Commit Graph

153 Commits

Author SHA1 Message Date
Yann E. MORIN
575d971820 package/go: ensure there is a host-go provider, take 2
Commit 7b2a164b74 (package/go/go-bin: new host-go provider) broke the
case for prompt-less, host-only go packages, as the main host-go symbol
would not be selected.

This very same use-case was initially broken when the first go-src
provider was introduced with fa2536ec94 (package/go: make host package
a virtual package), and subsequently fixed in 99a5d51c6e (package/go:
ensure there is a host-go provider), so 7b2a164b74 is causing a
regression of a fixed regression.

Fix that the very same way it was originally fixed.

Signed-off-by: Yann E. MORIN <yann.morin@orange.com>
Cc: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
2024-11-19 22:13:40 +01:00
Christian Stewart
33015ce954 package/go: bump version to go1.23.2
Go 1.23.0 is a major release of Go.

Most of its changes are in the implementation of the toolchain, runtime, and libraries.

https://go.dev/doc/go1.23
https://go.dev/doc/devel/release#go1.23.2

Signed-off-by: Christian Stewart <christian@aperture.us>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2024-10-26 15:33:31 +02:00
Christian Stewart
800ec5dd7f package/go: bump version to go1.22.8
go1.22.8 (released 2024-10-01) includes fixes to cgo, maps, and syscall.

https://go.dev/doc/devel/release#go1.22.8

Signed-off-by: Christian Stewart <christian@aperture.us>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2024-10-09 23:23:55 +02:00
Thomas Perale
7b2a164b74 package/go/go-bin: new host-go provider
This package provides a pre-built version for the host-go virtual
package introduced in the previous commits:

 - host-go-bin installs a pre-built version of the Go compiler.

By default, host-go remains built from sources to keep the same
behavior as the former version.

The menuconfig entry for host-go is updated to expose the host-go-bin
provider. The dependencies are set such that, if host-go-src does not
support the host architecture, it will automatically fall back to
host-go-bin and vice versa.

Signed-off-by: Thomas Perale <thomas.perale@mind.be>
[yann.morin.1998@free.fr:
  - update hashes for 1.22.7
  - add hash for the source tarball
  - set _DL_SUBDIR
  - don't set a prompt to BR2_PACKAGE_HOST_GO_BIN_HOST_ARCH
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2024-09-15 15:59:18 +02:00
Yann E. MORIN
e9b0893a8e package/go/go-src: share download directory with go
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2024-09-15 15:58:09 +02:00
Athaariq Ardhiansyah
7cac7bc3c9 package/go: expose option to enable via configurator
Expose host-go in the menuconfig, so that the user can select which go
compiler to use, without having to first enable a go package, or to
have it in the SDK without having a go package enabled.

Signed-off-by: Athaariq Ardhiansyah <foss@athaariq.my.id>
[yann.morin.1998@free.fr: rewrite commit log]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2024-09-14 18:14:36 +02:00
Christian Stewart
8d371dbe55 package/go: security bump to version 1.22.7
Fixes the following CVEs:

CVE-2024-34155: go/parser: stack exhaustion in all Parse* functions
CVE-2024-34156: encoding/gob: stack exhaustion in Decoder.Decode
CVE-2024-34158: go/build/constraint: stack exhaustion in Parse

https://go.dev/doc/devel/release#go1.22.7

Signed-off-by: Christian Stewart <christian@aperture.us>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2024-09-14 10:57:46 +02:00
Peter Korsgaard
5aa9b105b9 package/go: fix convenience typo
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2024-09-10 22:50:00 +02:00
Peter Korsgaard
c31189363b package/go-src: fix variable typo in patch description
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2024-09-10 22:49:59 +02:00
Yann E. MORIN
6016dad5cf package/go: expose host CGO linking support
Even when configured for cross-compilation, the go compiler is always
able to build natively as well, and this is what we use in Buildroot to
build host go packages. This implies that when the target has
limitations, those limitations thus also apply to the host builds.

This means that, when there is no CGO linking support for the target,
the compiler is built without CGO linking support, and thus CGO linking
is also not available for the host builds.

Of course, when there is no go support for the target, the CGO linking
support only depends on the host architecture.

Add a new Kconfig symbol that represents whether CGO linking is available
for the host; host packages can then depend on that symbol, like the
target variants do on the corresponding target symbol.

