CVS commit: pkgsrc/lang

["Benny Siegert" <bsiegert%netbsd.org@localhost>]

Module Name:    pkgsrc
Committed By:   bsiegert
Date:           Tue Jun  6 18:49:04 UTC 2023

Modified Files:
        pkgsrc/lang/go: version.mk
        pkgsrc/lang/go119: PLIST distinfo

Log Message:
go119: update to 1.19.10 (security)

This minor release includes 3 security fixes following the security policy:

- cmd/go: cgo code injection

  The go command may generate unexpected code at build time when using cgo. This
  may result in unexpected behavior when running a go program which uses cgo.

  This may occur when running an untrusted module which contains directories
  with newline characters in their names. Modules which are retrieved using the
  go command, i.e. via "go get", are not affected (modules retrieved using
  GOPATH-mode, i.e.  GO111MODULE=off, may be affected).

  Thanks to Juho Nurminen of Mattermost for reporting this issue.

  This is CVE-2023-29402 and Go issue https://go.dev/issue/60167.

- runtime: unexpected behavior of setuid/setgid binaries

  The Go runtime didn't act any differently when a binary had the setuid/setgid
  bit set. On Unix platforms, if a setuid/setgid binary was executed with
  standard I/O file descriptors closed, opening any files could result in
  unexpected content being read/written with elevated prilieges. Similarly if a
  setuid/setgid program was terminated, either via panic or signal, it could
  leak the contents of its registers.

  Thanks to Vincent Dehors from Synacktiv for reporting this issue.

  This is CVE-2023-29403 and Go issue https://go.dev/issue/60272.

- cmd/go: improper sanitization of LDFLAGS

  The go command may execute arbitrary code at build time when using cgo. This
  may occur when running "go get" on a malicious module, or when running any
  other command which builds untrusted code. This is can by triggered by linker
  flags, specified via a "#cgo LDFLAGS" directive.

  Thanks to Juho Nurminen of Mattermost for reporting this issue.

  This is CVE-2023-29404 and CVE-2023-29405 and Go issues
  https://go.dev/issue/60305 and https://go.dev/issue/60306.


To generate a diff of this commit:
cvs rdiff -u -r1.179 -r1.180 pkgsrc/lang/go/version.mk
cvs rdiff -u -r1.9 -r1.10 pkgsrc/lang/go119/PLIST
cvs rdiff -u -r1.11 -r1.12 pkgsrc/lang/go119/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/lang/go/version.mk
diff -u pkgsrc/lang/go/version.mk:1.179 pkgsrc/lang/go/version.mk:1.180
--- pkgsrc/lang/go/version.mk:1.179     Fri May  5 18:33:15 2023
+++ pkgsrc/lang/go/version.mk   Tue Jun  6 18:49:04 2023
@@ -1,4 +1,4 @@
-# $NetBSD: version.mk,v 1.179 2023/05/05 18:33:15 bsiegert Exp $
+# $NetBSD: version.mk,v 1.180 2023/06/06 18:49:04 bsiegert Exp $
 
