pkgsrc-Changes archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
CVS commit: pkgsrc/lang
Module Name: pkgsrc
Committed By: bsiegert
Date: Tue Jun 6 18:49:04 UTC 2023
Modified Files:
pkgsrc/lang/go: version.mk
pkgsrc/lang/go119: PLIST distinfo
Log Message:
go119: update to 1.19.10 (security)
This minor release includes 3 security fixes following the security policy:
- cmd/go: cgo code injection
The go command may generate unexpected code at build time when using cgo. This
may result in unexpected behavior when running a go program which uses cgo.
This may occur when running an untrusted module which contains directories
with newline characters in their names. Modules which are retrieved using the
go command, i.e. via "go get", are not affected (modules retrieved using
GOPATH-mode, i.e. GO111MODULE=off, may be affected).
Thanks to Juho Nurminen of Mattermost for reporting this issue.
This is CVE-2023-29402 and Go issue https://go.dev/issue/60167.
- runtime: unexpected behavior of setuid/setgid binaries
The Go runtime didn't act any differently when a binary had the setuid/setgid
bit set. On Unix platforms, if a setuid/setgid binary was executed with
standard I/O file descriptors closed, opening any files could result in
unexpected content being read/written with elevated prilieges. Similarly if a
setuid/setgid program was terminated, either via panic or signal, it could
leak the contents of its registers.
Thanks to Vincent Dehors from Synacktiv for reporting this issue.
This is CVE-2023-29403 and Go issue https://go.dev/issue/60272.
- cmd/go: improper sanitization of LDFLAGS
The go command may execute arbitrary code at build time when using cgo. This
may occur when running "go get" on a malicious module, or when running any
other command which builds untrusted code. This is can by triggered by linker
flags, specified via a "#cgo LDFLAGS" directive.
Thanks to Juho Nurminen of Mattermost for reporting this issue.
This is CVE-2023-29404 and CVE-2023-29405 and Go issues
https://go.dev/issue/60305 and https://go.dev/issue/60306.
To generate a diff of this commit:
cvs rdiff -u -r1.179 -r1.180 pkgsrc/lang/go/version.mk
cvs rdiff -u -r1.9 -r1.10 pkgsrc/lang/go119/PLIST
cvs rdiff -u -r1.11 -r1.12 pkgsrc/lang/go119/distinfo
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: pkgsrc/lang/go/version.mk
diff -u pkgsrc/lang/go/version.mk:1.179 pkgsrc/lang/go/version.mk:1.180
--- pkgsrc/lang/go/version.mk:1.179 Fri May 5 18:33:15 2023
+++ pkgsrc/lang/go/version.mk Tue Jun 6 18:49:04 2023
@@ -1,4 +1,4 @@
-# $NetBSD: version.mk,v 1.179 2023/05/05 18:33:15 bsiegert Exp $
+# $NetBSD: version.mk,v 1.180 2023/06/06 18:49:04 bsiegert Exp $
#
# If bsd.prefs.mk is included before go-package.mk in a package, then this
@@ -7,7 +7,7 @@
.include "go-vars.mk"
GO120_VERSION= 1.20.4
-GO119_VERSION= 1.19.9
+GO119_VERSION= 1.19.10
GO118_VERSION= 1.18.10
GO14_VERSION= 1.4.3
Index: pkgsrc/lang/go119/PLIST
diff -u pkgsrc/lang/go119/PLIST:1.9 pkgsrc/lang/go119/PLIST:1.10
--- pkgsrc/lang/go119/PLIST:1.9 Wed May 3 19:24:54 2023
+++ pkgsrc/lang/go119/PLIST Tue Jun 6 18:49:04 2023
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.9 2023/05/03 19:24:54 bsiegert Exp $
+@comment $NetBSD: PLIST,v 1.10 2023/06/06 18:49:04 bsiegert Exp $
