go: Backport fix CVE-2023-29405
Upstream-Status: Backport [fa60c381ed&1008486a9f] (From OE-Core rev: ce213403b4e82f1b191fed4ef6494e9dee55c4f8) Signed-off-by: Ashish Sharma <asharma@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
committed by
Steve Sakoman
parent
5ca4b2a548
commit
2474c30274
@@ -63,6 +63,8 @@ SRC_URI += "\
file://CVE-2023-24538-3.patch \
file://CVE-2023-24539.patch \
file://CVE-2023-24540.patch \
file://CVE-2023-29405-1.patch \
file://CVE-2023-29405-2.patch \
"
SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"
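--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-29405-1.patch
@@ -0,0 +1,112 @@
+From fa60c381ed06c12f9c27a7b50ca44c5f84f7f0f4 Mon Sep 17 00:00:00 2001
+From: Ian Lance Taylor <iant@golang.org>
+Date: Thu, 4 May 2023 14:06:39 -0700
+Subject: [PATCH] [release-branch.go1.20] cmd/go,cmd/cgo: in _cgo_flags use one
+line per flag
+
+The flags that we recorded in _cgo_flags did not use any quoting,
+so a flag containing embedded spaces was mishandled.
+Change the _cgo_flags format to put each flag on a separate line.
+That is a simple format that does not require any quoting.
+
+As far as I can tell only cmd/go uses _cgo_flags, and it is only
+used for gccgo. If this patch doesn't cause any trouble, then
+in the next release we can change to only using _cgo_flags for gccgo.
+
+Thanks to Juho Nurminen of Mattermost for reporting this issue.
+
+Updates #60306
+Fixes #60514
+Fixes CVE-2023-29405
+
+Change-Id: I36b6e188a44c80d7b9573efa577c386770bd2ba3
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1875094
+Reviewed-by: Damien Neil <dneil@google.com>
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+(cherry picked from commit bcdfcadd5612212089d958bc352a6f6c90742dcc)
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1902228
+Run-TryBot: Roland Shoemaker <bracewell@google.com>
+TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1904345
+Reviewed-by: Michael Knyszek <mknyszek@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/501220
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Run-TryBot: David Chase <drchase@google.com>
+Auto-Submit: Michael Knyszek <mknyszek@google.com>
+---
+Upstream-Status: Backport [https://github.com/golang/go/commit/fa60c381ed06c12f9c27a7b50ca44c5f84f7f0f4]
+CVE: CVE-2023-29405
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+
+src/cmd/cgo/out.go | 4 +++-
+src/cmd/go/internal/work/gccgo.go | 14 ++++++-------
+.../go/testdata/script/gccgo_link_ldflags.txt | 20 +++++++++++++++++++
+3 files changed, 29 insertions(+), 9 deletions(-)
+create mode 100644 src/cmd/go/testdata/script/gccgo_link_ldflags.txt
+
+diff --git a/src/cmd/cgo/out.go b/src/cmd/cgo/out.go
+index d26f9e76a374a..d0c6fe3d4c2c2 100644
+--- a/src/cmd/cgo/out.go
++++ b/src/cmd/cgo/out.go
+@@ -47,7 +47,9 @@ func (p *Package) writeDefs() {
+
+fflg := creat(*objDir + "_cgo_flags")
+for k, v := range p.CgoFlags {
+- fmt.Fprintf(fflg, "_CGO_%s=%s\n", k, strings.Join(v, " "))
++ for _, arg := range v {
++ fmt.Fprintf(fflg, "_CGO_%s=%s\n", arg)
++ }
+if k == "LDFLAGS" && !*gccgo {
+for _, arg := range v {
+fmt.Fprintf(fgo2, "//go:cgo_ldflag %q\n", arg)
+diff --git a/src/cmd/go/internal/work/gccgo.go b/src/cmd/go/internal/work/gccgo.go
+index 08a4c2d8166c7..a048b7f4eecef 100644
+--- a/src/cmd/go/internal/work/gccgo.go
++++ b/src/cmd/go/internal/work/gccgo.go
+@@ -280,14 +280,12 @@ func (tools gccgoToolchain) link(b *Builder, root *Action, out, importcfg string
+const ldflagsPrefix = "_CGO_LDFLAGS="
+for _, line := range strings.Split(string(flags), "\n") {
+if strings.HasPrefix(line, ldflagsPrefix) {
+- newFlags := strings.Fields(line[len(ldflagsPrefix):])
+- for _, flag := range newFlags {
+- // Every _cgo_flags file has -g and -O2 in _CGO_LDFLAGS
+- // but they don't mean anything to the linker so filter
+- // them out.
+- if flag != "-g" && !strings.HasPrefix(flag, "-O") {
+- cgoldflags = append(cgoldflags, flag)
+- }
++ flag := line[len(ldflagsPrefix):]
++ // Every _cgo_flags file has -g and -O2 in _CGO_LDFLAGS
++ // but they don't mean anything to the linker so filter
++ // them out.
++ if flag != "-g" && !strings.HasPrefix(flag, "-O") {
++ cgoldflags = append(cgoldflags, flag)
+}
+}
+}
+diff --git a/src/cmd/go/testdata/script/gccgo_link_ldflags.txt b/src/cmd/go/testdata/script/gccgo_link_ldflags.txt
+new file mode 100644
+index 0000000000000..4e91ae56505b6
+--- /dev/null
++++ b/src/cmd/go/testdata/script/gccgo_link_ldflags.txt
+@@ -0,0 +1,20 @@
++# Test that #cgo LDFLAGS are properly quoted.
++# The #cgo LDFLAGS below should pass a string with spaces to -L,
++# as though searching a directory with a space in its name.
++# It should not pass --nosuchoption to the external linker.
++
++[!cgo] skip
++
++go build
++
++[!exec:gccgo] skip
++
++go build -compiler gccgo
++
++-- go.mod --
++module m
++-- cgo.go --
++package main
++// #cgo LDFLAGS: -L "./ -Wl,--nosuchoption"
++import "C"
++func main() {}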
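Review bot: CVE-2023-29405-1.patch is not correct on its own and its header should say so: the line it adds in writeDefs, `fmt.Fprintf(fflg, "_CGO_%s=%s\n", arg)`, supplies one argument for two verbs, so the flag text lands where the key belongs and the `_CGO_LDFLAGS=` prefix test in the gccgo.go hunk no longer matches anything until CVE-2023-29405-2.patch restores `k`. Because the recipe carries the two files as separate SRC_URI entries, I would add a line under the Upstream-Status trailer such as `Note: must be applied together with CVE-2023-29405-2.patch, which corrects the Fprintf arguments added here`, so a later rebase does not keep only the first half. In the gccgo.go hunk the `-g`/`-O` filter now sees each recorded flag whole rather than whitespace-split fields, so a flag with embedded spaces that begins with `-O` is dropped as a unit; that appears intended, but it is worth confirming with a gccgo build on this 1.14 tree. writeDefs and link both continue outside the hunks shown.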
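--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-29405-2.patch
@@ -0,0 +1,38 @@
+From 1008486a9ff979dbd21c7466eeb6abf378f9c637 Mon Sep 17 00:00:00 2001
+From: Ian Lance Taylor <iant@golang.org>
+Date: Tue, 6 Jun 2023 12:51:17 -0700
+Subject: [PATCH] [release-branch.go1.20] cmd/cgo: correct _cgo_flags output
+
+For #60306
+For #60514
+
+Change-Id: I3f5d14aee7d7195030e8872e42b1d97aa11d3582
+Reviewed-on: https://go-review.googlesource.com/c/go/+/501298
+Run-TryBot: Ian Lance Taylor <iant@golang.org>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
+Reviewed-by: David Chase <drchase@google.com>
+Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
+---
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/1008486a9ff979dbd21c7466eeb6abf378f9c637]
+CVE: CVE-2023-29405
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+
+
+src/cmd/cgo/out.go | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/cmd/cgo/out.go b/src/cmd/cgo/out.go
+index d0c6fe3d4c2c2..a48f52105628a 100644
+--- a/src/cmd/cgo/out.go
++++ b/src/cmd/cgo/out.go
+@@ -48,7 +48,7 @@ func (p *Package) writeDefs() {
+fflg := creat(*objDir + "_cgo_flags")
+for k, v := range p.CgoFlags {
+for _, arg := range v {
+- fmt.Fprintf(fflg, "_CGO_%s=%s\n", arg)
++ fmt.Fprintf(fflg, "_CGO_%s=%s\n", k, arg)
+}
+if k == "LDFLAGS" && !*gccgo {
+for _, arg := range v {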