From 83870e1c8ba3055c7c954d3b46367dc357793309 Mon Sep 17 00:00:00 2001 
From: Sylvain Beucler Date: Fri, 21 Jan 2022 18:45:18 +0000 Subject: [PATCH 1/1] Import golang-1.7_1.7.4-2+deb9u4.debian.tar.xz [dgit import tarball golang-1.7 1.7.4-2+deb9u4 golang-1.7_1.7.4-2+deb9u4.debian.tar.xz] --- debian/changelog | 976 +++++++++++++ debian/compat | 1 + debian/control | 98 ++ debian/control.in | 94 ++ debian/copyright | 1206 +++++++++++++++++ debian/docs | 3 + debian/gbp.conf | 13 + debian/gbp.conf.in | 9 + debian/golang-X.Y-doc.dirs | 1 + debian/golang-X.Y-doc.install | 2 + debian/golang-X.Y-doc.links | 2 + debian/golang-X.Y-doc.lintian-overrides | 5 + debian/golang-X.Y-go.dirs | 2 + debian/golang-X.Y-go.install | 7 + debian/golang-X.Y-go.links | 3 + debian/golang-X.Y-go.lintian-overrides | 2 + debian/golang-X.Y-go.postinst | 13 + debian/golang-X.Y-src.install | 2 + debian/golang-X.Y-src.lintian-overrides | 4 + debian/helpers/goenv.sh | 55 + debian/patches/CVE-2017-15041.patch | 264 ++++ debian/patches/CVE-2018-16873,16874.patch | 350 +++++ debian/patches/CVE-2019-16276.patch | 162 +++ debian/patches/CVE-2019-17596.patch | 40 + debian/patches/CVE-2019-9741.patch | 217 +++ debian/patches/CVE-2020-15586.patch | 98 ++ debian/patches/CVE-2020-16845.patch | 66 + debian/patches/CVE-2021-3114.patch | 492 +++++++ debian/patches/CVE-2021-33196.patch | 131 ++ debian/patches/CVE-2021-36221.patch | 50 + debian/patches/CVE-2021-39293.patch | 81 ++ debian/patches/CVE-2021-41771.patch | 77 ++ debian/patches/CVE-2021-44716.patch | 56 + debian/patches/CVE-2021-44717.patch | 80 ++ debian/patches/cl-29995--tzdata-2016g.patch | 35 + debian/patches/cl-37964--tzdata-2017a.patch | 89 ++ debian/patches/cve-2018-7187.patch | 120 ++ debian/patches/cve-2019-6486.patch | 13 + debian/patches/series | 21 + debian/rules | 108 ++ debian/source/format | 1 + debian/source/include-binaries | 1 + debian/source/lintian-overrides | 44 + debian/source/lintian-overrides.in | 40 + debian/watch | 8 + debian/watch.in | 4 + .../gcc-amd64-darwin-exec-with-bad-dysym | Bin 0 -> 8512 
bytes 47 files changed, 5146 insertions(+) create mode 100644 debian/changelog create mode 100644 debian/compat create mode 100644 debian/control create mode 100644 debian/control.in create mode 100644 debian/copyright create mode 100644 debian/docs create mode 100644 debian/gbp.conf create mode 100644 debian/gbp.conf.in create mode 100644 debian/golang-X.Y-doc.dirs create mode 100644 debian/golang-X.Y-doc.install create mode 100644 debian/golang-X.Y-doc.links create mode 100644 debian/golang-X.Y-doc.lintian-overrides create mode 100644 debian/golang-X.Y-go.dirs create mode 100644 debian/golang-X.Y-go.install create mode 100644 debian/golang-X.Y-go.links create mode 100644 debian/golang-X.Y-go.lintian-overrides create mode 100644 debian/golang-X.Y-go.postinst create mode 100644 debian/golang-X.Y-src.install create mode 100644 debian/golang-X.Y-src.lintian-overrides create mode 100755 debian/helpers/goenv.sh create mode 100644 debian/patches/CVE-2017-15041.patch create mode 100644 debian/patches/CVE-2018-16873,16874.patch create mode 100644 debian/patches/CVE-2019-16276.patch create mode 100644 debian/patches/CVE-2019-17596.patch create mode 100644 debian/patches/CVE-2019-9741.patch create mode 100644 debian/patches/CVE-2020-15586.patch create mode 100644 debian/patches/CVE-2020-16845.patch create mode 100644 debian/patches/CVE-2021-3114.patch create mode 100644 debian/patches/CVE-2021-33196.patch create mode 100644 debian/patches/CVE-2021-36221.patch create mode 100644 debian/patches/CVE-2021-39293.patch create mode 100644 debian/patches/CVE-2021-41771.patch create mode 100644 debian/patches/CVE-2021-44716.patch create mode 100644 debian/patches/CVE-2021-44717.patch create mode 100644 debian/patches/cl-29995--tzdata-2016g.patch create mode 100644 debian/patches/cl-37964--tzdata-2017a.patch create mode 100644 debian/patches/cve-2018-7187.patch create mode 100644 debian/patches/cve-2019-6486.patch create mode 100644 debian/patches/series create mode 100755 