The dependencies of this symbol are a bit complicated. Fortunately,
because it is a blind symbol, we can write it with a combination of
"default y" and "depends on" statements. As mentioned, CGO for the host
is available if CGO is available for the target, but also if Go is not
available for the target at all. In addition, Go must of course be
available for the host. There are also the toolchain constraints of CGO.
We exclude MIPS64 explicitly based on BR2_HOSTARCH. For the host, we
always assume that dynamic library and threads are available so we don't
have conditions for that.

Signed-off-by: Yann E. MORIN <yann.morin@orange.com>
Cc: Thomas Perale <thomas.perale@mind.be>
Cc: Christian Stewart <christian@aperture.us>
Cc: Anisse Astier <anisse@astier.eu>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
2024-09-03 23:14:06 +02:00
Anisse Astier
079f5ccdca package/go: disable cgo support with static libs
The go stdlib "plugin" package relies on dlfcn.h which isn't available
when we have BR2_STATIC_LIBS=y.

Concentrate all cgo decisions (including the existing threads part)
under the config option BR2_PACKAGE_HOST_GO_TARGET_CGO_LINKING_SUPPORTS
that has the proper depends.

This should fix this build error from autobuilders:

/buildroot/build/host-go-1.19.3/src/plugin/plugin_dlopen.go:11:10: fatal error: dlfcn.h: No such file or directory
   11 | #include <dlfcn.h>

Fixes:
  http://autobuild.buildroot.net/results/1f4/1f4b9882986b9df723a1446493d270c29287b505
  http://autobuild.buildroot.net/results/a9d/a9de62374c948f773634c694a47abcaa2bc266d0

Signed-off-by: Anisse Astier <anisse@astier.eu>
Reviewed-by: Christian Stewart <christian@paral.in>
[Arnout: revert parts to v2, keeping most of the overall logic as it
was]
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
2024-07-13 09:56:16 +02:00
Christian Stewart
5d02277884 package/go: security bump version to go1.22.5
Fixes CVE:

CVE-2024-24791: net/http: denial of service due to improper 100-continue handling

https://go.dev/doc/devel/release#go1.22.5

Signed-off-by: Christian Stewart <christian@aperture.us>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2024-07-12 23:08:04 +02:00
Yann E. MORIN
60fc945734 package/go: ensure the toolchain is available
The toolchain is needed to build the final-stage go compiler, when it
should have CGO support.

However, in commit 0290c543de (package/go: new subdirectory for go
variants), the HOST_GO_DEPENDENCIES assignment was only partially split
off to the new location; part of it was left in the old go.mk to act as
common variables. With that commit, the go package had not been renamed,
which meant that the dependencies were still correct.

But in commit fa2536ec94 (package/go: make host package a virtual
package), the 'go' package was renamed to 'go-src', and replaced by a
'go' virtual package.

The variables in the go-src package were properly renamed, and the
variables in the go virtual package were properly _not_ renamed. As a
consequence, the go-src package lost its dependency on the toolchain
when needed, while the go virtual package still had it.

However, that was not correct when CGO is enabled (i.e. when the target
has threads): go-src then fails to build:

    Building Go cmd/dist using [...]/host/lib/go-1.21.8. (go1.21.8 linux/amd64)
    go tool dist: cannot invoke C compiler ["[...]/host/bin/aarch64-linux-gcc"]:
    fork/exec [...]/host/bin/aarch64-linux-gcc: no such file or directory

    Go needs a system C compiler for use with cgo.
    To set a C compiler, set CC=the-compiler.
    To disable cgo, set CGO_ENABLED=0.

After some retro-thinking, the reasoning behind this was that the
toolchain would _also_ be needed when using the prebuilt go-bin, which
is indeed correct, so by having it as a dependency of the virtual
package, it would ensure the toolchain be present in both cases, when
building from scratch or when using a prebuilt go.

The oversight being that the toolchain is _also_ needed to actually
build go when CGO is enabled.

We fix this by handling the toolchain dependency for CGO by exposing it
in a variable, that can be used as a dependency in go-src, like is done
to actually enable or disable CGO support.

We still ensure that host-go still depends on it, for a future go-bin
provider.

