go: Backport fix CVE-2023-29405

Upstream-Status: Backport [https://github.com/golang/go/commit/fa60c381ed06c12f9c27a7b50ca44c5f84f7f0f4 & https://github.com/golang/go/commit/1008486a9ff979dbd21c7466eeb6abf378f9c637] (From OE-Core rev: ce213403b4e82f1b191fed4ef6494e9dee55c4f8) Signed-off-by: Ashish Sharma <asharma@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Ashish Sharma <asharma@mvista.com> 2023-06-28 17:20:28 +0530
committer: Steve Sakoman <steve@sakoman.com> 2023-07-04 05:37:07 -1000
commit: 2474c30274840b37ae945dbad55cf812406fc5f7 (patch)
tree: 72e34a0461c07f3a168c4cc0f6b56fa8886afcb3 /meta/recipes-devtools/go
parent: 5ca4b2a548fccd916b4e664c6fd456752b8eeb66 (diff)
download: poky-2474c30274840b37ae945dbad55cf812406fc5f7.tar.gz
3 files changed, 152 insertions, 0 deletions
diff --git a/meta/recipes-devtools/go/go-1.14.inc b/meta/recipes-devtools/go/go-1.14.inc
index 2c500e8331..ed505c01b3 100644
--- a/meta/recipes-devtools/go/go-1.14.inc
+++ b/meta/recipes-devtools/go/go-1.14.inc
@@ -63,6 +63,8 @@ SRC_URI += "\
    file://CVE-2023-24538-3.patch \
    file://CVE-2023-24539.patch \
    file://CVE-2023-24540.patch \
+    file://CVE-2023-29405-1.patch \
+    file://CVE-2023-29405-2.patch \
 "
 SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-29405-1.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-29405-1.patch
new file mode 100644
index 0000000000..70d50cc08a
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-29405-1.patch
@@ -0,0 +1,112 @@
+From fa60c381ed06c12f9c27a7b50ca44c5f84f7f0f4 Mon Sep 17 00:00:00 2001
+From: Ian Lance Taylor <iant@golang.org>
+Date: Thu, 4 May 2023 14:06:39 -0700
+Subject: [PATCH] [release-branch.go1.20] cmd/go,cmd/cgo: in _cgo_flags use one
+ line per flag
+The flags that we recorded in _cgo_flags did not use any quoting,
+so a flag containing embedded spaces was mishandled.
+Change the _cgo_flags format to put each flag on a separate line.
+That is a simple format that does not require any quoting.
+As far as I can tell only cmd/go uses _cgo_flags, and it is only
+used for gccgo. If this patch doesn't cause any trouble, then
+in the next release we can change to only using _cgo_flags for gccgo.
+Thanks to Juho Nurminen of Mattermost for reporting this issue.
+Updates #60306
+Fixes #60514
+Fixes CVE-2023-29405
+Change-Id: I36b6e188a44c80d7b9573efa577c386770bd2ba3
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1875094
+Reviewed-by: Damien Neil <dneil@google.com>
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+(cherry picked from commit bcdfcadd5612212089d958bc352a6f6c90742dcc)
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1902228
+Run-TryBot: Roland Shoemaker <bracewell@google.com>
+TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1904345
+Reviewed-by: Michael Knyszek <mknyszek@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/501220
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Run-TryBot: David Chase <drchase@google.com>
+Auto-Submit: Michael Knyszek <mknyszek@google.com>
+---
+Upstream-Status: Backport [https://github.com/golang/go/commit/fa60c381ed06c12f9c27a7b50ca44c5f84f7f0f4]
+CVE: CVE-2023-29405
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+ src/cmd/cgo/out.go                            |  4 +++-
+ src/cmd/go/internal/work/gccgo.go             | 14 ++++++-------
+ .../go/testdata/script/gccgo_link_ldflags.txt | 20 +++++++++++++++++++
+ 3 files changed, 29 insertions(+), 9 deletions(-)
+ create mode 100644 src/cmd/go/testdata/script/gccgo_link_ldflags.txt
+diff --git a/src/cmd/cgo/out.go b/src/cmd/cgo/out.go
+index d26f9e76a374a..d0c6fe3d4c2c2 100644
+--- a/src/cmd/cgo/out.go
+++ b/src/cmd/cgo/out.go
+@@ -47,7 +47,9 @@ func (p *Package) writeDefs() {
+ 
+        fflg := creat(*objDir + "_cgo_flags")
+        for k, v := range p.CgoFlags {
+-               fmt.Fprintf(fflg, "_CGO_%s=%s\n", k, strings.Join(v, " "))
+               for _, arg := range v {
+                       fmt.Fprintf(fflg, "_CGO_%s=%s\n", arg)
+               }
+                if k == "LDFLAGS" && !*gccgo {
+                        for _, arg := range v {
+                                fmt.Fprintf(fgo2, "//go:cgo_ldflag %q\n", arg)
+diff --git a/src/cmd/go/internal/work/gccgo.go b/src/cmd/go/internal/work/gccgo.go
+index 08a4c2d8166c7..a048b7f4eecef 100644
+--- a/src/cmd/go/internal/work/gccgo.go
+++ b/src/cmd/go/internal/work/gccgo.go
+@@ -280,14 +280,12 @@ func (tools gccgoToolchain) link(b *Builder, root *Action, out, importcfg string
+                const ldflagsPrefix = "_CGO_LDFLAGS="
+                for _, line := range strings.Split(string(flags), "\n") {
+                        if strings.HasPrefix(line, ldflagsPrefix) {
+-                               newFlags := strings.Fields(line[len(ldflagsPrefix):])
+-                               for _, flag := range newFlags {
+-                                       // Every _cgo_flags file has -g and -O2 in _CGO_LDFLAGS
+-                                       // but they don't mean anything to the linker so filter
+-                                       // them out.
