From 78dac0bc42c23de025b077acdd9302a7144981de Mon Sep 17 00:00:00 2001 From: hanchao Date: Fri, 15 Mar 2024 13:05:09 +0800 Subject: [PATCH 1/7] backport: fix CVE-2024-24783,CVE-2024-24785,CVE-2023-45290,CVE-2023-45289 --- ...o1.21-crypto-x509-make-sure-pub-key-.patch | 78 +++++ ...o1.21-html-template-escape-additiona.patch | 193 +++++++++++++ ...o1.21-net-textproto-mime-multipart-a.patch | 266 ++++++++++++++++++ ...o1.21-net-http-net-http-cookiejar-av.patch | 117 ++++++++ golang.spec | 5 +- 5 files changed, 658 insertions(+), 1 deletion(-) create mode 100644 backport-0001-release-branch.go1.21-crypto-x509-make-sure-pub-key-.patch create mode 100644 backport-0002-release-branch.go1.21-html-template-escape-additiona.patch create mode 100644 backport-0003-release-branch.go1.21-net-textproto-mime-multipart-a.patch create mode 100644 backport-0004-release-branch.go1.21-net-http-net-http-cookiejar-av.patch diff --git a/backport-0001-release-branch.go1.21-crypto-x509-make-sure-pub-key-.patch b/backport-0001-release-branch.go1.21-crypto-x509-make-sure-pub-key-.patch new file mode 100644 index 0000000..7ee3178 --- /dev/null +++ b/backport-0001-release-branch.go1.21-crypto-x509-make-sure-pub-key-.patch @@ -0,0 +1,78 @@ +From 5dfc2e6c42724349a9e9ecbcc69be920c18d90e9 Mon Sep 17 00:00:00 2001 +From: Roland Shoemaker +Date: Thu, 18 Jan 2024 12:51:13 -0800 +Subject: [PATCH 1/4] [release-branch.go1.21] crypto/x509: make sure pub key is + non-nil before interface conversion + +alreadyInChain assumes all keys fit a interface which contains the +Equal method (which they do), but this ignores that certificates may +have a nil key when PublicKeyAlgorithm is UnknownPublicKeyAlgorithm. In +this case alreadyInChain panics. + +Check that the key is non-nil as part of considerCandidate (we are never +going to build a chain containing UnknownPublicKeyAlgorithm anyway). + +For #65390 +Fixes #65392 +Fixes CVE-2024-24783 + +Change-Id: Ibdccc0a487e3368b6812be35daad2512220243f3 +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2137282 +Reviewed-by: Damien Neil +Run-TryBot: Roland Shoemaker +Reviewed-by: Tatiana Bradley +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2173774 +Reviewed-by: Roland Shoemaker +Reviewed-by: Carlos Amedee +Reviewed-on: https://go-review.googlesource.com/c/go/+/569238 +Auto-Submit: Michael Knyszek +LUCI-TryBot-Result: Go LUCI +Reviewed-by: Carlos Amedee +--- + src/crypto/x509/verify.go | 2 +- + src/crypto/x509/verify_test.go | 19 +++++++++++++++++++ + 2 files changed, 20 insertions(+), 1 deletion(-) + +diff --git a/src/crypto/x509/verify.go b/src/crypto/x509/verify.go +index 345d434453c..56a1a1725cc 100644 +--- a/src/crypto/x509/verify.go ++++ b/src/crypto/x509/verify.go +@@ -899,7 +899,7 @@ func (c *Certificate) buildChains(currentChain []*Certificate, sigChecks *int, o + ) + + considerCandidate := func(certType int, candidate *Certificate) { +- if alreadyInChain(candidate, currentChain) { ++ if candidate.PublicKey == nil || alreadyInChain(candidate, currentChain) { + return + } + +diff --git a/src/crypto/x509/verify_test.go b/src/crypto/x509/verify_test.go +index 3551b470ced..d8678d03f93 100644 +--- a/src/crypto/x509/verify_test.go ++++ b/src/crypto/x509/verify_test.go +@@ -2693,3 +2693,22 @@ func TestVerifyEKURootAsLeaf(t *testing.T) { + } + + } ++ ++func TestVerifyNilPubKey(t *testing.T) { ++ c := &Certificate{ ++ RawIssuer: []byte{1, 2, 3}, ++ AuthorityKeyId: []byte{1, 2, 3}, ++ } ++ opts := &VerifyOptions{} ++ opts.Roots = NewCertPool() ++ r := &Certificate{ ++ RawSubject: []byte{1, 2, 3}, ++ SubjectKeyId: []byte{1, 2, 3}, ++ } ++ opts.Roots.AddCert(r) ++ ++ _, err := c.buildChains([]*Certificate{r}, nil, opts) ++ if _, ok := err.(UnknownAuthorityError); !ok { ++ t.Fatalf("buildChains returned unexpected error, got: %v, want %v", err, UnknownAuthorityError{}) ++ } ++} +-- +2.33.0 + diff --git a/backport-0002-release-branch.go1.21-html-template-escape-additiona.patch b/backport-0002-release-branch.go1.21-html-template-escape-additiona.patch new file mode 100644 index 0000000..403cf6b --- /dev/null +++ b/backport-0002-release-branch.go1.21-html-template-escape-additiona.patch @@ -0,0 +1,193 @@ +From 0787ee55dd0d42dd8bef97d4e7ed7584f44c16e9 Mon Sep 17 00:00:00 2001 +From: Roland Shoemaker +Date: Wed, 14 Feb 2024 17:18:36 -0800 +Subject: [PATCH 2/4] [release-branch.go1.21] html/template: escape additional + tokens in MarshalJSON errors + +Escape " +Reviewed-by: Damien Neil +(cherry picked from commit ccbc725f2d678255df1bd326fa511a492aa3a0aa) +Reviewed-on: https://go-review.googlesource.com/c/go/+/567515 +Reviewed-by: Carlos Amedee +--- + src/html/template/js.go | 22 ++++++++- + src/html/template/js_test.go | 96 ++++++++++++++++++++---------------- + 2 files changed, 74 insertions(+), 44 deletions(-) + +diff --git a/src/html/template/js.go b/src/html/template/js.go +index 4e05c145572..f4d1303bebe 100644 +--- a/src/html/template/js.go ++++ b/src/html/template/js.go +@@ -171,13 +171,31 @@ func jsValEscaper(args ...any) string { + // cyclic data. This may be an unacceptable DoS risk. + b, err := json.Marshal(a) + if err != nil { +- // Put a space before comment so that if it is flush against ++ // While the standard JSON marshaller does not include user controlled ++ // information in the error message, if a type has a MarshalJSON method, ++ // the content of the error message is not guaranteed. Since we insert ++ // the error into the template, as part of a comment, we attempt to ++ // prevent the error from either terminating the comment, or the script ++ // block