CVS commit: pkgsrc/lang/go

["Benny Siegert" <bsiegert%netbsd.org@localhost>]

Module Name:    pkgsrc
Committed By:   bsiegert
Date:           Thu Feb  8 19:32:17 UTC 2018

Modified Files:
        pkgsrc/lang/go: PLIST distinfo version.mk

Log Message:
Update Go to 1.9.4.

By using the clang or gcc plugin mechanism, it was possible for an attacker to
trick the “go get” command into executing arbitrary code. The go command now
restricts the set of allowed host compiler and linker arguments in cgo source
files to a list of allowed flags, in particular disallowing -fplugin= and
-plugin=.

The issue is CVE-2018-6574 and Go issue golang.org/issue/23672. See the Go
issue for details.

Thanks to Christopher Brown of Mattermost for reporting this problem.


To generate a diff of this commit:
cvs rdiff -u -r1.37 -r1.38 pkgsrc/lang/go/PLIST
cvs rdiff -u -r1.56 -r1.57 pkgsrc/lang/go/distinfo
cvs rdiff -u -r1.33 -r1.34 pkgsrc/lang/go/version.mk

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/lang/go/PLIST
diff -u pkgsrc/lang/go/PLIST:1.37 pkgsrc/lang/go/PLIST:1.38
--- pkgsrc/lang/go/PLIST:1.37   Sun Jan 28 11:31:03 2018
+++ pkgsrc/lang/go/PLIST        Thu Feb  8 19:32:17 2018
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.37 2018/01/28 11:31:03 bsiegert Exp $
+@comment $NetBSD: PLIST,v 1.38 2018/02/08 19:32:17 bsiegert Exp $
 bin/go
 bin/gofmt
 go/AUTHORS
@@ -1789,6 +1789,8 @@ go/src/cmd/go/internal/web/http.go
 go/src/cmd/go/internal/web/security.go
 go/src/cmd/go/internal/work/build.go
 go/src/cmd/go/internal/work/build_test.go
+go/src/cmd/go/internal/work/security.go
+go/src/cmd/go/internal/work/security_test.go
 go/src/cmd/go/internal/work/testgo.go
 go/src/cmd/go/main.go
 go/src/cmd/go/mkalldocs.sh

Index: pkgsrc/lang/go/distinfo
diff -u pkgsrc/lang/go/distinfo:1.56 pkgsrc/lang/go/distinfo:1.57
--- pkgsrc/lang/go/distinfo:1.56        Sun Jan 28 11:31:03 2018
+++ pkgsrc/lang/go/distinfo     Thu Feb  8 19:32:17 2018
@@ -1,9 +1,9 @@
-$NetBSD: distinfo,v 1.56 2018/01/28 11:31:03 bsiegert Exp $
+$NetBSD: distinfo,v 1.57 2018/02/08 19:32:17 bsiegert Exp $
 
-SHA1 (go1.9.3.src.tar.gz) = e1854548e8e2defca7d63ab752ff46f38eb7db2a
-RMD160 (go1.9.3.src.tar.gz) = 0088a287f3a3c4bd4c152101f684e22173c59fa4
-SHA512 (go1.9.3.src.tar.gz) = 31c564af58b78c648c9bece8fa2ed3334feb80316b07b16f6286319e26d317da90d1af0464c3a2f776a3da72d31b22b063dbc620b93114bf142a11e8a625e527
-Size (go1.9.3.src.tar.gz) = 16385451 bytes
+SHA1 (go1.9.4.src.tar.gz) = 12b0ecee83525cd594f4fbf30380d4832e06f189
+RMD160 (go1.9.4.src.tar.gz) = 801d6a8a57d2dc0fefba283ea1ae456b869a7398
+SHA512 (go1.9.4.src.tar.gz) = 1a7c830e07507ff7b89025adfb5c713444d97301f8ad47ef2564722c1e28186e946350f07e22777fbdd6f2f589c334eb01dfd589e97cb8a86f73669547badb0b
+Size (go1.9.4.src.tar.gz) = 16392325 bytes
 SHA1 (patch-misc_io_clangwrap.sh) = cd91c47ba0fe7b6eb8009dd261c0c26c7d581c29
 SHA1 (patch-src_cmd_dist_util.go) = 24e6f1b6ded842a8ce322a40e8766f7d344bc47e
 SHA1 (patch-src_cmd_link_internal_ld_elf.go) = acc8d92b7eae1b77470bd3e88af93d458695ac76

Index: pkgsrc/lang/go/version.mk
diff -u pkgsrc/lang/go/version.mk:1.33 pkgsrc/lang/go/version.mk:1.34
--- pkgsrc/lang/go/version.mk:1.33      Tue Jan 30 17:05:21 2018
+++ pkgsrc/lang/go/version.mk   Thu Feb  8 19:32:17 2018
@@ -1,10 +1,10 @@
-# $NetBSD: version.mk,v 1.33 2018/01/30 17:05:21 jperkin Exp $
+# $NetBSD: version.mk,v 1.34 2018/02/08 19:32:17 bsiegert Exp $
 
 SSP_SUPPORTED= no
 
 .include "../../mk/bsd.prefs.mk"
 
-GO_VERSION=    1.9.3
+GO_VERSION=    1.9.4
 GO14_VERSION=  1.4.3
 
 ONLY_FOR_PLATFORM=     *-*-i386 *-*-x86_64 *-*-earmv[67]hf