golang-1.11.git
2 years ago CVE-2021-38297
Go Compiler Team [Thu, 20 Apr 2023 14:32:58 +0000 (15:32 +0100)]
CVE-2021-38297

Origin: https://github.com/golang/go/commit/4548fcc8dfd933c237f29bba6f90040a85922564
Reviewed-by: Sylvain Beucler <beuc@debian.org>
Last-Update: 2023-04-15

From 4548fcc8dfd933c237f29bba6f90040a85922564 Mon Sep 17 00:00:00 2001
From: Michael Knyszek <mknyszek@google.com>
Date: Thu, 2 Sep 2021 16:51:59 -0400
Subject: [PATCH] [release-branch.go1.16] misc/wasm, cmd/link: do not let
 command line args overwrite global data

On Wasm, wasm_exec.js puts command line arguments at the beginning
of the linear memory (following the "zero page"). Currently there
is no limit for this, and a very long command line can overwrite
the program's data section. Prevent this by limiting the command
line to 4096 bytes, and in the linker ensuring the data section
starts at a high enough address (8192).

(Arguably our address assignment on Wasm is a bit confusing. This
is the minimum fix I can come up with.)

Thanks to Ben Lubar for reporting this issue.

Change by Cherry Mui <cherryyz@google.com>.

For #48797
Fixes #48799
Fixes CVE-2021-38297

Change-Id: I0f50fbb2a5b6d0d047e3c134a88988d9133e4ab3
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1205933
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Than McIntosh <thanm@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/354591
Trust: Michael Knyszek <mknyszek@google.com>
Reviewed-by: Heschi Kreinick <heschi@google.com>
Gbp-Pq: Name CVE-2021-38297.patch

2 years ago CVE-2020-28367
Go Compiler Team [Thu, 20 Apr 2023 14:32:58 +0000 (15:32 +0100)]
CVE-2020-28367

Origin: https://github.com/golang/go/commit/ff5addb6be2fb3001f0cb026c3e4931090a85664
Reviewed-by: Sylvain Beucler <beuc@debian.org>
Last-Update: 2023-04-14

From ff5addb6be2fb3001f0cb026c3e4931090a85664 Mon Sep 17 00:00:00 2001
From: Ian Lance Taylor <iant@golang.org>
Date: Mon, 2 Nov 2020 21:31:06 -0800
Subject: [PATCH] [release-branch.go1.14-security] cmd/go: in cgoflags, permit
 -DX1, prohibit -Wp,-D,opt

Restrict -D and -U to ASCII C identifiers, but do permit trailing digits.
When using -Wp, prohibit commas in -D values.

Thanks to Imre Rad (https://www.linkedin.com/in/imre-rad-2358749b) for reporting this.

Fixes CVE-2020-28367

Change-Id: Ibfc4dfdd6e6c258e131448e7682610c44eee9492
Reviewed-on: https://go-review.googlesource.com/c/go/+/267277
Trust: Ian Lance Taylor <iant@golang.org>
Run-TryBot: Ian Lance Taylor <iant@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Bryan C. Mills <bcmills@google.com>
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/899923
Reviewed-by: Filippo Valsorda <valsorda@google.com>
Gbp-Pq: Name CVE-2020-28367.patch

2 years ago Fixes CVE-2021-3114
Filippo Valsorda [Fri, 8 Jan 2021 02:56:58 +0000 (03:56 +0100)]
Fixes CVE-2021-3114

Cherry-pick from upstream:
https://github.com/golang/go/commit/d95ca9138026cbe40e0857d76a81a16d03230871

Gbp-Pq: Name 0012-Fix-CVE-2021-3114.patch

2 years ago Fix CVE-2020-16845
Katie Hockman [Tue, 4 Aug 2020 15:45:32 +0000 (11:45 -0400)]
Fix CVE-2020-16845

Cherry-picked from upstream:
https://github.com/golang/go/commit/027d7241ce050d197e7fabea3d541ffbe3487258

Gbp-Pq: Name 0011-Fix-CVE-2020-16845.patch

2 years ago Fix CVE-2020-15586
Russ Cox [Mon, 13 Jul 2020 17:27:22 +0000 (13:27 -0400)]
Fix CVE-2020-15586

Cherry-picked from upstream:
https://github.com/golang/go/commit/fa98f46741f818913a8c11b877520a548715131f

Gbp-Pq: Name 0010-Fix-CVE-2020-15586.patch

2 years ago Fix CVE-2020-7919
Dr. Tobias Quathamer [Fri, 31 Jan 2020 21:15:57 +0000 (22:15 +0100)]
Fix CVE-2020-7919

Cherry-picked from upstream:
https://github.com/golang/go/commit/b13ce14c4a6aa59b7b041ad2b6eed2d23e15b574

Gbp-Pq: Name 0009-Fix-CVE-2020-7919.patch

2 years ago Fix CVE-2019-17596
Dr. Tobias Quathamer [Sat, 19 Oct 2019 12:03:22 +0000 (14:03 +0200)]
Fix CVE-2019-17596

Cherry-picked from upstream:
https://github.com/golang/go/commit/2017d88dbc096381d4f348d2fb08bfb3c2b7ed73

Gbp-Pq: Name 0008-Fix-CVE-2019-17596.patch

2 years ago Fix CVE-2019-16276
Dr. Tobias Quathamer [Thu, 26 Sep 2019 09:46:46 +0000 (11:46 +0200)]
Fix CVE-2019-16276

