pkgsrc-Changes-HG archive


[pkgsrc/trunk]: pkgsrc/lang Update go116 to 1.16.14 (security update).



details:   https://anonhg.NetBSD.org/pkgsrc/rev/6174d9946228
branches:  trunk
changeset: 373759:6174d9946228
user:      bsiegert <bsiegert%pkgsrc.org@localhost>
date:      Sat Feb 12 19:52:40 2022 +0000

description:
Update go116 to 1.16.14 (security update).

crypto/elliptic: fix IsOnCurve for big.Int values that are not valid coordinates

Some big.Int values that are not valid field elements (negative or overflowing)
might cause Curve.IsOnCurve to incorrectly return true. Operating on those values
may cause a panic or an invalid curve operation. Note that Unmarshal will never
return such values.

Thanks to Guido Vranken for reporting this.

This is CVE-2022-23806 and https://go.dev/issue/50974.

math/big: prevent large memory consumption in Rat.SetString

An attacker can cause unbounded memory growth in a program using (*Rat).SetString
due to an unhandled overflow.

Thanks to the OSS-Fuzz project for discovering this issue and to Emmanuel Odeke
(@odeke_et) for reporting it.

This is CVE-2022-23772 and Go issue https://go.dev/issue/50699.

cmd/go: prevent branches from materializing into versions

A branch whose name resembles a version tag (such as "v1.0.0" or "subdir/v2.0.0-dev")
can be considered a valid version by the go command. Materializing versions from
branches might be unexpected and bypass ACLs that limit the creation of tags but not
branches.

This is CVE-2022-23773 and Go issue https://go.dev/issue/35671.
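The first two fixes above concern untrusted numeric input reaching crypto/elliptic and math/big. The following Go program is an added example, not code from the Go project or from this pkgsrc commit, showing the checks a caller can apply on its own side: rejecting coordinates that are not canonical field elements before calling Curve.IsOnCurve, and bounding the length and character set of a string before handing it to Rat.SetString. The names CheckAffinePoint and ParseRatBounded and the error values are assumptions of this example, and the inputs in main are constructed.

```go
package main

import (
	"crypto/elliptic"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// Error values are assumptions of this example, not part of the Go standard library.
var (
	ErrNotFieldElement = errors.New("coordinate is nil, negative, or not reduced modulo P")
	ErrNotOnCurve      = errors.New("point is not on the curve")
	ErrRatTooLong      = errors.New("rational string exceeds length limit")
	ErrRatBadChar      = errors.New("rational string contains a character outside 0-9 . / + -")
)

// CheckAffinePoint verifies that x and y are canonical field elements
// (0 <= v < P) and only then asks the curve whether (x, y) satisfies the
// curve equation. elliptic.Unmarshal enforces the same range for encoded
// points; this applies it to big.Ints obtained any other way.
func CheckAffinePoint(curve elliptic.Curve, x, y *big.Int) error {
	p := curve.Params().P
	for _, v := range []*big.Int{x, y} {
		if v == nil || v.Sign() < 0 || v.Cmp(p) >= 0 {
			return ErrNotFieldElement
		}
	}
	if !curve.IsOnCurve(x, y) {
		return ErrNotOnCurve
	}
	return nil
}

// ParseRatBounded parses a decimal rational ("a/b", "1.25", "-3") from
// untrusted text. It refuses anything longer than maxLen bytes and any
// character outside the decimal allowlist, which rules out exponent
// notation ("1e9") and base prefixes ("0x..") before big.Rat sees the input.
// With both limits in place the numerator and denominator are each bounded
// by about 10^maxLen, so parsing cost and memory are bounded by the caller.
func ParseRatBounded(s string, maxLen int) (*big.Rat, error) {
	if len(s) > maxLen {
		return nil, ErrRatTooLong
	}
	// strings.Trim leaves something behind only if a character outside the cutset is present.
	if strings.Trim(s, "0123456789./+-") != "" {
		return nil, ErrRatBadChar
	}
	r, ok := new(big.Rat).SetString(s)
	if !ok {
		return nil, fmt.Errorf("invalid rational %q", s)
	}
	return r, nil
}

func main() {
	curve := elliptic.P256()
	gx, gy := curve.Params().Gx, curve.Params().Gy
	// Constructed inputs: the generator (valid), Gx + P (congruent to Gx but
	// not a canonical field element), and -Gx (negative).
	overflow := new(big.Int).Add(gx, curve.Params().P)
	negative := new(big.Int).Neg(gx)
	fmt.Println("generator:", CheckAffinePoint(curve, gx, gy))
	fmt.Println("x+P:      ", CheckAffinePoint(curve, overflow, gy))
	fmt.Println("-x:       ", CheckAffinePoint(curve, negative, gy))

	fmt.Println(ParseRatBounded("3/4", 64))
	fmt.Println(ParseRatBounded("1e9", 64))
	fmt.Println(ParseRatBounded(strings.Repeat("9", 100), 32))
}
```

On a patched Go (1.16.14 or later) IsOnCurve itself returns false for non-canonical coordinates, so the range check is defence in depth that also yields a distinct, loggable error. The character allowlist is what makes the length cap meaningful: a short string with an exponent would otherwise still make SetString build a very large value.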

diffstat:

 lang/go/version.mk  |  4 ++--
 lang/go116/PLIST    |  5 ++++-
 lang/go116/distinfo |  8 ++++----
 3 files changed, 10 insertions(+), 7 deletions(-)

diffs (60 lines):

diff -r 7661686f31ac -r 6174d9946228 lang/go/version.mk
--- a/lang/go/version.mk        Sat Feb 12 18:09:10 2022 +0000
+++ b/lang/go/version.mk        Sat Feb 12 19:52:40 2022 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: version.mk,v 1.139 2022/01/09 19:54:46 bsiegert Exp $
+# $NetBSD: version.mk,v 1.140 2022/02/12 19:52:40 bsiegert Exp $
 
 #
 # If bsd.prefs.mk is included before go-package.mk in a package, then this
@@ -7,7 +7,7 @@
 .include "go-vars.mk"
 
 GO117_VERSION= 1.17.6
-GO116_VERSION= 1.16.13
+GO116_VERSION= 1.16.14
 GO110_VERSION= 1.10.8
 GO19_VERSION=  1.9.7
 GO14_VERSION=  1.4.3
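Review bot: only GO116_VERSION moves in this hunk while GO117_VERSION stays at 1.17.6 in the same block. The description attributes three CVE fixes to this release (crypto/elliptic, math/big, cmd/go); if the go117 series is affected by the same issues, a matching bump should follow in a separate commit so the security update does not stop at one minor series.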
diff -r 7661686f31ac -r 6174d9946228 lang/go116/PLIST
--- a/lang/go116/PLIST  Sat Feb 12 18:09:10 2022 +0000
+++ b/lang/go116/PLIST  Sat Feb 12 19:52:40 2022 +0000
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.11 2022/01/09 19:18:52 bsiegert Exp $
+@comment $NetBSD: PLIST,v 1.12 2022/02/12 19:52:40 bsiegert Exp $
 bin/go${GOVERSSUFFIX}
 bin/gofmt${GOVERSSUFFIX}
 go116/AUTHORS
@@ -254,6 +254,7 @@
 go116/misc/cgo/testplugin/plugin_test.go
 go116/misc/cgo/testplugin/testdata/checkdwarf/main.go
 go116/misc/cgo/testplugin/testdata/common/common.go
+go116/misc/cgo/testplugin/testdata/forkexec/main.go
 go116/misc/cgo/testplugin/testdata/host/host.go
 go116/misc/cgo/testplugin/testdata/iface/main.go
 go116/misc/cgo/testplugin/testdata/iface_a/a.go
@@ -9230,6 +9231,8 @@
 go116/test/fixedbugs/issue4964.go
 go116/test/fixedbugs/issue5002.go
 go116/test/fixedbugs/issue5056.go
+go116/test/fixedbugs/issue50671.go
+go116/test/fixedbugs/issue50854.go
 go116/test/fixedbugs/issue5089.go
 go116/test/fixedbugs/issue5105.dir/a.go
 go116/test/fixedbugs/issue5105.dir/b.go
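Review bot: the added regression fixtures issue50671.go and issue50854.go are not among the issues cited in the description (50974, 50699, 35671), which suggests 1.16.14 also carries non-security fixes. Consider pointing the description at the upstream release notes so readers know this is a full point release rather than only the three CVEs.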
diff -r 7661686f31ac -r 6174d9946228 lang/go116/distinfo
--- a/lang/go116/distinfo       Sat Feb 12 18:09:10 2022 +0000
+++ b/lang/go116/distinfo       Sat Feb 12 19:52:40 2022 +0000
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.19 2022/01/09 19:18:52 bsiegert Exp $
+$NetBSD: distinfo,v 1.20 2022/02/12 19:52:40 bsiegert Exp $
 
-BLAKE2s (go1.16.13.src.tar.gz) = f36014c1832d5e67db746db97a1b57546d62998095c1bb59fbb476c213d44997
-SHA512 (go1.16.13.src.tar.gz) = e168583a6264db5e28af0bc6a5de1e7586e0f4c248b8c387c8dd4a817c4a2bb303532e1f32067db3c565de9c1b39248f59573365c61c2f1116ba73f4af59b6bc
-Size (go1.16.13.src.tar.gz) = 20927103 bytes
+BLAKE2s (go1.16.14.src.tar.gz) = 4cea58059f72e37c0d72513211f901f2fbe3c9956fb361d2bf82eae389556c7d
+SHA512 (go1.16.14.src.tar.gz) = cd613d94d3c476a61bf9c3a7bb4f6f6c55a2b5c2732837e31bff4ca1f96941e42b2daa39ce3a8fced1a3808206c9711fc1c6cfe8c950b93b18179116478eef4e
+Size (go1.16.14.src.tar.gz) = 20932846 bytes
 SHA1 (patch-misc_ios_clangwrap.sh) = 0a06403609cb7bce2e6f65444fd322f486761afe
 SHA1 (patch-src_cmd_dist_util.go) = 24e6f1b6ded842a8ce322a40e8766f7d344bc47e
 SHA1 (patch-src_crypto_x509_root__bsd.go) = 27636e0d8c121ccec6c46a3a82cd0e0469473a6e
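Review bot: the new BLAKE2s/SHA512/Size triple for go1.16.14.src.tar.gz is the only thing that ties the build to a specific upstream archive, so it should come from `make distinfo` run against a freshly fetched tarball, with the SHA512 compared against the checksum the Go project publishes for 1.16.14. The three patch SHA1 lines are unchanged, which is expected as long as the existing patches still apply cleanly to the new source.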


