Diffstat (limited to 'meta/recipes-devtools/go/go-1.14/CVE-2023-29405-1.patch')
-rw-r--r-- | meta/recipes-devtools/go/go-1.14/CVE-2023-29405-1.patch | 112 |
1 files changed, 112 insertions, 0 deletions
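--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-29405-1.patch
@@ -0,0 +1,112 @@
+From fa60c381ed06c12f9c27a7b50ca44c5f84f7f0f4 Mon Sep 17 00:00:00 2001
+From: Ian Lance Taylor <iant@golang.org>
+Date: Thu, 4 May 2023 14:06:39 -0700
+Subject: [PATCH] [release-branch.go1.20] cmd/go,cmd/cgo: in _cgo_flags use one
+line per flag
+
+The flags that we recorded in _cgo_flags did not use any quoting,
+so a flag containing embedded spaces was mishandled.
+Change the _cgo_flags format to put each flag on a separate line.
+That is a simple format that does not require any quoting.
+
+As far as I can tell only cmd/go uses _cgo_flags, and it is only
+used for gccgo. If this patch doesn't cause any trouble, then
+in the next release we can change to only using _cgo_flags for gccgo.
+
+Thanks to Juho Nurminen of Mattermost for reporting this issue.
+
+Updates #60306
+Fixes #60514
+Fixes CVE-2023-29405
+
+Change-Id: I36b6e188a44c80d7b9573efa577c386770bd2ba3
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1875094
+Reviewed-by: Damien Neil <dneil@google.com>
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+(cherry picked from commit bcdfcadd5612212089d958bc352a6f6c90742dcc)
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1902228
+Run-TryBot: Roland Shoemaker <bracewell@google.com>
+TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1904345
+Reviewed-by: Michael Knyszek <mknyszek@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/501220
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Run-TryBot: David Chase <drchase@google.com>
+Auto-Submit: Michael Knyszek <mknyszek@google.com>
+---
+Upstream-Status: Backport [https://github.com/golang/go/commit/fa60c381ed06c12f9c27a7b50ca44c5f84f7f0f4]
+CVE: CVE-2023-29405
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+
+src/cmd/cgo/out.go | 4 +++-
+src/cmd/go/internal/work/gccgo.go | 14 ++++++-------
+.../go/testdata/script/gccgo_link_ldflags.txt | 20 +++++++++++++++++++
+3 files changed, 29 insertions(+), 9 deletions(-)
+create mode 100644 src/cmd/go/testdata/script/gccgo_link_ldflags.txt
+
+diff --git a/src/cmd/cgo/out.go b/src/cmd/cgo/out.go
+index d26f9e76a374a..d0c6fe3d4c2c2 100644
+--- a/src/cmd/cgo/out.go
++++ b/src/cmd/cgo/out.go
+@@ -47,7 +47,9 @@ func (p *Package) writeDefs() {
+
+fflg := creat(*objDir + "_cgo_flags")
+for k, v := range p.CgoFlags {
+- fmt.Fprintf(fflg, "_CGO_%s=%s\n", k, strings.Join(v, " "))
++ for _, arg := range v {
++ fmt.Fprintf(fflg, "_CGO_%s=%s\n", arg)
++ }
+if k == "LDFLAGS" && !*gccgo {
+for _, arg := range v {
+fmt.Fprintf(fgo2, "//go:cgo_ldflag %q\n", arg)
+diff --git a/src/cmd/go/internal/work/gccgo.go b/src/cmd/go/internal/work/gccgo.go
+index 08a4c2d8166c7..a048b7f4eecef 100644
+--- a/src/cmd/go/internal/work/gccgo.go
++++ b/src/cmd/go/internal/work/gccgo.go
+@@ -280,14 +280,12 @@ func (tools gccgoToolchain) link(b *Builder, root *Action, out, importcfg string
+const ldflagsPrefix = "_CGO_LDFLAGS="
+for _, line := range strings.Split(string(flags), "\n") {
+if strings.HasPrefix(line, ldflagsPrefix) {
+- newFlags := strings.Fields(line[len(ldflagsPrefix):])
+- for _, flag := range newFlags {
+- // Every _cgo_flags file has -g and -O2 in _CGO_LDFLAGS
+- // but they don't mean anything to the linker so filter
+- // them out.
+- if flag != "-g" && !strings.HasPrefix(flag, "-O") {
+- cgoldflags = append(cgoldflags, flag)
+- }
++ flag := line[len(ldflagsPrefix):]
++ // Every _cgo_flags file has -g and -O2 in _CGO_LDFLAGS
++ // but they don't mean anything to the linker so filter
++ // them out.
++ if flag != "-g" && !strings.HasPrefix(flag, "-O") {
++ cgoldflags = append(cgoldflags, flag)
+}
+}
+}
+diff --git a/src/cmd/go/testdata/script/gccgo_link_ldflags.txt b/src/cmd/go/testdata/script/gccgo_link_ldflags.txt
+new file mode 100644
+index 0000000000000..4e91ae56505b6
+--- /dev/null
++++ b/src/cmd/go/testdata/script/gccgo_link_ldflags.txt
+@@ -0,0 +1,20 @@
++# Test that #cgo LDFLAGS are properly quoted.
++# The #cgo LDFLAGS below should pass a string with spaces to -L,
++# as though searching a directory with a space in its name.
++# It should not pass --nosuchoption to the external linker.
++
++[!cgo] skip
++
++go build
++
++[!exec:gccgo] skip
++
++go build -compiler gccgo
++
++-- go.mod --
++module m
++-- cgo.go --
++package main
++// #cgo LDFLAGS: -L "./ -Wl,--nosuchoption"
++import "C"
++func main() {}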
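Review bot: In the `src/cmd/cgo/out.go` hunk (patch line 57) the new `fmt.Fprintf(fflg, "_CGO_%s=%s\n", arg)` has two `%s` verbs but only one argument, so the map key `k` is no longer written. As written, each record would come out as `_CGO_<flag>=%!s(MISSING)` instead of `_CGO_LDFLAGS=<flag>`. The `strings.HasPrefix(line, ldflagsPrefix)` reader in the `gccgo.go` hunk would then never match, so `#cgo LDFLAGS` would be dropped on gccgo links rather than passed one per line. The line should be `fmt.Fprintf(fflg, "_CGO_%s=%s\n", k, arg)`, which is presumably what the commit named in Upstream-Status has; `go vet`'s printf check would flag the mismatch. `writeDefs` continues outside the hunk.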