debian/rules create mode 100644 debian/source/format create mode 100644 debian/source/include-binaries create mode 100644 debian/source/lintian-overrides create mode 100644 debian/source/lintian-overrides.in create mode 100644 debian/watch create mode 100644 debian/watch.in create mode 100644 src/debug/macho/testdata/gcc-amd64-darwin-exec-with-bad-dysym
diff --git a/debian/changelog b/debian/changelog
new file mode 100644
index 0000000..3f548aa
--- /dev/null
+++ b/debian/changelog
@@ -0,0 +1,976 @@
+golang-1.7 (1.7.4-2+deb9u4) stretch-security; urgency=high
+
+ * Non-maintainer upload by the LTS Security Team.
+ * CVE-2021-36221: Go has a race condition that can lead to a
+ net/http/httputil ReverseProxy panic upon an ErrAbortHandler
+ abort. (Closes: #991961)
+ * CVE-2021-33196: in archive/zip, a crafted file count (in an archive's
+ header) can cause a NewReader or OpenReader panic. (Closes: #989492)
+ * CVE-2021-39293: follow-up fix to CVE-2021-33196
+ * CVE-2021-41771: ImportedSymbols in debug/macho (for Open or OpenFat)
+ accesses a Memory Location After the End of a Buffer, aka an
+ out-of-bounds slice situation.
+ * CVE-2021-44716: net/http allows uncontrolled memory consumption in the
+ header canonicalization cache via HTTP/2 requests.
+ * CVE-2021-44717: Go on UNIX allows write operations to an unintended
+ file or unintended network connection as a consequence of erroneous
+ closing of file descriptor 0 after file-descriptor exhaustion.
+
+ -- Sylvain Beucler Fri, 21 Jan 2022 19:45:18 +0100
+
+golang-1.7 (1.7.4-2+deb9u3) stretch-security; urgency=high
+
+ * Non-maintainer upload by the LTS Security Team.
+ * CVE-2017-15041: Go allows "go get" remote command execution. Using
+ custom domains, it is possible to arrange things so that
+ example.com/pkg1 points to a Subversion repository but
+ example.com/pkg1/pkg2 points to a Git repository. If the Subversion
+ repository includes a Git checkout in its pkg2 directory and some
+ other work is done to ensure the proper ordering of operations, "go
+ get" can be tricked into reusing this Git checkout for the fetch of
+ code from pkg2. If the Subversion repository's Git checkout has
+ malicious commands in .git/hooks/, they will execute on the system
+ running "go get."
+ * CVE-2018-16873: the "go get" command is vulnerable to remote code
+ execution when executed with the -u flag and the import path of a
+ malicious Go package, as it may treat the parent directory as a Git
+ repository root, containing malicious configuration.
+ * CVE-2018-16874: the "go get" command is vulnerable to directory
+ traversal when executed with the import path of a malicious Go package
+ which contains curly braces (both '{' and '}' characters). The
+ attacker can cause an arbitrary filesystem write, which can lead to
+ code execution.
+ * CVE-2019-9741: in net/http, CRLF injection is possible if the attacker
+ controls a url parameter, as demonstrated by the second argument to
+ http.NewRequest with \r\n followed by an HTTP header or a Redis
+ command.
+ * CVE-2019-16276: Go allows HTTP Request Smuggling.
+ * CVE-2019-17596: Go can panic upon an attempt to process network
+ traffic containing an invalid DSA public key. There are several attack
+ scenarios, such as traffic from a client to a server that verifies
+ client certificates.
+ * CVE-2021-3114: crypto/elliptic/p224.go can generate incorrect outputs,
+ related to an underflow of the lowest limb during the final complete
+ reduction in the P-224 field.
