pkgsrc-Changes archive


CVS commit: pkgsrc/lang



Module Name:    pkgsrc
Committed By:   bsiegert
Date:           Wed Jul  9 07:41:36 UTC 2025

Modified Files:
        pkgsrc/lang/go: version.mk
        pkgsrc/lang/go123: PLIST distinfo
        pkgsrc/lang/go124: PLIST distinfo

Log Message:
go: update to 1.23.11 and 1.24.5

These minor releases include 1 security fix following the security policy:

    cmd/go: unexpected command execution in untrusted VCS repositories

    Various uses of the Go toolchain in untrusted VCS repositories can result in
    unexpected code execution. When using the Go toolchain in directories fetched
    using various VCS tools (such as directly cloning Git or Mercurial repositories)
    can cause the toolchain to execute unexpected commands, if said directory
    contains multiple VCS configuration metadata (such as a ".hg" directory in a Git
    repository). This is due to how the Go toolchain attempts to resolve which VCS
    is being used in order to embed build information in binaries and determine
    module versions.

    The toolchain will now abort attempting to resolve which VCS is being used if it
    detects multiple VCS configuration metadata in a module directory or nested VCS
    configuration metadata (such as a ".git" directory in a parent directory and a
    ".hg" directory in a child directory). This will not prevent the toolchain from
    building modules, but will result in binaries omitting VCS related build
    information.

    If this behavior is expected by the user, the old behavior can be re-enabled by
    setting GODEBUG=allowmultiplevcs=1. This should only be done in trusted
    repositories.

    Thanks to RyotaK (https://ryotak.net) of GMO Flatt Security Inc for reporting
    this issue.

    This is CVE-2025-4674 and https://go.dev/issue/74380.


To generate a diff of this commit:
cvs rdiff -u -r1.232 -r1.233 pkgsrc/lang/go/version.mk
cvs rdiff -u -r1.10 -r1.11 pkgsrc/lang/go123/PLIST
cvs rdiff -u -r1.12 -r1.13 pkgsrc/lang/go123/distinfo
cvs rdiff -u -r1.5 -r1.6 pkgsrc/lang/go124/PLIST pkgsrc/lang/go124/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/lang/go/version.mk
diff -u pkgsrc/lang/go/version.mk:1.232 pkgsrc/lang/go/version.mk:1.233
--- pkgsrc/lang/go/version.mk:1.232     Fri Jun  6 13:45:14 2025
+++ pkgsrc/lang/go/version.mk   Wed Jul  9 07:41:35 2025
@@ -1,4 +1,4 @@
-# $NetBSD: version.mk,v 1.232 2025/06/06 13:45:14 bsiegert Exp $
+# $NetBSD: version.mk,v 1.233 2025/07/09 07:41:35 bsiegert Exp $
 
 #
 # If bsd.prefs.mk is included before go-package.mk in a package, then this
@@ -6,8 +6,8 @@
 #
 .include "go-vars.mk"
 
-GO124_VERSION= 1.24.4
-GO123_VERSION= 1.23.10
+GO124_VERSION= 1.24.5
+GO123_VERSION= 1.23.11
 GO122_VERSION= 1.22.12
 GO120_VERSION= 1.20.14
 GO118_VERSION= 1.18.10
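
Review bot: GO122_VERSION, GO120_VERSION and GO118_VERSION in the context lines below the bump stay at 1.22.12, 1.20.14 and 1.18.10, and the log message does not say whether those branches carry the cmd/go fix for CVE-2025-4674. Suggest stating in the log, or in a comment next to those variables, that only go123 and go124 receive this fix, so users of the older packages do not assume they are covered.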

Index: pkgsrc/lang/go123/PLIST
diff -u pkgsrc/lang/go123/PLIST:1.10 pkgsrc/lang/go123/PLIST:1.11
--- pkgsrc/lang/go123/PLIST:1.10        Fri Jun  6 13:45:14 2025
+++ pkgsrc/lang/go123/PLIST     Wed Jul  9 07:41:35 2025
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.10 2025/06/06 13:45:14 bsiegert Exp $
+@comment $NetBSD: PLIST,v 1.11 2025/07/09 07:41:35 bsiegert Exp $
 bin/go${GOVERSSUFFIX}
 bin/gofmt${GOVERSSUFFIX}
 go123/CONTRIBUTING.md
@@ -635,6 +635,10 @@ go123/src/cmd/cgo/internal/testsanitizer
 go123/src/cmd/cgo/internal/testsanitizers/testdata/asan_global3_fail.go
 go123/src/cmd/cgo/internal/testsanitizers/testdata/asan_global4_fail.go
 go123/src/cmd/cgo/internal/testsanitizers/testdata/asan_global5.go
+go123/src/cmd/cgo/internal/testsanitizers/testdata/asan_global_asm/asm.s
+go123/src/cmd/cgo/internal/testsanitizers/testdata/asan_global_asm/main.go
+go123/src/cmd/cgo/internal/testsanitizers/testdata/asan_global_asm2_fail/asm.s
+go123/src/cmd/cgo/internal/testsanitizers/testdata/asan_global_asm2_fail/main.go
 go123/src/cmd/cgo/internal/testsanitizers/testdata/asan_linkerx/main.go
 go123/src/cmd/cgo/internal/testsanitizers/testdata/asan_linkerx/p/p.go
 go123/src/cmd/cgo/internal/testsanitizers/testdata/asan_unsafe_fail1.go
@@ -2786,6 +2790,7 @@ go123/src/cmd/go/testdata/script/test_ma
 go123/src/cmd/go/testdata/script/test_match_only_subtests_parallel.txt
 go123/src/cmd/go/testdata/script/test_match_only_tests.txt
 go123/src/cmd/go/testdata/script/test_minus_n.txt
+go123/src/cmd/go/testdata/script/test_multivcs.txt
 go123/src/cmd/go/testdata/script/test_n_cover_std.txt
 go123/src/cmd/go/testdata/script/test_no_run_example.txt
 go123/src/cmd/go/testdata/script/test_no_tests.txt
@@ -12354,6 +12359,8 @@ go123/test/fixedbugs/issue7310.go
 go123/test/fixedbugs/issue7316.go
 go123/test/fixedbugs/issue7346.go
 go123/test/fixedbugs/issue7366.go
+go123/test/fixedbugs/issue73748a.go
+go123/test/fixedbugs/issue73748b.go
 go123/test/fixedbugs/issue7405.go
 go123/test/fixedbugs/issue7419.go
 go123/test/fixedbugs/issue7525.go
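
Review bot: the entries added to this PLIST at -635 (asan_global_asm testdata) and at -12354 (issue73748a.go, issue73748b.go) do not correspond to the change the log message describes, which cites only go.dev/issue/74380; only test_multivcs.txt at -2786 matches it by name. Suggest adding a line to the log noting that the release also carries other fixes, so the PLIST growth is accounted for.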

Index: pkgsrc/lang/go123/distinfo
diff -u pkgsrc/lang/go123/distinfo:1.12 pkgsrc/lang/go123/distinfo:1.13
--- pkgsrc/lang/go123/distinfo:1.12     Fri Jun  6 13:45:14 2025
+++ pkgsrc/lang/go123/distinfo  Wed Jul  9 07:41:35 2025
@@ -1,11 +1,11 @@
-$NetBSD: distinfo,v 1.12 2025/06/06 13:45:14 bsiegert Exp $
+$NetBSD: distinfo,v 1.13 2025/07/09 07:41:35 bsiegert Exp $
 
 BLAKE2s (80344887818a2321296ce7fa71cca8ca2520611d.diff) = 80c77c55780bbd3b61f54698a5790169566a5c1c142ea9cf6b3de4ff261375f6
 SHA512 (80344887818a2321296ce7fa71cca8ca2520611d.diff) = a72fe9c2bba6191df1fb796fe55cc0fea2eb1809f7a4f148230a8be798e3b6820405e48a92a57da59d8fbe23d7d624b49cef9761852a62b4e81ba9dcaa7deaa6
 Size (80344887818a2321296ce7fa71cca8ca2520611d.diff) = 3273 bytes
-BLAKE2s (go1.23.10.src.tar.gz) = 15ae1f8f571ac69bfb71a67724772d1e0ab0a2e2efb66af17b067e5a22a91e30
-SHA512 (go1.23.10.src.tar.gz) = 20639185b05720aa8bb295c54e3eaa7cf56739763544d28ce14a6f0323bf890900d5fad13086032291fbefad4482f1442772875bbdf16a94e2286eb405c8f327
-Size (go1.23.10.src.tar.gz) = 28183775 bytes
+BLAKE2s (go1.23.11.src.tar.gz) = 1dcbc120e60fe40f920bb440fbcf914434b085115d0c716cc6b7303267d13a59
+SHA512 (go1.23.11.src.tar.gz) = 108b86d384de01617b7c58fba8a2c6446f6d1e8d07b720de2c49854e664c8c2660f6a3700827bf77cb7f018f78c7f3dc4f9c9f3a8fba8ca5e91cadde2df98a95
+Size (go1.23.11.src.tar.gz) = 28185977 bytes
 SHA1 (patch-misc_ios_clangwrap.sh) = 28ea4426336155d6720f7e16b43f0207b47a6dd8
 SHA1 (patch-src_cmd_dist_build.go) = cbb9576f832806b0cbef121ea38ba6a54db95bc3
 SHA1 (patch-src_crypto_x509_root__bsd.go) = 0b5dead901450967109303f873a2696c65ccac35
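
Review bot: the context lines keep the checksums for 80344887818a2321296ce7fa71cca8ca2520611d.diff unchanged while the tarball entry moves to go1.23.11.src.tar.gz, and the go124 distinfo hunk shows no such entry. Suggest confirming that this extra diff still applies to 1.23.11 and is not already contained in the new tarball, and saying so in the log.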

Index: pkgsrc/lang/go124/PLIST
diff -u pkgsrc/lang/go124/PLIST:1.5 pkgsrc/lang/go124/PLIST:1.6
--- pkgsrc/lang/go124/PLIST:1.5 Fri Jun  6 13:45:14 2025
+++ pkgsrc/lang/go124/PLIST     Wed Jul  9 07:41:35 2025
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.5 2025/06/06 13:45:14 bsiegert Exp $
+@comment $NetBSD: PLIST,v 1.6 2025/07/09 07:41:35 bsiegert Exp $
 bin/go${GOVERSSUFFIX}
 bin/gofmt${GOVERSSUFFIX}
 go124/CONTRIBUTING.md
@@ -647,6 +647,10 @@ go124/src/cmd/cgo/internal/testsanitizer
 go124/src/cmd/cgo/internal/testsanitizers/testdata/asan_global3_fail.go
 go124/src/cmd/cgo/internal/testsanitizers/testdata/asan_global4_fail.go
 go124/src/cmd/cgo/internal/testsanitizers/testdata/asan_global5.go
+go124/src/cmd/cgo/internal/testsanitizers/testdata/asan_global_asm/asm.s
+go124/src/cmd/cgo/internal/testsanitizers/testdata/asan_global_asm/main.go
+go124/src/cmd/cgo/internal/testsanitizers/testdata/asan_global_asm2_fail/asm.s
+go124/src/cmd/cgo/internal/testsanitizers/testdata/asan_global_asm2_fail/main.go
 go124/src/cmd/cgo/internal/testsanitizers/testdata/asan_linkerx/main.go
 go124/src/cmd/cgo/internal/testsanitizers/testdata/asan_linkerx/p/p.go
 go124/src/cmd/cgo/internal/testsanitizers/testdata/asan_unsafe_fail1.go
@@ -2840,6 +2844,7 @@ go124/src/cmd/go/testdata/script/test_ma
 go124/src/cmd/go/testdata/script/test_match_only_subtests_parallel.txt
 go124/src/cmd/go/testdata/script/test_match_only_tests.txt
 go124/src/cmd/go/testdata/script/test_minus_n.txt
+go124/src/cmd/go/testdata/script/test_multivcs.txt
 go124/src/cmd/go/testdata/script/test_n_cover_std.txt
 go124/src/cmd/go/testdata/script/test_no_run_example.txt
 go124/src/cmd/go/testdata/script/test_no_tests.txt
@@ -13242,6 +13247,8 @@ go124/test/fixedbugs/issue7310.go
 go124/test/fixedbugs/issue7316.go
 go124/test/fixedbugs/issue7346.go
 go124/test/fixedbugs/issue7366.go
+go124/test/fixedbugs/issue73748a.go
+go124/test/fixedbugs/issue73748b.go
 go124/test/fixedbugs/issue7405.go
 go124/test/fixedbugs/issue7419.go
 go124/test/fixedbugs/issue7525.go

Index: pkgsrc/lang/go124/distinfo
diff -u pkgsrc/lang/go124/distinfo:1.5 pkgsrc/lang/go124/distinfo:1.6
--- pkgsrc/lang/go124/distinfo:1.5      Fri Jun  6 13:45:14 2025
+++ pkgsrc/lang/go124/distinfo  Wed Jul  9 07:41:36 2025
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.5 2025/06/06 13:45:14 bsiegert Exp $
+$NetBSD: distinfo,v 1.6 2025/07/09 07:41:36 bsiegert Exp $
 
-BLAKE2s (go1.24.4.src.tar.gz) = 1338f7e0026c21a04feceefe7ccfbcb2c69102162cb26915852aa18b9a707470
-SHA512 (go1.24.4.src.tar.gz) = b785583fc53d62094b2de793a0e3281a26d2de17897a35b378fc2d13cb912ca473c37a7bae54a50660141809d5d0a70a97663d406cf30d7f0221ecbb5ffddec6
-Size (go1.24.4.src.tar.gz) = 30788576 bytes
+BLAKE2s (go1.24.5.src.tar.gz) = c6e8ca8692a0f6fdadfa9e1484a345017480d48aced9c40387cb344857aea29d
+SHA512 (go1.24.5.src.tar.gz) = 917cd6ac83e3370227da40f8490697e8638847e9279ed1806044a173d3b52829c67c429990db92d8aadcfba6a37bfc00114c1ecec3ac387a781bb7edc8dcab22
+Size (go1.24.5.src.tar.gz) = 30792943 bytes
 SHA1 (patch-misc_ios_clangwrap.sh) = 28ea4426336155d6720f7e16b43f0207b47a6dd8
 SHA1 (patch-src_cmd_dist_build.go) = cbb9576f832806b0cbef121ea38ba6a54db95bc3
 SHA1 (patch-src_crypto_x509_root__bsd.go) = 0b5dead901450967109303f873a2696c65ccac35
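
A pre-build check for the condition the log message describes (multiple or nested VCS metadata in a checkout), as an added example that is not part of this commit or of the Go toolchain. The marker names beyond ".git" and ".hg" and the function name FindVCSConflicts are this example's assumptions, and it inspects only the tree below the given root, not parent directories.

```go
package main

import (
	"fmt"
	"io/fs"
	"path/filepath"
	"sort"
)

// Marker names are this example's assumption; the log message names only ".git" and ".hg".
var vcsMarkers = map[string]string{".git": "git", ".hg": "hg", ".svn": "svn", ".bzr": "bzr"}

// FindVCSConflicts reports directories under root holding metadata for several VCSs, or nested checkouts.
func FindVCSConflicts(root string) ([]string, error) {
	root = filepath.Clean(root)
	found := map[string][]string{} // directory -> VCS kinds whose metadata it holds
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		kind, ok := vcsMarkers[d.Name()]
		if !ok || p == root {
			return nil
		}
		found[filepath.Dir(p)] = append(found[filepath.Dir(p)], kind)
		if d.IsDir() {
			return fs.SkipDir // never descend into the metadata itself
		}
		return nil
	})
	var out []string
	for dir, kinds := range found {
		if len(kinds) > 1 {
			out = append(out, fmt.Sprintf("multiple: %s %v", dir, kinds))
		}
		for anc := dir; anc != root; { // walk up towards root looking for an outer checkout
			anc = filepath.Dir(anc)
			if outer, ok := found[anc]; ok {
				out = append(out, fmt.Sprintf("nested: %s %v inside %s %v", dir, kinds, anc, outer))
			}
		}
	}
	sort.Strings(out) // map iteration order is random; keep the report stable
	return out, err
}

func main() {
	findings, err := FindVCSConflicts(".") // run from the root of the untrusted checkout
	fmt.Println(findings, err)
}
```

Git submodules and worktrees also show up as nested findings, so a hit is a prompt to inspect the checkout before running go commands in it, not proof of tampering.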


