pkgsrc-Changes archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

CVS commit: pkgsrc/lang



Module Name:    pkgsrc
Committed By:   bsiegert
Date:           Sat Jun 10 11:41:31 UTC 2023

Modified Files:
        pkgsrc/lang/go: version.mk
        pkgsrc/lang/go120: PLIST distinfo

Log Message:
go120: update to 1.20.5 (security)

This minor release includes 3 security fixes following the security policy:

- cmd/go: cgo code injection

  The go command may generate unexpected code at build time when using cgo. This
  may result in unexpected behavior when running a go program which uses cgo.

  This may occur when running an untrusted module which contains directories
  with newline characters in their names. Modules which are retrieved using the
  go command, i.e. via "go get", are not affected (modules retrieved using
  GOPATH-mode, i.e.  GO111MODULE=off, may be affected).

  Thanks to Juho Nurminen of Mattermost for reporting this issue.

  This is CVE-2023-29402 and Go issue https://go.dev/issue/60167.

- runtime: unexpected behavior of setuid/setgid binaries

  The Go runtime didn't act any differently when a binary had the setuid/setgid
  bit set. On Unix platforms, if a setuid/setgid binary was executed with
  standard I/O file descriptors closed, opening any files could result in
  unexpected content being read/written with elevated prilieges. Similarly if a
  setuid/setgid program was terminated, either via panic or signal, it could
  leak the contents of its registers.

  Thanks to Vincent Dehors from Synacktiv for reporting this issue.

  This is CVE-2023-29403 and Go issue https://go.dev/issue/60272.

- cmd/go: improper sanitization of LDFLAGS

  The go command may execute arbitrary code at build time when using cgo. This
  may occur when running "go get" on a malicious module, or when running any
  other command which builds untrusted code. This is can by triggered by linker
  flags, specified via a "#cgo LDFLAGS" directive.

  Thanks to Juho Nurminen of Mattermost for reporting this issue.

  This is CVE-2023-29404 and CVE-2023-29405 and Go issues
  https://go.dev/issue/60305 and https://go.dev/issue/60306.


To generate a diff of this commit:
cvs rdiff -u -r1.180 -r1.181 pkgsrc/lang/go/version.mk
cvs rdiff -u -r1.5 -r1.6 pkgsrc/lang/go120/PLIST pkgsrc/lang/go120/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/lang/go/version.mk
diff -u pkgsrc/lang/go/version.mk:1.180 pkgsrc/lang/go/version.mk:1.181
--- pkgsrc/lang/go/version.mk:1.180     Tue Jun  6 18:49:04 2023
+++ pkgsrc/lang/go/version.mk   Sat Jun 10 11:41:31 2023
@@ -1,4 +1,4 @@
-# $NetBSD: version.mk,v 1.180 2023/06/06 18:49:04 bsiegert Exp $
+# $NetBSD: version.mk,v 1.181 2023/06/10 11:41:31 bsiegert Exp $
 