+
+ -- Sylvain Beucler Sat, 13 Mar 2021 15:48:57 +0100
+
+golang-1.7 (1.7.4-2+deb9u2) stretch-security; urgency=high
+
+ * Non-maintainer upload by the LTS Team.
+ * CVE-2020-15586
+ Using the 100-continue in HTTP headers received by a net/http/Server
+ can lead to a data race involving the connection's buffered writer.
+ * CVE-2020-16845
+ Certain invalid inputs to ReadUvarint or ReadVarint could cause those
+ functions to read an unlimited number of bytes from the ByteReader
+ argument before returning an error.
+
+ -- Thorsten Alteholz Fri, 20 Nov 2020 17:03:02 +0100
+
+golang-1.7 (1.7.4-2+deb9u1) stretch-security; urgency=high
+
+ * Team upload.
+ * Add patch to fix CVE-2019-6486
+ * Add patch to fix CVE-2018-7187
+
+ -- Dr.
Tobias Quathamer Mon, 28 Jan 2019 22:24:55 +0100
+
+golang-1.7 (1.7.4-2) unstable; urgency=medium
+
+ * Backport CL 37964 for tzdata 2017a changes (Closes: #859583)
+
+ -- Michael Hudson-Doyle Wed, 05 Apr 2017 11:53:49 +1200
+
+golang-1.7 (1.7.4-1) unstable; urgency=medium
+
+ * Update to 1.7.4 upstream release (Closes: #846545)
+ - https://groups.google.com/d/topic/golang-announce/2lP5z9i9ySY/discussion
+ - https://golang.org/issue/17965 (potential DoS vector in net/http)
+ - https://github.com/golang/go/compare/go1.7.3...go1.7.4
+
+ -- Tianon Gravi Fri, 02 Dec 2016 13:30:36 -0800
+
+golang-1.7 (1.7.3-1) unstable; urgency=medium
+
+ * New upstream release.
+ * Delete d/patches/cl-28850.patch, applied upstream.
+
+ -- Michael Hudson-Doyle Thu, 20 Oct 2016 09:10:47 +1300
+
+golang-1.7 (1.7.1-3) unstable; urgency=medium
+
+ * Backport CL 29995 for tzdata 2016g changes (Closes: #839317)
+
+ -- Tianon Gravi Mon, 03 Oct 2016 15:12:28 -0700
+
+golang-1.7 (1.7.1-2) unstable; urgency=medium
+
+ * Add upstream patch for s390x FTBFS
+
+ -- Tianon Gravi Mon, 12 Sep 2016 09:32:10 -0700
+
+golang-1.7 (1.7.1-1) unstable; urgency=medium
+
+ * New upstream release.
+ * Re-enable tests on s390x now that gcc-6 has been fixed in unstable.
+
+ -- Michael Hudson-Doyle Thu, 08 Sep 2016 13:04:33 +1200
+
+golang-1.7 (1.7-3) unstable; urgency=medium
+
+ * Add "s390x" to Architectures
+
+ -- Tianon Gravi Tue, 23 Aug 2016 07:35:16 -0700
+
+golang-1.7 (1.7-2) unstable; urgency=medium
+
+ * Disable tests on armel.
+
+ -- Michael Hudson-Doyle Tue, 16 Aug 2016 15:18:07 +1200
+
+golang-1.7 (1.7-1) unstable; urgency=medium
+
+ * New upstream release.
+
+ -- Michael Hudson-Doyle Tue, 16 Aug 2016 11:37:34 +1200
+
+golang-1.7 (1.7~rc4-1) unstable; urgency=medium
+
+ * New upstream release.
+
+ -- Michael Hudson-Doyle Tue, 02 Aug 2016 15:10:22 +1200
+
+golang-1.7 (1.7~rc3-1) unstable; urgency=medium
+
+ [ Tianon Gravi ]
+ * Remove outdated README files (README.source and README.Debian)
+
+ [ Michael Hudson-Doyle ]
+ * New upstream release.
+ * Suppress inaccurate source-is-missing lintian warnings.
+ * Update Standards-Version to 3.9.8 (no changes required).
+
+ -- Tianon Gravi Mon, 11 Jul 2016 18:31:57 -0700
+
+golang-1.7 (1.7~rc2-1) unstable; urgency=medium
+
+ * Update to 1.7rc2 upstream release.