Cherry-picked from upstream:
https://github.com/golang/go/commit/6e6f4aaf70c8b1cc81e65a26332aa9409de03ad8

Gbp-Pq: Name 0007-Fix-CVE-2019-16276.patch

2 years ago Fix CVE-2019-14809
Dr. Tobias Quathamer [Thu, 15 Aug 2019 19:37:24 +0000 (21:37 +0200)]
Fix CVE-2019-14809

Cherry-picked from upstream:
https://github.com/golang/go/commit/c1d9ca70995dc232a2145e3214f94e03409f6fcc

Gbp-Pq: Name 0006-Fix-CVE-2019-14809.patch

2 years ago Fix CVE-2019-9512 and CVE-2019-9514
Dr. Tobias Quathamer [Thu, 15 Aug 2019 19:34:14 +0000 (21:34 +0200)]
Fix CVE-2019-9512 and CVE-2019-9514

Cherry-picked from upstream:
https://github.com/golang/go/commit/e152b01a468a1c18a290bf9aec52ccea7693c7f2

Gbp-Pq: Name 0005-Fix-CVE-2019-9512-and-CVE-2019-9514.patch

2 years ago [PATCH] unix: fix Fstatat by using fillStat_t on linux/mips64x
Anthony Fok [Fri, 28 Dec 2018 13:18:00 +0000 (06:18 -0700)]
[PATCH] unix: fix Fstatat by using fillStat_t on linux/mips64x

The stat structure on linux/mips64x differs between the C library and the kernel,
as described in the stat(2) man page.

Fstat, Lstat and Stat on linux/mips64x already convert the stat structure
using a fillStat_t function, very similar to __xstat_conv in GLIBC.
Doing the same for Fstatat before calling SYS_NEWFSTATAT fixes the
"Fstatat: returned stat does not match Stat/Lstat" error in TestFstatat.

Fixes golang/go#29401

Change-Id: I0b2a7b274acc3c7c9fc7ae2afe722dd6225da383
Reviewed-on: https://go-review.googlesource.com/c/155747
Reviewed-by: Ian Lance Taylor <iant@golang.org>
Reviewed-by: Tobias Klauser <tobias.klauser@gmail.com>
Gbp-Pq: Name 0004-fix-Fstatat-by-using-fillStat_t-on-linux-mips64x.patch

2 years ago arm64/arm64asm: recognise new ssbb/pssbb mnemonics from objdump
Michael Hudson-Doyle [Thu, 20 Sep 2018 07:20:31 +0000 (09:20 +0200)]
arm64/arm64asm: recognise new ssbb/pssbb mnemonics from objdump

Fixes golang/go#27754

Change-Id: I8fcc3bc3c718cf0d93afbd1d383df48316b522d4
Reviewed-on: https://go-review.googlesource.com/136455
Run-TryBot: Michael Hudson-Doyle <michael.hudson@canonical.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Cherry Zhang <cherryyz@google.com>
Gbp-Pq: Name 0003-arm64-arm64asm-recognise-new-ssbb-pssbb-mnemonics-fr.patch

2 years ago Fix Lintian warnings about wrong interpreter path
Dr. Tobias Quathamer [Wed, 19 Dec 2018 12:16:45 +0000 (13:16 +0100)]
Fix Lintian warnings about wrong interpreter path

The command used for this change is as follows:

grep -rH "/usr/bin/env perl" * | cut -d: -f1 | xargs -n1 sed -i -e "s,/usr/bin/env perl,/usr/bin/perl,"

Gbp-Pq: Name 0002-Fix-Lintian-warnings-about-wrong-interpreter-path.patch

2 years ago Reproducible BUILD_PATH_PREFIX_MAP
Michael Stapelberg [Thu, 8 Feb 2018 09:00:00 +0000 (10:00 +0100)]
Reproducible BUILD_PATH_PREFIX_MAP

Make builds reproducible by honoring BUILD_PATH_PREFIX_MAP.
Upstream has rejected the patch in this form and promised to implement an
alternative they are happy with instead. That hasn't happened yet though.

Bug: https://github.com/golang/go/issues/22491, https://github.com/golang/go/issues/16860
Forwarded: https://golang.org/cl/73291 (rejected upstream though)

Gbp-Pq: Name 0001-Reproducible-BUILD_PATH_PREFIX_MAP.patch

2 years ago golang-1.11 (1.11.6-1+deb10u7) buster-security; urgency=high
Sylvain Beucler [Thu, 20 Apr 2023 14:32:58 +0000 (15:32 +0100)]
golang-1.11 (1.11.6-1+deb10u7) buster-security; urgency=high

  * Non-maintainer upload by the LTS Security Team.
  * Disable a few flaky tests on arm.

[dgit import unpatched golang-1.11 1.11.6-1+deb10u7]

2 years ago Import golang-1.11_1.11.6-1+deb10u7.debian.tar.xz
Sylvain Beucler [Thu, 20 Apr 2023 14:32:58 +0000 (15:32 +0100)]
Import golang-1.11_1.11.6-1+deb10u7.debian.tar.xz

[dgit import tarball golang-1.11 1.11.6-1+deb10u7 golang-1.11_1.11.6-1+deb10u7.debian.tar.xz]

6 years ago Import golang-1.11_1.11.6.orig.tar.gz
Michael Hudson-Doyle [Sun, 17 Mar 2019 20:37:17 +0000 (20:37 +0000)]
Import golang-1.11_1.11.6.orig.tar.gz

[dgit import orig golang-1.11_1.11.6.orig.tar.gz]