Source: https://github.com/argoheyard/lang-net
MR: 114874
Type: Security Fix
Disposition: Backport from 701957006e
ChangeID: bd3c4f9f44dd1c45e810172087004778522d28eb
Description:
CVE-2021-31525 golang: net/http: panic in ReadRequest and ReadResponse when reading a very large header.
(From OE-Core rev: 2850ef58f2a39a5ab19b1062d1b50160fec4daa8)
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
math/big: prevent large memory consumption in Rat.SetString
An attacker can cause unbounded memory growth in a program using (*Rat).SetString
due to an unhandled overflow.
Upstream-Status: Backport [https://go.dev/issue/50699]
CVE: CVE-2022-23772
(From OE-Core rev: e4d15040f62744265b9236ad7276f3371a9172da)
Signed-off-by:Minjae Kim <flowergom@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
crypto/elliptic: fix IsOnCurve for big.Int values that are not valid coordinates
Some big.Int values that are not valid field elements (negative or overflowing)
might cause Curve.IsOnCurve to incorrectly return true. Operating on those values
may cause a panic or an invalid curve operation. Note that Unmarshal will never
return such values.
Upstream-Status: Backport [https://go.dev/issue/50974]
CVE: CVE-2022-23806
(From OE-Core rev: eb7aa0929ecd712aeeec0ff37dfb77c3da33b375)
Signed-off-by:Minjae Kim <flowergom@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This update was made with the convert-scruri.py script in scripts/contrib
This script handles two emerging issues:
1. There is uncertainty about the default branch name in git going forward.
To try and cover the different possible outcomes, add branch names to all
git:// and gitsm:// SRC_URI entries.
2. Github are dropping support for git:// protocol fetching, so remap github
urls as needed. For more details see:
https://github.blog/2021-09-01-improving-git-protocol-security-github/
(From OE-Core rev: 827a805349f9732b2a5fa9184dc7922af36de327)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
go 1.14 for windows targets does not support -buildmode=pie, disable it and use
the default buildmode instead. Support for -buildmode=pie for windows targets
is added with go 1.15 (https://golang.org/doc/go1.15) which is added to poky in
gatesgarth.
(From OE-Core rev: a1b0631c4723d2a98eb9e80ec85a00bc46276783)
Signed-off-by: Peter Morrow <pemorrow@linux.microsoft.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
update minor version to 1.14.12
go1.14.8 includes security fixes to the net/http/cgi and net/http/fcgi packages.
go1.14.9 includes fixes to the compiler, linker, runtime, documentation, and the net/http and testing packages.
go1.14.10 includes fixes to the compiler, runtime, and the plugin and testing packages.
go1.14.11 includes fixes to the runtime, and the net/http and time packages.
go1.14.12 includes security fixes to the cmd/go and math/big packages.
Release notes:
https://golang.org/doc/devel/release.html#go1.14.minor
updates include fix for
CVE-2020-24553
CVE-2020-28362
CVE-2020-28366
CVE-2020-28367
Also backport patch to fix below CGO_LDFLAGS error
| Building std for target, linux/amd64.
| go build runtime/cgo: invalid flag in go:cgo_ldflag: -Wl,-O1
(From OE-Core rev: e216b2223cbe8c459348262f98b3cfbe79d12023)
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Includes security Fixes for CVE-2020-14039 and CVE-2020-15586
(cherry picked from commit 97d5c2d1f2dffe2518f46bbe57cb9348eb59c633)
(cherry picked from commit 6591d269792fe864d7af4e379035f1cebc4510f5)
(cherry picked from commit c9011d04eb624aeabf5d707e88de80137bcc2eb1)
(From OE-Core rev: e33d2ddaa6c8945227a5bbf4e96d63606d0fab38)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
cgo is still not available in go for riscv64, we will re-evaluate it
once we upgrade to 1.15
Fixes
| /usr/src/debug/go-runtime/1.14.4-r0/go/src/runtime/cgo/gcc_util.c:23: undefined reference to `_cgo_sys_thread_start'
[YOCTO #13966]
(From OE-Core rev: 987d29d0b0dfa19ef6564996198f22c2b08f6ff9)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit f512b3308ed6ee878c77f72b9235ada83d107dba)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
dep utility must not use 'go mod' support, so we explicitly disable it.
(From OE-Core rev: e953be6c159bfed4ac69f30fa2562d217d25c254)
Signed-off-by: Otavio Salvador <otavio@ossystems.com.br>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit b34000ae3dd6e0a1d7fc332efb35c5da84cf2275)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
go compiler is including go/src/cmd modules in -dev package which is in
conflict with go-runtime-dev which provides exact same copy of this
module along with other runtime modules, as a result when both go-dev and
go-runtime-dev are included in image then it results in rootfs failures,
here lets make go depend on go-runtime and dont install the cmd module
here explicitly.
(From OE-Core rev: 1ace1655f8ae08c07c8875be53b641e7c2564ded)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
These variables depend on TUNE_FEATURES variable and that creeps into
dependencies for native as well as a result, which means go-native gets
recompiled everytime machine/arch is changed.
Fixes sstate differences found e.g.
basehash changed from 600fb6be571fa4853232a7fed78945ee19b324e54b1b94cff93ef472b6290103 to 994de861190a56064d3e186d9c411152127e230bf2f77b17e59b2c5932a41249
List of dependencies for variable TUNE_FEATURES changed from '{'TUNE_FEATURES_tune-core2-32', 'DEFAULTTUNE'}' to '{'TUNE_FEATURES_tune-armv7vethf-neon', 'DEFAULTTUNE'}'
changed items: {'TUNE_FEATURES_tune-core2-32', 'TUNE_FEATURES_tune-armv7vethf-neon'}
(From OE-Core rev: 4825eede606b075d0d529b38d6162999f1dec506)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Add default values for go environment variables to go-common.inc.
