Origin: https://github.com/golang/go/commit/
ff5addb6be2fb3001f0cb026c3e4931090a85664
Reviewed-by: Sylvain Beucler <beuc@debian.org>
Last-Update: 2023-04-14
From
ff5addb6be2fb3001f0cb026c3e4931090a85664 Mon Sep 17 00:00:00 2001
From: Ian Lance Taylor <iant@golang.org>
Date: Mon, 2 Nov 2020 21:31:06 -0800
Subject: [PATCH] [release-branch.go1.14-security] cmd/go: in cgoflags, permit
-DX1, prohibit -Wp,-D,opt
Restrict -D and -U to ASCII C identifiers, but do permit trailing digits.
When using -Wp, prohibit commas in -D values.
Thanks to Imre Rad (https://www.linkedin.com/in/imre-rad-2358749b) for reporting this.
Fixes CVE-2020-28367
Change-Id: Ibfc4dfdd6e6c258e131448e7682610c44eee9492
Reviewed-on: https://go-review.googlesource.com/c/go/+/267277
Trust: Ian Lance Taylor <iant@golang.org>
Run-TryBot: Ian Lance Taylor <iant@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Bryan C. Mills <bcmills@google.com>
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/899923
Reviewed-by: Filippo Valsorda <valsorda@google.com>
Gbp-Pq: Name CVE-2020-28367.patch
var re = regexp.MustCompile
var validCompilerFlags = []*regexp.Regexp{
- re(`-D([A-Za-z_].*)`),
+ re(`-D([A-Za-z_][A-Za-z0-9_]*)(=[^@\-]*)?`),
re(`-F([^@\-].*)`),
re(`-I([^@\-].*)`),
re(`-O`),
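Review bot: The rewritten `-D` entry has no comment, although it now encodes three rules: an ASCII identifier name, an optional `=value`, and a value containing neither `@` nor `-`. The neighbouring `-W([^@,]+)` entry shows the file's habit of explaining such limits inline, so I would add `// -DX1 or -DX=val: ASCII C identifier; value may not contain @ or -.` here, and `// as -D, plus no comma, so -Wp, cannot carry a second option.` on the `-Wp,-D` entry in the next hunk. The comment should say that refusing `-` is deliberate, because it turns away values such as `-DX=-1` that the old pattern accepted. These patterns are only safe if the caller requires the match to cover the whole argument; that check is outside the hunk, as is the rest of the list literal.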
re(`-W`),
re(`-W([^@,]+)`), // -Wall but not -Wa,-foo.
re(`-Wa,-mbig-obj`),
- re(`-Wp,-D([A-Za-z_].*)`),
+ re(`-Wp,-D([A-Za-z_][A-Za-z0-9_]*)(=[^@,\-]*)?`),
re(`-ansi`),
re(`-f(no-)?asynchronous-unwind-tables`),
re(`-f(no-)?blocks`),
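Review bot: The description says both -D and -U are restricted, yet the only entries changed in the hunks shown are `-D` and `-Wp,-D`. If this tree's allowlist has `-U` or `-Wp,-U` entries, they are not visible here and presumably still end in `.*`, which would leave `-Wp,-U` with the same extra-option problem the commit closes for `-Wp,-D`. Either confirm that this branch has no such entries or tighten them the same way, using a pattern like `-Wp,-U([A-Za-z_][A-Za-z0-9_]*)`.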
{"-Osmall"},
{"-W"},
{"-Wall"},
+ {"-Wp,-Dfoo1"},
{"-fobjc-arc"},
{"-fno-objc-arc"},
{"-fomit-frame-pointer"},
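Review bot: The added cases exercise only the `-Wp,` form. Nothing added here pins the plain `-DX1` that the subject line says must be permitted, and neither list gains a case for the new `=value` branch. I would add `{"-DX1"},` and `{"-Wp,-DX=1"},` to this list, and in the rejected list of the next hunk a value-bearing case such as `{"-Wp,-DX=1,-DY"},` next to `-Wp,-DX,-D@X`, so that a later loosening of `[^@,\-]` fails a test. Both list literals start and end outside the hunks.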
{"-O@1"},
{"-Wa,-foo"},
{"-W@foo"},
+ {"-Wp,-DX,-D@X"},
{"-g@gdb"},
{"-g-gdb"},
{"-march=@dawn"},