 #
 # If bsd.prefs.mk is included before go-package.mk in a package, then this
@@ -6,7 +6,7 @@
 #
 .include "go-vars.mk"
 
-GO120_VERSION= 1.20.4
+GO120_VERSION= 1.20.5
 GO119_VERSION= 1.19.10
 GO118_VERSION= 1.18.10
 GO14_VERSION=  1.4.3

Index: pkgsrc/lang/go120/PLIST
diff -u pkgsrc/lang/go120/PLIST:1.5 pkgsrc/lang/go120/PLIST:1.6
--- pkgsrc/lang/go120/PLIST:1.5 Fri May  5 18:33:15 2023
+++ pkgsrc/lang/go120/PLIST     Sat Jun 10 11:41:31 2023
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.5 2023/05/05 18:33:15 bsiegert Exp $
+@comment $NetBSD: PLIST,v 1.6 2023/06/10 11:41:31 bsiegert Exp $
 bin/go${GOVERSSUFFIX}
 bin/gofmt${GOVERSSUFFIX}
 go120/CONTRIBUTING.md
@@ -1891,6 +1891,7 @@ go120/src/cmd/go/testdata/script/build_c
 go120/src/cmd/go/testdata/script/build_cgo_consistent_results.txt
 go120/src/cmd/go/testdata/script/build_cgo_error.txt
 go120/src/cmd/go/testdata/script/build_concurrent_backend.txt
+go120/src/cmd/go/testdata/script/build_cwd_newline.txt
 go120/src/cmd/go/testdata/script/build_darwin_cc_arch.txt
 go120/src/cmd/go/testdata/script/build_dash_n_cgo.txt
 go120/src/cmd/go/testdata/script/build_dash_o_dev_null.txt
@@ -1995,6 +1996,7 @@ go120/src/cmd/go/testdata/script/filelin
 go120/src/cmd/go/testdata/script/fmt_load_errors.txt
 go120/src/cmd/go/testdata/script/fsys_walk.txt
 go120/src/cmd/go/testdata/script/gccgo_link_c.txt
+go120/src/cmd/go/testdata/script/gccgo_link_ldflags.txt
 go120/src/cmd/go/testdata/script/gccgo_m.txt
 go120/src/cmd/go/testdata/script/gccgo_mangle.txt
 go120/src/cmd/go/testdata/script/gcflags_patterns.txt
@@ -2359,6 +2361,7 @@ go120/src/cmd/go/testdata/script/mod_sta
 go120/src/cmd/go/testdata/script/mod_std_vendor.txt
 go120/src/cmd/go/testdata/script/mod_string_alias.txt
 go120/src/cmd/go/testdata/script/mod_sum_ambiguous.txt
+go120/src/cmd/go/testdata/script/mod_sum_issue56222.txt
 go120/src/cmd/go/testdata/script/mod_sum_lookup.txt
 go120/src/cmd/go/testdata/script/mod_sum_readonly.txt
 go120/src/cmd/go/testdata/script/mod_sum_replaced.txt
@@ -6460,6 +6463,7 @@ go120/src/net/file_plan9.go
 go120/src/net/file_stub.go
 go120/src/net/file_test.go
 go120/src/net/file_unix.go
+go120/src/net/file_unix_test.go
 go120/src/net/file_windows.go
 go120/src/net/hook.go
 go120/src/net/hook_plan9.go
@@ -7316,10 +7320,8 @@ go120/src/runtime/export_debug_test.go
 go120/src/runtime/export_debuglog_test.go
 go120/src/runtime/export_linux_test.go
 go120/src/runtime/export_mmap_test.go
-go120/src/runtime/export_openbsd_test.go
 go120/src/runtime/export_pipe2_test.go
 go120/src/runtime/export_pipe_test.go
-go120/src/runtime/export_solaris_test.go
 go120/src/runtime/export_test.go
 go120/src/runtime/export_unix2_test.go
 go120/src/runtime/export_unix_test.go
@@ -7524,8 +7526,6 @@ go120/src/runtime/msize.go
 go120/src/runtime/mspanset.go
 go120/src/runtime/mstats.go
 go120/src/runtime/mwbbuf.go
-go120/src/runtime/nbpipe_fcntl_libc_test.go
-go120/src/runtime/nbpipe_fcntl_unix_test.go
 go120/src/runtime/nbpipe_pipe.go
 go120/src/runtime/nbpipe_pipe2.go
 go120/src/runtime/nbpipe_pipe_test.go
@@ -7771,6 +7771,12 @@ go120/src/runtime/runtime_test.go
 go120/src/runtime/runtime_unix_test.go
 go120/src/runtime/rwmutex.go
 go120/src/runtime/rwmutex_test.go
+go120/src/runtime/security_aix.go
+go120/src/runtime/security_issetugid.go
+go120/src/runtime/security_linux.go
+go120/src/runtime/security_nonunix.go
+go120/src/runtime/security_test.go
+go120/src/runtime/security_unix.go
 go120/src/runtime/select.go
 go120/src/runtime/sema.go
 go120/src/runtime/sema_test.go
@@ -8001,6 +8007,7 @@ go120/src/runtime/testdata/testprognet/m
 go120/src/runtime/testdata/testprognet/net.go
 go120/src/runtime/testdata/testprognet/signal.go
 go120/src/runtime/testdata/testprognet/signalexec.go
+go120/src/runtime/testdata/testsuid/main.go
 go120/src/runtime/testdata/testwinlib/main.c
 go120/src/runtime/testdata/testwinlib/main.go
 go120/src/runtime/testdata/testwinlibsignal/dummy.go
Index: pkgsrc/lang/go120/distinfo
diff -u pkgsrc/lang/go120/distinfo:1.5 pkgsrc/lang/go120/distinfo:1.6
--- pkgsrc/lang/go120/distinfo:1.5      Fri May  5 18:33:15 2023
+++ pkgsrc/lang/go120/distinfo  Sat Jun 10 11:41:31 2023
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.5 2023/05/05 18:33:15 bsiegert Exp $
+$NetBSD: distinfo,v 1.6 2023/06/10 11:41:31 bsiegert Exp $
 
-BLAKE2s (go1.20.4.src.tar.gz) = fe3bbdd7cce52b89e3ce260e926ae7b79388b55d026c8f2c8e6039fff92133d3
-SHA512 (go1.20.4.src.tar.gz) = 43898325bab48c24e533f360a2c7de356a8a56946602e727b5bcd4a62ff4f64fd750e2650032f7e0525b0699e40e506d79446e16838f097e6bdc2a16f10d81be
-Size (go1.20.4.src.tar.gz) = 26185429 bytes
+BLAKE2s (go1.20.5.src.tar.gz) = a739ed4608461945d17e7198d148bfb9ebee68c72debb61fda6059b5d45e3a46
+SHA512 (go1.20.5.src.tar.gz) = 94cecb366cd9d9722b53e52ea3b0a5715a9e9dc21da0273dd3db9354557f71b9501b018125ef073dacc2e59125335f436cea1151cd8df0d60e2ad513f841905c
+Size (go1.20.5.src.tar.gz) = 26192951 bytes
 SHA1 (patch-misc_ios_clangwrap.sh) = 0a06403609cb7bce2e6f65444fd322f486761afe
 SHA1 (patch-src_cmd_dist_util.go) = 2d9c2f59e27672d56f5f1a0e3f9d5101a05546a7
 SHA1 (patch-src_crypto_x509_root__bsd.go) = 0b5dead901450967109303f873a2696c65ccac35



Home | Main Index | Thread Index | Old Index