CVS commit: pkgsrc/lang

["Benny Siegert" <bsiegert%netbsd.org@localhost>]

Module Name:    pkgsrc
Committed By:   bsiegert
Date:           Fri Nov 10 15:39:34 UTC 2023

Modified Files:
        pkgsrc/lang/go: version.mk
        pkgsrc/lang/go120: PLIST distinfo
        pkgsrc/lang/go121: PLIST distinfo

Log Message:
Update go120 to 1.20.11 and go121 to 1.21.4 (security).

These minor releases include 2 security fixes following the security policy:

- path/filepath: recognize \??\ as a Root Local Device path prefix.

  On Windows, a path beginning with \??\ is a Root Local Device path equivalent
  to a path beginning with \\?\. Paths with a \??\ prefix may be used to access
  arbitrary locations on the system. For example, the path \??\c:\x is
  equivalent to the more common path c:\x.

  The filepath package did not recognize paths with a \??\ prefix as special.

  Clean could convert a rooted path such as \a\..\??\b into
  the root local device path \??\b. It will now convert this
  path into .\??\b.

  IsAbs did not report paths beginning with \??\ as absolute.
  It now does so.

  VolumeName now reports the \??\ prefix as a volume name.

  Join(`\`, `??`, `b`) could convert a seemingly innocent
  sequence of path elements into the root local device path
  \??\b. It will now convert this to \.\??\b.

  This is CVE-2023-45283 and https://go.dev/issue/63713.

- path/filepath: recognize device names with trailing spaces and superscripts

  The IsLocal function did not correctly detect reserved names in some cases:

  reserved names followed by spaces, such as "COM1 ".
  "COM" or "LPT" followed by a superscript 1, 2, or 3.
  IsLocal now correctly reports these names as non-local.

  This is CVE-2023-45284 and https://go.dev/issue/63713.


To generate a diff of this commit:
cvs rdiff -u -r1.193 -r1.194 pkgsrc/lang/go/version.mk
cvs rdiff -u -r1.9 -r1.10 pkgsrc/lang/go120/PLIST
cvs rdiff -u -r1.11 -r1.12 pkgsrc/lang/go120/distinfo
cvs rdiff -u -r1.3 -r1.4 pkgsrc/lang/go121/PLIST pkgsrc/lang/go121/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/lang/go/version.mk
diff -u pkgsrc/lang/go/version.mk:1.193 pkgsrc/lang/go/version.mk:1.194
--- pkgsrc/lang/go/version.mk:1.193     Sun Oct 29 14:40:35 2023
+++ pkgsrc/lang/go/version.mk   Fri Nov 10 15:39:34 2023
@@ -1,4 +1,4 @@
-# $NetBSD: version.mk,v 1.193 2023/10/29 14:40:35 bsiegert Exp $
+# $NetBSD: version.mk,v 1.194 2023/11/10 15:39:34 bsiegert Exp $
 
 #
 # If bsd.prefs.mk is included before go-package.mk in a package, then this
@@ -6,8 +6,8 @@
 #
 .include "go-vars.mk"
 
-GO121_VERSION= 1.21.3
-GO120_VERSION= 1.20.10
+GO121_VERSION= 1.21.4
+GO120_VERSION= 1.20.11
 GO119_VERSION= 1.19.13
 GO118_VERSION= 1.18.10
 GO14_VERSION=  1.4.3

Index: pkgsrc/lang/go120/PLIST
diff -u pkgsrc/lang/go120/PLIST:1.9 pkgsrc/lang/go120/PLIST:1.10
--- pkgsrc/lang/go120/PLIST:1.9 Sat Oct  7 18:09:35 2023
+++ pkgsrc/lang/go120/PLIST     Fri Nov 10 15:39:34 2023
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.9 2023/10/07 18:09:35 bsiegert Exp $
+@comment $NetBSD: PLIST,v 1.10 2023/11/10 15:39:34 bsiegert Exp $
 bin/go${GOVERSSUFFIX}
 bin/gofmt${GOVERSSUFFIX}
 go120/CONTRIBUTING.md
@@ -6972,6 +6972,7 @@ go120/src/path/filepath/export_windows_t
 go120/src/path/filepath/match.go
 go120/src/path/filepath/match_test.go
 go120/src/path/filepath/path.go
+go120/src/path/filepath/path_nonwindows.go
 go120/src/path/filepath/path_plan9.go
 go120/src/path/filepath/path_test.go
 go120/src/path/filepath/path_unix.go

Index: pkgsrc/lang/go120/distinfo
diff -u pkgsrc/lang/go120/distinfo:1.11 pkgsrc/lang/go120/distinfo:1.12
--- pkgsrc/lang/go120/distinfo:1.11     Sun Oct 15 11:02:08 2023
+++ pkgsrc/lang/go120/distinfo  Fri Nov 10 15:39:34 2023
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.11 2023/10/15 11:02:08 bsiegert Exp $
+$NetBSD: distinfo,v 1.12 2023/11/10 15:39:34 bsiegert Exp $
 
