1 files changed, 55 insertions, 0 deletions
diff --git a/meta/recipes-devtools/go/go-1.21/CVE-2023-39323.patch b/meta/recipes-devtools/go/go-1.21/CVE-2023-39323.patch
new file mode 100644
index 0000000000..613c91706b
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.21/CVE-2023-39323.patch
@@ -0,0 +1,55 @@
+From 5e0a62c44fbaff6443bffe67911370bc0ea25f6d Mon Sep 17 00:00:00 2001
+From: Ian Lance Taylor <iant@golang.org>
+Date: Wed, 20 Sep 2023 16:16:29 -0700
+Subject: [PATCH] cmd/compile: use absolute file name in isCgo check
+For #23672
+Fixes #63211
+Fixes CVE-2023-39323
+Change-Id: I4586a69e1b2560036afec29d53e53cf25e6c7352
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2032884
+Reviewed-by: Matthew Dempsky <mdempsky@google.com>
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/534158
+Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
+Reviewed-by: Ian Lance Taylor <iant@google.com>
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+Auto-Submit: Ian Lance Taylor <iant@google.com>
+Upstream-Status: Backport
+CVE: CVE-2023-39323
+Reference to upstream patch:
+https://github.com/golang/go/commit/e7c142a19d8b3944c2f1b9ab7fd94c63d8d0c555
+Backport patch to fix CVE-2023-39323 and drop the modifications of test codes.
+Signed-off-by: Libo Chen <libo.chen.cn@windriver.com>
+---
+ src/cmd/compile/internal/noder/noder.go | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+diff --git a/src/cmd/compile/internal/noder/noder.go b/src/cmd/compile/internal/noder/noder.go
+index 5fcad096c2..f35e065a31 100644
+--- a/src/cmd/compile/internal/noder/noder.go
+++ b/src/cmd/compile/internal/noder/noder.go
+@@ -1690,8 +1690,14 @@ func (p *noder) pragma(pos syntax.Pos, blankLine bool, text string, old syntax.P
+ // contain cgo directives, and for security reasons
+ // (primarily misuse of linker flags), other files are not.
+ // See golang.org/issue/23672.
+// Note that cmd/go ignores files whose names start with underscore,
+// so the only _cgo_ files we will see from cmd/go are generated by cgo.
+// It's easy to bypass this check by calling the compiler directly;
+// we only protect against uses by cmd/go.
+ func isCgoGeneratedFile(pos syntax.Pos) bool {
+-       return strings.HasPrefix(filepath.Base(filepath.Clean(fileh(pos.Base().Filename()))), "_cgo_")
+       // We need the absolute file, independent of //line directives,
+       // so we call pos.Base().Pos().Base().
+       return strings.HasPrefix(filepath.Base(filepath.Clean(fileh(pos.Base().Pos().Base().Filename()))), "_cgo_")
+ }
+ 
+ // safeArg reports whether arg is a "safe" command-line argument,
+-- 
+2.34.1

diff --git a/meta/recipes-devtools/go/go-1.21/CVE-2023-39323.patch b/meta/recipes-devtools/go/go-1.21/CVE-2023-39323.patch new file mode 100644 index 0000000000..613c91706b --- /dev/null +++ b/meta/recipes-devtools/go/go-1.21/CVE-2023-39323.patch
@@ -0,0 +1,55 @@
	1	From 5e0a62c44fbaff6443bffe67911370bc0ea25f6d Mon Sep 17 00:00:00 2001
	2	From: Ian Lance Taylor <iant@golang.org>
	3	Date: Wed, 20 Sep 2023 16:16:29 -0700
	4	Subject: [PATCH] cmd/compile: use absolute file name in isCgo check
	5
	6	For #23672
	7	Fixes #63211
	8	Fixes CVE-2023-39323
	9
	10	Change-Id: I4586a69e1b2560036afec29d53e53cf25e6c7352
	11	Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2032884
	12	Reviewed-by: Matthew Dempsky <mdempsky@google.com>
	13	Reviewed-by: Roland Shoemaker <bracewell@google.com>
	14	Reviewed-on: https://go-review.googlesource.com/c/go/+/534158
	15	Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
	16	Reviewed-by: Ian Lance Taylor <iant@google.com>
	17	LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
	18	Auto-Submit: Ian Lance Taylor <iant@google.com>
	19
	20	Upstream-Status: Backport
	21	CVE: CVE-2023-39323
	22
	23	Reference to upstream patch:
	24	https://github.com/golang/go/commit/e7c142a19d8b3944c2f1b9ab7fd94c63d8d0c555
	25
	26	Backport patch to fix CVE-2023-39323 and drop the modifications of test codes.
	27
	28	Signed-off-by: Libo Chen <libo.chen.cn@windriver.com>
	29	---
	30	src/cmd/compile/internal/noder/noder.go \| 8 +++++++-
	31	1 file changed, 7 insertions(+), 1 deletion(-)
	32
	33	diff --git a/src/cmd/compile/internal/noder/noder.go b/src/cmd/compile/internal/noder/noder.go
	34	index 5fcad096c2..f35e065a31 100644
	35	--- a/src/cmd/compile/internal/noder/noder.go
	36	+++ b/src/cmd/compile/internal/noder/noder.go
	37	@@ -1690,8 +1690,14 @@ func (p *noder) pragma(pos syntax.Pos, blankLine bool, text string, old syntax.P
	38	// contain cgo directives, and for security reasons
	39	// (primarily misuse of linker flags), other files are not.
	40	// See golang.org/issue/23672.
	41	+// Note that cmd/go ignores files whose names start with underscore,
	42	+// so the only _cgo_ files we will see from cmd/go are generated by cgo.
	43	+// It's easy to bypass this check by calling the compiler directly;
	44	+// we only protect against uses by cmd/go.
	45	func isCgoGeneratedFile(pos syntax.Pos) bool {
	46	- return strings.HasPrefix(filepath.Base(filepath.Clean(fileh(pos.Base().Filename()))), "_cgo_")
	47	+ // We need the absolute file, independent of //line directives,
	48	+ // so we call pos.Base().Pos().Base().
	49	+ return strings.HasPrefix(filepath.Base(filepath.Clean(fileh(pos.Base().Pos().Base().Filename()))), "_cgo_")
	50	}
	51
	52	// safeArg reports whether arg is a "safe" command-line argument,
	53	--
	54	2.34.1
	55