pkgsrc-Changes archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
CVS commit: pkgsrc/lang
Module Name: pkgsrc
Committed By: bsiegert
Date: Sat Jun 10 11:41:31 UTC 2023
Modified Files:
pkgsrc/lang/go: version.mk
pkgsrc/lang/go120: PLIST distinfo
Log Message:
go120: update to 1.20.5 (security)
This minor release includes 3 security fixes following the security policy:
- cmd/go: cgo code injection
The go command may generate unexpected code at build time when using cgo. This
may result in unexpected behavior when running a go program which uses cgo.
This may occur when running an untrusted module which contains directories
with newline characters in their names. Modules which are retrieved using the
go command, i.e. via "go get", are not affected (modules retrieved using
GOPATH-mode, i.e. GO111MODULE=off, may be affected).
Thanks to Juho Nurminen of Mattermost for reporting this issue.
This is CVE-2023-29402 and Go issue https://go.dev/issue/60167.
- runtime: unexpected behavior of setuid/setgid binaries
The Go runtime didn't act any differently when a binary had the setuid/setgid
bit set. On Unix platforms, if a setuid/setgid binary was executed with
standard I/O file descriptors closed, opening any files could result in
unexpected content being read/written with elevated prilieges. Similarly if a
setuid/setgid program was terminated, either via panic or signal, it could
leak the contents of its registers.
Thanks to Vincent Dehors from Synacktiv for reporting this issue.
This is CVE-2023-29403 and Go issue https://go.dev/issue/60272.
- cmd/go: improper sanitization of LDFLAGS
The go command may execute arbitrary code at build time when using cgo. This
may occur when running "go get" on a malicious module, or when running any
other command which builds untrusted code. This is can by triggered by linker
flags, specified via a "#cgo LDFLAGS" directive.
Thanks to Juho Nurminen of Mattermost for reporting this issue.
This is CVE-2023-29404 and CVE-2023-29405 and Go issues
https://go.dev/issue/60305 and https://go.dev/issue/60306.
To generate a diff of this commit:
cvs rdiff -u -r1.180 -r1.181 pkgsrc/lang/go/version.mk
cvs rdiff -u -r1.5 -r1.6 pkgsrc/lang/go120/PLIST pkgsrc/lang/go120/distinfo
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: pkgsrc/lang/go/version.mk
diff -u pkgsrc/lang/go/version.mk:1.180 pkgsrc/lang/go/version.mk:1.181
--- pkgsrc/lang/go/version.mk:1.180 Tue Jun 6 18:49:04 2023
+++ pkgsrc/lang/go/version.mk Sat Jun 10 11:41:31 2023
@@ -1,4 +1,4 @@
-# $NetBSD: version.mk,v 1.180 2023/06/06 18:49:04 bsiegert Exp $
+# $NetBSD: version.mk,v 1.181 2023/06/10 11:41:31 bsiegert Exp $
#
# If bsd.prefs.mk is included before go-package.mk in a package, then this
@@ -6,7 +6,7 @@
#
.include "go-vars.mk"
-GO120_VERSION= 1.20.4
+GO120_VERSION= 1.20.5
GO119_VERSION= 1.19.10
GO118_VERSION= 1.18.10
GO14_VERSION= 1.4.3
Index: pkgsrc/lang/go120/PLIST
diff -u pkgsrc/lang/go120/PLIST:1.5 pkgsrc/lang/go120/PLIST:1.6
--- pkgsrc/lang/go120/PLIST:1.5 Fri May 5 18:33:15 2023
+++ pkgsrc/lang/go120/PLIST Sat Jun 10 11:41:31 2023
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.5 2023/05/05 18:33:15 bsiegert Exp $
+@comment $NetBSD: PLIST,v 1.6 2023/06/10 11:41:31 bsiegert Exp $
bin/go${GOVERSSUFFIX}
bin/gofmt${GOVERSSUFFIX}
go120/CONTRIBUTING.md
@@ -1891,6 +1891,7 @@ go120/src/cmd/go/testdata/script/build_c
go120/src/cmd/go/testdata/script/build_cgo_consistent_results.txt
go120/src/cmd/go/testdata/script/build_cgo_error.txt
go120/src/cmd/go/testdata/script/build_concurrent_backend.txt
+go120/src/cmd/go/testdata/script/build_cwd_newline.txt
go120/src/cmd/go/testdata/script/build_darwin_cc_arch.txt
go120/src/cmd/go/testdata/script/build_dash_n_cgo.txt
go120/src/cmd/go/testdata/script/build_dash_o_dev_null.txt
@@ -1995,6 +1996,7 @@ go120/src/cmd/go/testdata/script/filelin
go120/src/cmd/go/testdata/script/fmt_load_errors.txt
