dgit.raspbian.org Git - golang-1.11.git/log

CVE-2021-39293

Origin: https://github.com/golang/go/commit/6c480017ae600b2c90a264a922e041df04dfa785
Reviewed-by: Sylvain Beucler <beuc@debian.org>
Last-Update: 2022-01-21

Backport note: test case now also deals with prior detection removed
in 483d6d99256b3c486e0c99106e232b4909938328 (v1.14)

From 6c480017ae600b2c90a264a922e041df04dfa785 Mon Sep 17 00:00:00 2001
From: Roland Shoemaker <roland@golang.org>
Date: Wed, 18 Aug 2021 11:49:29 -0700
Subject: [PATCH] [release-branch.go1.16] archive/zip: prevent preallocation
check from overflowing

If the indicated directory size in the archive header is so large that
subtracting it from the archive size overflows a uint64, the check that
the indicated number of files in the archive can be effectively
bypassed. Prevent this from happening by checking that the indicated
directory size is less than the size of the archive.

Thanks to the OSS-Fuzz project for discovering this issue and to
Emmanuel Odeke for reporting it.

Fixes #47985
Updates #47801
Fixes CVE-2021-39293

Change-Id: Ifade26b98a40f3b37398ca86bd5252d12394dd24
Reviewed-on: https://go-review.googlesource.com/c/go/+/343434
Trust: Roland Shoemaker <roland@golang.org>
Run-TryBot: Roland Shoemaker <roland@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Russ Cox <rsc@golang.org>
(cherry picked from commit bacbc33439b124ffd7392c91a5f5d96eca8c0c0b)
Reviewed-on: https://go-review.googlesource.com/c/go/+/345409
Reviewed-by: Emmanuel Odeke <emmanuel@orijtech.com>
Run-TryBot: Emmanuel Odeke <emmanuel@orijtech.com>
Trust: Cherry Mui <cherryyz@google.com>

Gbp-Pq: Name CVE-2021-39293.patch

CVE-2021-33196

Origin: https://github.com/golang/go/commit/c92adf420a3d9a5510f9aea382d826f0c9216a10
Reviewed-by: Sylvain Beucler <beuc@debian.org>
Last-Update: 2022-01-21

Backport note: test case now also deals with prior detection removed
in 483d6d99256b3c486e0c99106e232b4909938328 (v1.14)

From c92adf420a3d9a5510f9aea382d826f0c9216a10 Mon Sep 17 00:00:00 2001
From: Roland Shoemaker <roland@golang.org>
Date: Tue, 11 May 2021 11:31:31 -0700
Subject: [PATCH] [release-branch.go1.15] archive/zip: only preallocate File
slice if reasonably sized

Since the number of files in the EOCD record isn't validated, it isn't
safe to preallocate Reader.Files using that field. A malformed archive
can indicate it contains up to 1 << 128 - 1 files. We can still safely
preallocate the slice by checking if the specified number of files in
the archive is reasonable, given the size of the archive.

Thanks to the OSS-Fuzz project for discovering this issue and to
Emmanuel Odeke for reporting it.

Updates #46242
Fixes #46396
Fixes CVE-2021-33196

Change-Id: I3c76d8eec178468b380d87fdb4a3f2cb06f0ee76
Reviewed-on: https://go-review.googlesource.com/c/go/+/318909
Trust: Roland Shoemaker <roland@golang.org>
Trust: Katie Hockman <katie@golang.org>
Trust: Joe Tsai <thebrokentoaster@gmail.com>
Run-TryBot: Roland Shoemaker <roland@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Katie Hockman <katie@golang.org>
Reviewed-by: Joe Tsai <thebrokentoaster@gmail.com>
(cherry picked from commit 74242baa4136c7a9132a8ccd9881354442788c8c)
Reviewed-on: https://go-review.googlesource.com/c/go/+/322949
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Gbp-Pq: Name CVE-2021-33196.patch

