diff --git a/backport-0007-Backport-cmd-go-disallow-lto_library-in-LDFLAGS.patch b/backport-0007-Backport-cmd-go-disallow-lto_library-in-LDFLAGS.patch new file mode 100644 index 0000000000000000000000000000000000000000..b1c16a57272a2bf324a3b7f41903651bea8b75bb --- /dev/null +++ b/backport-0007-Backport-cmd-go-disallow-lto_library-in-LDFLAGS.patch @@ -0,0 +1,133 @@ +From 7edadbad6c5ba7db3c4ab6925369096dedcf8e0b Mon Sep 17 00:00:00 2001 +From: Roland Shoemaker +Date: Thu, 25 Apr 2024 13:09:54 -0700 +Subject: [PATCH] [Backport] cmd/go: disallow -lto_library in LDFLAGS +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Offering: Cloud Core Network +CVE: CVE-2024-24787 +Reference: https://go-review.googlesource.com/c/go/+/583796 + +The darwin linker allows setting the LTO library with the -lto_library +flag. This wasn't caught by our "safe linker flags" check because it +was covered by the -lx flag used for linking libraries. This change +adds a specific check for excluded flags which otherwise satisfy our +existing checks. + +Loading a mallicious LTO library would allow an attacker to cause the +linker to execute abritrary code when "go build" was called. + +Thanks to Juho Forsén of Mattermost for reporting this issue. + +Fixes #67119 +Fixes #67122 +Fixes CVE-2024-24787 + +Change-Id: I77ac8585efbdbdfd5f39c39ed623b9408a0f9eaf +Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1380 +Reviewed-by: Russ Cox +Reviewed-by: Damien Neil +(cherry picked from commit 9a79141fbbca1105e5c786f15e38741ca7843290) +Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1420 +Reviewed-by: Tatiana Bradley +Reviewed-on: https://go-review.googlesource.com/c/go/+/583796 +Reviewed-by: David Chase +LUCI-TryBot-Result: Go LUCI +Signed-off-by: Ma Chang Wang machangwang@huawei.com +--- + src/cmd/go/internal/work/security.go | 19 +++++++++++++++---- + .../script/darwin_lto_library_ldflag.txt | 17 +++++++++++++++++ + 2 files changed, 32 insertions(+), 4 deletions(-) + create mode 100644 src/cmd/go/testdata/script/darwin_lto_library_ldflag.txt + +diff --git a/src/cmd/go/internal/work/security.go b/src/cmd/go/internal/work/security.go +index 270a34e9c7..db49eb6488 100644 +--- a/src/cmd/go/internal/work/security.go ++++ b/src/cmd/go/internal/work/security.go +@@ -141,6 +141,12 @@ var validCompilerFlagsWithNextArg = []string{ + "-x", + } + ++var invalidLinkerFlags = []*lazyregexp.Regexp{ ++ // On macOS this means the linker loads and executes the next argument. ++ // Have to exclude separately because -lfoo is allowed in general. ++ re(`-lto_library`), ++} ++ + var validLinkerFlags = []*lazyregexp.Regexp{ + re(`-F([^@\-].*)`), + re(`-l([^@\-].*)`), +@@ -231,12 +237,12 @@ var validLinkerFlagsWithNextArg = []string{ + + func checkCompilerFlags(name, source string, list []string) error { + checkOverrides := true +- return checkFlags(name, source, list, validCompilerFlags, validCompilerFlagsWithNextArg, checkOverrides) ++ return checkFlags(name, source, list, nil, validCompilerFlags, validCompilerFlagsWithNextArg, checkOverrides) + } + + func checkLinkerFlags(name, source string, list []string) error { + checkOverrides := true +- return checkFlags(name, source, list, validLinkerFlags, validLinkerFlagsWithNextArg, checkOverrides) ++ return checkFlags(name, source, list, invalidLinkerFlags, validLinkerFlags, validLinkerFlagsWithNextArg, checkOverrides) + } + + // checkCompilerFlagsForInternalLink returns an error if 'list' +@@ -245,7 +251,7 @@ func checkLinkerFlags(name, source string, list []string) error { + // external linker). + func checkCompilerFlagsForInternalLink(name, source string, list []string) error { + checkOverrides := false +- if err := checkFlags(name, source, list, validCompilerFlags, validCompilerFlagsWithNextArg, checkOverrides); err != nil { ++ if err := checkFlags(name, source, list, nil, validCompilerFlags, validCompilerFlagsWithNextArg, checkOverrides); err != nil { + return err + } + // Currently the only flag on the allow list that causes problems +@@ -258,7 +264,7 @@ func checkCompilerFlagsForInternalLink(name, source string, list []string) error + return nil + } + +-func checkFlags(name, source string, list []string, valid []*lazyregexp.Regexp, validNext []string, checkOverrides bool) error { ++func checkFlags(name, source string, list []string, invalid, valid []*lazyregexp.Regexp, validNext []string, checkOverrides bool) error { + // Let users override rules with $CGO_CFLAGS_ALLOW, $CGO_CFLAGS_DISALLOW, etc. + var ( + allow *regexp.Regexp +@@ -290,6 +296,11 @@ Args: + if allow != nil && allow.FindString(arg) == arg { + continue Args + } ++ for _, re := range invalid { ++ if re.FindString(arg) == arg { // must be complete match ++ goto Bad ++ } ++ } + for _, re := range valid { + if re.FindString(arg) == arg { // must be complete match + continue Args +diff --git a/src/cmd/go/testdata/script/darwin_lto_library_ldflag.txt b/src/cmd/go/testdata/script/darwin_lto_library_ldflag.txt +new file mode 100644 +index 0000000000..d7acefdbad +--- /dev/null ++++ b/src/cmd/go/testdata/script/darwin_lto_library_ldflag.txt +@@ -0,0 +1,17 @@ ++[!GOOS:darwin] skip ++[!cgo] skip ++ ++! go build ++stderr 'invalid flag in #cgo LDFLAGS: -lto_library' ++ ++-- go.mod -- ++module ldflag ++ ++-- main.go -- ++package main ++ ++// #cgo CFLAGS: -flto ++// #cgo LDFLAGS: -lto_library bad.dylib ++import "C" ++ ++func main() {} +\ No newline at end of file +-- +2.33.0 + diff --git a/golang.spec b/golang.spec index eacab68a0bc299b65fdcebd5e2bbad0b850c1df5..ecd47a754af9f6c5362a443f61d623fe2bb539e0 100644 --- a/golang.spec +++ b/golang.spec @@ -126,6 +126,7 @@ Patch6003: backport-0003-release-branch.go1.21-net-textproto-mime-multipart-a.pa Patch6004: backport-0004-release-branch.go1.21-net-http-net-http-cookiejar-av.patch Patch6005: backport-0005-release-branch.go1.21-net-mail-properly-handle-speci.patch Patch6006: backport-0006-Backport-net-http-update-bundled-golang.org-x-net-ht.patch +Patch6007: backport-0007-Backport-cmd-go-disallow-lto_library-in-LDFLAGS.patch Patch6008: backport-0008-release-branch.go1.21-net-netip-check-if-address-is-v6.patch @@ -366,6 +367,9 @@ fi %files devel -f go-tests.list -f go-misc.list -f go-src.list %changelog +* Fri Jun 23 2024 <314264452@qq.com> - 1.21.4-11 +- fix CVE-2024-24787 + * Thu Jun 13 2024 Zhao Mengmeng - 1.21.4-10 - fix CVE-2024-24790