go120/src/cmd/go/testdata/script/fsys_walk.txt
go120/src/cmd/go/testdata/script/gccgo_link_c.txt
+go120/src/cmd/go/testdata/script/gccgo_link_ldflags.txt
go120/src/cmd/go/testdata/script/gccgo_m.txt
go120/src/cmd/go/testdata/script/gccgo_mangle.txt
go120/src/cmd/go/testdata/script/gcflags_patterns.txt
@@ -2359,6 +2361,7 @@ go120/src/cmd/go/testdata/script/mod_sta
go120/src/cmd/go/testdata/script/mod_std_vendor.txt
go120/src/cmd/go/testdata/script/mod_string_alias.txt
go120/src/cmd/go/testdata/script/mod_sum_ambiguous.txt
+go120/src/cmd/go/testdata/script/mod_sum_issue56222.txt
go120/src/cmd/go/testdata/script/mod_sum_lookup.txt
go120/src/cmd/go/testdata/script/mod_sum_readonly.txt
go120/src/cmd/go/testdata/script/mod_sum_replaced.txt
@@ -6460,6 +6463,7 @@ go120/src/net/file_plan9.go
go120/src/net/file_stub.go
go120/src/net/file_test.go
go120/src/net/file_unix.go
+go120/src/net/file_unix_test.go
go120/src/net/file_windows.go
go120/src/net/hook.go
go120/src/net/hook_plan9.go
@@ -7316,10 +7320,8 @@ go120/src/runtime/export_debug_test.go
go120/src/runtime/export_debuglog_test.go
go120/src/runtime/export_linux_test.go
go120/src/runtime/export_mmap_test.go
-go120/src/runtime/export_openbsd_test.go
go120/src/runtime/export_pipe2_test.go
go120/src/runtime/export_pipe_test.go
-go120/src/runtime/export_solaris_test.go
go120/src/runtime/export_test.go
go120/src/runtime/export_unix2_test.go
go120/src/runtime/export_unix_test.go
@@ -7524,8 +7526,6 @@ go120/src/runtime/msize.go
go120/src/runtime/mspanset.go
go120/src/runtime/mstats.go
go120/src/runtime/mwbbuf.go
-go120/src/runtime/nbpipe_fcntl_libc_test.go
-go120/src/runtime/nbpipe_fcntl_unix_test.go
go120/src/runtime/nbpipe_pipe.go
go120/src/runtime/nbpipe_pipe2.go
go120/src/runtime/nbpipe_pipe_test.go
@@ -7771,6 +7771,12 @@ go120/src/runtime/runtime_test.go
go120/src/runtime/runtime_unix_test.go
go120/src/runtime/rwmutex.go
go120/src/runtime/rwmutex_test.go
+go120/src/runtime/security_aix.go
+go120/src/runtime/security_issetugid.go
+go120/src/runtime/security_linux.go
+go120/src/runtime/security_nonunix.go
+go120/src/runtime/security_test.go
+go120/src/runtime/security_unix.go
go120/src/runtime/select.go
go120/src/runtime/sema.go
go120/src/runtime/sema_test.go
@@ -8001,6 +8007,7 @@ go120/src/runtime/testdata/testprognet/m
go120/src/runtime/testdata/testprognet/net.go
go120/src/runtime/testdata/testprognet/signal.go
go120/src/runtime/testdata/testprognet/signalexec.go
+go120/src/runtime/testdata/testsuid/main.go
go120/src/runtime/testdata/testwinlib/main.c
go120/src/runtime/testdata/testwinlib/main.go
go120/src/runtime/testdata/testwinlibsignal/dummy.go
Index: pkgsrc/lang/go120/distinfo
diff -u pkgsrc/lang/go120/distinfo:1.5 pkgsrc/lang/go120/distinfo:1.6
--- pkgsrc/lang/go120/distinfo:1.5 Fri May 5 18:33:15 2023
+++ pkgsrc/lang/go120/distinfo Sat Jun 10 11:41:31 2023
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.5 2023/05/05 18:33:15 bsiegert Exp $
+$NetBSD: distinfo,v 1.6 2023/06/10 11:41:31 bsiegert Exp $
-BLAKE2s (go1.20.4.src.tar.gz) = fe3bbdd7cce52b89e3ce260e926ae7b79388b55d026c8f2c8e6039fff92133d3
-SHA512 (go1.20.4.src.tar.gz) = 43898325bab48c24e533f360a2c7de356a8a56946602e727b5bcd4a62ff4f64fd750e2650032f7e0525b0699e40e506d79446e16838f097e6bdc2a16f10d81be
-Size (go1.20.4.src.tar.gz) = 26185429 bytes
+BLAKE2s (go1.20.5.src.tar.gz) = a739ed4608461945d17e7198d148bfb9ebee68c72debb61fda6059b5d45e3a46
+SHA512 (go1.20.5.src.tar.gz) = 94cecb366cd9d9722b53e52ea3b0a5715a9e9dc21da0273dd3db9354557f71b9501b018125ef073dacc2e59125335f436cea1151cd8df0d60e2ad513f841905c
+Size (go1.20.5.src.tar.gz) = 26192951 bytes
SHA1 (patch-misc_ios_clangwrap.sh) = 0a06403609cb7bce2e6f65444fd322f486761afe
SHA1 (patch-src_cmd_dist_util.go) = 2d9c2f59e27672d56f5f1a0e3f9d5101a05546a7
SHA1 (patch-src_crypto_x509_root__bsd.go) = 0b5dead901450967109303f873a2696c65ccac35
Home |
Main Index |
Thread Index |
Old Index