itself. ++ // ++ // In particular we: ++ // * replace "*/" comment end tokens with "* /", which does not ++ // terminate the comment ++ // * replace " 1 so this loses precision in JS + // but it is still a representable integer literal. +- {uint64(1)<<53 + 1, " 9007199254740993 "}, +- {float32(1.0), " 1 "}, +- {float32(-1.0), " -1 "}, +- {float32(0.5), " 0.5 "}, +- {float32(-0.5), " -0.5 "}, +- {float32(1.0) / float32(256), " 0.00390625 "}, +- {float32(0), " 0 "}, +- {math.Copysign(0, -1), " -0 "}, +- {float64(1.0), " 1 "}, +- {float64(-1.0), " -1 "}, +- {float64(0.5), " 0.5 "}, +- {float64(-0.5), " -0.5 "}, +- {float64(0), " 0 "}, +- {math.Copysign(0, -1), " -0 "}, +- {"", `""`}, +- {"foo", `"foo"`}, ++ {uint64(1)<<53 + 1, " 9007199254740993 ", false}, ++ {float32(1.0), " 1 ", false}, ++ {float32(-1.0), " -1 ", false}, ++ {float32(0.5), " 0.5 ", false}, ++ {float32(-0.5), " -0.5 ", false}, ++ {float32(1.0) / float32(256), " 0.00390625 ", false}, ++ {float32(0), " 0 ", false}, ++ {math.Copysign(0, -1), " -0 ", false}, ++ {float64(1.0), " 1 ", false}, ++ {float64(-1.0), " -1 ", false}, ++ {float64(0.5), " 0.5 ", false}, ++ {float64(-0.5), " -0.5 ", false}, ++ {float64(0), " 0 ", false}, ++ {math.Copysign(0, -1), " -0 ", false}, ++ {"", `""`, false}, ++ {"foo", `"foo"`, false}, + // Newlines. +- {"\r\n\u2028\u2029", `"\r\n\u2028\u2029"`}, ++ {"\r\n\u2028\u2029", `"\r\n\u2028\u2029"`, false}, + // "\v" == "v" on IE 6 so use "\u000b" instead. +- {"\t\x0b", `"\t\u000b"`}, +- {struct{ X, Y int }{1, 2}, `{"X":1,"Y":2}`}, +- {[]any{}, "[]"}, +- {[]any{42, "foo", nil}, `[42,"foo",null]`}, +- {[]string{""}, `["\u003c!--","\u003c/script\u003e","--\u003e"]`}, +- {"", `"--\u003e"`}, +- {"", `"]]\u003e"`}, +- {"", "-->"}, `["\u003c!--","\u003c/script\u003e","--\u003e"]`, false}, ++ {"", `"--\u003e"`, false}, ++ {"", `"]]\u003e"`, false}, ++ {" +Date: Tue, 16 Jan 2024 15:37:52 -0800 +Subject: [PATCH 3/4] [release-branch.go1.21] net/textproto, mime/multipart: + avoid unbounded read in MIME header + +mime/multipart.Reader.ReadForm allows specifying the maximum amount +of memory that will be consumed by the form. While this limit is +correctly applied to the parsed form data structure, it was not +being applied to individual header lines in a form. + +For example, when presented with a form containing a header line +that never ends, ReadForm will continue to read the line until it +runs out of memory. + +Limit the amount of data consumed when reading a header. + +Fixes CVE-2023-45290 +Fixes #65389 +For #65383 + +Change-Id: I7f9264d25752009e95f6b2c80e3d76aaf321d658 +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2134435 +Reviewed-by: Roland Shoemaker +Reviewed-by: Tatiana Bradley +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2173776 +Reviewed-by: Carlos Amedee +Reviewed-on: https://go-review.googlesource.com/c/go/+/569240 +Auto-Submit: Michael Knyszek +LUCI-TryBot-Result: Go LUCI +Reviewed-by: Carlos Amedee +--- + src/mime/multipart/formdata_test.go | 42 +++++++++++++++++++++++++ + src/net/textproto/reader.go | 48 ++++++++++++++++++++--------- + src/net/textproto/reader_test.go | 12 ++++++++ + 3 files changed, 87 insertions(+), 15 deletions(-) + +diff --git a/src/mime/multipart/formdata_test.go b/src/mime/multipart/formdata_test.go +index d422729c96a..bfa9f683825 100644 +--- a/src/mime/multipart/formdata_test.go ++++ b/src/mime/multipart/formdata_test.go +@@ -452,6 +452,48 @@ func TestReadFormLimits(t *testing.T) { + } + } + ++func TestReadFormEndlessHeaderLine(t *testing.T) { ++ for _, test := range []struct { ++ name string ++ prefix string ++ }{{ ++ name: "name", ++ prefix: "X-", ++ }, { ++ name: "value", ++ prefix: "X-Header: ", ++ }, { ++ name: "continuation", ++ prefix: "X-Header: foo\r\n ", ++ }} { ++ t.Run(test.name, func(t *testing.T) { ++ const eol = "\r\n" ++ s := `--boundary` + eol ++ s += `Content-Disposition: form-data; name="a"` + eol ++ s += `Content-Type: text/plain` + eol ++ s += test.prefix ++ fr := io.MultiReader( ++ strings.NewReader(s), ++ neverendingReader('X'), ++ ) ++ r := NewReader(fr, "boundary") ++ _, err := r.ReadForm(1 << 20) ++ if err != ErrMessageTooLarge { ++ t.Fatalf("ReadForm(1 << 20): %v, want ErrMessageTooLarge", err) ++ } ++ }) ++ } ++} ++ ++type neverendingReader byte ++ ++func (r neverendingReader) Read(p []byte) (n int, err error) { ++ for i := range p { ++ p[i] = byte(r) ++ } ++ return len(p), nil ++} ++ + func BenchmarkReadForm(b *testing.B) { + for _, test := range []struct { + name string +diff --git a/src/net/textproto/reader.go b/src/net/textproto/reader.go +index fc2590b1cdc..fcd1a011ac7 100644 +--- a/src/net/textproto/reader.go ++++ b/src/net/textproto/reader.go +@@ -16,6 +16,10 @@ import ( + "sync" + ) + ++// TODO: This should be a distinguishable error (ErrMessageTooLarge) ++// to allow mime/multipart to detect it. ++var errMessageTooLarge = errors.New("message too large") ++ + // A Reader implements convenience methods for reading requests + // or responses from a text protocol network connection. + type Reader struct { +@@ -36,20 +40,23 @@ func NewReader(r *bufio.Reader) *Reader { + // ReadLine reads a single line from r, + // eliding the final \n or \r\n from the returned string. + func (r *Reader) ReadLine() (string, error) { +- line, err := r.readLineSlice() ++ line, err := r.readLineSlice(-1) + return string(line), err + } + + // ReadLineBytes is like ReadLine but returns a []byte instead of a string. + func (r *Reader) ReadLineBytes() ([]byte, error) { +- line, err := r.readLineSlice() ++ line, err := r.readLineSlice(-1) + if