pkgsrc-Changes archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

CVS commit: pkgsrc/lang



Module Name:    pkgsrc
Committed By:   bsiegert
Date:           Tue Apr  4 18:22:14 UTC 2023

Modified Files:
        pkgsrc/lang/go: version.mk
        pkgsrc/lang/go119: PLIST distinfo

Log Message:
go119: update to 1.19.8 (security)

This minor release includes 4 security fixes following the security policy:

- go/parser: infinite loop in parsing

  Calling any of the Parse functions on Go source code which contains //line
  directives with very large line numbers can cause an infinite loop due to
  integer overflow.

  Thanks to Philippe Antoine (Catena cyber) for reporting this issue.

  This is CVE-2023-24537 and Go issue https://go.dev/issue/59180.

- html/template: backticks not treated as string delimiters

  Templates did not properly consider backticks (`) as Javascript string
  delimiters, and as such did not escape them as expected. Backticks are used,
  since ES6, for JS template literals. If a template contained a Go template
  action within a Javascript template literal, the contents of the action could
  be used to terminate the literal, injecting arbitrary Javascript code into
  the Go template.

  As ES6 template literals are rather complex, and themselves can do string
  interpolation, we've decided to simply disallow Go template actions from
  being used inside of them (e.g. "var a = {{.}}"), since there is no obviously
  safe way to allow this behavior. This takes the same approach as
  github.com/google/safehtml.  Template.Parse will now return an Error when it
  encounters templates like this, with a currently unexported ErrorCode with a
  value of 12. This ErrorCode will be exported in the next major release.

  Users who rely on this behavior can re-enable it using the GODEBUG flag
  jstmpllitinterp=1, with the caveat that backticks will now be escaped. This
  should be used with caution.

  Thanks to Sohom Datta, Manipal Institute of Technology, for reporting this
  issue.

  This is CVE-2023-24538 and Go issue https://go.dev/issue/59234.

- net/http, net/textproto: denial of service from excessive memory allocation

  HTTP and MIME header parsing could allocate large amounts of memory, even
  when parsing small inputs.

  Certain unusual patterns of input data could cause the common function used
  to parse HTTP and MIME headers to allocate substantially more memory than
  required to hold the parsed headers. An attacker can exploit this behavior to
  cause an HTTP server to allocate large amounts of memory from a small
  request, potentially leading to memory exhaustion and a denial of service.

  Header parsing now correctly allocates only the memory required to hold
  parsed headers.

  Thanks to Jakob Ackermann (@das7pad) for discovering this issue.

  This is CVE-2023-24534 and Go issue https://go.dev/issue/58975.

- net/http, net/textproto, mime/multipart: denial of service from excessive resource consumption

  Multipart form parsing can consume large amounts of CPU and memory when
  processing form inputs containing very large numbers of parts. This stems
  from several causes:

  mime/multipart.Reader.ReadForm limits the total memory a parsed multipart
  form can consume. ReadForm could undercount the amount of memory consumed,
  leading it to accept larger inputs than intended.  Limiting total memory does
  not account for increased pressure on the garbage collector from large
  numbers of small allocations in forms with many parts.  ReadForm could
  allocate a large number of short-lived buffers, further increasing pressure
  on the garbage collector.  The combination of these factors can permit an
  attacker to cause an program that parses multipart forms to consume large
  amounts of CPU and memory, potentially resulting in a denial of service. This
  affects programs that use mime/multipart.Reader.ReadForm, as well as form
  parsing in the net/http package with the Request methods FormFile, FormValue,
  ParseMultipartForm, and PostFormValue.

  ReadForm now does a better job of estimating the memory consumption of parsed
  forms, and performs many fewer short-lived allocations.

  In addition, mime/multipart.Reader now imposes the following limits on the
  size of parsed forms:

  Forms parsed with ReadForm may contain no more than 1000 parts. This limit
  may be adjusted with the environment variable GODEBUG=multipartmaxparts=.
  Form parts parsed with NextPart and NextRawPart may contain no more than
  10,000 header fields. In addition, forms parsed with ReadForm may contain no
  more than 10,000 header fields across all parts. This limit may be adjusted
  with the environment variable GODEBUG=multipartmaxheaders=.  Thanks to Jakob
  Ackermann (@das7pad) for discovering this issue.

  This is CVE-2023-24536 and Go issue https://go.dev/issue/59153.