+-                                       if flag != "-g" && !strings.HasPrefix(flag, "-O") {
+-                                               cgoldflags = append(cgoldflags, flag)
+-                                       }
+                               flag := line[len(ldflagsPrefix):]
+                               // Every _cgo_flags file has -g and -O2 in _CGO_LDFLAGS
+                               // but they don't mean anything to the linker so filter
+                               // them out.
+                               if flag != "-g" && !strings.HasPrefix(flag, "-O") {
+                                       cgoldflags = append(cgoldflags, flag)
+                                }
+                        }
+                }
+diff --git a/src/cmd/go/testdata/script/gccgo_link_ldflags.txt b/src/cmd/go/testdata/script/gccgo_link_ldflags.txt
+new file mode 100644
+index 0000000000000..4e91ae56505b6
+--- /dev/null
+++ b/src/cmd/go/testdata/script/gccgo_link_ldflags.txt
+@@ -0,0 +1,20 @@
+# Test that #cgo LDFLAGS are properly quoted.
+# The #cgo LDFLAGS below should pass a string with spaces to -L,
+# as though searching a directory with a space in its name.
+# It should not pass --nosuchoption to the external linker.
+
+[!cgo] skip
+
+go build
+
+[!exec:gccgo] skip
+
+go build -compiler gccgo
+
+-- go.mod --
+module m
+-- cgo.go --
+package main
+// #cgo LDFLAGS: -L "./ -Wl,--nosuchoption"
+import "C"
+func main() {}
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-29405-2.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-29405-2.patch
new file mode 100644
index 0000000000..369eca581e
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-29405-2.patch
@@ -0,0 +1,38 @@
+From 1008486a9ff979dbd21c7466eeb6abf378f9c637 Mon Sep 17 00:00:00 2001
+From: Ian Lance Taylor <iant@golang.org>
+Date: Tue, 6 Jun 2023 12:51:17 -0700
+Subject: [PATCH] [release-branch.go1.20] cmd/cgo: correct _cgo_flags output
+For #60306
+For #60514
+Change-Id: I3f5d14aee7d7195030e8872e42b1d97aa11d3582
+Reviewed-on: https://go-review.googlesource.com/c/go/+/501298
+Run-TryBot: Ian Lance Taylor <iant@golang.org>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
+Reviewed-by: David Chase <drchase@google.com>
+Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
+---
+Upstream-Status: Backport [https://github.com/golang/go/commit/1008486a9ff979dbd21c7466eeb6abf378f9c637]
+CVE: CVE-2023-29405
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+ src/cmd/cgo/out.go | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/src/cmd/cgo/out.go b/src/cmd/cgo/out.go
+index d0c6fe3d4c2c2..a48f52105628a 100644
+--- a/src/cmd/cgo/out.go
+++ b/src/cmd/cgo/out.go
+@@ -48,7 +48,7 @@ func (p *Package) writeDefs() {
+        fflg := creat(*objDir + "_cgo_flags")
+        for k, v := range p.CgoFlags {
+                for _, arg := range v {
+-                       fmt.Fprintf(fflg, "_CGO_%s=%s\n", arg)
+                       fmt.Fprintf(fflg, "_CGO_%s=%s\n", k, arg)
+                }
+                if k == "LDFLAGS" && !*gccgo {
+                        for _, arg := range v {
author	Ashish Sharma <asharma@mvista.com>	2023-06-28 17:20:28 +0530
committer	Steve Sakoman <steve@sakoman.com>	2023-07-04 05:37:07 -1000
commit	2474c30274840b37ae945dbad55cf812406fc5f7 (patch)
tree	72e34a0461c07f3a168c4cc0f6b56fa8886afcb3 /meta/recipes-devtools/go
parent	5ca4b2a548fccd916b4e664c6fd456752b8eeb66 (diff)
download	poky-2474c30274840b37ae945dbad55cf812406fc5f7.tar.gz

diff --git a/meta/recipes-devtools/go/go-1.14.inc b/meta/recipes-devtools/go/go-1.14.inc index 2c500e8331..ed505c01b3 100644 --- a/meta/recipes-devtools/go/go-1.14.inc +++ b/meta/recipes-devtools/go/go-1.14.inc
@@ -63,6 +63,8 @@ SRC_URI += "\
63	file://CVE-2023-24538-3.patch \	63	file://CVE-2023-24538-3.patch \
64	file://CVE-2023-24539.patch \	64	file://CVE-2023-24539.patch \
65	file://CVE-2023-24540.patch \	65	file://CVE-2023-24540.patch \
		66	file://CVE-2023-29405-1.patch \