line != nil { + line = bytes.Clone(line) + } + return line, err + } + +-func (r *Reader) readLineSlice() ([]byte, error) { ++// readLineSlice reads a single line from r, ++// up to lim bytes long (or unlimited if lim is less than 0), ++// eliding the final \r or \r\n from the returned string. ++func (r *Reader) readLineSlice(lim int64) ([]byte, error) { + r.closeDot() + var line []byte + for { +@@ -57,6 +64,9 @@ func (r *Reader) readLineSlice() ([]byte, error) { + if err != nil { + return nil, err + } ++ if lim >= 0 && int64(len(line))+int64(len(l)) > lim { ++ return nil, errMessageTooLarge ++ } + // Avoid the copy if the first call produced a full line. + if line == nil && !more { + return l, nil +@@ -88,7 +98,7 @@ func (r *Reader) readLineSlice() ([]byte, error) { + // + // Empty lines are never continued. + func (r *Reader) ReadContinuedLine() (string, error) { +- line, err := r.readContinuedLineSlice(noValidation) ++ line, err := r.readContinuedLineSlice(-1, noValidation) + return string(line), err + } + +@@ -109,7 +119,7 @@ func trim(s []byte) []byte { + // ReadContinuedLineBytes is like ReadContinuedLine but + // returns a []byte instead of a string. + func (r *Reader) ReadContinuedLineBytes() ([]byte, error) { +- line, err := r.readContinuedLineSlice(noValidation) ++ line, err := r.readContinuedLineSlice(-1, noValidation) + if line != nil { + line = bytes.Clone(line) + } +@@ -120,13 +130,14 @@ func (r *Reader) ReadContinuedLineBytes() ([]byte, error) { + // returning a byte slice with all lines. The validateFirstLine function + // is run on the first read line, and if it returns an error then this + // error is returned from readContinuedLineSlice. +-func (r *Reader) readContinuedLineSlice(validateFirstLine func([]byte) error) ([]byte, error) { ++// It reads up to lim bytes of data (or unlimited if lim is less than 0). ++func (r *Reader) readContinuedLineSlice(lim int64, validateFirstLine func([]byte) error) ([]byte, error) { + if validateFirstLine == nil { + return nil, fmt.Errorf("missing validateFirstLine func") + } + + // Read the first line. +- line, err := r.readLineSlice() ++ line, err := r.readLineSlice(lim) + if err != nil { + return nil, err + } +@@ -154,13 +165,21 @@ func (r *Reader) readContinuedLineSlice(validateFirstLine func([]byte) error) ([ + // copy the slice into buf. + r.buf = append(r.buf[:0], trim(line)...) + ++ if lim < 0 { ++ lim = math.MaxInt64 ++ } ++ lim -= int64(len(r.buf)) ++ + // Read continuation lines. + for r.skipSpace() > 0 { +- line, err := r.readLineSlice() ++ r.buf = append(r.buf, ' ') ++ if int64(len(r.buf)) >= lim { ++ return nil, errMessageTooLarge ++ } ++ line, err := r.readLineSlice(lim - int64(len(r.buf))) + if err != nil { + break + } +- r.buf = append(r.buf, ' ') + r.buf = append(r.buf, trim(line)...) + } + return r.buf, nil +@@ -507,7 +526,8 @@ func readMIMEHeader(r *Reader, maxMemory, maxHeaders int64) (MIMEHeader, error) + + // The first line cannot start with a leading space. + if buf, err := r.R.Peek(1); err == nil && (buf[0] == ' ' || buf[0] == '\t') { +- line, err := r.readLineSlice() ++ const errorLimit = 80 // arbitrary limit on how much of the line we'll quote ++ line, err := r.readLineSlice(errorLimit) + if err != nil { + return m, err + } +@@ -515,7 +535,7 @@ func readMIMEHeader(r *Reader, maxMemory, maxHeaders int64) (MIMEHeader, error) + } + + for { +- kv, err := r.readContinuedLineSlice(mustHaveFieldNameColon) ++ kv, err := r.readContinuedLineSlice(maxMemory, mustHaveFieldNameColon) + if len(kv) == 0 { + return m, err + } +@@ -544,7 +564,7 @@ func readMIMEHeader(r *Reader, maxMemory, maxHeaders int64) (MIMEHeader, error) + + maxHeaders-- + if maxHeaders < 0 { +- return nil, errors.New("message too large") ++ return nil, errMessageTooLarge + } + + // Skip initial spaces in value. +@@ -557,9 +577,7 @@ func readMIMEHeader(r *Reader, maxMemory, maxHeaders int64) (MIMEHeader, error) + } + maxMemory -= int64(len(value)) + if maxMemory < 0 { +- // TODO: This should be a distinguishable error (ErrMessageTooLarge) +- // to allow mime/multipart to detect it. +- return m, errors.New("message too large") ++ return m, errMessageTooLarge + } + if vv == nil && len(strs) > 0 { + // More than likely this will be a single-element key. +diff --git a/src/net/textproto/reader_test.go b/src/net/textproto/reader_test.go +index 696ae406f38..26ff617470b 100644 +--- a/src/net/textproto/reader_test.go ++++ b/src/net/textproto/reader_test.go +@@ -36,6 +36,18 @@ func TestReadLine(t *testing.T) { + } + } + ++func TestReadLineLongLine(t *testing.T) { ++ line := strings.Repeat("12345", 10000) ++ r := reader(line + "\r\n") ++ s, err := r.ReadLine() ++ if err != nil { ++ t.Fatalf("Line 1: %v", err) ++ } ++ if s != line { ++ t.Fatalf("%v-byte line does not match expected %v-byte line", len(s), len(line)) ++ } ++} ++ + func TestReadContinuedLine(t *testing.T) { + r := reader("line1\nline\n 2\nline3\n") + s, err := r.ReadContinuedLine() +-- +2.33.0 + diff --git a/backport-0004-release-branch.go1.21-net-http-net-http-cookiejar-av.patch b/backport-0004-release-branch.go1.21-net-http-net-http-cookiejar-av.patch new file mode 100644 index 0000000..db25f1e --- /dev/null +++ b/backport-0004-release-branch.go1.21-net-http-net-http-cookiejar-av.patch @@ -0,0 +1,117 @@ +From 6021dca711926c32959c2dc4c2a68c9494e9a4fc Mon Sep 17 00:00:00 2001 +From: Damien Neil +Date: Thu, 11 Jan 2024 11:31:57 -0800 +Subject: [PATCH 4/4] [release-branch.go1.21] net/http, net/http/cookiejar: + avoid subdomain matches on IPv6 zones + +When deciding whether to