From 9f470e41350b3d08ab7d62eb14d56e3f96acfe86 Mon Sep 17 00:00:00 2001
From: Go Compiler Team <team+go-compiler@tracker.debian.org>
Date: Thu, 20 Apr 2023 15:32:58 +0100
Subject: [PATCH] CVE-2020-28367

Origin: https://github.com/golang/go/commit/ff5addb6be2fb3001f0cb026c3e4931090a85664
Reviewed-by: Sylvain Beucler <beuc@debian.org>
Last-Update: 2023-04-14

From ff5addb6be2fb3001f0cb026c3e4931090a85664 Mon Sep 17 00:00:00 2001
From: Ian Lance Taylor <iant@golang.org>
Date: Mon, 2 Nov 2020 21:31:06 -0800
Subject: [PATCH] [release-branch.go1.14-security] cmd/go: in cgoflags, permit
 -DX1, prohibit -Wp,-D,opt

Restrict -D and -U to ASCII C identifiers, but do permit trailing digits.
When using -Wp, prohibit commas in -D values.

Thanks to Imre Rad (https://www.linkedin.com/in/imre-rad-2358749b) for reporting this.

Fixes CVE-2020-28367

Change-Id: Ibfc4dfdd6e6c258e131448e7682610c44eee9492
Reviewed-on: https://go-review.googlesource.com/c/go/+/267277
Trust: Ian Lance Taylor <iant@golang.org>
Run-TryBot: Ian Lance Taylor <iant@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Bryan C. Mills <bcmills@google.com>
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/899923
Reviewed-by: Filippo Valsorda <valsorda@google.com>

Gbp-Pq: Name CVE-2020-28367.patch
---
 src/cmd/go/internal/work/security.go      | 4 ++--
 src/cmd/go/internal/work/security_test.go | 2 ++
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/cmd/go/internal/work/security.go b/src/cmd/go/internal/work/security.go
index 2132c5f..731307f 100644
--- a/src/cmd/go/internal/work/security.go
+++ b/src/cmd/go/internal/work/security.go
@@ -40,7 +40,7 @@ import (
 var re = regexp.MustCompile
 
 var validCompilerFlags = []*regexp.Regexp{
-	re(`-D([A-Za-z_].*)`),
+	re(`-D([A-Za-z_][A-Za-z0-9_]*)(=[^@\-]*)?`),
 	re(`-F([^@\-].*)`),
 	re(`-I([^@\-].*)`),
 	re(`-O`),
@@ -48,7 +48,7 @@ var validCompilerFlags = []*regexp.Regexp{
 	re(`-W`),
 	re(`-W([^@,]+)`), // -Wall but not -Wa,-foo.
 	re(`-Wa,-mbig-obj`),
-	re(`-Wp,-D([A-Za-z_].*)`),
+	re(`-Wp,-D([A-Za-z_][A-Za-z0-9_]*)(=[^@,\-]*)?`),
 	re(`-ansi`),
 	re(`-f(no-)?asynchronous-unwind-tables`),
 	re(`-f(no-)?blocks`),
diff --git a/src/cmd/go/internal/work/security_test.go b/src/cmd/go/internal/work/security_test.go
index d23b6ea..3bd37d6 100644
--- a/src/cmd/go/internal/work/security_test.go
+++ b/src/cmd/go/internal/work/security_test.go
@@ -21,6 +21,7 @@ var goodCompilerFlags = [][]string{
 	{"-Osmall"},
 	{"-W"},
 	{"-Wall"},
+	{"-Wp,-Dfoo1"},
 	{"-fobjc-arc"},
 	{"-fno-objc-arc"},
 	{"-fomit-frame-pointer"},
@@ -71,6 +72,7 @@ var badCompilerFlags = [][]string{
 	{"-O@1"},
 	{"-Wa,-foo"},
 	{"-W@foo"},
+	{"-Wp,-DX,-D@X"},
 	{"-g@gdb"},
 	{"-g-gdb"},
 	{"-march=@dawn"},
-- 
2.30.2