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2024-06-23 23:00:01 +02:00
Yann E. MORIN
99a5d51c6e package/go: ensure there is a host-go provider
Commit fa2536ec94 (package/go: make host package a virtual package)
introduced host-go as a host-only virtual package, which had a single
provider, the choice of which is only exposed when a (target or host)
package has selected BR2_PACKAGE_HOST_GO to indicate it needs host-go.

However, this forgot to account for prompt-less, host-only packages,
which have no way of selecting that symbol.

Having prompt-less, host-only packages is a totally unexceptional,
supported case; for example a host package can be depended upon by
another (target or host) package, or by a filesystem, and we do not
require Kconfig symbols to be exposed for those packages.

As a consequence, when no package is enabled that can select that
symbol, we can't run 'make source' or 'make host-foo-source':

    make[1]: *** No rule to make target 'host-', needed by
    '[...]/build/host-go-1.22.4/.stamp_configured'. Stop.

Fix that by moving the provider symbol out of the if-block, so that
there is always a provider defined.

Now, we only have host-go-src as a provider, but the symbol is still
part of the choice that is conditional (and that _has_ to be
conditional), so the BR2_PACKAGE_HOST_GO_SRC can never be set unless
there is a package that explicitly selects BR2_PACKAGE_HOST_GO.

So, drop the conditional on the default, so that there is always a
provider available.

This mirrors other similar situations, like the rust case.

Fixes: fa2536ec94

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
LGTM: Arnout Vandecappelle (Essensium/Mind) (on IRC) <arnout@mind.be>
2024-06-20 20:33:44 +02:00
Yann E. MORIN
7338e10389 package/go-bootstrap-stage3: move missing patch
The patch was added in commit 25991c843c (package/go-bootstrap-stage3:
fix go-bootstrap when parent dir contains invalid .git). Then all the
go-compiler packages were moved to a common sub-directory, in commit
0290c543de (package/go: new subdirectory for go variants).

However, the patch for commit 0290c543de was sent to the mailing list
before 25991c843c was applied, so it could not have moved a file that
was only added later.

Move that file, now.

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Thomas Perale <thomas.perale@mind.be>
Cc: Romain Naour <romain.naour@smile.fr>
2024-06-20 20:31:55 +02:00
Peter Korsgaard
876d24578c Merge branch 'next'
2024-06-13 11:16:07 +02:00
Christian Stewart
d6e0f1b622 package/go: security bump to go1.22.4
Fixes the following CVEs:

CVE-2024-24789: archive/zip: mishandling of corrupt central directory record
CVE-2024-24790: net/netip: unexpected behavior from Is methods for IPv4-mapped IPv6 addresses

View the release notes for more information:
https://go.dev/doc/devel/release#go1.22.4

Signed-off-by: Christian Stewart <christian@aperture.us>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-06-04 23:16:48 +02:00
Thomas Perale
fa2536ec94 package/go: make host package a virtual package
Turns host-go into a virtual package, with a single provider:

 - host-go-src, which builds host-go from source based on the same logic
   that was previously used in package/go/go/go.mk, now moved to
   package/go/go-src/go-src.mk to remove any ambiguity on the role of
   the package.

In later commits, we'll add host-go-bin, a prebuilt binary host go
compiler, as another provider.

A similar solution is proposed for host-rust.

Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2024-06-01 17:08:43 +02:00
Thomas Perale
58a291470a package/pkg-golang: select BR2_PACKAGE_HOST_GO
Makes every package built by the Go compiler select a new variable
introduced in this patch: BR2_PACKAGE_HOST_GO.
In later commits, Go compiler variants will be introduced (built from
source, pre-built binaries), and selecting BR2_PACKAGE_HOST_GO will
force a host-go provider to be added to the dependency list.

The same pattern is used for Rust packages.

Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2024-06-01 17:08:22 +02:00
Thomas Perale
0290c543de package/go: new subdirectory for go variants
Move every go compiler-related package into a newly created
package/go/ subdirectory.

This subdirectory structure moves the GO_VERSION variable into the
common package/go/go.mk file. In the next commits, host-go will be
turned into a virtual package, and the common GO_VERSION forces the
providers to use the same Go compiler version.
Common variables to all providers are kept in package/go/go.mk and
package/go/Config.in.host.
Also, the subdirectory structure forces the evaluation of the common
GO_VERSION before the providers access it.

Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2024-06-01 17:05:20 +02:00
Christian Stewart
b74cb51c0f package/go: security bump version to go1.22.3
Fixes CVEs:

CVE-2024-24787: cmd/go: arbitrary code execution during build on darwin
CVE-2024-24788: net: malformed DNS message can cause infinite loop

https://go.dev/doc/devel/release#go1.22.3

Signed-off-by: Christian Stewart <christian@aperture.us>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2024-05-08 18:37:18 +02:00
Christian Stewart
aef5490fab package/go: security bump to go1.22.2
CVE-2023-45288: http2: close connections when receiving too many headers

https://go.dev/doc/devel/release#go1.22.2

Signed-off-by: Christian Stewart <christian@aperture.us>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-04-04 16:20:30 +02:00
Christian Stewart
84caea5d58 package/go: bump to version go1.22.1
Upgrade Go to the latest v1.22.x point release, go1.22.1.

This requires go-bootstrap-stage3 at version go1.21.8:

See: https://go.dev/doc/go1.22#bootstrap

https://go.dev/doc/devel/release#go1.22.1

Signed-off-by: Christian Stewart <christian@aperture.us>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
2024-03-25 23:27:45 +01:00
Christian Stewart
a94f816e45 package/go: security bump to go1.21.8
Fixes the following CVEs:

CVE-2024-24783: crypto/x509: Verify panics on certificates with an unknown public key algorithm
CVE-2023-45290: net/http: memory exhaustion in Request.ParseMultipartForm
CVE-2023-45289: net/http, net/http/cookiejar: incorrect forwarding of sensitive headers and cookies on HTTP redirect
CVE-2024-24785: html/template: errors returned from MarshalJSON methods may break template escaping
CVE-2024-24784: net/mail: comments in display names are incorrectly handled

https://go.dev/doc/devel/release#go1.21.8

Signed-off-by: Christian Stewart <christian@aperture.us>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-03-06 08:23:51 +01:00
Christian Stewart
568bd6c39d package/go: bump version to go1.21.7
go1.21.7 (released 2024-02-06) includes fixes to the compiler, the go command,
the runtime, and the crypto/x509 package.

https://go.dev/doc/devel/release#go1.21.7

Signed-off-by: Christian Stewart <christian@aperture.us>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-02-06 23:29:14 +01:00
Christian Stewart
22393c9326 package/go: bump to version 1.21.6
go1.21.6 (released 2024-01-09) includes fixes to the compiler, the runtime, and
the crypto/tls, maps, and runtime/pprof packages.

https://go.dev/doc/devel/release#go1.21.6

Signed-off-by: Christian Stewart <christian@aperture.us>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-01-10 17:12:25 +01:00
Christian Stewart
b81b82da3e package/go: security bump to v1.21.5
Fixes the following CVEs:

CVE-2023-39326: net/http: limit chunked data overhead
CVE-2023-45285: cmd/go: go get may unexpectedly fallback to insecure git

https://go.dev/doc/devel/release#go1.21.5

Signed-off-by: Christian Stewart <christian@aperture.us>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-12-07 10:47:02 +01:00
Christian Stewart
bf1d1a9b7a package/go: security bump to go1.21.4
Go version 1.21.4 includes the following security fixes:

CVE-2023-45283: path/filepath: recognize \??\ as a Root Local Device path prefix.
CVE-2023-45284: path/filepath: recognize device names with trailing spaces and superscripts

https://go.dev/doc/devel/release#go1.21.4

Signed-off-by: Christian Stewart <christian@aperture.us>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-11-08 08:07:44 +01:00
Peter Korsgaard
9104583124 package/go: security bump to version 1.21.3
Fixes CVE-2023-39325: rapid stream resets can cause excessive work

A malicious HTTP/2 client which rapidly creates requests and immediately
resets them can cause excessive server resource consumption.  While the
total number of requests is bounded to the http2.Server.MaxConcurrentStreams
setting, resetting an in-progress request allows the attacker to create a
new request while the existing one is still executing.

go1.21.3 (released 2023-10-10) includes a security fix to the net/http
package.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Reviewed-by: Christian Stewart <christian@aperture.us>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-10-12 16:38:28 +02:00
Peter Korsgaard
1316b4ef31 package/go: security bump to version 1.21.2
Fixes CVE-2023-39323: Line directives ("//line") can be used to bypass the
restrictions on "//go:cgo_" directives, allowing blocked linker and compiler
flags to be passed during compilation.  This can result in unexpected
execution of arbitrary code when running "go build".