Override where appropriate in other go*.inc files, and use
host/target tuples from goarch for setting CC flags.
(From OE-Core rev: 1e3f040b1f68fa1f808851ecd9623544e935e9ad)
Signed-off-by: Alex Kube <alexander.j.kube@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
fix below error:
file /usr/lib64/go/src/cmd/cgo/zdefaultcc.go conflicts between attempted installs of go-dev-1.12.6-r0.core2_64 and go-runtime-dev-1.12.6-r0.core2_64
file /usr/lib64/go/src/cmd/go/internal/cfg/zdefaultcc.go conflicts between attempted installs of go-dev-1.12.6-r0.core2_64 and go-runtime-dev-1.12.6-r0.core2_64
these 2 files existed in both go-dev and go-runtime-dev
remove it from go-runtime-dev to fix the problem
(From OE-Core rev: 60dcae509a210f2cae8eda525a1b006663aef9bf)
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
By default GOCACHE is set to $HOME/.cache.
Fixes:
ERROR: go-cross-dbfp4-1.12.1-r0 do_compile: Function failed: do_compile (log file is located at /workdir/build/tmp/work/x86_64-linux/go-cross-dbfp4/1.12.1-r0/temp/log.do_compile.8120)
ERROR: Logfile of failure stored in: /workdir/build/tmp/work/x86_64-linux/go-cross-dbfp4/1.12.1-r0/temp/log.do_compile.8120
Log data follows:
| DEBUG: Executing shell function do_compile
| Building Go cmd/dist using /workdir/build/tmp/work/x86_64-linux/go-cross-dbfp4/1.12.1-r0/recipe-sysroot-native/usr/lib/go.
| failed to initialize build cache at /home/pokyuser/.cache/go-build: mkdir /home/pokyuser/.cache: permission denied
| WARNING: exit code 1 from a shell command.
| ERROR: Function failed: do_compile (log file is located at /workdir/build/tmp/work/x86_64-linux/go-cross-dbfp4/1.12.1-r0/temp/log.do_compile.8120)
ERROR: Task (/workdir/repo/poky/meta/recipes-devtools/go/go-cross_1.12.bb:do_compile) failed with exit code '1'
NOTE: Tasks Summary: Attempted 23 tasks of which 16 didn't need to be rerun and 1 failed.
(From OE-Core rev: 9a6d208b9979035bbfc1def80fb6558db4bddb12)
Signed-off-by: Ricardo Ribalda Delgado <ricardo@ribalda.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
There doesn't seem to be a reason to keep it in addition to 1.12 now.
(From OE-Core rev: 03bfbbb1d86f102ce23ee6ac0d4b905fc241f23c)
Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Minor revisions
go1.12.1 (released 2019/03/14) includes fixes to cgo, the compiler, the go command, and the fmt, net/smtp, os, path/filepath, sync, and text/template packages. See the Go 1.12.1 milestone on our issue tracker for details.
Details
https://github.com/golang/go/issues?q=milestone%3AGo1.12.1
(From OE-Core rev: 3e04ae7283fd3cb914e4528ca1e980a07a3bb85f)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
It uses gcc on build machine during go-cross-canadian bootstrap, but the
gcc version may be old and not support option '-fmacro-prefix-map' which
is one of default values of DEBUG_PREFIX_MAP.
So set default value of DEBUG_PREFIX_MAP for go-cross-canadian.
(From OE-Core rev: bd19d2b138e1a7fbfdf0b7a7dec0bc04a3aaa219)
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
We no longer have special "libc" for gcc so we can rely on plain
virtual/libc and reduce the complexity in the dependencies.
(From OE-Core rev: 122217b421f749b5fef52bea44ad6e04bc8f8d3a)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The crosssdk dependencies are handled using the virtual/ namespace so
this name doesn't matter in the general sense. We want to be able to provide
recipe maintainer information through overrides though, so this standardises it
with the behaviour from gcc-crosssdk and ensures the maintainer overrides work.
(From OE-Core rev: da8c3728bf8bb4d4ae71e15626fc10976802185d)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Go binaries were installed to ${libdir}/go/bin, and create symlink
in ${bindir}, while enabling multilib, libdir was extended (such as
/usr/lib64), but BASELIB was not (still /lib), so use
baselib (such as /lib64)) to replace
(From OE-Core rev: 8b69af74c377bc9342f631d7e6b90fe05876216c)
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
While building go itself, the go build system does not support
to set `-buildmode=pie' from environment.
Add GOBUILDMODE to support it which make PIE executables the default
build mode, as PIE executables are required as of Yocto
But mips doesn't support -buildmode=pie, so skip the QA checking for
mips and its variants
(From OE-Core rev: d11cb2ea0abfca4a5958ff4647f22a5b203113e5)
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Right now go-cross is changing signatures when you change TUNE for a given
architecture. In particular this breaks layer tests like:
yocto-check-layer ../meta-yocto-bsp/ --machines qemuarm beaglebone-yocto
This changes the PN addtion to something containing the tune rather than
the arch which avoids these kinds of errors. If go-cross can be tune
independent that would be nice but currently that isn't the case.
[YOCTO #12586]
(From OE-Core rev: e3c7e1703499e6a5332d9ab8a941671ec8235c4f)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The current go-dep does not compile ptest successfully on mips
and mips64. So as a workaround, disable PTEST_ENABLED explicitly
to avoid error like below.
| vet config not found
(From OE-Core rev: 786322ec408e2ef5cd6fb809456e0453e5f5e162)
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