 #
 # If bsd.prefs.mk is included before go-package.mk in a package, then this
@@ -7,7 +7,7 @@
 .include "go-vars.mk"
 
 GO120_VERSION= 1.20.4
-GO119_VERSION= 1.19.9
+GO119_VERSION= 1.19.10
 GO118_VERSION= 1.18.10
 GO14_VERSION=  1.4.3
 

Index: pkgsrc/lang/go119/PLIST
diff -u pkgsrc/lang/go119/PLIST:1.9 pkgsrc/lang/go119/PLIST:1.10
--- pkgsrc/lang/go119/PLIST:1.9 Wed May  3 19:24:54 2023
+++ pkgsrc/lang/go119/PLIST     Tue Jun  6 18:49:04 2023
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.9 2023/05/03 19:24:54 bsiegert Exp $
+@comment $NetBSD: PLIST,v 1.10 2023/06/06 18:49:04 bsiegert Exp $
 bin/go${GOVERSSUFFIX}
 bin/gofmt${GOVERSSUFFIX}
 go119/CONTRIBUTING.md
@@ -450,10 +450,6 @@ go119/misc/wasm/go_js_wasm_exec
 go119/misc/wasm/wasm_exec.html
 go119/misc/wasm/wasm_exec.js
 go119/misc/wasm/wasm_exec_node.js
-go119/pkg/include/asm_amd64.h
-go119/pkg/include/asm_ppc64x.h
-go119/pkg/include/funcdata.h
-go119/pkg/include/textflag.h
 go119/pkg/${GO_PLATFORM}/archive/tar.a
 go119/pkg/${GO_PLATFORM}/archive/zip.a
 go119/pkg/${GO_PLATFORM}/bufio.a
@@ -907,6 +903,10 @@ go119/pkg/${GO_PLATFORM}/vendor/golang.o
 go119/pkg/${GO_PLATFORM}/vendor/golang.org/x/text/transform.a
 go119/pkg/${GO_PLATFORM}/vendor/golang.org/x/text/unicode/bidi.a
 go119/pkg/${GO_PLATFORM}/vendor/golang.org/x/text/unicode/norm.a
+go119/pkg/include/asm_amd64.h
+go119/pkg/include/asm_ppc64x.h
+go119/pkg/include/funcdata.h
+go119/pkg/include/textflag.h
 go119/pkg/tool/${GO_PLATFORM}/addr2line
 go119/pkg/tool/${GO_PLATFORM}/api
 go119/pkg/tool/${GO_PLATFORM}/asm
@@ -2321,6 +2321,7 @@ go119/src/cmd/go/testdata/mod/example.co
 go119/src/cmd/go/testdata/mod/example.com_downgrade_v2_v2.0.1.txt
 go119/src/cmd/go/testdata/mod/example.com_fuzzfail_v0.1.0.txt
 go119/src/cmd/go/testdata/mod/example.com_fuzzfail_v0.2.0.txt
+go119/src/cmd/go/testdata/mod/example.com_generics_v1.0.0.txt
 go119/src/cmd/go/testdata/mod/example.com_incompatiblewithsub_v1.0.0.txt
 go119/src/cmd/go/testdata/mod/example.com_incompatiblewithsub_v2.0.0+incompatible.txt
 go119/src/cmd/go/testdata/mod/example.com_invalidpath_v1_v1.0.0.txt
@@ -2495,6 +2496,7 @@ go119/src/cmd/go/testdata/script/build_c
 go119/src/cmd/go/testdata/script/build_cd_gopath_different.txt
 go119/src/cmd/go/testdata/script/build_cgo_consistent_results.txt
 go119/src/cmd/go/testdata/script/build_concurrent_backend.txt
+go119/src/cmd/go/testdata/script/build_cwd_newline.txt
 go119/src/cmd/go/testdata/script/build_darwin_cc_arch.txt
 go119/src/cmd/go/testdata/script/build_dash_n_cgo.txt
 go119/src/cmd/go/testdata/script/build_dash_o_dev_null.txt
@@ -2586,6 +2588,7 @@ go119/src/cmd/go/testdata/script/filelin
 go119/src/cmd/go/testdata/script/fmt_load_errors.txt
 go119/src/cmd/go/testdata/script/fsys_walk.txt
 go119/src/cmd/go/testdata/script/gccgo_link_c.txt
+go119/src/cmd/go/testdata/script/gccgo_link_ldflags.txt
 go119/src/cmd/go/testdata/script/gccgo_m.txt
 go119/src/cmd/go/testdata/script/gccgo_mangle.txt
 go119/src/cmd/go/testdata/script/gcflags_patterns.txt
@@ -2936,6 +2939,7 @@ go119/src/cmd/go/testdata/script/mod_ski
 go119/src/cmd/go/testdata/script/mod_std_vendor.txt
 go119/src/cmd/go/testdata/script/mod_string_alias.txt
 go119/src/cmd/go/testdata/script/mod_sum_ambiguous.txt
+go119/src/cmd/go/testdata/script/mod_sum_issue56222.txt
 go119/src/cmd/go/testdata/script/mod_sum_lookup.txt
 go119/src/cmd/go/testdata/script/mod_sum_readonly.txt
 go119/src/cmd/go/testdata/script/mod_sum_replaced.txt
@@ -7668,7 +7672,6 @@ go119/src/runtime/export_linux_test.go
 go119/src/runtime/export_mmap_test.go
 go119/src/runtime/export_pipe2_test.go
 go119/src/runtime/export_pipe_test.go
-go119/src/runtime/export_solaris_test.go
 go119/src/runtime/export_test.go
 go119/src/runtime/export_unix_test.go
 go119/src/runtime/export_windows_test.go
@@ -7741,6 +7744,16 @@ go119/src/runtime/internal/syscall/asm_l
 go119/src/runtime/internal/syscall/asm_linux_ppc64x.s
 go119/src/runtime/internal/syscall/asm_linux_riscv64.s
 go119/src/runtime/internal/syscall/asm_linux_s390x.s
+go119/src/runtime/internal/syscall/defs_linux_386.go
+go119/src/runtime/internal/syscall/defs_linux_amd64.go
+go119/src/runtime/internal/syscall/defs_linux_arm.go
+go119/src/runtime/internal/syscall/defs_linux_arm64.go
+go119/src/runtime/internal/syscall/defs_linux_loong64.go
+go119/src/runtime/internal/syscall/defs_linux_mips64x.go
+go119/src/runtime/internal/syscall/defs_linux_mipsx.go
+go119/src/runtime/internal/syscall/defs_linux_ppc64x.go
+go119/src/runtime/internal/syscall/defs_linux_riscv64.go
+go119/src/runtime/internal/syscall/defs_linux_s390x.go
 go119/src/runtime/internal/syscall/syscall_linux.go
 go119/src/runtime/lfstack.go
 go119/src/runtime/lfstack_32bit.go
@@ -7854,8 +7867,6 @@ go119/src/runtime/msize.go
 go119/src/runtime/mspanset.go
 go119/src/runtime/mstats.go
 go119/src/runtime/mwbbuf.go
-go119/src/runtime/nbpipe_fcntl_libc_test.go
-go119/src/runtime/nbpipe_fcntl_unix_test.go
 go119/src/runtime/nbpipe_pipe.go
 go119/src/runtime/nbpipe_pipe2.go
 go119/src/runtime/nbpipe_pipe_test.go
@@ -8085,6 +8096,12 @@ go119/src/runtime/runtime_test.go
 go119/src/runtime/runtime_unix_test.go
 go119/src/runtime/rwmutex.go
 go119/src/runtime/rwmutex_test.go
+go119/src/runtime/security_aix.go
+go119/src/runtime/security_issetugid.go
+go119/src/runtime/security_linux.go
+go119/src/runtime/security_nonunix.go
+go119/src/runtime/security_test.go
+go119/src/runtime/security_unix.go
 go119/src/runtime/select.go
 go119/src/runtime/sema.go
 go119/src/runtime/sema_test.go
@@ -8304,6 +8321,7 @@ go119/src/runtime/testdata/testprognet/m
 go119/src/runtime/testdata/testprognet/net.go
 go119/src/runtime/testdata/testprognet/signal.go
 go119/src/runtime/testdata/testprognet/signalexec.go
+go119/src/runtime/testdata/testsuid/main.go
 go119/src/runtime/testdata/testwinlib/main.c
 go119/src/runtime/testdata/testwinlib/main.go
 go119/src/runtime/testdata/testwinlibsignal/dummy.go

