1 files changed, 201 insertions, 0 deletions
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-29402.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-29402.patch
new file mode 100644
index 0000000000..01eed9fe1b
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-29402.patch
@@ -0,0 +1,201 @@
+rom c160b49b6d328c86bd76ca2fff9009a71347333f Mon Sep 17 00:00:00 2001
+From: "Bryan C. Mills" <bcmills@google.com>
+Date: Fri, 12 May 2023 14:15:16 -0400
+Subject: [PATCH] [release-branch.go1.19] cmd/go: disallow package directories
+ containing newlines
+Directory or file paths containing newlines may cause tools (such as
+cmd/cgo) that emit "//line" or "#line" -directives to write part of
+the path into non-comment lines in generated source code. If those
+lines contain valid Go code, it may be injected into the resulting
+binary.
+(Note that Go import paths and file paths within module zip files
+already could not contain newlines.)
+Thanks to Juho Nurminen of Mattermost for reporting this issue.
+Updates #60167.
+Fixes #60515.
+Fixes CVE-2023-29402.
+Change-Id: If55d0400c02beb7a5da5eceac60f1abeac99f064
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1882606
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+Run-TryBot: Roland Shoemaker <bracewell@google.com>
+Reviewed-by: Russ Cox <rsc@google.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+(cherry picked from commit 41f9046495564fc728d6f98384ab7276450ac7e2)
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1902229
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1904343
+Reviewed-by: Michael Knyszek <mknyszek@google.com>
+Reviewed-by: Bryan Mills <bcmills@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/501218
+Run-TryBot: David Chase <drchase@google.com>
+Auto-Submit: Michael Knyszek <mknyszek@google.com>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Upstream-Status: Backport [https://github.com/golang/go/commit/c160b49b6d328c86bd76ca2fff9009a71347333f]
+CVE: CVE-2023-29402
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/cmd/go/internal/load/pkg.go               |   4 +
+ src/cmd/go/internal/work/exec.go              |   6 ++
+ src/cmd/go/script_test.go                     |   1 +
+ .../go/testdata/script/build_cwd_newline.txt  | 100 ++++++++++++++++++
+ 4 files changed, 111 insertions(+)
+ create mode 100644 src/cmd/go/testdata/script/build_cwd_newline.txt
+diff --git a/src/cmd/go/internal/load/pkg.go b/src/cmd/go/internal/load/pkg.go
+index 369a79b..d2b63b0 100644
+--- a/src/cmd/go/internal/load/pkg.go
+++ b/src/cmd/go/internal/load/pkg.go
+@@ -1697,6 +1697,10 @@ func (p *Package) load(stk *ImportStack, bp *build.Package, err error) {
+                setError(ImportErrorf(p.ImportPath, "invalid import path %q", p.ImportPath))
+                return
+        }
+       if strings.ContainsAny(p.Dir, "\r\n") {
+               setError(fmt.Errorf("invalid package directory %q", p.Dir))
+               return
+       }
+ 
+        // Build list of imported packages and full dependency list.
+        imports := make([]*Package, 0, len(p.Imports))
+diff --git a/src/cmd/go/internal/work/exec.go b/src/cmd/go/internal/work/exec.go
+index 9a9650b..050b785 100644
+--- a/src/cmd/go/internal/work/exec.go
+++ b/src/cmd/go/internal/work/exec.go
+@@ -458,6 +458,12 @@ func (b *Builder) build(a *Action) (err error) {
+                b.Print(a.Package.ImportPath + "\n")
+        }
+ 
+       if p.Error != nil {
+               // Don't try to build anything for packages with errors. There may be a
+               // problem with the inputs that makes the package unsafe to build.
