Roland Shoemaker [Thu, 27 May 2021 17:40:06 +0000 (10:40 -0700)]
[PATCH] [release-branch.go1.15] net: verify results from Lookup* are valid domain names
For the methods LookupCNAME, LookupSRV, LookupMX, LookupNS, and
LookupAddr check that the returned domain names are in fact valid DNS
names using the existing isDomainName function.
Thanks to Philipp Jeitner and Haya Shulman from Fraunhofer SIT for
reporting this issue.
Updates #46241
Fixes #46356
Fixes CVE-2021-33195
Change-Id: I47a4f58c031cb752f732e88bbdae7f819f0af4f3
Reviewed-on: https://go-review.googlesource.com/c/go/+/323131
Trust: Roland Shoemaker <roland@golang.org>
Run-TryBot: Roland Shoemaker <roland@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Katie Hockman <katie@golang.org>
(cherry picked from commit cdcd02842da7c004efd023881e3719105209c908)
Reviewed-on: https://go-review.googlesource.com/c/go/+/323269
Gbp-Pq: Name 0009-CVE-2021-33195-1.patch
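The check described in the commit above, as an added Go example that is not code from Go's net package: a simplified domain-name validator (its rules are an assumed subset of hostname syntax, not a transcription of isDomainName) run over a constructed sample of resolver output.

```go
package main

import "fmt"

// Added example, not code from Go's net package: a simplified domain-name check
// in the spirit of the fix, applied to resolver results before the caller trusts
// them. Assumed rules (a subset of hostname syntax): 1..253 bytes plus an optional
// trailing dot; labels of 1..63 letters, digits or hyphens, not starting or ending with a hyphen.
func isValidDomainName(s string) bool {
	if s != "" && s[len(s)-1] == '.' {
		s = s[:len(s)-1] // a trailing dot (absolute name) is allowed
	}
	if s == "" || len(s) > 253 {
		return false
	}
	start := 0
	for i := 0; i <= len(s); i++ {
		if i == len(s) || s[i] == '.' { // end of a label
			if !validLabel(s[start:i]) {
				return false
			}
			start = i + 1
		}
	}
	return true
}

func validLabel(l string) bool {
	if len(l) == 0 || len(l) > 63 || l[0] == '-' || l[len(l)-1] == '-' {
		return false
	}
	for i := 0; i < len(l); i++ {
		if c := l[i]; !('a' <= c && c <= 'z' || 'A' <= c && c <= 'Z' || '0' <= c && c <= '9' || c == '-') {
			return false
		}
	}
	return true
}

func main() {
	// Constructed sample of resolver output: two well-formed names, two malformed.
	for _, n := range []string{"mail.example.com.", "example.com", "-bad.example", "bad label.example"} {
		fmt.Printf("%-20q valid=%v\n", n, isValidDomainName(n))
	}
}
```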
Roland Shoemaker [Tue, 11 May 2021 18:31:31 +0000 (11:31 -0700)]
archive/zip: only preallocate File slice if reasonably sized
Since the number of files in the EOCD record isn't validated, it isn't
safe to preallocate Reader.Files using that field. A malformed archive
can indicate it contains up to 1 << 128 - 1 files. We can still safely
preallocate the slice by checking if the specified number of files in
the archive is reasonable, given the size of the archive.
Thanks to the OSS-Fuzz project for discovering this issue and to
Emmanuel Odeke for reporting it.
Updates #46242
Fixes #46396
Fixes CVE-2021-33196
Change-Id: I3c76d8eec178468b380d87fdb4a3f2cb06f0ee76
Reviewed-on: https://go-review.googlesource.com/c/go/+/318909
Trust: Roland Shoemaker <roland@golang.org>
Trust: Katie Hockman <katie@golang.org>
Trust: Joe Tsai <thebrokentoaster@gmail.com>
Run-TryBot: Roland Shoemaker <roland@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Katie Hockman <katie@golang.org>
Reviewed-by: Joe Tsai <thebrokentoaster@gmail.com>
(cherry picked from commit 74242baa4136c7a9132a8ccd9881354442788c8c)
Reviewed-on: https://go-review.googlesource.com/c/go/+/322949
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Origin: backport, https://github.com/golang/go/commit/c92adf420a3d9a5510f9aea382d826f0c9216a10
Gbp-Pq: Name 0008-CVE-2021-33196.patch
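The plausibility bound this commit describes, as an added Go example that is not the project's own archive/zip code: the declared record count is only used for preallocation when the archive is large enough to hold that many entries (the 30-byte minimum per entry is this example's assumption, taken from the fixed size of a ZIP local file header).

```go
package main

import "fmt"

// Added example, not Go's archive/zip code: pick a safe preallocation size for
// the file-entry slice from an untrusted EOCD record count. Assumption: every
// entry occupies at least minEntryLen bytes outside the central directory (the
// fixed part of a ZIP local file header is 30 bytes), so a declared count above
// (archiveSize - directorySize) / minEntryLen cannot be genuine.
const minEntryLen = 30

// safeFileCapacity returns the capacity to preallocate, or 0 (let the slice
// grow on demand) when the declared count is implausible for the archive
// size or the central directory itself does not fit inside the archive.
// Dividing instead of multiplying avoids overflow on huge declared counts.
func safeFileCapacity(declaredRecords, directorySize, archiveSize uint64) uint64 {
	if directorySize >= archiveSize {
		return 0
	}
	if (archiveSize-directorySize)/minEntryLen < declaredRecords {
		return 0
	}
	return declaredRecords
}

func main() {
	// Constructed values: a plausible 1000-byte archive with a 200-byte central
	// directory claiming 3 files, and a malformed one claiming 2^63 files.
	fmt.Println(safeFileCapacity(3, 200, 1000))     // 3
	fmt.Println(safeFileCapacity(1<<63, 200, 1000)) // 0
	entries := make([]string, 0, safeFileCapacity(1<<63, 200, 1000))
	fmt.Println(cap(entries)) // 0: no giant allocation up front
}
```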
Katie Hockman [Wed, 28 Apr 2021 18:47:48 +0000 (14:47 -0400)]
[PATCH] [release-branch.go1.15] std: update golang.org/x/net to 20210428183841-261fb518b1ed
Steps:
go get -d golang.org/x/net@release-branch.go1.15
go mod tidy
go mod vendor
This http2 bundle does not need to be updated.
Fixes #45711
Change-Id: I085ca592dfc8d5d9c328a7979142e88e7130a813
Reviewed-on: https://go-review.googlesource.com/c/go/+/314790
Trust: Katie Hockman <katie@golang.org>
Run-TryBot: Katie Hockman <katie@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
Gbp-Pq: Name 0007-CVE-2021-31525.patch
Shengjing Zhu [Fri, 5 Feb 2021 13:21:45 +0000 (21:21 +0800)]
skip userns test in schroot as well
When schroot is using overlayfs, it fails to detect it as a chroot.
Gbp-Pq: Name 0006-skip-userns-test-in-schroot-as-well.patch
Balint Reczey [Mon, 31 Aug 2020 11:14:51 +0000 (13:14 +0200)]
[PATCH] cmd/dist: increase default timeout scale for arm
Forwarded: https://github.com/golang/go/issues/43002
Most developers use (faster) amd64 machines when setting the test timeouts,
but tests may run on slower arm ones, and different tests may also suffer
different relative slowdowns on arm CPUs.
Due to those two varying factors it is safer to allow a higher timeout
scale on arm to avoid tests timing out.
Gbp-Pq: Name 0005-cmd-dist-increase-default-timeout-scale-for-arm.patch
Xiangdong Ji [Wed, 5 Aug 2020 06:02:58 +0000 (06:02 +0000)]
cmd/dist: fix build failure of misc/cgo/test on arm64
Test7978 of misc/cgo/test fails in 'dist test' on arm64 if the C compiler
is GCC 9.4 or above and its 'outline atomics' feature is enabled, since
internal linking does not yet support "__attribute__((constructor))"
and also mis-handles hidden visibility.
Two changes are made for 'misc/cgo/test' to fix the issue:
1. passing "-tags=internal" for the internal linking PIE case.
2. skipping Test7978 on arm64 for the internal linking cases.
This CL fixes the 'dist test' failure only; the user is expected to pass the option
'-mno-outline-atomics' via CGO_CFLAGS if running into the same problem when
building a cgo program using internal linking.
Updates #39466
Change-Id: I2011bb051cae7c43eb0f1c78c7f4fbdb94bf78a6
Gbp-Pq: Name 0004-cmd-dist-fix-build-failure-of-misc-cgo-test-on-arm64.patch
YunQiang Su [Tue, 9 Jun 2020 04:09:58 +0000 (04:09 +0000)]
cmd/go, cmd/cgo: pass -mfp32 and -mhard/soft-float to MIPS GCC
For mips32 currently, we are using FP32, while gcc may be FPXX,
which may generate .MIPS.abiflags and .gnu.attributes sections with
the value FPXX. So the kernel will treat the exe as FPXX, and may
choose to use FR=1 FPU mode for it.
Currently, in Go, we use 2 lwc1 to load both halves of a double value
into a pair of even-odd FPRs. This behavior can only work in FR=0 mode.
In FR=1 mode, all 32 FPRs are 64-bit. If we lwc1 the high half of a double
value into an odd FPR, and try to use the previous even FPR to compute, the
real high half of the even FPR will be unpredictable.
We set -mfp32 to force gcc to generate FP32 code and section values.
More details about FP32/FPXX/FP64 are explained in:
https://web.archive.org/web/20180828210612/https://dmz-portal.mips.com/wiki/MIPS_O32_ABI_-_FR0_and_FR1_Interlinking
When GOMIPS/GOMIPS64 is set as softfloat, we should also pass
-msoft-float to gcc.
Here we also add the -mno-odd-spreg option, since Loongson's CPU cannot use
odd-numbered FPRs in FR=0 mode.
Fixes #39435
Change-Id: I54026ad416a815fe43a9261ebf6d02e5519c3930
Gbp-Pq: Name 0003-cmd-go-cmd-cgo-pass-mfp32-and-mhard-soft-float-to-MI.patch
Dr. Tobias Quathamer [Thu, 1 Aug 2019 11:50:48 +0000 (13:50 +0200)]
Fix Lintian warnings about wrong interpreter path
The command used for this change is as follows:
grep -rH "/usr/bin/env perl" * | cut -d: -f1 | xargs -n1 sed -i -e "s,/usr/bin/env perl,/usr/bin/perl,"
Gbp-Pq: Name 0002-Fix-Lintian-warnings-about-wrong-interpreter-path.patch
Dr. Tobias Quathamer [Wed, 19 Dec 2018 13:25:06 +0000 (14:25 +0100)]
Disable test for UserHomeDir.
On Debian buildds, the user home dir does not exist, so this test fails.
Gbp-Pq: Name 0001-Disable-test-for-UserHomeDir.patch
Shengjing Zhu [Sat, 5 Jun 2021 11:36:34 +0000 (12:36 +0100)]
golang-1.15 (1.15.9-5) unstable; urgency=medium
* Team upload.
* Backport patches for CVE-2021-33195 CVE-2021-33197 CVE-2021-33198
+ CVE-2021-33195: net: Lookup functions may return invalid host names
+ CVE-2021-33197: net/http/httputil: ReverseProxy forwards Connection
headers if first one is empty
+ CVE-2021-33198: math/big: (*Rat).SetString with "1.770p02041010010011001001"
crashes with "makeslice: len out of range"
[dgit import unpatched golang-1.15 1.15.9-5]
Shengjing Zhu [Sat, 5 Jun 2021 11:36:34 +0000 (12:36 +0100)]
Import golang-1.15_1.15.9-5.debian.tar.xz
[dgit import tarball golang-1.15 1.15.9-5 golang-1.15_1.15.9-5.debian.tar.xz]
Shengjing Zhu [Thu, 11 Mar 2021 15:43:18 +0000 (15:43 +0000)]
Import golang-1.15_1.15.9.orig.tar.gz
[dgit import orig golang-1.15_1.15.9.orig.tar.gz]