
golang: Update to 1.15.5

This includes security fixes for:
* CVE-2020-28362: panic during recursive division of very large numbers
* CVE-2020-28366: arbitrary code can be injected into cgo generated
  files
* CVE-2020-28367: improper validation of cgo flags can lead to remote
  code execution at build time

Signed-off-by: Jeffery To <jeffery.to@gmail.com>
Jeffery To 4 years ago
committed by Hannu Nyman
parent
commit
bd38850609
2 changed files with 95 additions and 2 deletions
  1. +2
    -2
      lang/golang/golang/Makefile
  2. +93
    -0
      lang/golang/golang/patches/001-allow-flags-in-CGO_LDFLAGS-environment-variable-not-in-security-allowlist-GH-42567.patch

+ 2
- 2
lang/golang/golang/Makefile View File

@ -8,7 +8,7 @@
include $(TOPDIR)/rules.mk
GO_VERSION_MAJOR_MINOR:=1.15
GO_VERSION_PATCH:=4
GO_VERSION_PATCH:=5
PKG_NAME:=golang
PKG_VERSION:=$(GO_VERSION_MAJOR_MINOR)$(if $(GO_VERSION_PATCH),.$(GO_VERSION_PATCH))
@ -20,7 +20,7 @@ GO_SOURCE_URLS:=https://dl.google.com/go/ \
PKG_SOURCE:=go$(PKG_VERSION).src.tar.gz
PKG_SOURCE_URL:=$(GO_SOURCE_URLS)
PKG_HASH:=063da6a9a4186b8118a0e584532c8c94e65582e2cd951ed078bfd595d27d2367
PKG_HASH:=c1076b90cf94b73ebed62a81d802cd84d43d02dea8c07abdc922c57a071c84f1
PKG_MAINTAINER:=Jeffery To <jeffery.to@gmail.com>
PKG_LICENSE:=BSD-3-Clause


+ 93
- 0
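--- /dev/null
+++ b/lang/golang/golang/patches/001-allow-flags-in-CGO_LDFLAGS-environment-variable-not-in-security-allowlist-GH-42567.patch
@@ -0,0 +1,93 @@
+From 39f8e98946a0958a4f69ec28c78b8e5d46125e44 Mon Sep 17 00:00:00 2001
+From: Ian Lance Taylor <iant@golang.org>
+Date: Fri, 13 Nov 2020 11:05:37 -0800
+Subject: [PATCH] [release-branch.go1.15] cmd/go: permit CGO_LDFLAGS to appear in //go:ldflag
+For #42565
+Fixes #42567
+Change-Id: If7cf39905d124dbd54dfac6a53ee38270498efed
+Reviewed-on: https://go-review.googlesource.com/c/go/+/269818
+Trust: Ian Lance Taylor <iant@golang.org>
+Run-TryBot: Ian Lance Taylor <iant@golang.org>
+TryBot-Result: Go Bot <gobot@golang.org>
+Reviewed-by: Jay Conrod <jayconrod@google.com>
+(cherry picked from commit 782cf560db4c919790fdb476d1bbe18e5ddf5ffd)
+---
+diff --git a/src/cmd/go/internal/work/exec.go b/src/cmd/go/internal/work/exec.go
+index 13d4c8c..dc0c4fc 100644
+--- a/src/cmd/go/internal/work/exec.go
++++ b/src/cmd/go/internal/work/exec.go
+@@ -2766,6 +2766,21 @@
+idx = bytes.Index(src, []byte(cgoLdflag))
+}
+}
++
++ // We expect to find the contents of cgoLDFLAGS in flags.
++ if len(cgoLDFLAGS) > 0 {
++ outer:
++ for i := range flags {
++ for j, f := range cgoLDFLAGS {
++ if f != flags[i+j] {
++ continue outer
++ }
++ }
++ flags = append(flags[:i], flags[i+len(cgoLDFLAGS):]...)
++ break
++ }
++ }
++
+if err := checkLinkerFlags("LDFLAGS", "go:cgo_ldflag", flags); err != nil {
+return nil, nil, err
+}
+diff --git a/src/cmd/go/testdata/script/ldflag.txt b/src/cmd/go/testdata/script/ldflag.txt
+new file mode 100644
+index 0000000..6ceb33b
+--- /dev/null
++++ b/src/cmd/go/testdata/script/ldflag.txt
+@@ -0,0 +1,44 @@
++# Issue #42565
++
++[!cgo] skip
++
++# We can't build package bad, which uses #cgo LDFLAGS.
++cd bad
++! go build
++stderr no-such-warning
++
++# We can build package ok with the same flags in CGO_LDFLAGS.
++env CGO_LDFLAGS=-Wno-such-warning -Wno-unknown-warning-option
++cd ../ok
++go build
++
++# Build a main program that actually uses LDFLAGS.
++cd ..
++go build -ldflags=-v
++
++# Because we passed -v the Go linker should print the external linker
++# command which should include the flag we passed in CGO_LDFLAGS.
++stderr no-such-warning
++
++-- go.mod --
++module ldflag
++
++-- bad/bad.go --
++package bad
++
++// #cgo LDFLAGS: -Wno-such-warning -Wno-unknown-warning
++import "C"
++
++func F() {}
++-- ok/ok.go --
++package ok
++
++import "C"
++
++func F() {}
++-- main.go --
++package main
++
++import _ "ldflag/ok"
++
++func main() {}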
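Review bot: The `flags[i+j]` read in the new exec.go hunk can index past the end of `flags` whenever the full `cgoLDFLAGS` sequence is not actually present — with `flags = [-la]` and `cgoLDFLAGS = [-la, -lb]` the inner loop matches at j=0 and then reads `flags[1]`, so a missed match becomes an index-out-of-range panic in the go command instead of the allowlist error that `checkLinkerFlags` would otherwise report. The code leans on cgo having echoed every environment flag verbatim into the `//go:cgo_ldflag` pragmas (the comment only says "We expect"); that presumably holds for ordinary flags, but the pragma parsing that builds `flags` sits above the hunk, so whether unusual flag values survive the round trip cannot be confirmed from here. Bounding the outer loop keeps the failure on the existing, reviewable error path: `for i := 0; i+len(cgoLDFLAGS) <= len(flags); i++ {`. The enclosing cgo function starts and ends outside the hunk.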