+               return p.Error
+       }
+
+        if a.Package.BinaryOnly {
+                p.Stale = true
+                p.StaleReason = "binary-only packages are no longer supported"
+diff --git a/src/cmd/go/script_test.go b/src/cmd/go/script_test.go
+index ec498bb..a1398ad 100644
+--- a/src/cmd/go/script_test.go
+++ b/src/cmd/go/script_test.go
+@@ -123,6 +123,7 @@ func (ts *testScript) setup() {
+                "devnull=" + os.DevNull,
+                "goversion=" + goVersion(ts),
+                ":=" + string(os.PathListSeparator),
+                "newline=\n",
+        }
+ 
+        if runtime.GOOS == "plan9" {
+diff --git a/src/cmd/go/testdata/script/build_cwd_newline.txt b/src/cmd/go/testdata/script/build_cwd_newline.txt
+new file mode 100644
+index 0000000..61c6966
+--- /dev/null
+++ b/src/cmd/go/testdata/script/build_cwd_newline.txt
+@@ -0,0 +1,100 @@
+[windows] skip 'filesystem normalizes / to \'
+[plan9] skip 'filesystem disallows \n in paths'
+
+# If the directory path containing a package to be built includes a newline,
+# the go command should refuse to even try to build the package.
+
+env DIR=$WORK${/}${newline}'package main'${newline}'func main() { panic("uh-oh")'${newline}'/*'
+
+mkdir $DIR
+cd $DIR
+exec pwd
+cp $WORK/go.mod ./go.mod
+cp $WORK/main.go ./main.go
+cp $WORK/main_test.go ./main_test.go
+
+! go build -o $devnull .
+stderr 'package example: invalid package directory .*uh-oh'
+
+! go build -o $devnull main.go
+stderr 'package command-line-arguments: invalid package directory .*uh-oh'
+
+! go run .
+stderr 'package example: invalid package directory .*uh-oh'
+
+! go run main.go
+stderr 'package command-line-arguments: invalid package directory .*uh-oh'
+
+! go test .
+stderr 'package example: invalid package directory .*uh-oh'
+
+! go test -v main.go main_test.go
+stderr 'package command-line-arguments: invalid package directory .*uh-oh'
+
+
+# Since we do preserve $PWD (or set it appropriately) for commands, and we do
+# not resolve symlinks unnecessarily, referring to the contents of the unsafe
+# directory via a safe symlink should be ok, and should not inject the data from
+# the symlink target path.
+
+[!symlink] stop 'remainder of test checks symlink behavior'
+[short] stop 'links and runs binaries'
+
+symlink $WORK${/}link -> $DIR
+
+go run $WORK${/}link${/}main.go
+! stdout panic
+! stderr panic
+stderr '^ok$'
+
+go test -v $WORK${/}link${/}main.go $WORK${/}link${/}main_test.go
+! stdout panic
+! stderr panic
+stdout '^ok$'   # 'go test' combines the test's stdout into stderr
+
+cd $WORK/link
+
+! go run $DIR${/}main.go
+stderr 'package command-line-arguments: invalid package directory .*uh-oh'
+
+go run .
+! stdout panic
+! stderr panic
+stderr '^ok$'
+
+go run main.go
+! stdout panic
+! stderr panic
+stderr '^ok$'
+
+go test -v
+! stdout panic
+! stderr panic
+stdout '^ok$'  # 'go test' combines the test's stdout into stderr
+
+go test -v .
+! stdout panic
+! stderr panic
+stdout '^ok$'  # 'go test' combines the test's stdout into stderr
+
+
+-- $WORK/go.mod --
+module example
+go 1.19
+-- $WORK/main.go --
+package main
+
+import "C"
+
+func main() {
+       /* nothing here */
+       println("ok")
+}
+-- $WORK/main_test.go --
+package main
+
+import "testing"
+
+func TestMain(*testing.M) {
+       main()
+}
+-- 
+2.25.1

diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-29402.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-29402.patch new file mode 100644 index 0000000000..01eed9fe1b --- /dev/null +++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-29402.patch
@@ -0,0 +1,201 @@
	1	rom c160b49b6d328c86bd76ca2fff9009a71347333f Mon Sep 17 00:00:00 2001
	2	From: "Bryan C. Mills" <bcmills@google.com>
	3	Date: Fri, 12 May 2023 14:15:16 -0400
	4	Subject: [PATCH] [release-branch.go1.19] cmd/go: disallow package directories
	5	containing newlines
	6
	7	Directory or file paths containing newlines may cause tools (such as
	8	cmd/cgo) that emit "//line" or "#line" -directives to write part of
	9	the path into non-comment lines in generated source code. If those
	10	lines contain valid Go code, it may be injected into the resulting
	11	binary.