		67	file://CVE-2023-29405-2.patch \
66	"	68	"
67		69
68	SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"	70	SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"


diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-29405-1.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-29405-1.patch new file mode 100644 index 0000000000..70d50cc08a --- /dev/null +++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-29405-1.patch
@@ -0,0 +1,112 @@
		1	From fa60c381ed06c12f9c27a7b50ca44c5f84f7f0f4 Mon Sep 17 00:00:00 2001
		2	From: Ian Lance Taylor <iant@golang.org>
		3	Date: Thu, 4 May 2023 14:06:39 -0700
		4	Subject: [PATCH] [release-branch.go1.20] cmd/go,cmd/cgo: in _cgo_flags use one
		5	line per flag
		6
		7	The flags that we recorded in _cgo_flags did not use any quoting,
		8	so a flag containing embedded spaces was mishandled.
		9	Change the _cgo_flags format to put each flag on a separate line.
		10	That is a simple format that does not require any quoting.
		11
		12	As far as I can tell only cmd/go uses _cgo_flags, and it is only
		13	used for gccgo. If this patch doesn't cause any trouble, then
		14	in the next release we can change to only using _cgo_flags for gccgo.
		15
		16	Thanks to Juho Nurminen of Mattermost for reporting this issue.
		17
		18	Updates #60306
		19	Fixes #60514
		20	Fixes CVE-2023-29405
		21
		22	Change-Id: I36b6e188a44c80d7b9573efa577c386770bd2ba3
		23	Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1875094
		24	Reviewed-by: Damien Neil <dneil@google.com>
		25	Reviewed-by: Roland Shoemaker <bracewell@google.com>
		26	(cherry picked from commit bcdfcadd5612212089d958bc352a6f6c90742dcc)
		27	Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1902228
		28	Run-TryBot: Roland Shoemaker <bracewell@google.com>
		29	TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
		30	Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1904345
		31	Reviewed-by: Michael Knyszek <mknyszek@google.com>
		32	Reviewed-on: https://go-review.googlesource.com/c/go/+/501220
		33	TryBot-Result: Gopher Robot <gobot@golang.org>
		34	Run-TryBot: David Chase <drchase@google.com>
		35	Auto-Submit: Michael Knyszek <mknyszek@google.com>
		36	---
		37	Upstream-Status: Backport [https://github.com/golang/go/commit/fa60c381ed06c12f9c27a7b50ca44c5f84f7f0f4]
		38	CVE: CVE-2023-29405
		39	Signed-off-by: Ashish Sharma <asharma@mvista.com>
		40
		41	src/cmd/cgo/out.go \| 4 +++-
		42	src/cmd/go/internal/work/gccgo.go \| 14 ++++++-------
		43	.../go/testdata/script/gccgo_link_ldflags.txt \| 20 +++++++++++++++++++
		44	3 files changed, 29 insertions(+), 9 deletions(-)
		45	create mode 100644 src/cmd/go/testdata/script/gccgo_link_ldflags.txt
		46
		47	diff --git a/src/cmd/cgo/out.go b/src/cmd/cgo/out.go
		48	index d26f9e76a374a..d0c6fe3d4c2c2 100644
		49	--- a/src/cmd/cgo/out.go
		50	+++ b/src/cmd/cgo/out.go
		51	@@ -47,7 +47,9 @@ func (p *Package) writeDefs() {
		52
		53	fflg := creat(*objDir + "_cgo_flags")
		54	for k, v := range p.CgoFlags {
		55	- fmt.Fprintf(fflg, "_CGO_%s=%s\n", k, strings.Join(v, " "))
		56	+ for _, arg := range v {
		57	+ fmt.Fprintf(fflg, "_CGO_%s=%s\n", arg)
		58	+ }
		59	if k == "LDFLAGS" && !*gccgo {
		60	for _, arg := range v {
		61	fmt.Fprintf(fgo2, "//go:cgo_ldflag %q\n", arg)
		62	diff --git a/src/cmd/go/internal/work/gccgo.go b/src/cmd/go/internal/work/gccgo.go
		63	index 08a4c2d8166c7..a048b7f4eecef 100644
		64	--- a/src/cmd/go/internal/work/gccgo.go
		65	+++ b/src/cmd/go/internal/work/gccgo.go
		66	@@ -280,14 +280,12 @@ func (tools gccgoToolchain) link(b Builder, root Action, out, importcfg string
		67	const ldflagsPrefix = "_CGO_LDFLAGS="
		68	for _, line := range strings.Split(string(flags), "\n") {
		69	if strings.HasPrefix(line, ldflagsPrefix) {
		70	- newFlags := strings.Fields(line[len(ldflagsPrefix):])
		71	- for _, flag := range newFlags {
		72	- // Every _cgo_flags file has -g and -O2 in _CGO_LDFLAGS
		73	- // but they don't mean anything to the linker so filter
		74	- // them out.
