From a70d173915e466c36e9c2390e257274ec6786b23 Mon Sep 17 00:00:00 2001
From: EulerOSWander <314264452@qq.com>
Date: Fri, 21 Jun 2024 15:23:30 +0800
Subject: [PATCH] backport: fix CVE-2023-45285
Signed-off-by: EulerOSWander <314264452@qq.com>
---
 ...internal-vcs-error-out-if-the-reques.patch | 108 ++++++++++++++++++
 golang.spec | 6 +-
 2 files changed, 113 insertions(+), 1 deletion(-)
 create mode 100644 backport-0009-Backport-cmd-go-internal-vcs-error-out-if-the-reques.patch
diff --git a/backport-0009-Backport-cmd-go-internal-vcs-error-out-if-the-reques.patch b/backport-0009-Backport-cmd-go-internal-vcs-error-out-if-the-reques.patch
new file mode 100644
index 0000000..fb5d4bb
--- /dev/null
+++ b/backport-0009-Backport-cmd-go-internal-vcs-error-out-if-the-reques.patch
@@ -0,0 +1,108 @@
+From 558cbc498c70278bea8297272f2d4fc50d67893b Mon Sep 17 00:00:00 2001
+From: "Bryan C. Mills"
+Date: Thu, 2 Nov 2023 15:06:35 -0400
+Subject: [PATCH] [Backport] cmd/go/internal/vcs: error out if the requested
+ repo does not support a secure protocol
+
+CVE: CVE-2023-45285
+Reference: https://go-review.googlesource.com/c/go/+/540335
+
+Updates #63845.
+Fixes #63972.
+
+Change-Id: If86d6b13d3b55877b35c087112bd76388c9404b8
+Reviewed-on: https://go-review.googlesource.com/c/go/+/539321
+Reviewed-by: Michael Matloob
+LUCI-TryBot-Result: Go LUCI
+Reviewed-by: Roland Shoemaker
+Auto-Submit: Bryan Mills
+(cherry picked from commit be26ae18caf7ddffca4073333f80d0d9e76483c3)
+Reviewed-on: https://go-review.googlesource.com/c/go/+/540335
+Auto-Submit: Dmitri Shuralyov
+Reviewed-by: Dmitri Shuralyov
+Signed-off-by: wangbingyao 00557526
+---
+ src/cmd/go/internal/vcs/vcs.go | 25 +++++++++++++----
+ .../script/mod_insecure_issue63845.txt | 28 +++++++++++++++++++
+ 2 files changed, 47 insertions(+), 6 deletions(-)
+ create mode 100644 src/cmd/go/testdata/script/mod_insecure_issue63845.txt
+
+diff --git a/src/cmd/go/internal/vcs/vcs.go b/src/cmd/go/internal/vcs/vcs.go
+index c65dd0f624..dbf16d1de7 100644
+--- a/src/cmd/go/internal/vcs/vcs.go
++++ b/src/cmd/go/internal/vcs/vcs.go
+@@ -1204,18 +1204,31 @@ func repoRootFromVCSPaths(importPath string, security web.SecurityMode, vcsPaths
+ var ok bool
+ repoURL, ok = interceptVCSTest(repo, vcs, security)
+ if !ok {
+- scheme := vcs.Scheme[0] // default to first scheme
+- if vcs.PingCmd != "" {
+- // If we know how to test schemes, scan to find one.
++ scheme, err := func() (string, error) {
+ for _, s := range vcs.Scheme {
+ if security == web.SecureOnly && !vcs.isSecureScheme(s) {
+ continue
+ }
+- if vcs.Ping(s, repo) == nil {
+- scheme = s
+- break
++
++ // If we know how to ping URL schemes for this VCS,
++ // check that this repo works.
++ // Otherwise, default to the first scheme
++ // that meets the requested security level.
++ if vcs.PingCmd == "" {
++ return s, nil
++ }
++ if err := vcs.Ping(s, repo); err == nil {
++ return s, nil
+ }
+ }
++ securityFrag := ""
++ if security == web.SecureOnly {
++ securityFrag = "secure "
++ }
++ return "", fmt.Errorf("no %sprotocol found for repository", securityFrag)
++ }()
++ if err != nil {
++ return nil, err
+ }
+ repoURL = scheme + "://" + repo
+ }
+diff --git a/src/cmd/go/testdata/script/mod_insecure_issue63845.txt b/src/cmd/go/testdata/script/mod_insecure_issue63845.txt
+new file mode 100644
+index 0000000000..5fa6a4f12b
+--- /dev/null
++++ b/src/cmd/go/testdata/script/mod_insecure_issue63845.txt
+@@ -0,0 +1,28 @@
++# Regression test for https://go.dev/issue/63845:
++# If 'git ls-remote' fails for all secure protocols,
++# we should fail instead of falling back to an arbitrary protocol.
++#
++# Note that this test does not use the local vcweb test server
++# (vcs-test.golang.org), because the hook for redirecting to that
++# server bypasses the "ping to determine protocol" logic
++# in cmd/go/internal/vcs.
++
++[!net] skip
++[!git] skip
++[short] skip 'tries to access a nonexistent external Git repo'
++
++env GOPRIVATE=golang.org
++env CURLOPT_TIMEOUT_MS=100
++env GIT_SSH_COMMAND=false
++
++! go get -x golang.org/nonexist.git@latest
++stderr '^git ls-remote https://golang.org/nonexist$'
++stderr '^git ls-remote git\+ssh://golang.org/nonexist'
++stderr '^git ls-remote ssh://golang.org/nonexist$'
++! stderr 'git://'
++stderr '^go: golang.org/nonexist.git@latest: no secure protocol found for repository$'
++
++-- go.mod --
++module example
++
++go 1.19
+-- 
+2.33.0
+
diff --git a/golang.spec b/golang.spec
index f652f8e..e5ad99b 100644
--- a/golang.spec
+++ b/golang.spec
@@ -66,7 +66,7 @@ Name: golang
 Version: 1.21.4
-Release: 11
+Release: 12
 Summary: The Go Programming Language
 License: BSD and Public Domain
 URL: https://golang.org/
@@ -128,6 +128,7 @@ Patch6005: backport-0005-release-branch.go1.21-net-mail-properly-handle-speci.pa
 Patch6006: backport-0006-Backport-net-http-update-bundled-golang.org-x-net-ht.patch
 Patch6007: backport-0007-Backport-cmd-go-disallow-lto_library-in-LDFLAGS.patch
 Patch6008: backport-0008-release-branch.go1.21-net-netip-check-if-address-is-v6.patch
+Patch6009: backport-0009-Backport-cmd-go-internal-vcs-error-out-if-the-reques.patch
 ExclusiveArch: %{golang_arches}
@@ -366,6 +367,9 @@ fi
 %files devel -f go-tests.list -f go-misc.list -f go-src.list
 %changelog
+* Fri Jun 21 2024 EulerOSWander <314264452@qq.com> - 1.21.4-12
+- fix CVE-2023-45285
+
 * Thu Jun 13 2024 Zhao Mengmeng - 1.21.4-11
 - fix CVE-2024-24790
-- Gitee
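Review bot: The hunk at `@@ -128,6 +128,7 @@` declares the new `Patch6009:` source, but the `%prep` section that applies the patch series is outside this diff, so it cannot be confirmed here that the file is actually applied at build time. If the spec applies patches with `%autosetup`/`%autopatch` the declaration alone is enough; if it uses explicit per-patch macros, a matching `%patch6009 -p1` line (in whatever form the existing patches use) is required, otherwise the CVE-2023-45285 fix would be shipped in the SRPM but never compiled in — worth checking against `%prep` before merging. Note also that the regression test added by the new patch is gated by `[!net] skip` and `[!git] skip`, so an offline package build will not exercise the change; the fix's coverage rests on the upstream test run and the backport being an unmodified cherry-pick of the referenced CL.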