Index: pkgsrc/lang/go119/distinfo
diff -u pkgsrc/lang/go119/distinfo:1.11 pkgsrc/lang/go119/distinfo:1.12
--- pkgsrc/lang/go119/distinfo:1.11     Wed May  3 19:24:54 2023
+++ pkgsrc/lang/go119/distinfo  Tue Jun  6 18:49:04 2023
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.11 2023/05/03 19:24:54 bsiegert Exp $
+$NetBSD: distinfo,v 1.12 2023/06/06 18:49:04 bsiegert Exp $
 
-BLAKE2s (go1.19.9.src.tar.gz) = e2e97859cac2288f04d7bc458179fb5037024bd448e1efce408f2d03c3804c61
-SHA512 (go1.19.9.src.tar.gz) = 548525fc33b0d0c6e5e175190b3235a3bfe2046607a87e3b890735bae4f6279f77a15122cfd432c7971c829a631883a1ed2e39399e23c9b8fa96f86502a8c02e
-Size (go1.19.9.src.tar.gz) = 26556330 bytes
+BLAKE2s (go1.19.10.src.tar.gz) = 0a8fd698ed37ecd0490d9adc1262c79dbc423709839dbdfb8c46d2d41367ccfa
+SHA512 (go1.19.10.src.tar.gz) = e8e7d1118d0c409d692ebb406f0e6807781dfd8f7dbe8b03be145e3fc287cde967fde387a216eb9996366508f4e61954cd131cd33f85b652bfd223e37bf41a67
+Size (go1.19.10.src.tar.gz) = 26563069 bytes
 SHA1 (patch-misc_ios_clangwrap.sh) = 0a06403609cb7bce2e6f65444fd322f486761afe
 SHA1 (patch-src_cmd_dist_util.go) = 2d9c2f59e27672d56f5f1a0e3f9d5101a05546a7
 SHA1 (patch-src_crypto_x509_root__bsd.go) = 0b5dead901450967109303f873a2696c65ccac35