bin/go${GOVERSSUFFIX}
bin/gofmt${GOVERSSUFFIX}
go119/CONTRIBUTING.md
@@ -450,10 +450,6 @@ go119/misc/wasm/go_js_wasm_exec
go119/misc/wasm/wasm_exec.html
go119/misc/wasm/wasm_exec.js
go119/misc/wasm/wasm_exec_node.js
-go119/pkg/include/asm_amd64.h
-go119/pkg/include/asm_ppc64x.h
-go119/pkg/include/funcdata.h
-go119/pkg/include/textflag.h
go119/pkg/${GO_PLATFORM}/archive/tar.a
go119/pkg/${GO_PLATFORM}/archive/zip.a
go119/pkg/${GO_PLATFORM}/bufio.a
@@ -907,6 +903,10 @@ go119/pkg/${GO_PLATFORM}/vendor/golang.o
go119/pkg/${GO_PLATFORM}/vendor/golang.org/x/text/transform.a
go119/pkg/${GO_PLATFORM}/vendor/golang.org/x/text/unicode/bidi.a
go119/pkg/${GO_PLATFORM}/vendor/golang.org/x/text/unicode/norm.a
+go119/pkg/include/asm_amd64.h
+go119/pkg/include/asm_ppc64x.h
+go119/pkg/include/funcdata.h
+go119/pkg/include/textflag.h
go119/pkg/tool/${GO_PLATFORM}/addr2line
go119/pkg/tool/${GO_PLATFORM}/api
go119/pkg/tool/${GO_PLATFORM}/asm
@@ -2321,6 +2321,7 @@ go119/src/cmd/go/testdata/mod/example.co
go119/src/cmd/go/testdata/mod/example.com_downgrade_v2_v2.0.1.txt
go119/src/cmd/go/testdata/mod/example.com_fuzzfail_v0.1.0.txt
go119/src/cmd/go/testdata/mod/example.com_fuzzfail_v0.2.0.txt
+go119/src/cmd/go/testdata/mod/example.com_generics_v1.0.0.txt
go119/src/cmd/go/testdata/mod/example.com_incompatiblewithsub_v1.0.0.txt
go119/src/cmd/go/testdata/mod/example.com_incompatiblewithsub_v2.0.0+incompatible.txt
go119/src/cmd/go/testdata/mod/example.com_invalidpath_v1_v1.0.0.txt
@@ -2495,6 +2496,7 @@ go119/src/cmd/go/testdata/script/build_c
go119/src/cmd/go/testdata/script/build_cd_gopath_different.txt
go119/src/cmd/go/testdata/script/build_cgo_consistent_results.txt
go119/src/cmd/go/testdata/script/build_concurrent_backend.txt
+go119/src/cmd/go/testdata/script/build_cwd_newline.txt
go119/src/cmd/go/testdata/script/build_darwin_cc_arch.txt
go119/src/cmd/go/testdata/script/build_dash_n_cgo.txt
go119/src/cmd/go/testdata/script/build_dash_o_dev_null.txt
@@ -2586,6 +2588,7 @@ go119/src/cmd/go/testdata/script/filelin
go119/src/cmd/go/testdata/script/fmt_load_errors.txt
go119/src/cmd/go/testdata/script/fsys_walk.txt
go119/src/cmd/go/testdata/script/gccgo_link_c.txt
+go119/src/cmd/go/testdata/script/gccgo_link_ldflags.txt
go119/src/cmd/go/testdata/script/gccgo_m.txt
go119/src/cmd/go/testdata/script/gccgo_mangle.txt
go119/src/cmd/go/testdata/script/gcflags_patterns.txt
@@ -2936,6 +2939,7 @@ go119/src/cmd/go/testdata/script/mod_ski
go119/src/cmd/go/testdata/script/mod_std_vendor.txt
go119/src/cmd/go/testdata/script/mod_string_alias.txt
go119/src/cmd/go/testdata/script/mod_sum_ambiguous.txt
+go119/src/cmd/go/testdata/script/mod_sum_issue56222.txt
go119/src/cmd/go/testdata/script/mod_sum_lookup.txt
go119/src/cmd/go/testdata/script/mod_sum_readonly.txt
go119/src/cmd/go/testdata/script/mod_sum_replaced.txt
@@ -7668,7 +7672,6 @@ go119/src/runtime/export_linux_test.go
go119/src/runtime/export_mmap_test.go
go119/src/runtime/export_pipe2_test.go
go119/src/runtime/export_pipe_test.go
-go119/src/runtime/export_solaris_test.go
go119/src/runtime/export_test.go
go119/src/runtime/export_unix_test.go
go119/src/runtime/export_windows_test.go
@@ -7741,6 +7744,16 @@ go119/src/runtime/internal/syscall/asm_l
go119/src/runtime/internal/syscall/asm_linux_ppc64x.s