forward cookies or sensitive headers +across a redirect, do not attempt to interpret an IPv6 address +as a domain name. + +Avoids a case where a maliciously-crafted redirect to an +IPv6 address with a scoped addressing zone could be +misinterpreted as a within-domain redirect. For example, +we could interpret "::1%.www.example.com" as a subdomain +of "www.example.com". + +Thanks to Juho Nurminen of Mattermost for reporting this issue. + +Fixes CVE-2023-45289 +Fixes #65385 +For #65065 + +Change-Id: I8f463f59f0e700c8a18733d2b264a8bcb3a19599 +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2131938 +Reviewed-by: Tatiana Bradley +Reviewed-by: Roland Shoemaker +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2173775 +Reviewed-by: Carlos Amedee +Reviewed-on: https://go-review.googlesource.com/c/go/+/569239 +Reviewed-by: Carlos Amedee +Auto-Submit: Michael Knyszek +TryBot-Bypass: Michael Knyszek +--- + src/net/http/client.go | 6 ++++++ + src/net/http/client_test.go | 1 + + src/net/http/cookiejar/jar.go | 7 +++++++ + src/net/http/cookiejar/jar_test.go | 10 ++++++++++ + 4 files changed, 24 insertions(+) + +diff --git a/src/net/http/client.go b/src/net/http/client.go +index 2cab53a585a..77a701b8061 100644 +--- a/src/net/http/client.go ++++ b/src/net/http/client.go +@@ -1014,6 +1014,12 @@ func isDomainOrSubdomain(sub, parent string) bool { + if sub == parent { + return true + } ++ // If sub contains a :, it's probably an IPv6 address (and is definitely not a hostname). ++ // Don't check the suffix in this case, to avoid matching the contents of a IPv6 zone. ++ // For example, "::1%.www.example.com" is not a subdomain of "www.example.com". ++ if strings.ContainsAny(sub, ":%") { ++ return false ++ } + // If sub is "foo.example.com" and parent is "example.com", + // that means sub must end in "."+parent. + // Do it without allocating. +diff --git a/src/net/http/client_test.go b/src/net/http/client_test.go +index 0fe555af38f..fc1d7916124 100644 +--- a/src/net/http/client_test.go ++++ b/src/net/http/client_test.go +@@ -1725,6 +1725,7 @@ func TestShouldCopyHeaderOnRedirect(t *testing.T) { + {"authorization", "http://foo.com/", "https://foo.com/", true}, + {"authorization", "http://foo.com:1234/", "http://foo.com:4321/", true}, + {"www-authenticate", "http://foo.com/", "http://bar.com/", false}, ++ {"authorization", "http://foo.com/", "http://[::1%25.foo.com]/", false}, + + // But subdomains should work: + {"www-authenticate", "http://foo.com/", "http://foo.com/", true}, +diff --git a/src/net/http/cookiejar/jar.go b/src/net/http/cookiejar/jar.go +index 273b54c84c7..4b16266057b 100644 +--- a/src/net/http/cookiejar/jar.go ++++ b/src/net/http/cookiejar/jar.go +@@ -362,6 +362,13 @@ func jarKey(host string, psl PublicSuffixList) string { + + // isIP reports whether host is an IP address. + func isIP(host string) bool { ++ if strings.ContainsAny(host, ":%") { ++ // Probable IPv6 address. ++ // Hostnames can't contain : or %, so this is definitely not a valid host. ++ // Treating it as an IP is the more conservative option, and avoids the risk ++ // of interpeting ::1%.www.example.com as a subtomain of www.example.com. ++ return true ++ } + return net.ParseIP(host) != nil + } + +diff --git a/src/net/http/cookiejar/jar_test.go b/src/net/http/cookiejar/jar_test.go +index 56d0695a660..251f7c16171 100644 +--- a/src/net/http/cookiejar/jar_test.go ++++ b/src/net/http/cookiejar/jar_test.go +@@ -252,6 +252,7 @@ var isIPTests = map[string]bool{ + "127.0.0.1": true, + "1.2.3.4": true, + "2001:4860:0:2001::68": true, ++ "::1%zone": true, + "example.com": false, + "1.1.1.300": false, + "www.foo.bar.net": false, +@@ -629,6 +630,15 @@ var basicsTests = [...]jarTest{ + {"http://www.host.test:1234/", "a=1"}, + }, + }, ++ { ++ "IPv6 zone is not treated as a host.", ++ "https://example.com/", ++ []string{"a=1"}, ++ "a=1", ++ []query{ ++ {"https://[::1%25.example.com]:80/", ""}, ++ }, ++ }, + } + + func TestBasics(t *testing.T) { +-- +2.33.0 + diff --git a/golang.spec b/golang.spec index 2a6e4ca..b1affa4 100644 --- a/golang.spec +++ b/golang.spec @@ -63,7 +63,7 @@ Name: golang Version: 1.21.4 -Release: 2 +Release: 3 Summary: The Go Programming Language License: BSD and Public Domain URL: https://golang.org/ @@ -354,6 +354,9 @@ fi %files devel -f go-tests.list -f go-misc.list -f go-src.list %changelog +* Fri Mar 15 2024 hanchao - 1.21.4-3 +- fix CVE-2024-24783,CVE-2024-24785,CVE-2023-45290,CVE-2023-45289 + * Wed Dec 13 2023 jiahua.yu - 1.21.4-2 - init support for arch ppc64le -- Gitee From ab448e9c4c9ac0f334fd4fc519e73c193597fcc8 Mon Sep 17 00:00:00 2001 From: zhangwenlong01 Date: Wed, 27 Mar 2024 09:49:20 +0000 Subject: [PATCH 2/7] fix build error for loongarch64 Signed-off-by: zhangwenlong01 --- golang.spec | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/golang.spec b/golang.spec index b1affa4..fd6d64e 100644 --- a/golang.spec +++ b/golang.spec @@ -60,10 +60,13 @@ %ifarch ppc64le %global gohostarch ppc64le %endif +%ifarch loongarch64 +%global gohostarch loong64 +%endif Name: golang Version: 1.21.4 -Release: 3 +Release: 4 Summary: The Go Programming Language License: BSD and Public Domain URL: https://golang.org/ @@ -354,6 +357,9 @@ fi %files devel -f go-tests.list -f go-misc.list -f go-src.list %changelog +* Tue Mar 26 2024 Wenlong Zhang - 1.21.4-4 +- fix build error for loongarch64 + * Fri Mar 15 2024 hanchao - 1.21.4-3 - fix CVE-2024-24783,CVE-2024-24785,CVE-2023-45290,CVE-2023-45289 -- Gitee From eefcccadf309e788e130c5bda7227f189f8fc6c1 Mon Sep 17 00:00:00 2001 From: hanchao Date: Thu, 28 