math/big: prevent large memory consumption in Rat.SetString
An attacker can cause unbounded memory growth in a program using (*Rat).SetString
due to an unhandled overflow.
Upstream-Status: Backport [https://go.dev/issue/50699]
CVE: CVE-2022-23772
(From OE-Core rev: e4d15040f62744265b9236ad7276f3371a9172da)
Signed-off-by: Minjae Kim <flowergom@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
crypto/elliptic: fix IsOnCurve for big.Int values that are not valid coordinates
Some big.Int values that are not valid field elements (negative or overflowing)
might cause Curve.IsOnCurve to incorrectly return true. Operating on those values
may cause a panic or an invalid curve operation. Note that Unmarshal will never
return such values.
Upstream-Status: Backport [https://go.dev/issue/50974]
CVE: CVE-2022-23806
(From OE-Core rev: eb7aa0929ecd712aeeec0ff37dfb77c3da33b375)
Signed-off-by: Minjae Kim <flowergom@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
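A caller-side guard for the IsOnCurve issue described in the commit message above, as an added example that is not part of the commit or of the upstream Go patch: it rejects negative or overflowing coordinates before the curve is consulted. `CheckPoint` and the two error values are hypothetical names, and the inputs in `main` are constructed from the P-256 generator.

```go
package main

import (
	"crypto/elliptic"
	"errors"
	"fmt"
	"math/big"
)

// Hypothetical error values for this example.
var (
	ErrNotFieldElement = errors.New("coordinate outside [0, P)")
	ErrNotOnCurve      = errors.New("point is not on the curve")
)

// CheckPoint (hypothetical helper) rejects coordinates that are not valid
// field elements before asking the curve whether the point lies on it.
func CheckPoint(curve elliptic.Curve, x, y *big.Int) error {
	if x == nil || y == nil {
		return ErrNotFieldElement
	}
	p := curve.Params().P
	for _, c := range []*big.Int{x, y} {
		// Negative, or greater than or equal to the field prime P:
		// the "negative or overflowing" values named in the commit message.
		if c.Sign() < 0 || c.Cmp(p) >= 0 {
			return ErrNotFieldElement
		}
	}
	if !curve.IsOnCurve(x, y) {
		return ErrNotOnCurve
	}
	return nil
}

func main() {
	c := elliptic.P256()
	gx, gy := c.Params().Gx, c.Params().Gy
	// Constructed inputs: the generator, its negated x, and x shifted by P.
	neg := new(big.Int).Neg(gx)
	over := new(big.Int).Add(gx, c.Params().P)
	fmt.Println("generator:  ", CheckPoint(c, gx, gy))
	fmt.Println("negative x: ", CheckPoint(c, neg, gy))
	fmt.Println("x + P:      ", CheckPoint(c, over, gy))
}
```

The range check is independent of the toolchain version, so it also holds on builds that predate the backported fix.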
This update was made with the convert-scruri.py script in scripts/contrib
This script handles two emerging issues:
1. There is uncertainty about the default branch name in git going forward.
To try and cover the different possible outcomes, add branch names to all
git:// and gitsm:// SRC_URI entries.
2. GitHub are dropping support for git:// protocol fetching, so remap GitHub
URLs as needed. For more details see:
https://github.blog/2021-09-01-improving-git-protocol-security-github/
(From OE-Core rev: 827a805349f9732b2a5fa9184dc7922af36de327)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
go 1.14 for windows targets does not support -buildmode=pie, disable it and use
the default buildmode instead. Support for -buildmode=pie for windows targets
is added with go 1.15 (https://golang.org/doc/go1.15) which is added to poky in
gatesgarth.
(From OE-Core rev: a1b0631c4723d2a98eb9e80ec85a00bc46276783)
Signed-off-by: Peter Morrow <pemorrow@linux.microsoft.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
update minor version to 1.14.12
go1.14.8 includes security fixes to the net/http/cgi and net/http/fcgi packages.
go1.14.9 includes fixes to the compiler, linker, runtime, documentation, and the net/http and testing packages.
go1.14.10 includes fixes to the compiler, runtime, and the plugin and testing packages.
go1.14.11 includes fixes to the runtime, and the net/http and time packages.
go1.14.12 includes security fixes to the cmd/go and math/big packages.
Release notes:
https://golang.org/doc/devel/release.html#go1.14.minor
updates include fix for
CVE-2020-24553
CVE-2020-28362
CVE-2020-28366
CVE-2020-28367
Also backport patch to fix below CGO_LDFLAGS error
| Building std for target, linux/amd64.
| go build runtime/cgo: invalid flag in go:cgo_ldflag: -Wl,-O1
(From OE-Core rev: e216b2223cbe8c459348262f98b3cfbe79d12023)
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Includes security fixes for CVE-2020-14039 and CVE-2020-15586
(cherry picked from commit 97d5c2d1f2dffe2518f46bbe57cb9348eb59c633)
(cherry picked from commit 6591d269792fe864d7af4e379035f1cebc4510f5)
(cherry picked from commit c9011d04eb624aeabf5d707e88de80137bcc2eb1)
(From OE-Core rev: e33d2ddaa6c8945227a5bbf4e96d63606d0fab38)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
cgo is still not available in go for riscv64, we will re-evaluate it
once we upgrade to 1.15
Fixes
| /usr/src/debug/go-runtime/1.14.4-r0/go/src/runtime/cgo/gcc_util.c:23: undefined reference to `_cgo_sys_thread_start'
[YOCTO #13966]
(From OE-Core rev: 987d29d0b0dfa19ef6564996198f22c2b08f6ff9)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit f512b3308ed6ee878c77f72b9235ada83d107dba)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
dep utility must not use 'go mod' support, so we explicitly disable it.
(From OE-Core rev: e953be6c159bfed4ac69f30fa2562d217d25c254)
Signed-off-by: Otavio Salvador <otavio@ossystems.com.br>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit b34000ae3dd6e0a1d7fc332efb35c5da84cf2275)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
go compiler is including go/src/cmd modules in -dev package which is in
conflict with go-runtime-dev which provides exact same copy of this
module along with other runtime modules, as a result when both go-dev and
go-runtime-dev are included in image then it results in rootfs failures,
here let's make go depend on go-runtime and don't install the cmd module
here explicitly.
(From OE-Core rev: 1ace1655f8ae08c07c8875be53b641e7c2564ded)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
These variables depend on TUNE_FEATURES variable and that creeps into
dependencies for native as well as a result, which means go-native gets
recompiled every time machine/arch is changed.
Fixes sstate differences found e.g.
basehash changed from 600fb6be571fa4853232a7fed78945ee19b324e54b1b94cff93ef472b6290103 to 994de861190a56064d3e186d9c411152127e230bf2f77b17e59b2c5932a41249
List of dependencies for variable TUNE_FEATURES changed from '{'TUNE_FEATURES_tune-core2-32', 'DEFAULTTUNE'}' to '{'TUNE_FEATURES_tune-armv7vethf-neon', 'DEFAULTTUNE'}'
changed items: {'TUNE_FEATURES_tune-core2-32', 'TUNE_FEATURES_tune-armv7vethf-neon'}
(From OE-Core rev: 4825eede606b075d0d529b38d6162999f1dec506)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Add default values for go environment variables to go-common.inc.
Override where appropriate in other go*.inc files, and use
host/target tuples from goarch for setting CC flags.
(From OE-Core rev: 1e3f040b1f68fa1f808851ecd9623544e935e9ad)
Signed-off-by: Alex Kube <alexander.j.kube@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
fix below error:
file /usr/lib64/go/src/cmd/cgo/zdefaultcc.go conflicts between attempted installs of go-dev-1.12.6-r0.core2_64 and go-runtime-dev-1.12.6-r0.core2_64
file /usr/lib64/go/src/cmd/go/internal/cfg/zdefaultcc.go conflicts between attempted installs of go-dev-1.12.6-r0.core2_64 and go-runtime-dev-1.12.6-r0.core2_64
these 2 files existed in both go-dev and go-runtime-dev
remove it from go-runtime-dev to fix the problem
(From OE-Core rev: 60dcae509a210f2cae8eda525a1b006663aef9bf)
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
By default GOCACHE is set to $HOME/.cache.
Fixes:
ERROR: go-cross-dbfp4-1.12.1-r0 do_compile: Function failed: do_compile (log file is located at /workdir/build/tmp/work/x86_64-linux/go-cross-dbfp4/1.12.1-r0/temp/log.do_compile.8120)
ERROR: Logfile of failure stored in: /workdir/build/tmp/work/x86_64-linux/go-cross-dbfp4/1.12.1-r0/temp/log.do_compile.8120
Log data follows:
| DEBUG: Executing shell function do_compile
| Building Go cmd/dist using /workdir/build/tmp/work/x86_64-linux/go-cross-dbfp4/1.12.1-r0/recipe-sysroot-native/usr/lib/go.
| failed to initialize build cache at /home/pokyuser/.cache/go-build: mkdir /home/pokyuser/.cache: permission denied
| WARNING: exit code 1 from a shell command.
| ERROR: Function failed: do_compile (log file is located at /workdir/build/tmp/work/x86_64-linux/go-cross-dbfp4/1.12.1-r0/temp/log.do_compile.8120)
ERROR: Task (/workdir/repo/poky/meta/recipes-devtools/go/go-cross_1.12.bb:do_compile) failed with exit code '1'
NOTE: Tasks Summary: Attempted 23 tasks of which 16 didn't need to be rerun and 1 failed.
(From OE-Core rev: 9a6d208b9979035bbfc1def80fb6558db4bddb12)
Signed-off-by: Ricardo Ribalda Delgado <ricardo@ribalda.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
There doesn't seem to be a reason to keep it in addition to 1.12 now.
(From OE-Core rev: 03bfbbb1d86f102ce23ee6ac0d4b905fc241f23c)
Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Minor revisions
go1.12.1 (released 2019/03/14) includes fixes to cgo, the compiler, the go command, and the fmt, net/smtp, os, path/filepath, sync, and text/template packages. See the Go 1.12.1 milestone on our issue tracker for details.
Details
https://github.com/golang/go/issues?q=milestone%3AGo1.12.1
(From OE-Core rev: 3e04ae7283fd3cb914e4528ca1e980a07a3bb85f)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
It uses gcc on build machine during go-cross-canadian bootstrap, but the
gcc version may be old and not support option '-fmacro-prefix-map' which
is one of default values of DEBUG_PREFIX_MAP.
So set default value of DEBUG_PREFIX_MAP for go-cross-canadian.
(From OE-Core rev: bd19d2b138e1a7fbfdf0b7a7dec0bc04a3aaa219)
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
We no longer have special "libc" for gcc so we can rely on plain
virtual/libc and reduce the complexity in the dependencies.
(From OE-Core rev: 122217b421f749b5fef52bea44ad6e04bc8f8d3a)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The crosssdk dependencies are handled using the virtual/ namespace so
this name doesn't matter in the general sense. We want to be able to provide
recipe maintainer information through overrides though, so this standardises it
with the behaviour from gcc-crosssdk and ensures the maintainer overrides work.
(From OE-Core rev: da8c3728bf8bb4d4ae71e15626fc10976802185d)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Go binaries were installed to ${libdir}/go/bin, and create symlink
in ${bindir}, while enabling multilib, libdir was extended (such as
/usr/lib64), but BASELIB was not (still /lib), so use
baselib (such as /lib64)) to replace
(From OE-Core rev: 8b69af74c377bc9342f631d7e6b90fe05876216c)
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
While building go itself, the go build system does not support
to set `-buildmode=pie' from environment.
Add GOBUILDMODE to support it, which makes PIE executables the default
build mode, as PIE executables are required as of Yocto
But mips doesn't support -buildmode=pie, so skip the QA checking for
mips and its variants
(From OE-Core rev: d11cb2ea0abfca4a5958ff4647f22a5b203113e5)
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Right now go-cross is changing signatures when you change TUNE for a given
architecture. In particular this breaks layer tests like:
yocto-check-layer ../meta-yocto-bsp/ --machines qemuarm beaglebone-yocto
This changes the PN addition to something containing the tune rather than
the arch which avoids these kinds of errors. If go-cross can be tune
independent that would be nice but currently that isn't the case.
[YOCTO #12586]
(From OE-Core rev: e3c7e1703499e6a5332d9ab8a941671ec8235c4f)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The current go-dep does not compile ptest successfully on mips
and mips64. So as a workaround, disable PTEST_ENABLED explicitly
to avoid error like below.
| vet config not found
(From OE-Core rev: 786322ec408e2ef5cd6fb809456e0453e5f5e162)
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Drop 1.10 recipes in favor of 1.11
we have had reports of 1.10 not being quite
functional with OE
(From OE-Core rev: 1cf3aee0ba0fb0c2e8b82f403384a1928a9b03f4)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
NEW FEATURES:
- Add CI tests against go1.10. Drop support for go1.8. (#1620).
- Added install.sh script. (#1533).
- List out of date projects in dep status (#1553).
- Enabled opt-in persistent caching via DEPCACHEAGE env var. (#1711).
- Allow DEPPROJECTROOT environment variable to supersede GOPATH
deduction and explicitly set the current project's root (#1883).
- dep ensure now explains what changes to the code or Gopkg.toml have
induced solving (#1912).
- Hash digests of vendor contents are now stored in Gopkg.lock, and
the contents of vendor are only rewritten on change or hash
mismatch (#1912).
- Added support for ppc64/ppc64le.
- New subcommand dep check quickly reports if imports, Gopkg.toml,
Gopkg.lock, and vendor are out of sync (#1932).
BUG FIXES:
- Excise certain git-related environment variables. (#1872)
IMPROVEMENTS:
- Add template operations support in dep status template output (#1549).
- Reduce network access by trusting local source information and only
pulling from upstream when necessary (#1250).
- Update our dependency on Masterminds/semver to follow upstream again
now that Masterminds/semver#67 is merged (#1792).
- inputs-digest was removed from Gopkg.lock (#1912).
- Hash digests of vendor contents are now stored in Gopkg.lock, and
the contents of vendor are only rewritten on change or hash
mismatch (#1912).
- Don't exclude Godeps folder (#1822).
- Add project-package relationship graph support in graphviz (#1588).
- Limit concurrency of dep status to avoid hitting open file
limits (#1923).
(From OE-Core rev: 165da89292f81d236e4e8e652500b8879c2ad9be)
Signed-off-by: Otavio Salvador <otavio@ossystems.com.br>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* I'm not using go or go-dep, so I'm not going to fix it properly,
it was just bothering me in world builds
* this is reproducible only with ptest in DISTRO_FEATUREs (for aarch64
issue) and included security_flags.inc, more specifically with the PIE
flags, so alternative work around is:
SECURITY_CFLAGS_pn-go = "${SECURITY_NOPIE_CFLAGS}"
SECURITY_CFLAGS_pn-go-dep = "${SECURITY_NOPIE_CFLAGS}"
(From OE-Core rev: b689c72ad2dc84b8bb55ecbf72d95701707b9bb3)
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
go1.10.3 (released 2018/06/05) includes fixes to the go command, and
the crypto/tls, crypto/x509, and strings packages. In particular, it
adds minimal support to the go command for the vgo transition.
(From OE-Core rev: 37f288d783257cb9e6c035aaab1b661b1016b4c3)
Signed-off-by: Otavio Salvador <otavio@ossystems.com.br>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>