go1.21.2 (released 2023-10-05) includes one security fix to the cmd/go
package, as well as bug fixes to the compiler, the go command, the linker,
the runtime, and the runtime/metrics package.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-10-08 18:00:13 +02:00
Yann E. MORIN
1db38d9282 package/go: fix installation
When building for a target architecture that go does not support, the
installation fails with:

    $ make host-go
    [...]
    ln -sf ../lib/go/bin/go /home/nyma7486/dev/work/5GCroCo/O/pouet/per-package/host-go/host/bin/
    ln: failed to create symbolic link '/home/nyma7486/dev/work/5GCroCo/O/pouet/per-package/host-go/host/bin/': No such file or directory

Indeed, the HOST_DIR/bin is not guaranteed to exist when we install a
host package, so it needs to be explicitly created before we can create
entries in there.

Signed-off-by: Yann E. MORIN <yann.morin@orange.com>
Cc: Christian Stewart <christian@aperture.us>
Cc: Anisse Astier <anisse@astier.eu>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-10-01 16:35:55 +02:00
Christian Stewart
1a44f9242c package/go: cgo for the target needs the toolchain
Building go with cgo support needs to build some .c files to generate target
support code, and thus calls the cross C compiler, which is failing when the
toolchain is not built before host-go:

    >>> host-go 1.21.1 Building
    cd .../build/host-go-1.21.1/src && GO111MODULE=off GOCACHE=.../per-package/host-go/host/share/host-go-cache GOROOT_BOOTSTRAP=.../per-package/host-go/host/lib/go-1.19.11 GOROOT_FINAL=.../per-package/host-go/host/lib/go GOROOT=".../build/host-go-1.21.1" GOBIN=".../build/host-go-1.21.1/bin" GOOS=linux CC=/usr/bin/gcc CXX=/usr/bin/g++ CGO_ENABLED=1 CC_FOR_TARGET=".../per-package/host-go/host/bin/arm-linux-gcc" CXX_FOR_TARGET=".../per-package/host-go/host/bin/arm-linux-g++" GOOS="linux" GOARCH=arm  GOARM=6 GO_ASSUME_CROSSCOMPILING=1 ./make.bash
    Building Go cmd/dist using .../per-package/host-go/host/lib/go-1.19.11.  (go1.19.11 linux/amd64)
    go tool dist: cannot invoke C compiler [".../per-package/host-go/host/bin/arm-linux-gcc"]: fork/exec .../per-package/host-go/host/bin/arm-linux-gcc: no such file or directory

    Go needs a system C compiler for use with cgo.
    To set a C compiler, set CC=the-compiler.
    To disable cgo, set CGO_ENABLED=0.

This happens systematically with PPD, and happens without PPD when
host-go is explicitly built (by running: "make host-go").

Since only CGO support needs to compile C files, only add the toolchain
dependency in that case.

When the target is not supported by go, then there is obviously no need
to depend on the toolchain (even if we unconditionally enable cgo
support in only-for-the-host host-go).

Signed-off-by: Christian Stewart <christian@aperture.us>
[yann.morin@orange.com:
  - only add the toolchain dependency for target cgo
  - reword commit log
]
Signed-off-by: Yann E. MORIN <yann.morin@orange.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Anisse Astier <anisse@astier.eu>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-09-30 08:41:33 +02:00
Christian Stewart
5d95b4d90d package/go: security bump to version 1.21.1
go1.21.1 (released 2023-09-06) includes four security fixes to the cmd/go,
crypto/tls, and html/template packages, as well as bug fixes to the compiler,
the go command, the linker, the runtime, and the context, crypto/tls,
encoding/gob, encoding/xml, go/types, net/http, os, and path/filepath packages.