	12
	13	(Note that Go import paths and file paths within module zip files
	14	already could not contain newlines.)
	15
	16	Thanks to Juho Nurminen of Mattermost for reporting this issue.
	17
	18	Updates #60167.
	19	Fixes #60515.
	20	Fixes CVE-2023-29402.
	21
	22	Change-Id: If55d0400c02beb7a5da5eceac60f1abeac99f064
	23	Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1882606
	24	Reviewed-by: Roland Shoemaker <bracewell@google.com>
	25	Run-TryBot: Roland Shoemaker <bracewell@google.com>
	26	Reviewed-by: Russ Cox <rsc@google.com>
	27	Reviewed-by: Damien Neil <dneil@google.com>
	28	(cherry picked from commit 41f9046495564fc728d6f98384ab7276450ac7e2)
	29	Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1902229
	30	Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1904343
	31	Reviewed-by: Michael Knyszek <mknyszek@google.com>
	32	Reviewed-by: Bryan Mills <bcmills@google.com>
	33	Reviewed-on: https://go-review.googlesource.com/c/go/+/501218
	34	Run-TryBot: David Chase <drchase@google.com>
	35	Auto-Submit: Michael Knyszek <mknyszek@google.com>
	36	TryBot-Result: Gopher Robot <gobot@golang.org>
	37
	38	Upstream-Status: Backport [https://github.com/golang/go/commit/c160b49b6d328c86bd76ca2fff9009a71347333f]
	39	CVE: CVE-2023-29402
	40	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
	41	---
	42	src/cmd/go/internal/load/pkg.go \| 4 +
	43	src/cmd/go/internal/work/exec.go \| 6 ++
	44	src/cmd/go/script_test.go \| 1 +
	45	.../go/testdata/script/build_cwd_newline.txt \| 100 ++++++++++++++++++
	46	4 files changed, 111 insertions(+)
	47	create mode 100644 src/cmd/go/testdata/script/build_cwd_newline.txt
	48
	49	diff --git a/src/cmd/go/internal/load/pkg.go b/src/cmd/go/internal/load/pkg.go
	50	index 369a79b..d2b63b0 100644
	51	--- a/src/cmd/go/internal/load/pkg.go
	52	+++ b/src/cmd/go/internal/load/pkg.go
	53	@@ -1697,6 +1697,10 @@ func (p Package) load(stk ImportStack, bp *build.Package, err error) {
	54	setError(ImportErrorf(p.ImportPath, "invalid import path %q", p.ImportPath))
	55	return
	56	}
	57	+ if strings.ContainsAny(p.Dir, "\r\n") {
	58	+ setError(fmt.Errorf("invalid package directory %q", p.Dir))
	59	+ return
	60	+ }
	61
	62	// Build list of imported packages and full dependency list.
	63	imports := make([]*Package, 0, len(p.Imports))
	64	diff --git a/src/cmd/go/internal/work/exec.go b/src/cmd/go/internal/work/exec.go
	65	index 9a9650b..050b785 100644
	66	--- a/src/cmd/go/internal/work/exec.go
	67	+++ b/src/cmd/go/internal/work/exec.go
	68	@@ -458,6 +458,12 @@ func (b Builder) build(a Action) (err error) {
	69	b.Print(a.Package.ImportPath + "\n")
	70	}
	71
	72	+ if p.Error != nil {
	73	+ // Don't try to build anything for packages with errors. There may be a
	74	+ // problem with the inputs that makes the package unsafe to build.