CVE-2021-38297

Origin: https://github.com/golang/go/commit/4548fcc8dfd933c237f29bba6f90040a85922564
Reviewed-by: Sylvain Beucler <beuc@debian.org>
Last-Update: 2023-04-15

From 4548fcc8dfd933c237f29bba6f90040a85922564 Mon Sep 17 00:00:00 2001
From: Michael Knyszek <mknyszek@google.com>
Date: Thu, 2 Sep 2021 16:51:59 -0400
Subject: [PATCH] [release-branch.go1.16] misc/wasm, cmd/link: do not let
command line args overwrite global data

On Wasm, wasm_exec.js puts command line arguments at the beginning
of the linear memory (following the "zero page"). Currently there
is no limit for this, and a very long command line can overwrite
the program's data section. Prevent this by limiting the command
line to 4096 bytes, and in the linker ensuring the data section
starts at a high enough address (8192).

(Arguably our address assignment on Wasm is a bit confusing. This
is the minimum fix I can come up with.)

Thanks to Ben Lubar for reporting this issue.

Change by Cherry Mui <cherryyz@google.com>.

For #48797
Fixes #48799
Fixes CVE-2021-38297

Change-Id: I0f50fbb2a5b6d0d047e3c134a88988d9133e4ab3
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1205933
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Than McIntosh <thanm@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/354591
Trust: Michael Knyszek <mknyszek@google.com>
Reviewed-by: Heschi Kreinick <heschi@google.com>
Gbp-Pq: Name CVE-2021-38297.patch

CVE-2020-28367

Origin: https://github.com/golang/go/commit/ff5addb6be2fb3001f0cb026c3e4931090a85664
Reviewed-by: Sylvain Beucler <beuc@debian.org>
Last-Update: 2023-04-14

From ff5addb6be2fb3001f0cb026c3e4931090a85664 Mon Sep 17 00:00:00 2001
From: Ian Lance Taylor <iant@golang.org>
Date: Mon, 2 Nov 2020 21:31:06 -0800
Subject: [PATCH] [release-branch.go1.14-security] cmd/go: in cgoflags, permit
-DX1, prohibit -Wp,-D,opt

Restrict -D and -U to ASCII C identifiers, but do permit trailing digits.
When using -Wp, prohibit commas in -D values.

Thanks to Imre Rad (https://www.linkedin.com/in/imre-rad-2358749b) for reporting this.

Fixes CVE-2020-28367

Change-Id: Ibfc4dfdd6e6c258e131448e7682610c44eee9492
Reviewed-on: https://go-review.googlesource.com/c/go/+/267277
Trust: Ian Lance Taylor <iant@golang.org>
Run-TryBot: Ian Lance Taylor <iant@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Bryan C. Mills <bcmills@google.com>
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/899923
Reviewed-by: Filippo Valsorda <valsorda@google.com>
Gbp-Pq: Name CVE-2020-28367.patch

Fixes CVE-2021-3114

Cherry-pick from upstream:
https://github.com/golang/go/commit/d95ca9138026cbe40e0857d76a81a16d03230871

Gbp-Pq: Name 0012-Fix-CVE-2021-3114.patch

Fix CVE-2020-16845

Cherry-picked from upstream:
https://github.com/golang/go/commit/027d7241ce050d197e7fabea3d541ffbe3487258

Gbp-Pq: Name 0011-Fix-CVE-2020-16845.patch

Fix CVE-2020-15586

Cherry-picked from upstream:
https://github.com/golang/go/commit/fa98f46741f818913a8c11b877520a548715131f

Gbp-Pq: Name 0010-Fix-CVE-2020-15586.patch

Fix CVE-2020-7919

Cherry-picked from upstream:
https://github.com/golang/go/commit/b13ce14c4a6aa59b7b041ad2b6eed2d23e15b574

Gbp-Pq: Name 0009-Fix-CVE-2020-7919.patch

Fix CVE-2019-17596

Cherry-picked from upstream:
https://github.com/golang/go/commit/2017d88dbc096381d4f348d2fb08bfb3c2b7ed73