Security fixes:

CVE-2023-39320: cmd/go: go.mod toolchain directive allows arbitrary execution
CVE-2023-39318: html/template: improper handling of HTML-like comments within script contexts
CVE-2023-39319: html/template: improper handling of special tags within script contexts
CVE-2023-39321: crypto/tls: panic when processing post-handshake message on QUIC connections

https://go.dev/doc/devel/release#go1.21.0

Signed-off-by: Christian Stewart <christian@aperture.us>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-09-08 12:20:10 +02:00
Christian Stewart
06b2e496a0 package/go: bump to version 1.21.0
Go 1.21.0 is a major release of Go.

https://go.dev/doc/devel/release#go1.21.0

Set GOTOOLCHAIN=local to disable the new toolchain download feature. This
feature, introduced in Go 1.21.x, will automatically download pre-built compiler
binaries from Google for the toolchain version specified in go.mod. We do not
want this in Buildroot as we build from source instead: set GOTOOLCHAIN=local to
disable the feature and use the locally built toolchain.

https://go.dev/doc/toolchain

Signed-off-by: Christian Stewart <christian@aperture.us>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-08-30 23:48:51 +02:00
Christian Stewart
ee7179497b package/go: security bump to v1.20.7
go1.20.7 (released 2023-08-01) includes a security fix to the crypto/tls
package, as well as bug fixes to the assembler and the compiler.

Fixes CVE-2023-29409: restrict RSA keys in certificates to <= 8192 bits

Extremely large RSA keys in certificate chains can cause a client/server to
expend significant CPU time verifying signatures. Limit this by restricting the
size of RSA keys transmitted during handshakes to <= 8192 bits.

Based on a survey of publicly trusted RSA keys, there are currently only three
certificates in circulation with keys larger than this, and all three appear to
be test certificates that are not actively deployed. It is possible there are
larger keys in use in private PKIs, but we target the web PKI, so causing
breakage here in the interests of increasing the default safety of users of
crypto/tls seems reasonable.

https://go.dev/doc/devel/release#go1.20.7

Signed-off-by: Christian Stewart <christian@aperture.us>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-08-01 23:18:52 +02:00
Thomas Petazzoni
d536197234 package/go: adjust Upstream header in patch
Fixes:

  package/go/0002-cmd-dist-set-buildvcs-false-when-building-go-bootstr.patch:0:
  missing Upstream in the header (http://nightly.buildroot.org/#_additional_patch_documentation)

In:

 https://gitlab.com/buildroot.org/buildroot/-/jobs/4763324039

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-07-28 22:09:22 +02:00
Christian Stewart
bc8e70a08b package/go: fix go-bootstrap when parent dir contains invalid .git
Building host-go within docker fails:

error obtaining VCS status: exit status 128
	Use -buildvcs=false to disable VCS stamping.

Reproduction of the issue:

mkdir go-issue-61620
cd ./go-issue-61620
wget https://go.dev/dl/go1.19.11.src.tar.gz
mkdir go-bootstrap
tar -xf go1.19.11.src.tar.gz -C ./go-bootstrap --strip-components=1
cd ./go-bootstrap/src/
bash make.bash
cd ../../
wget https://go.dev/dl/go1.20.6.src.tar.gz
mkdir go
tar -xf go1.20.6.src.tar.gz -C ./go/ --strip-components=1
printf "gitdir: ../../does/not/exist/.git" > ./.git
cd ./go/src/
GOROOT_BOOTSTRAP=$(pwd)/../../go-bootstrap/ bash make.bash

The error only occurs when the .git that git detects in the parent directory of
the GOROOT_BOOTSTRAP is invalid or not present causing errors when running `git`
commands within GOROOT_BOOTSTRAP.

Report: https://lists.buildroot.org/pipermail/buildroot/2023-July/671344.html
Fixes: https://gitlab.com/buildroot.org/buildroot/-/jobs/4725186525
Upstream issue: https://github.com/golang/go/issues/61620
Upstream PR: https://github.com/golang/go/pull/61621

Signed-off-by: Christian Stewart <christian@aperture.us>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-07-28 21:27:48 +02:00
Christian Stewart
78d80aa395 package/go: bump to version 1.20.6
The latest Go release, version 1.20, arrives six months after Go 1.19. Most of
its changes are in the implementation of the toolchain, runtime, and libraries.

https://go.dev/doc/go1.20
https://go.dev/doc/devel/release#go1.20.6
https://github.com/golang/go/issues?q=milestone%3AGo1.20.6+label%3ACherryPickApproved

Signed-off-by: Christian Stewart <christian@aperture.us>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-07-22 23:01:24 +02:00
Christian Stewart
651835dbd7 package/go: adjust comments
Adjust comments in the Go package to improve clarity:

Config.in.host:

 - Add comment mentioning list of supported architectures.

go.mk:

 - Reword comment re: copying src/ to host/
   - the previously linked issue is not relevant.
   - instead: mention that src/ is needed for stdlib.
 - Adjust comment re: adjusting file timestamps.
   - mention this is needed to avoid rebuilding stdlib

Signed-off-by: Christian Stewart <christian@aperture.us>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-07-22 23:00:06 +02:00
Christian Stewart
6bedfdf691 package/go-bootstrap: split into two stages: go1.4 and go1.19.10
Go 1.20 requires a minimum version of go 1.17.13 to bootstrap.

https://go.dev/doc/go1.20#bootstrap

As Go 1.4 was the previous version that could be compiled with C, there is now
no way to bootstrap go with a C compiler, unless we use a two-stage bootstrap:

 - build host-go-bootstrap-1.4-20170531
 - build host-go-bootstrap-1.19.10 with host-go-bootstrap-1.4-20170531
 - build host-go-1.20 with host-go-bootstrap-1.19.9

This is implemented in this commit first, before upgrading host-go to 1.20.

Note: the .patch files from package/go version 1.19.x are not necessary for
package/go-bootstrap-stage2 and have not been included there.

Previous discussion of possible alternatives:

https://lore.kernel.org/all/CA+h8R2rtcynkCBsz=_9yANOEguyPCOcQDj8_ns+cv8RS8+8t9A@mail.gmail.com/
https://lore.kernel.org/all/20220525234312.643dfc03@windsurf/T/

Signed-off-by: Christian Stewart <christian@aperture.us>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-07-22 22:59:27 +02:00
Christian Stewart
fc957ece11 package/go: security bump to version 1.19.11
go1.19.11 (released 2023-07-11) includes a security fix to the net/http package,
as well as bug fixes to cgo, the cover tool, the go command, the runtime, and
the go/printer package.

CVE-2023-29406 and Go issue https://go.dev/issue/60374

Signed-off-by: Christian Stewart <christian@aperture.us>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-07-12 21:50:16 +02:00
Peter Korsgaard
620ce32227 package/go: security bump to version 1.9.10
Fixes the following security issues:

- cmd/go: cgo code injection

  The go command may generate unexpected code at build time when using cgo.
  This may result in unexpected behavior when running a go program which
  uses cgo.

  This may occur when running an untrusted module which contains directories
  with newline characters in their names.  Modules which are retrieved using
  the go command, i.e.  via "go get", are not affected (modules retrieved
  using GOPATH-mode, i.e.  GO111MODULE=off, may be affected).

  Thanks to Juho Nurminen of Mattermost for reporting this issue.

  This is CVE-2023-29402 and Go issue https://go.dev/issue/60167.

- runtime: unexpected behavior of setuid/setgid binaries

  The Go runtime didn't act any differently when a binary had the
  setuid/setgid bit set.  On Unix platforms, if a setuid/setgid binary was
  executed with standard I/O file descriptors closed, opening any files
  could result in unexpected content being read/written with elevated
  privileges.  Similarly if a setuid/setgid program was terminated, either
  via panic or signal, it could leak the contents of its registers.

  Thanks to Vincent Dehors from Synacktiv for reporting this issue.

  This is CVE-2023-29403 and Go issue https://go.dev/issue/60272.

- cmd/go: improper sanitization of LDFLAGS

  The go command may execute arbitrary code at build time when using cgo.
  This may occur when running "go get" on a malicious module, or when
  running any other command which builds untrusted code.  This can be
  triggered by linker flags, specified via a "#cgo LDFLAGS" directive.

  Thanks to Juho Nurminen of Mattermost for reporting this issue.

  This is CVE-2023-29404 and CVE-2023-29405 and Go issues
  https://go.dev/issue/60305 and https://go.dev/issue/60306.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-06-06 21:56:00 +02:00
Christian Stewart
509a5d66c4 package/go: security bump to version 1.19.9
go1.19.9 (released 2023-05-02) includes three security fixes to the
html/template package, as well as bug fixes to the compiler, the runtime, and
the crypto/subtle, crypto/tls, net/http, and syscall packages.