Mar 2024 01:24:36 +0800 Subject: [PATCH 3/7] bugfix: enabling the patching function --- golang.spec | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/golang.spec b/golang.spec index fd6d64e..c9a24a2 100644 --- a/golang.spec +++ b/golang.spec @@ -66,7 +66,7 @@ Name: golang Version: 1.21.4 -Release: 4 +Release: 5 Summary: The Go Programming Language License: BSD and Public Domain URL: https://golang.org/ @@ -120,6 +120,11 @@ Obsoletes: %{name}-vim < 1.4 Obsoletes: emacs-%{name} < 1.4 Requires: %{vendor}-rpm-config +Patch6001: backport-0001-release-branch.go1.21-crypto-x509-make-sure-pub-key-.patch +Patch6002: backport-0002-release-branch.go1.21-html-template-escape-additiona.patch +Patch6003: backport-0003-release-branch.go1.21-net-textproto-mime-multipart-a.patch +Patch6004: backport-0004-release-branch.go1.21-net-http-net-http-cookiejar-av.patch + ExclusiveArch: %{golang_arches} %description @@ -312,7 +317,7 @@ export GO_TEST_TIMEOUT_SCALE=2 %if %{fail_on_tests} echo tests ignored %else -./run.bash --no-rebuild -v -v -v -k go_test:testing || : +./run.bash --no-rebuild -v -k -run='!(cmd/go|go/build|cmd/internal/testdir|cmd/link|cmd/nm|cmd/cgo/internal/testlife|cmd/cgo/internal/teststdio|cmd/cgo/internal/testerrors|tyepparams|race|flag|cgo_stdio|cgo_life|cgo_errors|test:0_1|api)' %endif cd .. @@ -357,6 +362,9 @@ fi %files devel -f go-tests.list -f go-misc.list -f go-src.list %changelog +* Thu Mar 28 2024 hanchao - 1.21.4-5 +- enabling the patches + * Tue Mar 26 2024 Wenlong Zhang - 1.21.4-4 - fix build error for loongarch64 -- Gitee From c6082fce4350c4a1886779f1c4a34a039266b850 Mon Sep 17 00:00:00 2001 From: hanchao Date: Thu, 28 Mar 2024 17:52:54 +0800 Subject: [PATCH 4/7] backport: fix CVE-2024-24784 --- ...o1.21-net-mail-properly-handle-speci.patch | 204 ++++++++++++++++++ golang.spec | 6 +- 2 files changed, 209 insertions(+), 1 deletion(-) create mode 100644 backport-0005-release-branch.go1.21-net-mail-properly-handle-speci.patch diff --git a/backport-0005-release-branch.go1.21-net-mail-properly-handle-speci.patch b/backport-0005-release-branch.go1.21-net-mail-properly-handle-speci.patch new file mode 100644 index 0000000..fc7b26c --- /dev/null +++ b/backport-0005-release-branch.go1.21-net-mail-properly-handle-speci.patch @@ -0,0 +1,204 @@ +From 11c0f19796e30484848a6c9c469364c0841c17ef Mon Sep 17 00:00:00 2001 +From: Roland Shoemaker +Date: Wed, 10 Jan 2024 11:02:14 -0800 +Subject: [PATCH] [release-branch.go1.21] net/mail: properly handle special + characters in phrase and obs-phrase + +Fixes a couple of misalignments with RFC 5322 which introduce +significant diffs between (mostly) conformant parsers. + +This change reverts the changes made in CL50911, which allowed certain +special RFC 5322 characters to appear unquoted in the "phrase" syntax. +It is unclear why this change was made in the first place, and created +a divergence from comformant parsers. In particular this resulted in +treating comments in display names incorrectly. + +Additionally properly handle trailing malformed comments in the group +syntax. + +For #65083 +Fixes #65848 + +Change-Id: I00dddc044c6ae3381154e43236632604c390f672 +Reviewed-on: https://go-review.googlesource.com/c/go/+/555596 +Reviewed-by: Damien Neil +LUCI-TryBot-Result: Go LUCI +Reviewed-on: https://go-review.googlesource.com/c/go/+/566195 +Reviewed-by: Carlos Amedee +--- + src/net/mail/message.go | 30 +++++++++++++++------------ + src/net/mail/message_test.go | 40 ++++++++++++++++++++++++++---------- + 2 files changed, 46 insertions(+), 24 deletions(-) + +diff --git a/src/net/mail/message.go b/src/net/mail/message.go +index af516fc30f..fc2a9e46f8 100644 +--- a/src/net/mail/message.go ++++ b/src/net/mail/message.go +@@ -280,7 +280,7 @@ func (a *Address) String() string { + // Add quotes if needed + quoteLocal := false + for i, r := range local { +- if isAtext(r, false, false) { ++ if isAtext(r, false) { + continue + } + if r == '.' { +@@ -444,7 +444,7 @@ func (p *addrParser) parseAddress(handleGroup bool) ([]*Address, error) { + if !p.consume('<') { + atext := true + for _, r := range displayName { +- if !isAtext(r, true, false) { ++ if !isAtext(r, true) { + atext = false + break + } +@@ -479,7 +479,9 @@ func (p *addrParser) consumeGroupList() ([]*Address, error) { + // handle empty group. + p.skipSpace() + if p.consume(';') { +- p.skipCFWS() ++ if !p.skipCFWS() { ++ return nil, errors.New("mail: misformatted parenthetical comment") ++ } + return group, nil + } + +@@ -496,7 +498,9 @@ func (p *addrParser) consumeGroupList() ([]*Address, error) { + return nil, errors.New("mail: misformatted parenthetical comment") + } + if p.consume(';') { +- p.skipCFWS() ++ if !p.skipCFWS() { ++ return nil, errors.New("mail: misformatted parenthetical comment") ++ } + break + } + if !p.consume(',') { +@@ -566,6 +570,12 @@ func (p *addrParser) consumePhrase() (phrase string, err error) { + var words []string + var isPrevEncoded bool + for { ++ // obs-phrase allows CFWS after one word ++ if len(words) > 0 { ++ if !p.skipCFWS() { ++ return "", errors.New("mail: misformatted parenthetical comment") ++ } ++ } + // word = atom / quoted-string + var word string + p.skipSpace() +@@ -661,7 +671,6 @@ Loop: + // If dot is true, consumeAtom parses an RFC 5322 dot-atom instead. + // If permissive is true, consumeAtom will not fail on: + // - leading/trailing/double dots in the atom (see golang.org/issue/4938) +-// - special characters (RFC 5322 3.2.3) except '<', '>', ':' and '"' (see golang.org/issue/21018) + func (p *addrParser) consumeAtom(dot bool, permissive