Gbp-Pq: Name 0008-Fix-CVE-2019-17596.patch

Fix CVE-2019-16276

Cherry-picked from upstream:
https://github.com/golang/go/commit/6e6f4aaf70c8b1cc81e65a26332aa9409de03ad8

Gbp-Pq: Name 0007-Fix-CVE-2019-16276.patch

Fix CVE-2019-14809

Cherry-picked from upstream:
https://github.com/golang/go/commit/c1d9ca70995dc232a2145e3214f94e03409f6fcc

Gbp-Pq: Name 0006-Fix-CVE-2019-14809.patch

Fix CVE-2019-9512 and CVE-2019-9514

Cherry-picked from upstream:
https://github.com/golang/go/commit/e152b01a468a1c18a290bf9aec52ccea7693c7f2

Gbp-Pq: Name 0005-Fix-CVE-2019-9512-and-CVE-2019-9514.patch

[PATCH] unix: fix Fstatat by using fillStat_t on linux/mips64x

The stat structure on linux/mips64x differ between C library and the kernel,
as described in the stat(2) man page.

Fstat, Lstat and Stat on linux/mips64x already converts the stat structure
using a fillStat_t function, very similar to __xstat_conv in GLIBC.
Doing the same for Fstatat before calling SYS_NEWFSTATAT fixes the
"Fstatat: returned stat does not match Stat/Lstat" error in TestFstatat.

Fixes golang/go#29401

Change-Id: I0b2a7b274acc3c7c9fc7ae2afe722dd6225da383
Reviewed-on: https://go-review.googlesource.com/c/155747
Reviewed-by: Ian Lance Taylor <iant@golang.org>
Reviewed-by: Tobias Klauser <tobias.klauser@gmail.com>
Gbp-Pq: Name 0004-fix-Fstatat-by-using-fillStat_t-on-linux-mips64x.patch

arm64/arm64asm: recognise new ssbb/pssbb mnemonics from objdump

Fixes golang/go#27754

Change-Id: I8fcc3bc3c718cf0d93afbd1d383df48316b522d4
Reviewed-on: https://go-review.googlesource.com/136455
Run-TryBot: Michael Hudson-Doyle <michael.hudson@canonical.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Cherry Zhang <cherryyz@google.com>
Gbp-Pq: Name 0003-arm64-arm64asm-recognise-new-ssbb-pssbb-mnemonics-fr.patch

Fix Lintian warnings about wrong interpreter path

The command used for this change is as follows:

grep -rH "/usr/bin/env perl" * | cut -d: -f1 | xargs -n1 sed -i -e "s,/usr/bin/env perl,/usr/bin/perl,"

Gbp-Pq: Name 0002-Fix-Lintian-warnings-about-wrong-interpreter-path.patch

Reproducible BUILD_PATH_PREFIX_MAP

Make builds reproducible by honoring BUILD_PATH_PREFIX_MAP
Upstream has rejected the patch in this form and promised to implement an
alternative they are happy with instead. That hasn't happened yet though.

Bug: https://github.com/golang/go/issues/22491, https://github.com/golang/go/issues/16860
Forwarded: https://golang.org/cl/73291 (rejected upstream though)

Gbp-Pq: Name 0001-Reproducible-BUILD_PATH_PREFIX_MAP.patch

golang-1.11 (1.11.6-1+deb10u7) buster-security; urgency=high

* Non-maintainer upload by the LTS Security Team.
* Disable a few flaky tests on arm.

[dgit import unpatched golang-1.11 1.11.6-1+deb10u7]

Import golang-1.11_1.11.6-1+deb10u7.debian.tar.xz

[dgit import tarball golang-1.11 1.11.6-1+deb10u7 golang-1.11_1.11.6-1+deb10u7.debian.tar.xz]

Import golang-1.11_1.11.6.orig.tar.gz

[dgit import orig golang-1.11_1.11.6.orig.tar.gz]