The go command may generate unexpected code at build time when using cgo.
This may result in unexpected behavior when running a go program which uses cgo.
This may occur when running an untrusted module which contains directories
with newline characters in their names. Modules which are retrieved using the go
command, i.e. via "go get", are not affected (modules retrieved using GOPATH-mode,
i.e. GO111MODULE=off, may be affected).
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-29402
Upstream patches:
4dae3bbe0e
(From OE-Core rev: aeb0829e52c60a77a2135af8332435b6e2db5b3d)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The go command may execute arbitrary code at build time when using cgo.
This may occur when running "go get" on a malicious module, or when running
any other command which builds untrusted code. This is can by triggered by
linker flags, specified via a "#cgo LDFLAGS" directive. Flags containing
embedded spaces are mishandled, allowing disallowed flags to be smuggled
through the LDFLAGS sanitization by including them in the argument of
another flag. This only affects usage of the gccgo compiler.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-29405
Upstream patches:
6d8af00a63
(From OE-Core rev: 7ce6d0029effc06cff500271a124150f1a7db7b3)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The go command may execute arbitrary code at build time when using cgo.
This may occur when running "go get" on a malicious module, or when running
any other command which builds untrusted code. This is can by triggered by
linker flags, specified via a "#cgo LDFLAGS" directive. The arguments for a
number of flags which are non-optional are incorrectly considered optional,
allowing disallowed flags to be smuggled through the LDFLAGS sanitization.
This affects usage of both the gc and gccgo compilers.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-29404
Upstream patches:
bbeb55f5fa
(From OE-Core rev: 3e51122f8e2b4a7cd2a1c711175e6daf59b8368b)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Angle brackets should not appear in CSS contexts, as they may affect
token boundaries (such as closing a <style> tag, resulting in
injection). Instead emit filterFailsafe, matching the behavior for other
dangerous characters.
Thanks to Juho Nurminen of Mattermost for reporting this issue.
For #59720Fixes#59811
Fixes CVE-2023-24539
(From OE-Core rev: 0a09194f3d4ad98d0cf0d070ec0c99e7a6c8a158)
Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
A parsed MIME header is a map[string][]string. In the common case,
a header contains many one-element []string slices. To avoid
allocating a separate slice for each key, ReadMIMEHeader looks
ahead in the input to predict the number of keys that will be
parsed, and allocates a single []string of that length.
The individual slices are then allocated out of the larger one.
The prediction of the number of header keys was done by counting
newlines in the input buffer, which does not take into account
header continuation lines (where a header key/value spans multiple
lines) or the end of the header block and the start of the body.
This could lead to a substantial amount of overallocation, for
example when the body consists of nothing but a large block of
newlines.
Fix header key count prediction to take into account the end of
the headers (indicated by a blank line) and continuation lines
(starting with whitespace).
Thanks to Jakob Ackermann (@das7pad) for reporting this issue.
Fixes CVE-2023-24534
For #58975Fixes#59267
(From OE-Core rev: 28bfa033ce965d7316a8b4296d10f3ad74d711db)
Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Setting a large line or column number using a //line directive can cause
integer overflow even in small source files.
Limit line and column numbers in //line directives to 2^30-1, which
is small enough to avoid int32 overflow on all reasonbly-sized files.
Fixes CVE-2023-24537
Fixes#59273
For #59180
(From OE-Core rev: 15c07dff384ce4fb0e90f4f32c182a82101a1c82)
Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This CVE is specific to Microsoft Windows, ignore it.
Patch fixing it (https://go-review.googlesource.com/c/go/+/446916)
also adds a redundant check to generic os/exec which
could be backported but it should not be necessary as
backport always takes a small risk to break old code.
(From OE-Core rev: ae8167754ff1c02f2d92af03de804754ea77a3e5)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
path/filepath: do not Clean("a/../c:/b") into c:\b on Windows
Backport from bdf07c2e16
(From OE-Core rev: f60637b3c9045656047d6ffcfaadbef5ad1d3d06)
Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Backport from go-1.19. The godebug package is needed by
the fix to CVE-2022-41725.
Mostly a cherry-pick but exceptions are noted in comments
marked "backport".
(From OE-Core rev: e5cf04f55b4849ae6db1253b39ad8b037cf01af4)
Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Disable cmd/internal/moddeps test, since this update includes PRIVATE
track fixes.
Backport from 5c3e11bd0b
(From OE-Core rev: 7440ebac50813e5df73da2d660a50fa97de650de)
Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Backport appropriate patches to fix CVE-2022-2879 and CVE-2022-41720.
Modified the original fix for CVE-2022-2879 to remove a testdata tarball
and any references to it since git binary diffs are not supported in
quilt.
(From OE-Core rev: a896cebe1ce2363b501723475154350acf0e0783)
Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
By default GOCACHE is set to $HOME/.cache.
Same issue for all other go recipes had been fixed by commit 9a6d208b:
[ go: avoid host contamination by GOCACHE ]
but that commit missed go-crosssdk recipe.