bool) (atom string, err error) { + i := 0 + +@@ -672,7 +681,7 @@ Loop: + case size == 1 && r == utf8.RuneError: + return "", fmt.Errorf("mail: invalid utf-8 in address: %q", p.s) + +- case size == 0 || !isAtext(r, dot, permissive): ++ case size == 0 || !isAtext(r, dot): + break Loop + + default: +@@ -850,18 +859,13 @@ func (e charsetError) Error() string { + + // isAtext reports whether r is an RFC 5322 atext character. + // If dot is true, period is included. +-// If permissive is true, RFC 5322 3.2.3 specials is included, +-// except '<', '>', ':' and '"'. +-func isAtext(r rune, dot, permissive bool) bool { ++func isAtext(r rune, dot bool) bool { + switch r { + case '.': + return dot + + // RFC 5322 3.2.3. specials +- case '(', ')', '[', ']', ';', '@', '\\', ',': +- return permissive +- +- case '<', '>', '"', ':': ++ case '(', ')', '<', '>', '[', ']', ':', ';', '@', '\\', ',', '"': // RFC 5322 3.2.3. specials + return false + } + return isVchar(r) +diff --git a/src/net/mail/message_test.go b/src/net/mail/message_test.go +index 1e1bb4092f..1f2f62afbf 100644 +--- a/src/net/mail/message_test.go ++++ b/src/net/mail/message_test.go +@@ -385,8 +385,11 @@ func TestAddressParsingError(t *testing.T) { + 13: {"group not closed: null@example.com", "expected comma"}, + 14: {"group: first@example.com, second@example.com;", "group with multiple addresses"}, + 15: {"john.doe", "missing '@' or angle-addr"}, +- 16: {"john.doe@", "no angle-addr"}, ++ 16: {"john.doe@", "missing '@' or angle-addr"}, + 17: {"John Doe@foo.bar", "no angle-addr"}, ++ 18: {" group: null@example.com; (asd", "misformatted parenthetical comment"}, ++ 19: {" group: ; (asd", "misformatted parenthetical comment"}, ++ 20: {`(John) Doe `, "missing word in phrase:"}, + } + + for i, tc := range mustErrTestCases { +@@ -436,24 +439,19 @@ func TestAddressParsing(t *testing.T) { + Address: "john.q.public@example.com", + }}, + }, +- { +- `"John (middle) Doe" `, +- []*Address{{ +- Name: "John (middle) Doe", +- Address: "jdoe@machine.example", +- }}, +- }, ++ // Comment in display name + { + `John (middle) Doe `, + []*Address{{ +- Name: "John (middle) Doe", ++ Name: "John Doe", + Address: "jdoe@machine.example", + }}, + }, ++ // Display name is quoted string, so comment is not a comment + { +- `John !@M@! Doe `, ++ `"John (middle) Doe" `, + []*Address{{ +- Name: "John !@M@! Doe", ++ Name: "John (middle) Doe", + Address: "jdoe@machine.example", + }}, + }, +@@ -788,6 +786,26 @@ func TestAddressParsing(t *testing.T) { + }, + }, + }, ++ // Comment in group display name ++ { ++ `group (comment:): a@example.com, b@example.com;`, ++ []*Address{ ++ { ++ Address: "a@example.com", ++ }, ++ { ++ Address: "b@example.com", ++ }, ++ }, ++ }, ++ { ++ `x(:"):"@a.example;("@b.example;`, ++ []*Address{ ++ { ++ Address: `@a.example;(@b.example`, ++ }, ++ }, ++ }, + } + for _, test := range tests { + if len(test.exp) == 1 { +-- +2.33.0 + diff --git a/golang.spec b/golang.spec index c9a24a2..00bf64b 100644 --- a/golang.spec +++ b/golang.spec @@ -66,7 +66,7 @@ Name: golang Version: 1.21.4 -Release: 5 +Release: 6 Summary: The Go Programming Language License: BSD and Public Domain URL: https://golang.org/ @@ -124,6 +124,7 @@ Patch6001: backport-0001-release-branch.go1.21-crypto-x509-make-sure-pub-key-.pa Patch6002: backport-0002-release-branch.go1.21-html-template-escape-additiona.patch Patch6003: backport-0003-release-branch.go1.21-net-textproto-mime-multipart-a.patch Patch6004: backport-0004-release-branch.go1.21-net-http-net-http-cookiejar-av.patch +Patch6005: backport-0005-release-branch.go1.21-net-mail-properly-handle-speci.patch ExclusiveArch: %{golang_arches} @@ -362,6 +363,9 @@ fi %files devel -f go-tests.list -f go-misc.list -f go-src.list %changelog +* Thu Mar 28 2024 hanchao - 1.21.4-6 +- fix CVE-2024-24784 + * Thu Mar 28 2024 hanchao - 1.21.4-5 - enabling the patches -- Gitee From 7e1ae283dedcab38fc23e5bb7fb52c0562f4f481 Mon Sep 17 00:00:00 2001 From: hanchao Date: Tue, 16 Apr 2024 21:40:09 +0800 Subject: [PATCH 5/7] backport: fix CVE-2023-45288 --- ...p-update-bundled-golang.org-x-net-ht.patch | 82 +++++++++++++++++++ golang.spec | 6 +- 2 files changed, 87 insertions(+), 1 deletion(-) create mode 100644 backport-0006-Backport-net-http-update-bundled-golang.org-x-net-ht.patch diff --git a/backport-0006-Backport-net-http-update-bundled-golang.org-x-net-ht.patch b/backport-0006-Backport-net-http-update-bundled-golang.org-x-net-ht.patch new file mode 100644 index 0000000..ab4dfb2 --- /dev/null +++ b/backport-0006-Backport-net-http-update-bundled-golang.org-x-net-ht.patch @@ -0,0 +1,82 @@ +From a65a2b54e18a7e269bff32526b4180ece22e9aa6 Mon Sep 17 00:00:00 2001 +From: Damien Neil +Date: Thu, 28 Mar 2024 16:57:51 -0700 +Subject: [PATCH] [Backport] net/http: update bundled golang.org/x/net/http2 + +Offering: Cloud Core Network +CVE: CVE-2023-45288 +Reference: https://go-review.googlesource.com/c/go/+/576076 + +Disable cmd/internal/moddeps test, since this update includes PRIVATE +track fixes. + +Fixes CVE-2023-45288 +For #65051 +Fixes #66298 + +Change-Id: I5bbf774ebe7651e4bb7e55139d3794bd2b8e8fa8 +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2197227 +Reviewed-by: Tatiana Bradley +Run-TryBot: Damien Neil +Reviewed-by: Dmitri Shuralyov +Reviewed-on: https://go-review.googlesource.com/c/go/+/576076 +Auto-Submit: Dmitri Shuralyov +TryBot-Bypass: Dmitri Shuralyov +Reviewed-by: Than McIntosh +Signed-off-by: Ma Chang Wang machangwang@huawei.com +--- + src/net/http/h2_bundle.go | 31 +++++++++++++++++++++++++++++++ + 1 file changed, 31 