To generate a diff of this commit:
cvs rdiff -u -r1.175 -r1.176 pkgsrc/lang/go/version.mk
cvs rdiff -u -r1.7 -r1.8 pkgsrc/lang/go119/PLIST
cvs rdiff -u -r1.9 -r1.10 pkgsrc/lang/go119/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/lang/go/version.mk
diff -u pkgsrc/lang/go/version.mk:1.175 pkgsrc/lang/go/version.mk:1.176
--- pkgsrc/lang/go/version.mk:1.175     Wed Mar  8 13:14:58 2023
+++ pkgsrc/lang/go/version.mk   Tue Apr  4 18:22:14 2023
@@ -1,4 +1,4 @@
-# $NetBSD: version.mk,v 1.175 2023/03/08 13:14:58 bsiegert Exp $
+# $NetBSD: version.mk,v 1.176 2023/04/04 18:22:14 bsiegert Exp $
 
 #
 # If bsd.prefs.mk is included before go-package.mk in a package, then this
@@ -7,7 +7,7 @@
 .include "go-vars.mk"
 
 GO120_VERSION= 1.20.2
-GO119_VERSION= 1.19.7
+GO119_VERSION= 1.19.8
 GO118_VERSION= 1.18.10
 GO14_VERSION=  1.4.3
 

Index: pkgsrc/lang/go119/PLIST
diff -u pkgsrc/lang/go119/PLIST:1.7 pkgsrc/lang/go119/PLIST:1.8
--- pkgsrc/lang/go119/PLIST:1.7 Thu Feb 16 13:55:55 2023
+++ pkgsrc/lang/go119/PLIST     Tue Apr  4 18:22:14 2023
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.7 2023/02/16 13:55:55 bsiegert Exp $
+@comment $NetBSD: PLIST,v 1.8 2023/04/04 18:22:14 bsiegert Exp $
 bin/go${GOVERSSUFFIX}
 bin/gofmt${GOVERSSUFFIX}
 go119/CONTRIBUTING.md
@@ -2544,6 +2544,7 @@ go119/src/cmd/go/testdata/script/cgo_pat
 go119/src/cmd/go/testdata/script/cgo_path_space_quote.txt
 go119/src/cmd/go/testdata/script/cgo_stale.txt
 go119/src/cmd/go/testdata/script/cgo_stale_precompiled.txt
+go119/src/cmd/go/testdata/script/cgo_suspect_flag_force_external.txt
 go119/src/cmd/go/testdata/script/cgo_syso_issue29253.txt
 go119/src/cmd/go/testdata/script/cgo_undef.txt
 go119/src/cmd/go/testdata/script/clean_binary.txt

Index: pkgsrc/lang/go119/distinfo
diff -u pkgsrc/lang/go119/distinfo:1.9 pkgsrc/lang/go119/distinfo:1.10
--- pkgsrc/lang/go119/distinfo:1.9      Wed Mar  8 13:14:59 2023
+++ pkgsrc/lang/go119/distinfo  Tue Apr  4 18:22:14 2023
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.9 2023/03/08 13:14:59 bsiegert Exp $
+$NetBSD: distinfo,v 1.10 2023/04/04 18:22:14 bsiegert Exp $
 
-BLAKE2s (go1.19.7.src.tar.gz) = f3a78d0c99bf153166e4f5869efba139d65fc2ae4954279f09e26392e5790702
-SHA512 (go1.19.7.src.tar.gz) = e6f0df2d381a424cf43e8ea0306a58a46a96464cff4665ca3da73f713d4f039687a6c9659cef577000b1fadca7c1a2114fac34ffb2017d6335f537ac235de823
-Size (go1.19.7.src.tar.gz) = 26550385 bytes
+BLAKE2s (go1.19.8.src.tar.gz) = 80e7ca6822b2a04bf8837aca9ece2c1a15587aa2f6d859b4b2dc119b4f815a1c
+SHA512 (go1.19.8.src.tar.gz) = d7ecbae3034211d7c64df4c0fce6894bae3e7e8de20bd2aa9f24b39cc040fa64d8a3bea311582cf4455a981dc3c8f319141f7f357db4eebd27d4451fee05727a
+Size (go1.19.8.src.tar.gz) = 26553006 bytes
 SHA1 (patch-misc_ios_clangwrap.sh) = 0a06403609cb7bce2e6f65444fd322f486761afe
 SHA1 (patch-src_cmd_dist_util.go) = 2d9c2f59e27672d56f5f1a0e3f9d5101a05546a7
 SHA1 (patch-src_crypto_x509_root__bsd.go) = 0b5dead901450967109303f873a2696c65ccac35



Home | Main Index | Thread Index | Old Index