(From OE-Core rev: 803b754c64c8ee923cc02c17cf80798c93e3811c)
Signed-off-by: Robert Andersson <robert.m.andersson@atlascopco.com>
Signed-off-by: Ming Liu <liu.ming50@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit e5fd10c647ac4baad65f9efa964c3380aad7dd10)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Update to latest v1.17.x release.
Contains fix for CVE-2022-32189.
go.git$ git log --oneline go1.17.12^..go1.17.13
15da892a49 (tag: go1.17.13, origin/release-branch.go1.17) [release-branch.go1.17] go1.17.13
703c8ab7e5 [release-branch.go1.17] math/big: check buffer lengths in GobDecode
d9242f7a8c [release-branch.go1.17] cmd/compile: do not use special literal assignment if LHS is address-taken
489c148578 [release-branch.go1.17] cmd/compile: fix prove pass when upper condition is <= maxint
66c60f076c [release-branch.go1.17] runtime: clear timerModifiedEarliest when last timer is deleted
c25b12fb81 [release-branch.go1.17] runtime: use saved LR when unwinding through morestack
1ed3c127da (tag: go1.17.12) [release-branch.go1.17] go1.17.12
(From OE-Core rev: 5acea6ee55d36987609bfa38b579ba86ca1879d1)
Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
go1.17.9 (released 2022-04-12) includes security fixes to the crypto/elliptic and
encoding/pem packages, as well as bug fixes to the linker and runtime.
go1.17.10 (released 2022-05-10) includes security fixes to the syscall package,
as well as bug fixes to the compiler, runtime, and the crypto/x509 and
net/http/httptest packages.
(From OE-Core rev: bcbfff47e212627b355c54ab782f38708ed12d4c)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
There is no reason to include a path in foo[dirs] if it is also in
foo[cleandirs] (except if it is the last path in foo[dirs]).
(From OE-Core rev: 9f610748f760b2d58d5250b55ae4b268909f33ef)
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Commit 9985b17a30bb ("go: correctly set debug-prefix-map and build
directory") has changed CGO_LDFLAGS to the manually crafted version of
LDFLAGS to strip out DEBUG_PREFIX_MAP contents.
However this manually crafted version includes ${SECURITY_LDFLAGS}.
If security_flags.inc is not included, the variable is not defined, thus
CGO_LDFLAGS will include the '${SECURITY_LDFLAGS}' literally. When
building the recipe, the build would break with the follwing message:
aarch64-linaro-linux-gcc: error: ${SECURITY_LDFLAGS}: No such file or directory
So, instead of manually specifying variable contents, perform the
expected action: filter offending arguments out of LDFLAGS.
Cc: Alexander Kanavin <alex.kanavin@gmail.com>
(From OE-Core rev: e7d2d68679c1980d9e889d96c3eab49589f5b832)
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Go has its own system for creating temporary build
sub-directories with randomized names, and setting
up debug-prefix-map on the fly to prevent those
directories leaking into target binaries. OE's own
settings were clashing with it, so this change
carefully avoids the two stepping on each other.
Additionally, the top level build directory cannot
be named 'go-something'.
(From OE-Core rev: 9985b17a30bb9b9f1bc82a44662687db5cead66e)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
go writes build-specific ids into binaries it produces
and has a custom system for calculating them from
file hashes, environment variables and other inputs
(not that dissimilar to sstate cache, actually). This can
go wrong :) in various ways (for purposes of reproducibility
in particular), so this enables useful logs to see what
happens and why.
(From OE-Core rev: a587be1d18fc55fe57d1aa5aa7c9e26af887109e)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The release includes fixes for CVE-2021-41771 and CVE-2021-41772
(From OE-Core rev: 69c68f470e8e12456a4d9abf2d1c33b857e4ea37)
Signed-off-by: Pavel Zhukov <pavel.zhukov@huawei.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This is the result of automated script conversion:
scripts/contrib/convert-overrides.py <oe-core directory>
converting the metadata to use ":" as the override character instead of "_".
(From OE-Core rev: 42344347be29f0997cc2f7636d9603b1fe1875ae)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This reverts commit 4118415d4b.
This was found to be unnecessary, and broke upstream version checks.
(From OE-Core rev: cee436d1eb94663f3604c80b6ad87292f6901498)
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
golang.org/dl is resolving to this anyway
(From OE-Core rev: 8470e38ac1d9f9bb6d8a4ee43724af452d080057)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
go-dep was an effort for dependency management before go modules, which
since 2020 has been deprecated in favor of go modules. Since its not
developed any longer and go mdules is officially supported, this should
be retired from OE-core as well.
(From OE-Core rev: 1e7ed44d87034446f1d07692c9378c3b0a8a9dd3)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Cc: Otavio Salvador <otavio.salvador@ossystems.com.br>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
go1.16 has added CGO support for riscv64 arch
(From OE-Core rev: 8e078238312948e8c7b09c66ba7a186512e995d3)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
