 +2966,7 @@ func (fr *http2Framer) readMetaFrame(hf *http2HeadersFrame) (*http2MetaHeadersFr
+ if size > remainSize {
+ hdec.SetEmitEnabled(false)
+ mh.Truncated = true
++ remainSize = 0
+ return
+ }
+ remainSize -= size
+@@ -2978,6 +2979,36 @@ func (fr *http2Framer) readMetaFrame(hf *http2HeadersFrame) (*http2MetaHeadersFr
+ var hc http2headersOrContinuation = hf
+ for {
+ frag := hc.HeaderBlockFragment()
++
++ // Avoid parsing large amounts of headers that we will then discard.
++ // If the sender exceeds the max header list size by too much,
++ // skip parsing the fragment and close the connection.
++ //
++ // "Too much" is either any CONTINUATION frame after we've already
++ // exceeded the max header list size (in which case remainSize is 0),
++ // or a frame whose encoded size is more than twice the remaining
++ // header list bytes we're willing to accept.
++ if int64(len(frag)) > int64(2*remainSize) {
++ if http2VerboseLogs {
++ log.Printf("http2: header list too large")
++ }
++ // It would be nice to send a RST_STREAM before sending the GOAWAY,
++ // but the struture of the server's frame writer makes this difficult.
++ return nil, http2ConnectionError(http2ErrCodeProtocol)
++ }
++
++ // Also close the connection after any CONTINUATION frame following an
++ // invalid header, since we stop tracking the size of the headers after
++ // an invalid one.
++ if invalid != nil {
++ if http2VerboseLogs {
++ log.Printf("http2: invalid header: %v", invalid)
++ }
++ // It would be nice to send a RST_STREAM before sending the GOAWAY,
++ // but the struture of the server's frame writer makes this difficult.
++ return nil, http2ConnectionError(http2ErrCodeProtocol)
++ }
++
+ if _, err := hdec.Write(frag); err != nil {
+ return nil, http2ConnectionError(http2ErrCodeCompression)
+ }
+--
+2.33.0
+
diff --git a/backport-0007-cmd-go-disallow-lto_library-in-LDFLAGS.patch b/backport-0007-cmd-go-disallow-lto_library-in-LDFLAGS.patch
new file mode 100644
index 0000000000000000000000000000000000000000..e6973f8fc99aef5f3de8da2cc669d19808069705
--- /dev/null
+++ b/backport-0007-cmd-go-disallow-lto_library-in-LDFLAGS.patch
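Review bot: The oversized-fragment guard `int64(len(frag)) > int64(2*remainSize)` doubles remainSize in its own type before widening, so the multiplication can wrap; remainSize's declaration is outside the hunk, but if it is a 32-bit value, a configured header-list limit of 2^31 or more would collapse into a small threshold and well-formed CONTINUATION frames would be refused with a connection error. Widening first avoids that: `if int64(len(frag)) > 2*int64(remainSize) {`. The commit message also says the cmd/internal/moddeps test is disabled, yet the diffstat lists only h2_bundle.go, so that test will presumably fail against this bundle whenever the package's test suite is run, and no regression test for the CONTINUATION limit is carried either. readMetaFrame starts and ends outside the hunk.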
@@ -0,0 +1,129 @@
+From 4c4f83ccb0403cb1d35e06818a339899edcaa270 Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker
+Date: Thu, 25 Apr 2024 13:09:54 -0700
+Subject: [PATCH] cmd/go: disallow -lto_library in LDFLAGS
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The darwin linker allows setting the LTO library with the -lto_library
+flag. This wasn't caught by our "safe linker flags" check because it
+was covered by the -lx flag used for linking libraries. This change
+adds a specific check for excluded flags which otherwise satisfy our
+existing checks.
+
+Loading a mallicious LTO library would allow an attacker to cause the
+linker to execute abritrary code when "go build" was called.
+
+Thanks to Juho Forsén of Mattermost for reporting this issue.
+
+Fixes #67119
+Fixes #67121
+Fixes CVE-2024-24787
+
+Change-Id: I77ac8585efbdbdfd5f39c39ed623b9408a0f9eaf
+Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1380
+Reviewed-by: Russ Cox
+Reviewed-by: Damien Neil
+(cherry picked from commit 9a79141fbbca1105e5c786f15e38741ca7843290)
+Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1401
+Reviewed-by: Tatiana Bradley
+Reviewed-on: https://go-review.googlesource.com/c/go/+/583795
+Reviewed-by: David Chase
+LUCI-TryBot-Result: Go LUCI
+Signed-off-by: Zhao Mengmeng
+---
+ src/cmd/go/internal/work/security.go | 19 +++++++++++++++----
+ .../script/darwin_lto_library_ldflag.txt | 17 +++++++++++++++++
+ 2 files changed, 32 insertions(+), 4 deletions(-)
+ create mode 100644 src/cmd/go/testdata/script/darwin_lto_library_ldflag.txt
+
+diff --git a/src/cmd/go/internal/work/security.go b/src/cmd/go/internal/work/security.go
+index 270a34e..db49eb6 100644
+--- a/src/cmd/go/internal/work/security.go
++++ b/src/cmd/go/internal/work/security.go
+@@ -141,6 +141,12 @@ var validCompilerFlagsWithNextArg = []string{
+ "-x",
+ }
+
++var invalidLinkerFlags = []*lazyregexp.Regexp{
++ // On macOS this means the linker loads and executes the next argument.
++ // Have to exclude separately because -lfoo is allowed in general.
++ re(`-lto_library`),
++}
++
+ var validLinkerFlags = []*lazyregexp.Regexp{
+ re(`-F([^@\-].*)`),
+ re(`-l([^@\-].*)`),
+@@ -231,12 +237,12 @@ var validLinkerFlagsWithNextArg = []string{
+
+ func checkCompilerFlags(name, source string, list []string) error {
+ checkOverrides := true
+- return checkFlags(name, source, list, validCompilerFlags, validCompilerFlagsWithNextArg, checkOverrides)
++ return checkFlags(name, source, list, nil, validCompilerFlags, validCompilerFlagsWithNextArg, checkOverrides)
+ }
+
+ func checkLinkerFlags(name, source string, list []string) error {
+ checkOverrides := true
+- return checkFlags(name, source, list, validLinkerFlags, validLinkerFlagsWithNextArg, checkOverrides)
++ return checkFlags(name, source, list, invalidLinkerFlags, validLinkerFlags, validLinkerFlagsWithNextArg, checkOverrides)
+ }
+
+ // checkCompilerFlagsForInternalLink returns an error if 'list'
+@@ -245,7 +251,7 @@ func checkLinkerFlags(name, source string, list []string) error {
+ // external linker).
+ func checkCompilerFlagsForInternalLink(name, source string, list []string) error {
+ checkOverrides := false
+- if err := checkFlags(name, source, list, validCompilerFlags, validCompilerFlagsWithNextArg, checkOverrides); err != nil {
++ if err := checkFlags(name, source, list, nil, validCompilerFlags, validCompilerFlagsWithNextArg, checkOverrides); err != nil {
+ return err
+ }
+ // Currently the only flag on the allow list that causes problems
+@@ -258,7 +264,7 @@ func checkCompilerFlagsForInternalLink(name, source string, list []string) error
+ return nil
+ }
+
+-func checkFlags(name, source string, list []string, valid []*lazyregexp.Regexp, validNext []string, checkOverrides bool) error {
++func checkFlags(name, source string, list []string, invalid, valid []*lazyregexp.Regexp, validNext []string, checkOverrides bool) error {
+ // Let users override rules with $CGO_CFLAGS_ALLOW, $CGO_CFLAGS_DISALLOW, etc.
+ var (
+ allow *regexp.Regexp
+@@ -290,6 +296,11 @@ Args:
+ if allow != nil && allow.FindString(arg) == arg {
+ continue Args
+ }
++ for _, re := range invalid {
++ if re.FindString(arg) == arg { // must be complete match
++ goto Bad
++ }
++ }
+ for _, re := range valid {
+ if re.FindString(arg) == arg { // must be complete match
+ continue Args
+diff --git a/src/cmd/go/testdata/script/darwin_lto_library_ldflag.txt b/src/cmd/go/testdata/script/darwin_lto_library_ldflag.txt
+new file mode 100644
+index 0000000..d7acefd
+--- /dev/null
++++ b/src/cmd/go/testdata/script/darwin_lto_library_ldflag.txt
+@@ -0,0 +1,17 @@
++[!GOOS:darwin] skip
++[!cgo] skip
++
++! go build
++stderr 'invalid flag in #cgo LDFLAGS: -lto_library'
++
++-- go.mod --
++module ldflag
++
++-- main.go --
++package main
++
++// #cgo CFLAGS: -flto
++// #cgo LDFLAGS: -lto_library bad.dylib
++import "C"
++
++func main() {}
+\ No newline at end of file
+--
+2.33.0
+
diff --git a/golang.spec b/golang.spec
index 00bf64b56e787992cd7b8017aac72d2497c181c5..7690cbbfa104ddfab9b6d602274e4deb5955e02e 100644
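Review bot: The new deny-list loop in checkFlags runs only after the `allow` override has had its chance to `continue Args`, so an environment whose `$CGO_*_ALLOW` pattern matches `-lto_library` still lets the flag through. That follows the existing override semantics, but the added `invalid` parameter is undocumented and the precedence deserves a comment above the loop, for example `// invalid is consulted after the user's allow override but before valid, so a deny entry beats the general -lfoo pattern.` The only regression test carried is the script gated by `[!GOOS:darwin] skip`, while the check in security.go is not OS-specific, so builds on other platforms never exercise it. A table-driven unit test that passes `[]string{"-lto_library", "bad.dylib"}` to checkLinkerFlags and expects an error would cover the rule everywhere. checkFlags continues outside the hunk, and the `Bad` label it jumps to is not shown.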
--- a/golang.spec +++ b/golang.spec @@ -12,19 +12,19 @@ %define __find_requires %{nil} %bcond_with bootstrap -%ifarch x86_64 aarch64 riscv64 ppc64le +%ifarch x86_64 aarch64 riscv64 loongarch64 ppc64le %bcond_without ignore_tests %else %bcond_with ignore_tests %endif -%ifarch x86_64 aarch64 riscv64 ppc64le +%ifarch x86_64 aarch64 riscv64 loongarch64 ppc64le %global external_linker 1 %else %global external_linker 0 %endif -%ifarch x86_64 aarch64 riscv64 ppc64le +%ifarch x86_64 aarch64 riscv64 loongarch64 ppc64le %global cgo_enabled 1 %else %global cgo_enabled 0 @@ -66,7 +66,7 @@ Name: golang Version: 1.21.4 -Release: 6 +Release: 9 Summary: The Go Programming Language License: BSD and Public Domain URL: https://golang.org/ @@ -125,6 +125,8 @@ Patch6002: backport-0002-release-branch.go1.21-html-template-escape-additiona.pa Patch6003: backport-0003-release-branch.go1.21-net-textproto-mime-multipart-a.patch Patch6004: backport-0004-release-branch.go1.21-net-http-net-http-cookiejar-av.patch Patch6005: backport-0005-release-branch.go1.21-net-mail-properly-handle-speci.patch +Patch6006: backport-0006-Backport-net-http-update-bundled-golang.org-x-net-ht.patch +Patch6007: backport-0007-cmd-go-disallow-lto_library-in-LDFLAGS.patch ExclusiveArch: %{golang_arches} @@ -363,6 +365,15 @@ fi %files devel -f go-tests.list -f go-misc.list -f go-src.list %changelog +* Thu May 09 2024 Zhao Mengmeng - 1.21.4-9 +- fix CVE-2024-24787 + +* Thu Apr 18 2024 Huang Yang - 1.21.4-8 +- enable external_linker and cgo on loongarch64 + +* Tue Apr 16 2024 hanchao - 1.21.4-7 +- fix CVE-2023-45288 + * Thu Mar 28 2024 hanchao - 1.21.4-6 - fix CVE-2024-24784