CVE-2023-24539: html/template: improper sanitization of CSS values
CVE-2023-24540: html/template: improper handling of JavaScript whitespace
CVE-2023-29400: html/template: improper handling of empty HTML attributes

https://go.dev/doc/devel/release#go1.19.9
https://github.com/golang/go/issues?q=milestone%3AGo1.19.9+label%3ACherryPickApproved

Signed-off-by: Christian Stewart <christian@aperture.us>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-05-03 22:29:30 +02:00
Christian Stewart
b7eaa9af7b package/go: security bump to version 1.19.8
go1.19.8 (released 2023-04-04) includes security fixes to the go/parser,
html/template, mime/multipart, net/http, and net/textproto packages, as well as
bug fixes to the compiler, the linker, the runtime, and the time package.

Fixes security vulnerabilities:

go/parser: infinite loop in parsing (CVE-2023-24537)

html/template: backticks not treated as string delimiters (CVE-2023-24538)

net/http, net/textproto: denial of service from excessive memory
allocation (CVE-2023-24534)

net/http, net/textproto, mime/multipart: denial of service from excessive
resource consumption (CVE-2023-24536)

https://go.dev/doc/devel/release#go1.19.8
https://github.com/golang/go/issues?q=milestone%3AGo1.19.8+label%3ACherryPickApproved

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-04-05 22:17:52 +02:00
Peter Korsgaard
e93f96b717 package/go: security bump to version 1.19.7
go1.19.7 (released 2023-03-07) includes a security fix to the
crypto/elliptic package, as well as bug fixes to the linker, the runtime,
and the crypto/x509 and syscall packages.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-03-12 17:51:21 +01:00
Christian Stewart
98e0452ebb package/go: security bump to version 1.19.6
go1.19.6 (released 2023-02-14) includes security fixes to the crypto/tls,
mime/multipart, net/http, and path/filepath packages, as well as bug fixes to
the go command, the linker, the runtime, and the crypto/x509, net/http, and time
packages. See the Go 1.19.6 milestone on the Go issue tracker for details.

CVE-2022-41725: net/http, mime/multipart: denial of service from excessive resource consumption
CVE-2022-41724: crypto/tls: large handshake records may cause panics
CVE-2022-41723: net/http: avoid quadratic complexity in HPACK decoding

https://go.dev/doc/devel/release#go1.19.minor

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-02-15 10:13:41 +01:00
Peter Korsgaard
162f656884 package/go: explicitly set GOMODCACHE
go mod vendor caches downloaded modules to the Go module cache, which
defaults to $GOPATH/pkg/mod - But can be overridden with the GOMODCACHE
environment variable:

https://go.dev/ref/mod#module-cache

So explicitly set GOMODCACHE= for reproducibility.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-01-16 21:24:05 +01:00
Peter Korsgaard
07a745e55d package/go: set GOCACHE for download post-process
The go mod vendor call in support/download/go-post-process accesses the go
cache, so pass GOCACHE= in the environment to ensure our cache directory is
used.

The go cache defaults to ~/.cache/go-build if not set, so this fixes builds
where that location (or GOCACHE if set in the environment) is not writable:

rm -rf ~/.cache/go-build
chmod -w ~/.cache
make docker-compose-source
..
failed to initialize build cache at /home/peko/.cache/go-build: mkdir /home/peko/.cache/go-build: permission denied
make[1]: *** [package/pkg-generic.mk:189: /home/peko/source/buildroot/output/build/docker-compose-2.14.0/.stamp_downloaded] Error 1

We use two different cache directories for target and host builds, but the
download/vendoring should be independent of the architecture, so use the
target variant even for host-only packages for simplicity.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-01-16 21:24:02 +01:00
Christian Stewart
ab8a8066f5 package/go: bump version to 1.19.5
go1.19.5 (released 2023-01-10) includes fixes to the compiler, the linker, and
the crypto/x509, net/http, sync/atomic, and syscall packages.

https://github.com/golang/go/issues?q=milestone%3AGo1.19.5+label%3ACherryPickApproved

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-01-12 11:44:59 +01:00
Christian Stewart
090d126da8 package/go: security bump to version 1.19.4
Includes 2 security fixes following the security policy.

 - CVE-2022-41720: https://go.dev/issue/56694
 - CVE-2022-41717: https://go.dev/issue/56350

https://groups.google.com/g/golang-nuts/c/rQgaDWEvUrE
https://github.com/golang/go/issues?q=milestone%3AGo1.19.4+label%3ACherryPickApproved+

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2022-12-09 19:00:53 +01:00