From bd38850609027f6ab140894bff7c4f53d8cc6243 Mon Sep 17 00:00:00 2001
From: Jeffery To <jeffery.to@gmail.com>
Date: Mon, 16 Nov 2020 01:57:05 +0800
Subject: [PATCH] golang: Update to 1.15.5

This includes security fixes for:
* CVE-2020-28362: panic during recursive division of very large numbers
* CVE-2020-28366: arbitrary code can be injected into cgo generated
  files
* CVE-2020-28367: improper validation of cgo flags can lead to remote
  code execution at build time

Signed-off-by: Jeffery To <jeffery.to@gmail.com>
---
 lang/golang/golang/Makefile                   |  4 +-
 ...e-not-in-security-allowlist-GH-42567.patch | 93 +++++++++++++++++++
 2 files changed, 95 insertions(+), 2 deletions(-)
 create mode 100644 lang/golang/golang/patches/001-allow-flags-in-CGO_LDFLAGS-environment-variable-not-in-security-allowlist-GH-42567.patch

diff --git a/lang/golang/golang/Makefile b/lang/golang/golang/Makefile
index 7e8157f7b..f7b2a2d99 100644
--- a/lang/golang/golang/Makefile
+++ b/lang/golang/golang/Makefile
@@ -8,7 +8,7 @@
 include $(TOPDIR)/rules.mk
 
 GO_VERSION_MAJOR_MINOR:=1.15
-GO_VERSION_PATCH:=4
+GO_VERSION_PATCH:=5
 
 PKG_NAME:=golang
 PKG_VERSION:=$(GO_VERSION_MAJOR_MINOR)$(if $(GO_VERSION_PATCH),.$(GO_VERSION_PATCH))
@@ -20,7 +20,7 @@ GO_SOURCE_URLS:=https://dl.google.com/go/ \
 
 PKG_SOURCE:=go$(PKG_VERSION).src.tar.gz
 PKG_SOURCE_URL:=$(GO_SOURCE_URLS)
-PKG_HASH:=063da6a9a4186b8118a0e584532c8c94e65582e2cd951ed078bfd595d27d2367
+PKG_HASH:=c1076b90cf94b73ebed62a81d802cd84d43d02dea8c07abdc922c57a071c84f1
 
 PKG_MAINTAINER:=Jeffery To <jeffery.to@gmail.com>
 PKG_LICENSE:=BSD-3-Clause
diff --git a/lang/golang/golang/patches/001-allow-flags-in-CGO_LDFLAGS-environment-variable-not-in-security-allowlist-GH-42567.patch b/lang/golang/golang/patches/001-allow-flags-in-CGO_LDFLAGS-environment-variable-not-in-security-allowlist-GH-42567.patch
new file mode 100644
index 000000000..49ca5a519
--- /dev/null
+++ b/lang/golang/golang/patches/001-allow-flags-in-CGO_LDFLAGS-environment-variable-not-in-security-allowlist-GH-42567.patch
@@ -0,0 +1,93 @@
+From 39f8e98946a0958a4f69ec28c78b8e5d46125e44 Mon Sep 17 00:00:00 2001
+From: Ian Lance Taylor <iant@golang.org>
+Date: Fri, 13 Nov 2020 11:05:37 -0800
+Subject: [PATCH] [release-branch.go1.15] cmd/go: permit CGO_LDFLAGS to appear in //go:ldflag
+
+For #42565
+Fixes #42567
+
+Change-Id: If7cf39905d124dbd54dfac6a53ee38270498efed
+Reviewed-on: https://go-review.googlesource.com/c/go/+/269818
+Trust: Ian Lance Taylor <iant@golang.org>
+Run-TryBot: Ian Lance Taylor <iant@golang.org>
+TryBot-Result: Go Bot <gobot@golang.org>
+Reviewed-by: Jay Conrod <jayconrod@google.com>
+(cherry picked from commit 782cf560db4c919790fdb476d1bbe18e5ddf5ffd)
+---
+
+diff --git a/src/cmd/go/internal/work/exec.go b/src/cmd/go/internal/work/exec.go
+index 13d4c8c..dc0c4fc 100644
+--- a/src/cmd/go/internal/work/exec.go
++++ b/src/cmd/go/internal/work/exec.go
+@@ -2766,6 +2766,21 @@
+ 				idx = bytes.Index(src, []byte(cgoLdflag))
+ 			}
+ 		}
++
++		// We expect to find the contents of cgoLDFLAGS in flags.
++		if len(cgoLDFLAGS) > 0 {
++		outer:
++			for i := range flags {
++				for j, f := range cgoLDFLAGS {
++					if f != flags[i+j] {
++						continue outer
++					}
++				}
++				flags = append(flags[:i], flags[i+len(cgoLDFLAGS):]...)
++				break
++			}
++		}
++
+ 		if err := checkLinkerFlags("LDFLAGS", "go:cgo_ldflag", flags); err != nil {
+ 			return nil, nil, err
+ 		}
+diff --git a/src/cmd/go/testdata/script/ldflag.txt b/src/cmd/go/testdata/script/ldflag.txt
+new file mode 100644
+index 0000000..6ceb33b
+--- /dev/null
++++ b/src/cmd/go/testdata/script/ldflag.txt
+@@ -0,0 +1,44 @@
++# Issue #42565
++
++[!cgo] skip
++
++# We can't build package bad, which uses #cgo LDFLAGS.
++cd bad
++! go build
++stderr no-such-warning
++
++# We can build package ok with the same flags in CGO_LDFLAGS.
++env CGO_LDFLAGS=-Wno-such-warning -Wno-unknown-warning-option
++cd ../ok
++go build
++
++# Build a main program that actually uses LDFLAGS.
++cd ..
++go build -ldflags=-v
++
++# Because we passed -v the Go linker should print the external linker
++# command which should include the flag we passed in CGO_LDFLAGS.
++stderr no-such-warning
++
++-- go.mod --
++module ldflag
++
++-- bad/bad.go --
++package bad
++
++// #cgo LDFLAGS: -Wno-such-warning -Wno-unknown-warning
++import "C"
++
++func F() {}
++-- ok/ok.go --
++package ok
++
++import "C"
++
++func F() {}
++-- main.go --
++package main
++
++import _ "ldflag/ok"
++
++func main() {}