diff --git a/0013-drop-hard-code-cert.patch b/0013-drop-hard-code-cert.patch new file mode 100644 index 0000000000000000000000000000000000000000..1af1acc73a346d0e546ae1f4be3c0f0bd6c55841 --- /dev/null +++ b/0013-drop-hard-code-cert.patch @@ -0,0 +1,135 @@ +From 2720067ebfb7568792bb0c8fe3fbf095c89b77a9 Mon Sep 17 00:00:00 2001 +From: jingrui +Date: Tue, 17 Mar 2020 17:43:33 +0800 +Subject: [PATCH] drop hard-code cert + +Signed-off-by: jingrui +--- + src/crypto/x509/test-file.crt | 32 --------------------------- + src/crypto/x509/testdata/test-dir.crt | 31 -------------------------- + src/net/http/internal/testcert.go | 31 ++------------------------ + 3 files changed, 2 insertions(+), 92 deletions(-) + delete mode 100644 src/crypto/x509/test-file.crt + delete mode 100644 src/crypto/x509/testdata/test-dir.crt + +diff --git a/src/crypto/x509/test-file.crt b/src/crypto/x509/test-file.crt +deleted file mode 100644 +index caa83b9..0000000 +--- a/src/crypto/x509/test-file.crt ++++ /dev/null +@@ -1,32 +0,0 @@ +------BEGIN CERTIFICATE----- +-MIIFbTCCA1WgAwIBAgIJAN338vEmMtLsMA0GCSqGSIb3DQEBCwUAME0xCzAJBgNV +-BAYTAlVLMRMwEQYDVQQIDApUZXN0LVN0YXRlMRUwEwYDVQQKDAxHb2xhbmcgVGVz +-dHMxEjAQBgNVBAMMCXRlc3QtZmlsZTAeFw0xNzAyMDEyMzUyMDhaFw0yNzAxMzAy +-MzUyMDhaME0xCzAJBgNVBAYTAlVLMRMwEQYDVQQIDApUZXN0LVN0YXRlMRUwEwYD +-VQQKDAxHb2xhbmcgVGVzdHMxEjAQBgNVBAMMCXRlc3QtZmlsZTCCAiIwDQYJKoZI +-hvcNAQEBBQADggIPADCCAgoCggIBAPMGiLjdiffQo3Xc8oUe7wsDhSaAJFOhO6Qs +-i0xYrYl7jmCuz9rGD2fdgk5cLqGazKuQ6fIFzHXFU2BKs4CWXt9KO0KFEhfvZeuW +-jG5d7C1ZUiuKOrPqjKVu8SZtFPc7y7Ke7msXzY+Z2LLyiJJ93LCMq4+cTSGNXVlI +-KqUxhxeoD5/QkUPyQy/ilu3GMYfx/YORhDP6Edcuskfj8wRh1UxBejP8YPMvI6St +-cE2GkxoEGqDWnQ/61F18te6WI3MD29tnKXOkXVhnSC+yvRLljotW2/tAhHKBG4tj +-iQWT5Ri4Wrw2tXxPKRLsVWc7e1/hdxhnuvYpXkWNhKsm002jzkFXlzfEwPd8nZdw +-5aT6gPUBN2AAzdoqZI7E200i0orEF7WaSoMfjU1tbHvExp3vyAPOfJ5PS2MQ6W03 +-Zsy5dTVH+OBH++rkRzQCFcnIv/OIhya5XZ9KX9nFPgBEP7Xq2A+IjH7B6VN/S/bv +-8lhp2V+SQvlew9GttKC4hKuPsl5o7+CMbcqcNUdxm9gGkN8epGEKCuix97bpNlxN +-fHZxHE5+8GMzPXMkCD56y5TNKR6ut7JGHMPtGl5lPCLqzG/HzYyFgxsDfDUu2B0A +-GKj0lGpnLfGqwhs2/s3jpY7+pcvVQxEpvVTId5byDxu1ujP4HjO/VTQ2P72rE8Ft +-C6J2Av0tAgMBAAGjUDBOMB0GA1UdDgQWBBTLT/RbyfBB/Pa07oBnaM+QSJPO9TAf +-BgNVHSMEGDAWgBTLT/RbyfBB/Pa07oBnaM+QSJPO9TAMBgNVHRMEBTADAQH/MA0G +-CSqGSIb3DQEBCwUAA4ICAQB3sCntCcQwhMgRPPyvOCMyTcQ/Iv+cpfxz2Ck14nlx +-AkEAH2CH0ov5GWTt07/ur3aa5x+SAKi0J3wTD1cdiw4U/6Uin6jWGKKxvoo4IaeK +-SbM8w/6eKx6UbmHx7PA/eRABY9tTlpdPCVgw7/o3WDr03QM+IAtatzvaCPPczake +-pbdLwmBZB/v8V+6jUajy6jOgdSH0PyffGnt7MWgDETmNC6p/Xigp5eh+C8Fb4NGT +-xgHES5PBC+sruWp4u22bJGDKTvYNdZHsnw/CaKQWNsQqwisxa3/8N5v+PCff/pxl +-r05pE3PdHn9JrCl4iWdVlgtiI9BoPtQyDfa/OEFaScE8KYR8LxaAgdgp3zYncWls +-BpwQ6Y/A2wIkhlD9eEp5Ib2hz7isXOs9UwjdriKqrBXqcIAE5M+YIk3+KAQKxAtd +-4YsK3CSJ010uphr12YKqlScj4vuKFjuOtd5RyyMIxUG3lrrhAu2AzCeKCLdVgA8+ +-75FrYMApUdvcjp4uzbBoED4XRQlx9kdFHVbYgmE/+yddBYJM8u4YlgAL0hW2/D8p +-z9JWIfxVmjJnBnXaKGBuiUyZ864A3PJndP6EMMo7TzS2CDnfCYuJjvI0KvDjFNmc +-rQA04+qfMSEz3nmKhbbZu4eYLzlADhfH8tT4GMtXf71WLA5AUHGf2Y4+HIHTsmHG +-vQ== +------END CERTIFICATE----- +diff --git a/src/crypto/x509/testdata/test-dir.crt b/src/crypto/x509/testdata/test-dir.crt +deleted file mode 100644 +index b7fc9c5..0000000 +--- a/src/crypto/x509/testdata/test-dir.crt ++++ /dev/null +@@ -1,31 +0,0 @@ +------BEGIN CERTIFICATE----- +-MIIFazCCA1OgAwIBAgIJAL8a/lsnspOqMA0GCSqGSIb3DQEBCwUAMEwxCzAJBgNV +-BAYTAlVLMRMwEQYDVQQIDApUZXN0LVN0YXRlMRUwEwYDVQQKDAxHb2xhbmcgVGVz +-dHMxETAPBgNVBAMMCHRlc3QtZGlyMB4XDTE3MDIwMTIzNTAyN1oXDTI3MDEzMDIz +-NTAyN1owTDELMAkGA1UEBhMCVUsxEzARBgNVBAgMClRlc3QtU3RhdGUxFTATBgNV +-BAoMDEdvbGFuZyBUZXN0czERMA8GA1UEAwwIdGVzdC1kaXIwggIiMA0GCSqGSIb3 +-DQEBAQUAA4ICDwAwggIKAoICAQDzBoi43Yn30KN13PKFHu8LA4UmgCRToTukLItM +-WK2Je45grs/axg9n3YJOXC6hmsyrkOnyBcx1xVNgSrOAll7fSjtChRIX72Xrloxu +-XewtWVIrijqz6oylbvEmbRT3O8uynu5rF82Pmdiy8oiSfdywjKuPnE0hjV1ZSCql +-MYcXqA+f0JFD8kMv4pbtxjGH8f2DkYQz+hHXLrJH4/MEYdVMQXoz/GDzLyOkrXBN +-hpMaBBqg1p0P+tRdfLXuliNzA9vbZylzpF1YZ0gvsr0S5Y6LVtv7QIRygRuLY4kF +-k+UYuFq8NrV8TykS7FVnO3tf4XcYZ7r2KV5FjYSrJtNNo85BV5c3xMD3fJ2XcOWk +-+oD1ATdgAM3aKmSOxNtNItKKxBe1mkqDH41NbWx7xMad78gDznyeT0tjEOltN2bM +-uXU1R/jgR/vq5Ec0AhXJyL/ziIcmuV2fSl/ZxT4ARD+16tgPiIx+welTf0v27/JY +-adlfkkL5XsPRrbSguISrj7JeaO/gjG3KnDVHcZvYBpDfHqRhCgrosfe26TZcTXx2 +-cRxOfvBjMz1zJAg+esuUzSkerreyRhzD7RpeZTwi6sxvx82MhYMbA3w1LtgdABio +-9JRqZy3xqsIbNv7N46WO/qXL1UMRKb1UyHeW8g8btboz+B4zv1U0Nj+9qxPBbQui +-dgL9LQIDAQABo1AwTjAdBgNVHQ4EFgQUy0/0W8nwQfz2tO6AZ2jPkEiTzvUwHwYD +-VR0jBBgwFoAUy0/0W8nwQfz2tO6AZ2jPkEiTzvUwDAYDVR0TBAUwAwEB/zANBgkq +-hkiG9w0BAQsFAAOCAgEAvEVnUYsIOt87rggmLPqEueynkuQ+562M8EDHSQl82zbe +-xDCxeg3DvPgKb+RvaUdt1362z/szK10SoeMgx6+EQLoV9LiVqXwNqeYfixrhrdw3 +-ppAhYYhymdkbUQCEMHypmXP1vPhAz4o8Bs+eES1M+zO6ErBiD7SqkmBElT+GixJC +-6epC9ZQFs+dw3lPlbiZSsGE85sqc3VAs0/JgpL/pb1/Eg4s0FUhZD2C2uWdSyZGc +-g0/v3aXJCp4j/9VoNhI1WXz3M45nysZIL5OQgXymLqJElQa1pZ3Wa4i/nidvT4AT +-Xlxc/qijM8set/nOqp7hVd5J0uG6qdwLRILUddZ6OpXd7ZNi1EXg+Bpc7ehzGsDt +-3UFGzYXDjxYnK2frQfjLS8stOQIqSrGthW6x0fdkVx0y8BByvd5J6+JmZl4UZfzA +-m99VxXSt4B9x6BvnY7ktzcFDOjtuLc4B/7yg9fv1eQuStA4cHGGAttsCg1X/Kx8W +-PvkkeH0UWDZ9vhH9K36703z89da6MWF+bz92B0+4HoOmlVaXRkvblsNaynJnL0LC +-Ayry7QBxuh5cMnDdRwJB3AVJIiJ1GVpb7aGvBOnx+s2lwRv9HWtghb+cbwwktx1M +-JHyBf3GZNSWTpKY7cD8V+NnBv3UuioOVVo+XAU4LF/bYUjdRpxWADJizNtZrtFo= +------END CERTIFICATE----- +diff --git a/src/net/http/internal/testcert.go b/src/net/http/internal/testcert.go +index 2284a83..a33d06b 100644 +--- a/src/net/http/internal/testcert.go ++++ b/src/net/http/internal/testcert.go +@@ -10,36 +10,9 @@ import "strings" + // "127.0.0.1" and "[::1]", expiring at Jan 29 16:00:00 2084 GMT. + // generated from src/crypto/tls: + // go run generate_cert.go --rsa-bits 1024 --host 127.0.0.1,::1,example.com --ca --start-date "Jan 1 00:00:00 1970" --duration=1000000h +-var LocalhostCert = []byte(`-----BEGIN CERTIFICATE----- +-MIICEzCCAXygAwIBAgIQMIMChMLGrR+QvmQvpwAU6zANBgkqhkiG9w0BAQsFADAS +-MRAwDgYDVQQKEwdBY21lIENvMCAXDTcwMDEwMTAwMDAwMFoYDzIwODQwMTI5MTYw +-MDAwWjASMRAwDgYDVQQKEwdBY21lIENvMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB +-iQKBgQDuLnQAI3mDgey3VBzWnB2L39JUU4txjeVE6myuDqkM/uGlfjb9SjY1bIw4 +-iA5sBBZzHi3z0h1YV8QPuxEbi4nW91IJm2gsvvZhIrCHS3l6afab4pZBl2+XsDul +-rKBxKKtD1rGxlG4LjncdabFn9gvLZad2bSysqz/qTAUStTvqJQIDAQABo2gwZjAO +-BgNVHQ8BAf8EBAMCAqQwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0TAQH/BAUw +-AwEB/zAuBgNVHREEJzAlggtleGFtcGxlLmNvbYcEfwAAAYcQAAAAAAAAAAAAAAAA +-AAAAATANBgkqhkiG9w0BAQsFAAOBgQCEcetwO59EWk7WiJsG4x8SY+UIAA+flUI9 +-tyC4lNhbcF2Idq9greZwbYCqTTTr2XiRNSMLCOjKyI7ukPoPjo16ocHj+P3vZGfs +-h1fIw3cSS2OolhloGw/XM6RWPWtPAlGykKLciQrBru5NAPvCMsb/I1DAceTiotQM +-fblo6RBxUQ== +------END CERTIFICATE-----`) ++var LocalhostCert = []byte(``) + + // LocalhostKey is the private key for localhostCert. +-var LocalhostKey = []byte(testingKey(`-----BEGIN RSA TESTING KEY----- +-MIICXgIBAAKBgQDuLnQAI3mDgey3VBzWnB2L39JUU4txjeVE6myuDqkM/uGlfjb9 +-SjY1bIw4iA5sBBZzHi3z0h1YV8QPuxEbi4nW91IJm2gsvvZhIrCHS3l6afab4pZB +-l2+XsDulrKBxKKtD1rGxlG4LjncdabFn9gvLZad2bSysqz/qTAUStTvqJQIDAQAB +-AoGAGRzwwir7XvBOAy5tM/uV6e+Zf6anZzus1s1Y1ClbjbE6HXbnWWF/wbZGOpet +-3Zm4vD6MXc7jpTLryzTQIvVdfQbRc6+MUVeLKwZatTXtdZrhu+Jk7hx0nTPy8Jcb +-uJqFk541aEw+mMogY/xEcfbWd6IOkp+4xqjlFLBEDytgbIECQQDvH/E6nk+hgN4H +-qzzVtxxr397vWrjrIgPbJpQvBsafG7b0dA4AFjwVbFLmQcj2PprIMmPcQrooz8vp +-jy4SHEg1AkEA/v13/5M47K9vCxmb8QeD/asydfsgS5TeuNi8DoUBEmiSJwma7FXY +-fFUtxuvL7XvjwjN5B30pNEbc6Iuyt7y4MQJBAIt21su4b3sjXNueLKH85Q+phy2U +-fQtuUE9txblTu14q3N7gHRZB4ZMhFYyDy8CKrN2cPg/Fvyt0Xlp/DoCzjA0CQQDU +-y2ptGsuSmgUtWj3NM9xuwYPm+Z/F84K6+ARYiZ6PYj013sovGKUFfYAqVXVlxtIX +-qyUBnu3X9ps8ZfjLZO7BAkEAlT4R5Yl6cGhaJQYZHOde3JEMhNRcVFMO8dJDaFeo +-f9Oeos0UUothgiDktdQHxdNEwLjQf7lJJBzV+5OtwswCWA== +------END RSA TESTING KEY-----`)) ++var LocalhostKey = []byte(testingKey(``)) + + func testingKey(s string) string { return strings.ReplaceAll(s, "TESTING KEY", "PRIVATE KEY") } +-- +2.17.1 + diff --git a/backport-0013-release-branch.go1.13-security-src-go.mod-import-x-c.patch b/backport-0013-release-branch.go1.13-security-src-go.mod-import-x-c.patch new file mode 100644 index 0000000000000000000000000000000000000000..5a6166b548173a555a66912ceedfca041d44bedc --- /dev/null +++ b/backport-0013-release-branch.go1.13-security-src-go.mod-import-x-c.patch @@ -0,0 +1,124 @@ +From f938e06d0623d0e1de202575d16f1e126741f6e0 Mon Sep 17 00:00:00 2001 +From: Filippo Valsorda +Date: Fri, 24 Jan 2020 18:04:20 -0500 +Subject: [PATCH] [release-branch.go1.13-security] src/go.mod: import + x/crypto/cryptobyte security fix for 32-bit archs + + cryptobyte: fix panic due to malformed ASN.1 inputs on 32-bit archs + + When int is 32 bits wide (on 32-bit architectures like 386 and arm), an + overflow could occur, causing a panic, due to malformed ASN.1 being + passed to any of the ASN1 methods of String. + + Tested on linux/386 and darwin/amd64. + + This fixes CVE-2020-7919 and was found thanks to the Project Wycheproof + test vectors. + + Change-Id: I8c9696a8bfad1b40ec877cd740dba3467d66ab54 + Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/645211 + Reviewed-by: Katie Hockman + Reviewed-by: Adam Langley + +x/crypto/cryptobyte is used in crypto/x509 for parsing certificates. +Malformed certificates might cause a panic during parsing on 32-bit +architectures (like arm and 386). + +Change-Id: I840feb54eba880dbb96780ef7adcade073c4c4e3 +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/647741 +Reviewed-by: Katie Hockman +--- + src/go.mod | 2 +- + src/go.sum | 4 ++-- + src/vendor/golang.org/x/crypto/cryptobyte/asn1.go | 5 +++-- + src/vendor/golang.org/x/crypto/cryptobyte/string.go | 7 +------ + src/vendor/modules.txt | 2 +- + 5 files changed, 8 insertions(+), 12 deletions(-) + +diff --git a/src/go.mod b/src/go.mod +index 90af2a7ea0..9c9026f0d8 100644 +--- a/src/go.mod ++++ b/src/go.mod +@@ -3,7 +3,7 @@ module std + go 1.12 + + require ( +- golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8 ++ golang.org/x/crypto v0.0.0-20200124225646-8b5121be2f68 + golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7 + golang.org/x/sys v0.0.0-20190529130038-5219a1e1c5f8 // indirect + golang.org/x/text v0.3.2 // indirect +diff --git a/src/go.sum b/src/go.sum +index e358118e4c..e408f66328 100644 +--- a/src/go.sum ++++ b/src/go.sum +@@ -1,6 +1,6 @@ + golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +-golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8 h1:1wopBVtVdWnn03fZelqdXTqk7U7zPQCb+T4rbU9ZEoU= +-golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= ++golang.org/x/crypto v0.0.0-20200124225646-8b5121be2f68 h1:WPLCzSEbawp58wezcvLvLnvhiDJAai54ESbc41NdXS0= ++golang.org/x/crypto v0.0.0-20200124225646-8b5121be2f68/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= + golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= + golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7 h1:fHDIZ2oxGnUZRN6WgWFCbYBjH9uqVPRCUVUDhs0wnbA= + golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +diff --git a/src/vendor/golang.org/x/crypto/cryptobyte/asn1.go b/src/vendor/golang.org/x/crypto/cryptobyte/asn1.go +index 528b9bff67..f930f7e526 100644 +--- a/src/vendor/golang.org/x/crypto/cryptobyte/asn1.go ++++ b/src/vendor/golang.org/x/crypto/cryptobyte/asn1.go +@@ -470,7 +470,8 @@ func (s *String) ReadASN1GeneralizedTime(out *time.Time) bool { + // It reports whether the read was successful. + func (s *String) ReadASN1BitString(out *encoding_asn1.BitString) bool { + var bytes String +- if !s.ReadASN1(&bytes, asn1.BIT_STRING) || len(bytes) == 0 { ++ if !s.ReadASN1(&bytes, asn1.BIT_STRING) || len(bytes) == 0 || ++ len(bytes)*8/8 != len(bytes) { + return false + } + +@@ -740,7 +741,7 @@ func (s *String) readASN1(out *String, outTag *asn1.Tag, skipHeader bool) bool { + length = headerLen + len32 + } + +- if uint32(int(length)) != length || !s.ReadBytes((*[]byte)(out), int(length)) { ++ if int(length) < 0 || !s.ReadBytes((*[]byte)(out), int(length)) { + return false + } + if skipHeader && !out.Skip(int(headerLen)) { +diff --git a/src/vendor/golang.org/x/crypto/cryptobyte/string.go b/src/vendor/golang.org/x/crypto/cryptobyte/string.go +index 39bf98aeea..589d297e6b 100644 +--- a/src/vendor/golang.org/x/crypto/cryptobyte/string.go ++++ b/src/vendor/golang.org/x/crypto/cryptobyte/string.go +@@ -24,7 +24,7 @@ type String []byte + // read advances a String by n bytes and returns them. If less than n bytes + // remain, it returns nil. + func (s *String) read(n int) []byte { +- if len(*s) < n { ++ if len(*s) < n || n < 0 { + return nil + } + v := (*s)[:n] +@@ -105,11 +105,6 @@ func (s *String) readLengthPrefixed(lenLen int, outChild *String) bool { + length = length << 8 + length = length | uint32(b) + } +- if int(length) < 0 { +- // This currently cannot overflow because we read uint24 at most, but check +- // anyway in case that changes in the future. +- return false +- } + v := s.read(int(length)) + if v == nil { + return false +diff --git a/src/vendor/modules.txt b/src/vendor/modules.txt +index 453a312661..cff8acd02e 100644 +--- a/src/vendor/modules.txt ++++ b/src/vendor/modules.txt +@@ -1,4 +1,4 @@ +-# golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8 ++# golang.org/x/crypto v0.0.0-20200124225646-8b5121be2f68 + golang.org/x/crypto/chacha20poly1305 + golang.org/x/crypto/cryptobyte + golang.org/x/crypto/cryptobyte/asn1 +-- +2.17.1 + diff --git a/go1.13.src.tar.gz b/go1.13.3.src.tar.gz similarity index 100% rename from go1.13.src.tar.gz rename to go1.13.3.src.tar.gz diff --git a/golang.spec b/golang.spec index ea0e06b35b4f64432ecea1075e09cb8fc5c50cfb..2cddb145e3ece4e722ad1837df5810491733e24b 100644 --- a/golang.spec +++ b/golang.spec @@ -61,8 +61,8 @@ %endif Name: golang -Version: 1.13 -Release: 3.3 +Version: 1.13.3 +Release: 6 Summary: The Go Programming Language License: BSD and Public Domain URL: http://golang.org/ @@ -160,6 +160,8 @@ Patch6009: 0009-release-branch.go1.13-net-http-don-t-cache-http2.err.patch Patch6010: 0010-release-branch.go1.13-net-http-fix-Server.ConnContex.patch Patch6011: 0011-release-branch.go1.13-runtime-fix-textOff-for-multip.patch Patch6012: 0012-release-branch.go1.13-runtime-ensure-memmove-write-p.patch +Patch6013: backport-0013-release-branch.go1.13-security-src-go.mod-import-x-c.patch +Patch6014: 0013-drop-hard-code-cert.patch ExclusiveArch: %{golang_arches} @@ -393,6 +395,15 @@ fi %files devel -f go-tests.list -f go-misc.list -f go-src.list %changelog +* Tue May 12 2020 lixiang - 1.13.6 +- rename tar name and make it same with upstream + +* Tue Mar 17 2020 jingrui - 1.13.5 +- drop hard code cert + +* Mon Mar 23 2020 jingrui - 1.13.4 +- fix CVE-2020-7919 + * Thu Feb 20 2020 openEuler Buildteam - 1.13-3.2 - requires remove mercurial