insertions(+) + +diff --git a/src/net/http/h2_bundle.go b/src/net/http/h2_bundle.go +index dd59e1f4f2..cd95f84269 100644 +--- a/src/net/http/h2_bundle.go ++++ b/src/net/http/h2_bundle.go +@@ -2966,6 +2966,7 @@ func (fr *http2Framer) readMetaFrame(hf *http2HeadersFrame) (*http2MetaHeadersFr + if size > remainSize { + hdec.SetEmitEnabled(false) + mh.Truncated = true ++ remainSize = 0 + return + } + remainSize -= size +@@ -2978,6 +2979,36 @@ func (fr *http2Framer) readMetaFrame(hf *http2HeadersFrame) (*http2MetaHeadersFr + var hc http2headersOrContinuation = hf + for { + frag := hc.HeaderBlockFragment() ++ ++ // Avoid parsing large amounts of headers that we will then discard. ++ // If the sender exceeds the max header list size by too much, ++ // skip parsing the fragment and close the connection. ++ // ++ // "Too much" is either any CONTINUATION frame after we've already ++ // exceeded the max header list size (in which case remainSize is 0), ++ // or a frame whose encoded size is more than twice the remaining ++ // header list bytes we're willing to accept. ++ if int64(len(frag)) > int64(2*remainSize) { ++ if http2VerboseLogs { ++ log.Printf("http2: header list too large") ++ } ++ // It would be nice to send a RST_STREAM before sending the GOAWAY, ++ // but the struture of the server's frame writer makes this difficult. ++ return nil, http2ConnectionError(http2ErrCodeProtocol) ++ } ++ ++ // Also close the connection after any CONTINUATION frame following an ++ // invalid header, since we stop tracking the size of the headers after ++ // an invalid one. ++ if invalid != nil { ++ if http2VerboseLogs { ++ log.Printf("http2: invalid header: %v", invalid) ++ } ++ // It would be nice to send a RST_STREAM before sending the GOAWAY, ++ // but the struture of the server's frame writer makes this difficult. ++ return nil, http2ConnectionError(http2ErrCodeProtocol) ++ } ++ + if _, err := hdec.Write(frag); err != nil { + return nil, http2ConnectionError(http2ErrCodeCompression) + } +-- +2.33.0 + diff --git a/golang.spec b/golang.spec index 00bf64b..01f72aa 100644 --- a/golang.spec +++ b/golang.spec @@ -66,7 +66,7 @@ Name: golang Version: 1.21.4 -Release: 6 +Release: 7 Summary: The Go Programming Language License: BSD and Public Domain URL: https://golang.org/ @@ -125,6 +125,7 @@ Patch6002: backport-0002-release-branch.go1.21-html-template-escape-additiona.pa Patch6003: backport-0003-release-branch.go1.21-net-textproto-mime-multipart-a.patch Patch6004: backport-0004-release-branch.go1.21-net-http-net-http-cookiejar-av.patch Patch6005: backport-0005-release-branch.go1.21-net-mail-properly-handle-speci.patch +Patch6006: backport-0006-Backport-net-http-update-bundled-golang.org-x-net-ht.patch ExclusiveArch: %{golang_arches} @@ -363,6 +364,9 @@ fi %files devel -f go-tests.list -f go-misc.list -f go-src.list %changelog +* Thu Apr 16 2024 hanchao - 1.21.4-7 +- fix CVE-2023-45288 + * Thu Mar 28 2024 hanchao - 1.21.4-6 - fix CVE-2024-24784 -- Gitee From b371d7393739e28dfa39b18263a74f1088f373d9 Mon Sep 17 00:00:00 2001 From: Huang Yang Date: Thu, 18 Apr 2024 08:20:46 +0000 Subject: [PATCH 6/7] enable external_linker and cgo on loongarch64 --- golang.spec | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/golang.spec b/golang.spec index 01f72aa..d214f53 100644 --- a/golang.spec +++ b/golang.spec @@ -12,19 +12,19 @@ %define __find_requires %{nil} %bcond_with bootstrap -%ifarch x86_64 aarch64 riscv64 ppc64le +%ifarch x86_64 aarch64 riscv64 loongarch64 ppc64le %bcond_without ignore_tests %else %bcond_with ignore_tests %endif -%ifarch x86_64 aarch64 riscv64 ppc64le +%ifarch x86_64 aarch64 riscv64 loongarch64 ppc64le %global external_linker 1 %else %global external_linker 0 %endif -%ifarch x86_64 aarch64 riscv64 ppc64le +%ifarch x86_64 aarch64 riscv64 loongarch64 ppc64le %global cgo_enabled 1 %else %global cgo_enabled 0 @@ -66,7 +66,7 @@ Name: golang Version: 1.21.4 -Release: 7 +Release: 8 Summary: The Go Programming Language License: BSD and Public Domain URL: https://golang.org/ @@ -364,7 +364,10 @@ fi %files devel -f go-tests.list -f go-misc.list -f go-src.list %changelog -* Thu Apr 16 2024 hanchao - 1.21.4-7 +* Thu Apr 18 2024 Huang Yang - 1.21.4-8 +- enable external_linker and cgo on loongarch64 + +* Tue Apr 16 2024 hanchao - 1.21.4-7 - fix CVE-2023-45288 * Thu Mar 28 2024 hanchao - 1.21.4-6 -- Gitee From 9f5aff2a9b704ff5c90088772adda3832abcc3f7 Mon Sep 17 00:00:00 2001 From: EulerOSWander <314264452@qq.com> Date: Sat, 25 May 2024 16:21:16 +0800 Subject: [PATCH 7/7] bugfix: fix CVE-2024-24787 --- ...d-go-disallow-lto_library-in-LDFLAGS.patch | 133 ++++++++++++++++++ golang.spec | 6 +- 2 files changed, 138 insertions(+), 1 deletion(-) create mode 100644 backport-0007-Backport-cmd-go-disallow-lto_library-in-LDFLAGS.patch diff --git a/backport-0007-Backport-cmd-go-disallow-lto_library-in-LDFLAGS.patch b/backport-0007-Backport-cmd-go-disallow-lto_library-in-LDFLAGS.patch new file mode 100644 index 0000000..b1c16a5 --- /dev/null +++ b/backport-0007-Backport-cmd-go-disallow-lto_library-in-LDFLAGS.patch @@ -0,0 +1,133 @@ +From 7edadbad6c5ba7db3c4ab6925369096dedcf8e0b Mon Sep 17 00:00:00 2001 +From: Roland Shoemaker +Date: Thu, 25 Apr 2024 13:09:54 -0700 +Subject: [PATCH] [Backport] cmd/go: disallow -lto_library in LDFLAGS +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Offering: Cloud Core Network +CVE: CVE-2024-24787 +Reference: https://go-review.googlesource.com/c/go/+/583796 + +The darwin linker allows setting the LTO library with the -lto_library +flag. This wasn't caught by our "safe