projects / golang-1.11.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 763cbce) | patch
CVE-2020-28367
authorGo Compiler Team <team+go-compiler@tracker.debian.org>
Thu, 20 Apr 2023 14:32:58 +0000 (15:32 +0100)
committerSylvain Beucler <beuc@debian.org>
Thu, 20 Apr 2023 14:32:58 +0000 (15:32 +0100)
commit9f470e41350b3d08ab7d62eb14d56e3f96acfe86
tree030bec724122b70a38887c6f39f127c3f6b58fb5tree | snapshot
parent763cbce5610f52f1ac8723f8e0c0a841ca6b8ff3commit | diff
CVE-2020-28367

Origin: https://github.com/golang/go/commit/ff5addb6be2fb3001f0cb026c3e4931090a85664
Reviewed-by: Sylvain Beucler <beuc@debian.org>
Last-Update: 2023-04-14

From ff5addb6be2fb3001f0cb026c3e4931090a85664 Mon Sep 17 00:00:00 2001
From: Ian Lance Taylor <iant@golang.org>
Date: Mon, 2 Nov 2020 21:31:06 -0800
Subject: [PATCH] [release-branch.go1.14-security] cmd/go: in cgoflags, permit
 -DX1, prohibit -Wp,-D,opt

Restrict -D and -U to ASCII C identifiers, but do permit trailing digits.
When using -Wp, prohibit commas in -D values.

Thanks to Imre Rad (https://www.linkedin.com/in/imre-rad-2358749b) for reporting this.

Fixes CVE-2020-28367

Change-Id: Ibfc4dfdd6e6c258e131448e7682610c44eee9492
Reviewed-on: https://go-review.googlesource.com/c/go/+/267277
Trust: Ian Lance Taylor <iant@golang.org>
Run-TryBot: Ian Lance Taylor <iant@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Bryan C. Mills <bcmills@google.com>
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/899923
Reviewed-by: Filippo Valsorda <valsorda@google.com>
Gbp-Pq: Name CVE-2020-28367.patch
src/cmd/go/internal/work/security.go diff | blob | history
src/cmd/go/internal/work/security_test.go diff | blob | history
Unnamed repository; edit this file 'description' to name the repository.