-BLAKE2s (go1.20.10.src.tar.gz) = 30b04898bf10cd5592451b3767e235fa31f73383948239a759bc1bd732621910
-SHA512 (go1.20.10.src.tar.gz) = 1c6304abb8a7847cedb634380d43fcbf2b206f0e6af99e915b4735b4c5f9dfc08a01db6d41edaed91a2a8140fcd886343d39465bd6fb53bd37be0a7f41dc6525
-Size (go1.20.10.src.tar.gz) = 26198392 bytes
+BLAKE2s (go1.20.11.src.tar.gz) = b636e61be275b981dc8140041d423373bfd6077c6ee917abce41348d5adb9717
+SHA512 (go1.20.11.src.tar.gz) = d89fb9ecd9fe394b7f6b9a0ad98db2f9401bec203d64cc5c301d3678f6a74524bae85a9ece31ad2ea66a3ffec90f35cb30e600e0c910bcc6010ad36b501c5c37
+Size (go1.20.11.src.tar.gz) = 26198249 bytes
 SHA1 (patch-misc_ios_clangwrap.sh) = 0a06403609cb7bce2e6f65444fd322f486761afe
 SHA1 (patch-src_cmd_dist_util.go) = 2d9c2f59e27672d56f5f1a0e3f9d5101a05546a7
 SHA1 (patch-src_crypto_x509_root__bsd.go) = 0b5dead901450967109303f873a2696c65ccac35

Index: pkgsrc/lang/go121/PLIST
diff -u pkgsrc/lang/go121/PLIST:1.3 pkgsrc/lang/go121/PLIST:1.4
--- pkgsrc/lang/go121/PLIST:1.3 Sun Oct 15 09:26:35 2023
+++ pkgsrc/lang/go121/PLIST     Fri Nov 10 15:39:34 2023
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.3 2023/10/15 09:26:35 bsiegert Exp $
+@comment $NetBSD: PLIST,v 1.4 2023/11/10 15:39:34 bsiegert Exp $
 bin/go${GOVERSSUFFIX}
 bin/gofmt${GOVERSSUFFIX}
 go121/CONTRIBUTING.md
@@ -7396,6 +7396,7 @@ go121/src/path/filepath/export_windows_t
 go121/src/path/filepath/match.go
 go121/src/path/filepath/match_test.go
 go121/src/path/filepath/path.go
+go121/src/path/filepath/path_nonwindows.go
 go121/src/path/filepath/path_plan9.go
 go121/src/path/filepath/path_test.go
 go121/src/path/filepath/path_unix.go
@@ -11579,6 +11580,9 @@ go121/test/fixedbugs/issue61992.go
 go121/test/fixedbugs/issue62203.go
 go121/test/fixedbugs/issue62469.go
 go121/test/fixedbugs/issue6247.go
+go121/test/fixedbugs/issue62498.dir/a.go
+go121/test/fixedbugs/issue62498.dir/main.go
+go121/test/fixedbugs/issue62498.go
 go121/test/fixedbugs/issue6269.go
 go121/test/fixedbugs/issue6295.dir/p0.go
 go121/test/fixedbugs/issue6295.dir/p1.go
Index: pkgsrc/lang/go121/distinfo
diff -u pkgsrc/lang/go121/distinfo:1.3 pkgsrc/lang/go121/distinfo:1.4
--- pkgsrc/lang/go121/distinfo:1.3      Sun Oct 15 09:26:35 2023
+++ pkgsrc/lang/go121/distinfo  Fri Nov 10 15:39:34 2023
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.3 2023/10/15 09:26:35 bsiegert Exp $
+$NetBSD: distinfo,v 1.4 2023/11/10 15:39:34 bsiegert Exp $
 
-BLAKE2s (go1.21.3.src.tar.gz) = ac5137ef1bfd608d983c67a1e2969c3ee49171b7430193d4bbf5b4dfdd3ef1bf
-SHA512 (go1.21.3.src.tar.gz) = c98d31b9c477c0ac4b6f6933adefb40fdce5cdbb171e5236e3b694fec9e5b04695487af734259eab304dd42e86341240621a781f54b60c719627fd7b5efe4742
-Size (go1.21.3.src.tar.gz) = 26976568 bytes
+BLAKE2s (go1.21.4.src.tar.gz) = ee8cdd84e28c4106b2eb5181308a6912e24689382553d19b0d365ac4a66b7364
+SHA512 (go1.21.4.src.tar.gz) = a6019d51876d7705f7737cddae748f9df3b4e1b40d678094465d2e81b18a4a99b93c3979d318d6c0c6d314e44554894105d07665b7d81acbbfd80203d3ed95bc
+Size (go1.21.4.src.tar.gz) = 26979154 bytes
 SHA1 (patch-misc_ios_clangwrap.sh) = 0a06403609cb7bce2e6f65444fd322f486761afe
 SHA1 (patch-src_crypto_x509_root__bsd.go) = 0b5dead901450967109303f873a2696c65ccac35
 SHA1 (patch-src_crypto_x509_root__solaris.go) = d636a1599ede225ac339388fba2b6e253112d461