go119/src/runtime/internal/syscall/asm_linux_riscv64.s
go119/src/runtime/internal/syscall/asm_linux_s390x.s
+go119/src/runtime/internal/syscall/defs_linux_386.go
+go119/src/runtime/internal/syscall/defs_linux_amd64.go
+go119/src/runtime/internal/syscall/defs_linux_arm.go
+go119/src/runtime/internal/syscall/defs_linux_arm64.go
+go119/src/runtime/internal/syscall/defs_linux_loong64.go
+go119/src/runtime/internal/syscall/defs_linux_mips64x.go
+go119/src/runtime/internal/syscall/defs_linux_mipsx.go
+go119/src/runtime/internal/syscall/defs_linux_ppc64x.go
+go119/src/runtime/internal/syscall/defs_linux_riscv64.go
+go119/src/runtime/internal/syscall/defs_linux_s390x.go
go119/src/runtime/internal/syscall/syscall_linux.go
go119/src/runtime/lfstack.go
go119/src/runtime/lfstack_32bit.go
@@ -7854,8 +7867,6 @@ go119/src/runtime/msize.go
go119/src/runtime/mspanset.go
go119/src/runtime/mstats.go
go119/src/runtime/mwbbuf.go
-go119/src/runtime/nbpipe_fcntl_libc_test.go
-go119/src/runtime/nbpipe_fcntl_unix_test.go
go119/src/runtime/nbpipe_pipe.go
go119/src/runtime/nbpipe_pipe2.go
go119/src/runtime/nbpipe_pipe_test.go
@@ -8085,6 +8096,12 @@ go119/src/runtime/runtime_test.go
go119/src/runtime/runtime_unix_test.go
go119/src/runtime/rwmutex.go
go119/src/runtime/rwmutex_test.go
+go119/src/runtime/security_aix.go
+go119/src/runtime/security_issetugid.go
+go119/src/runtime/security_linux.go
+go119/src/runtime/security_nonunix.go
+go119/src/runtime/security_test.go
+go119/src/runtime/security_unix.go
go119/src/runtime/select.go
go119/src/runtime/sema.go
go119/src/runtime/sema_test.go
@@ -8304,6 +8321,7 @@ go119/src/runtime/testdata/testprognet/m
go119/src/runtime/testdata/testprognet/net.go
go119/src/runtime/testdata/testprognet/signal.go
go119/src/runtime/testdata/testprognet/signalexec.go
+go119/src/runtime/testdata/testsuid/main.go
go119/src/runtime/testdata/testwinlib/main.c
go119/src/runtime/testdata/testwinlib/main.go
go119/src/runtime/testdata/testwinlibsignal/dummy.go
Index: pkgsrc/lang/go119/distinfo
diff -u pkgsrc/lang/go119/distinfo:1.11 pkgsrc/lang/go119/distinfo:1.12
--- pkgsrc/lang/go119/distinfo:1.11 Wed May 3 19:24:54 2023
+++ pkgsrc/lang/go119/distinfo Tue Jun 6 18:49:04 2023
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.11 2023/05/03 19:24:54 bsiegert Exp $
+$NetBSD: distinfo,v 1.12 2023/06/06 18:49:04 bsiegert Exp $
-BLAKE2s (go1.19.9.src.tar.gz) = e2e97859cac2288f04d7bc458179fb5037024bd448e1efce408f2d03c3804c61
-SHA512 (go1.19.9.src.tar.gz) = 548525fc33b0d0c6e5e175190b3235a3bfe2046607a87e3b890735bae4f6279f77a15122cfd432c7971c829a631883a1ed2e39399e23c9b8fa96f86502a8c02e
-Size (go1.19.9.src.tar.gz) = 26556330 bytes
+BLAKE2s (go1.19.10.src.tar.gz) = 0a8fd698ed37ecd0490d9adc1262c79dbc423709839dbdfb8c46d2d41367ccfa
+SHA512 (go1.19.10.src.tar.gz) = e8e7d1118d0c409d692ebb406f0e6807781dfd8f7dbe8b03be145e3fc287cde967fde387a216eb9996366508f4e61954cd131cd33f85b652bfd223e37bf41a67
+Size (go1.19.10.src.tar.gz) = 26563069 bytes
SHA1 (patch-misc_ios_clangwrap.sh) = 0a06403609cb7bce2e6f65444fd322f486761afe
SHA1 (patch-src_cmd_dist_util.go) = 2d9c2f59e27672d56f5f1a0e3f9d5101a05546a7
SHA1 (patch-src_crypto_x509_root__bsd.go) = 0b5dead901450967109303f873a2696c65ccac35
Home |
Main Index |
Thread Index |
Old Index