		75	- if flag != "-g" && !strings.HasPrefix(flag, "-O") {
		76	- cgoldflags = append(cgoldflags, flag)
		77	- }
		78	+ flag := line[len(ldflagsPrefix):]
		79	+ // Every _cgo_flags file has -g and -O2 in _CGO_LDFLAGS
		80	+ // but they don't mean anything to the linker so filter
		81	+ // them out.
		82	+ if flag != "-g" && !strings.HasPrefix(flag, "-O") {
		83	+ cgoldflags = append(cgoldflags, flag)
		84	}
		85	}
		86	}
		87	diff --git a/src/cmd/go/testdata/script/gccgo_link_ldflags.txt b/src/cmd/go/testdata/script/gccgo_link_ldflags.txt
		88	new file mode 100644
		89	index 0000000000000..4e91ae56505b6
		90	--- /dev/null
		91	+++ b/src/cmd/go/testdata/script/gccgo_link_ldflags.txt
		92	@@ -0,0 +1,20 @@
		93	+# Test that #cgo LDFLAGS are properly quoted.
		94	+# The #cgo LDFLAGS below should pass a string with spaces to -L,
		95	+# as though searching a directory with a space in its name.
		96	+# It should not pass --nosuchoption to the external linker.
		97	+
		98	+[!cgo] skip
		99	+
		100	+go build
		101	+
		102	+[!exec:gccgo] skip
		103	+
		104	+go build -compiler gccgo
		105	+
		106	+-- go.mod --
		107	+module m
		108	+-- cgo.go --
		109	+package main
		110	+// #cgo LDFLAGS: -L "./ -Wl,--nosuchoption"
		111	+import "C"
		112	+func main() {}


diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-29405-2.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-29405-2.patch new file mode 100644 index 0000000000..369eca581e --- /dev/null +++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-29405-2.patch
@@ -0,0 +1,38 @@
		1	From 1008486a9ff979dbd21c7466eeb6abf378f9c637 Mon Sep 17 00:00:00 2001
		2	From: Ian Lance Taylor <iant@golang.org>
		3	Date: Tue, 6 Jun 2023 12:51:17 -0700
		4	Subject: [PATCH] [release-branch.go1.20] cmd/cgo: correct _cgo_flags output
		5
		6	For #60306
		7	For #60514
		8
		9	Change-Id: I3f5d14aee7d7195030e8872e42b1d97aa11d3582
		10	Reviewed-on: https://go-review.googlesource.com/c/go/+/501298
		11	Run-TryBot: Ian Lance Taylor <iant@golang.org>
		12	TryBot-Result: Gopher Robot <gobot@golang.org>
		13	Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
		14	Reviewed-by: David Chase <drchase@google.com>
		15	Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
		16	---
		17
		18	Upstream-Status: Backport [https://github.com/golang/go/commit/1008486a9ff979dbd21c7466eeb6abf378f9c637]
		19	CVE: CVE-2023-29405
		20	Signed-off-by: Ashish Sharma <asharma@mvista.com>
		21
		22
		23	src/cmd/cgo/out.go \| 2 +-
		24	1 file changed, 1 insertion(+), 1 deletion(-)
		25
		26	diff --git a/src/cmd/cgo/out.go b/src/cmd/cgo/out.go
		27	index d0c6fe3d4c2c2..a48f52105628a 100644
		28	--- a/src/cmd/cgo/out.go
		29	+++ b/src/cmd/cgo/out.go
		30	@@ -48,7 +48,7 @@ func (p *Package) writeDefs() {
		31	fflg := creat(*objDir + "_cgo_flags")
		32	for k, v := range p.CgoFlags {
		33	for _, arg := range v {
		34	- fmt.Fprintf(fflg, "_CGO_%s=%s\n", arg)
		35	+ fmt.Fprintf(fflg, "_CGO_%s=%s\n", k, arg)
		36	}
		37	if k == "LDFLAGS" && !*gccgo {
		38	for _, arg := range v {