	75	+ return p.Error
	76	+ }
	77	+
	78	if a.Package.BinaryOnly {
	79	p.Stale = true
	80	p.StaleReason = "binary-only packages are no longer supported"
	81	diff --git a/src/cmd/go/script_test.go b/src/cmd/go/script_test.go
	82	index ec498bb..a1398ad 100644
	83	--- a/src/cmd/go/script_test.go
	84	+++ b/src/cmd/go/script_test.go
	85	@@ -123,6 +123,7 @@ func (ts *testScript) setup() {
	86	"devnull=" + os.DevNull,
	87	"goversion=" + goVersion(ts),
	88	":=" + string(os.PathListSeparator),
	89	+ "newline=\n",
	90	}
	91
	92	if runtime.GOOS == "plan9" {
	93	diff --git a/src/cmd/go/testdata/script/build_cwd_newline.txt b/src/cmd/go/testdata/script/build_cwd_newline.txt
	94	new file mode 100644
	95	index 0000000..61c6966
	96	--- /dev/null
	97	+++ b/src/cmd/go/testdata/script/build_cwd_newline.txt
	98	@@ -0,0 +1,100 @@
	99	+[windows] skip 'filesystem normalizes / to \'
	100	+[plan9] skip 'filesystem disallows \n in paths'
	101	+
	102	+# If the directory path containing a package to be built includes a newline,
	103	+# the go command should refuse to even try to build the package.
	104	+
	105	+env DIR=$WORK${/}${newline}'package main'${newline}'func main() { panic("uh-oh")'${newline}'/*'
	106	+
	107	+mkdir $DIR
	108	+cd $DIR
	109	+exec pwd
	110	+cp $WORK/go.mod ./go.mod
	111	+cp $WORK/main.go ./main.go
	112	+cp $WORK/main_test.go ./main_test.go
	113	+
	114	+! go build -o $devnull .
	115	+stderr 'package example: invalid package directory .*uh-oh'
	116	+
	117	+! go build -o $devnull main.go
	118	+stderr 'package command-line-arguments: invalid package directory .*uh-oh'
	119	+
	120	+! go run .
	121	+stderr 'package example: invalid package directory .*uh-oh'
	122	+
	123	+! go run main.go
	124	+stderr 'package command-line-arguments: invalid package directory .*uh-oh'
	125	+
	126	+! go test .
	127	+stderr 'package example: invalid package directory .*uh-oh'
	128	+
	129	+! go test -v main.go main_test.go
	130	+stderr 'package command-line-arguments: invalid package directory .*uh-oh'
	131	+
	132	+
	133	+# Since we do preserve $PWD (or set it appropriately) for commands, and we do
	134	+# not resolve symlinks unnecessarily, referring to the contents of the unsafe
	135	+# directory via a safe symlink should be ok, and should not inject the data from
	136	+# the symlink target path.
	137	+
	138	+[!symlink] stop 'remainder of test checks symlink behavior'
	139	+[short] stop 'links and runs binaries'
	140	+
	141	+symlink $WORK${/}link -> $DIR
	142	+
	143	+go run $WORK${/}link${/}main.go
	144	+! stdout panic
	145	+! stderr panic
	146	+stderr '^ok$'
	147	+
	148	+go test -v $WORK${/}link${/}main.go $WORK${/}link${/}main_test.go
	149	+! stdout panic
	150	+! stderr panic
	151	+stdout '^ok$' # 'go test' combines the test's stdout into stderr
	152	+
	153	+cd $WORK/link
	154	+
	155	+! go run $DIR${/}main.go
	156	+stderr 'package command-line-arguments: invalid package directory .*uh-oh'
	157	+
	158	+go run .
	159	+! stdout panic
	160	+! stderr panic
	161	+stderr '^ok$'
	162	+
	163	+go run main.go
	164	+! stdout panic
	165	+! stderr panic
	166	+stderr '^ok$'
	167	+
	168	+go test -v
	169	+! stdout panic
	170	+! stderr panic
	171	+stdout '^ok$' # 'go test' combines the test's stdout into stderr
	172	+
	173	+go test -v .
	174	+! stdout panic
	175	+! stderr panic
	176	+stdout '^ok$' # 'go test' combines the test's stdout into stderr
	177	+
	178	+
	179	+-- $WORK/go.mod --
	180	+module example
	181	+go 1.19
	182	+-- $WORK/main.go --
	183	+package main
	184	+
	185	+import "C"
	186	+
	187	+func main() {
	188	+ /* nothing here */
	189	+ println("ok")
	190	+}
	191	+-- $WORK/main_test.go --
	192	+package main
	193	+
	194	+import "testing"
	195	+
	196	+func TestMain(*testing.M) {
	197	+ main()
	198	+}
	199	--
	200	2.25.1
	201