linker flags" check because it +was covered by the -lx flag used for linking libraries. This change +adds a specific check for excluded flags which otherwise satisfy our +existing checks. + +Loading a mallicious LTO library would allow an attacker to cause the +linker to execute abritrary code when "go build" was called. + +Thanks to Juho Forsén of Mattermost for reporting this issue. + +Fixes #67119 +Fixes #67122 +Fixes CVE-2024-24787 + +Change-Id: I77ac8585efbdbdfd5f39c39ed623b9408a0f9eaf +Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1380 +Reviewed-by: Russ Cox +Reviewed-by: Damien Neil +(cherry picked from commit 9a79141fbbca1105e5c786f15e38741ca7843290) +Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1420 +Reviewed-by: Tatiana Bradley +Reviewed-on: https://go-review.googlesource.com/c/go/+/583796 +Reviewed-by: David Chase +LUCI-TryBot-Result: Go LUCI +Signed-off-by: Ma Chang Wang machangwang@huawei.com +--- + src/cmd/go/internal/work/security.go | 19 +++++++++++++++---- + .../script/darwin_lto_library_ldflag.txt | 17 +++++++++++++++++ + 2 files changed, 32 insertions(+), 4 deletions(-) + create mode 100644 src/cmd/go/testdata/script/darwin_lto_library_ldflag.txt + +diff --git a/src/cmd/go/internal/work/security.go b/src/cmd/go/internal/work/security.go +index 270a34e9c7..db49eb6488 100644 +--- a/src/cmd/go/internal/work/security.go ++++ b/src/cmd/go/internal/work/security.go +@@ -141,6 +141,12 @@ var validCompilerFlagsWithNextArg = []string{ + "-x", + } + ++var invalidLinkerFlags = []*lazyregexp.Regexp{ ++ // On macOS this means the linker loads and executes the next argument. ++ // Have to exclude separately because -lfoo is allowed in general. ++ re(`-lto_library`), ++} ++ + var validLinkerFlags = []*lazyregexp.Regexp{ + re(`-F([^@\-].*)`), + re(`-l([^@\-].*)`), +@@ -231,12 +237,12 @@ var validLinkerFlagsWithNextArg = []string{ + + func checkCompilerFlags(name, source string, list []string) error { + checkOverrides := true +- return checkFlags(name, source, list, validCompilerFlags, validCompilerFlagsWithNextArg, checkOverrides) ++ return checkFlags(name, source, list, nil, validCompilerFlags, validCompilerFlagsWithNextArg, checkOverrides) + } + + func checkLinkerFlags(name, source string, list []string) error { + checkOverrides := true +- return checkFlags(name, source, list, validLinkerFlags, validLinkerFlagsWithNextArg, checkOverrides) ++ return checkFlags(name, source, list, invalidLinkerFlags, validLinkerFlags, validLinkerFlagsWithNextArg, checkOverrides) + } + + // checkCompilerFlagsForInternalLink returns an error if 'list' +@@ -245,7 +251,7 @@ func checkLinkerFlags(name, source string, list []string) error { + // external linker). + func checkCompilerFlagsForInternalLink(name, source string, list []string) error { + checkOverrides := false +- if err := checkFlags(name, source, list, validCompilerFlags, validCompilerFlagsWithNextArg, checkOverrides); err != nil { ++ if err := checkFlags(name, source, list, nil, validCompilerFlags, validCompilerFlagsWithNextArg, checkOverrides); err != nil { + return err + } + // Currently the only flag on the allow list that causes problems +@@ -258,7 +264,7 @@ func checkCompilerFlagsForInternalLink(name, source string, list []string) error + return nil + } + +-func checkFlags(name, source string, list []string, valid []*lazyregexp.Regexp, validNext []string, checkOverrides bool) error { ++func checkFlags(name, source string, list []string, invalid, valid []*lazyregexp.Regexp, validNext []string, checkOverrides bool) error { + // Let users override rules with $CGO_CFLAGS_ALLOW, $CGO_CFLAGS_DISALLOW, etc. + var ( + allow *regexp.Regexp +@@ -290,6 +296,11 @@ Args: + if allow != nil && allow.FindString(arg) == arg { + continue Args + } ++ for _, re := range invalid { ++ if re.FindString(arg) == arg { // must be complete match ++ goto Bad ++ } ++ } + for _, re := range valid { + if re.FindString(arg) == arg { // must be complete match + continue Args +diff --git a/src/cmd/go/testdata/script/darwin_lto_library_ldflag.txt b/src/cmd/go/testdata/script/darwin_lto_library_ldflag.txt +new file mode 100644 +index 0000000000..d7acefdbad +--- /dev/null ++++ b/src/cmd/go/testdata/script/darwin_lto_library_ldflag.txt +@@ -0,0 +1,17 @@ ++[!GOOS:darwin] skip ++[!cgo] skip ++ ++! go build ++stderr 'invalid flag in #cgo LDFLAGS: -lto_library' ++ ++-- go.mod -- ++module ldflag ++ ++-- main.go -- ++package main ++ ++// #cgo CFLAGS: -flto ++// #cgo LDFLAGS: -lto_library bad.dylib ++import "C" ++ ++func main() {} +\ No newline at end of file +-- +2.33.0 + diff --git a/golang.spec b/golang.spec index d214f53..608127d 100644 --- a/golang.spec +++ b/golang.spec @@ -66,7 +66,7 @@ Name: golang Version: 1.21.4 -Release: 8 +Release: 9 Summary: The Go Programming Language License: BSD and Public Domain URL: https://golang.org/ @@ -126,6 +126,7 @@ Patch6003: backport-0003-release-branch.go1.21-net-textproto-mime-multipart-a.pa Patch6004: backport-0004-release-branch.go1.21-net-http-net-http-cookiejar-av.patch Patch6005: backport-0005-release-branch.go1.21-net-mail-properly-handle-speci.patch Patch6006: backport-0006-Backport-net-http-update-bundled-golang.org-x-net-ht.patch +Patch6007: backport-0007-Backport-cmd-go-disallow-lto_library-in-LDFLAGS.patch ExclusiveArch: %{golang_arches} @@ -364,6 +365,9 @@ fi %files devel -f go-tests.list -f go-misc.list -f go-src.list %changelog +* Thu May 23 2024 <314264452@qq.com> - 1.21.4-9 +- fix CVE-2024-24787 + * Thu Apr 18 2024 Huang Yang - 1.21.4-8 - enable external_linker and cgo on loongarch64 -- Gitee