+
+ -- Michael Hudson-Doyle Tue, 19 Jul 2016 14:40:14 +1200
+
+golang-1.7 (1.7~rc1-1) unstable; urgency=medium
+
+ [ Paul Tagliamonte ]
+ * Use a secure transport for the Vcs-Git and Vcs-Browser URL
+
+ [ Tianon Gravi ]
+ * Update to 1.7rc1 upstream release (new packages, not used by default; see
+ also src:golang-defaults)
+ * Update Vcs-Git to reference a particular branch
+
+ -- Tianon Gravi Mon, 11 Jul 2016 16:10:12 -0700
+
+golang-1.6 (1.6.2-2) unstable; urgency=medium
+
+ * Update "golang-any" in "Build-Depends" to fallback to "golang-go | gccgo"
+ (will help with backporting)
+
+ -- Tianon Gravi Thu, 23 Jun 2016 20:01:00 -0700
+
+golang-1.6 (1.6.2-1) unstable; urgency=medium
+
+ * Update to 1.6.2 upstream release (Closes: #825696)
+ * Build-Depend on golang-any instead of golang-go (Closes: #824421)
+
+ -- Michael Hudson-Doyle Fri, 03 Jun 2016 07:50:44 -0700
+
+golang-1.6 (1.6.1-1) unstable; urgency=medium
+
+ * Build golang version-specific packages (Closes: #818415)
+ * Things that (conceptually at least) move to new golang version independent
+ golang-defaults source package:
+ - Man pages.
+ - Suggesting golang-golang-x-tools.
+ - Breaks/Replace-ing of old golang-go-$GOOS-$GOARCH packages.
+ * Stop using alternatives to manage /usr/bin/go.
+ * sed trickery in debian/rules to support easy changes to new golang versions.
+
+ -- Michael Hudson-Doyle Wed, 01 Jun 2016 10:04:53 -0700
+
+golang (2:1.6.1-2) unstable; urgency=medium
+
+ * Don't strip testdata files, causes build failures on some platforms.
+
+ -- Michael Hudson-Doyle Wed, 13 Apr 2016 15:47:46 -0700
+
+golang (2:1.6.1-1) unstable; urgency=medium
+
+ [ Michael Hudson-Doyle ]
+ * Breaks/Replaces: older golang-golang-x-tools, not Conflicts, to ensure
+ smooth upgrades.
+ * Strip the binaries as it has worked for the last five years or so and
+ upstream sees no reason to disable it.
+
+ [ Tianon Gravi ]
+ * Update to 1.6.1 upstream release (Closes: #820369)
+ - Fix CVE-2016-3959: infinite loop in several big integer routines
+
+ -- Tianon Gravi Tue, 12 Apr 2016 23:06:43 -0700
+
+golang (2:1.6-1) unstable; urgency=medium
+
+ * Update to 1.6 upstream release (thanks Hilko!)
+ - change "ar" arguments to quiet spurious warnings while using gccgo
+ (Closes: #807138)
+ - skip multicast listen test (Closes: #814849)
+ - skip userns tests when chrooted (Closes: #807303)
+ - use correct ELF header for armhf binaries (Closes: #734357)
+ - Update debian/rules clean for new location of generated file.
+
+ [ Michael Hudson-Doyle ]
+ * Respect "nocheck" in DEB_BUILD_OPTIONS while building to skip tests
+ (Closes: #807290)
+ * Trim Build-Depends (Closes: #807299)
+ * Fix several minor debian/copyright issues (Closes: #807304)
+ * Remove inconsistently included race-built packages (Closes: #807294)
+
+ [ Tianon Gravi ]
+ * Add "-k" to "run.bash" invocation so that we do a full test run every time
+
+ -- Tianon Gravi Mon, 29 Feb 2016 16:10:32 -0800
+
+golang (2:1.5.3-1) unstable; urgency=high
+
+ * Update to 1.5.3 upstream release
+ - Fix CVE-2015-8618: Carry propagation in Int.Exp Montgomery code in
+ math/big library (Closes: #809168)
+ * Add "Breaks" to properly complement our "Replaces" (Closes: #810595)
+
+ -- Tianon Gravi Thu, 14 Jan 2016 07:41:44 -0800
+
+golang (2:1.5.2-1) unstable; urgency=medium
+
+ * Update to 1.5.2 upstream release (Closes: #807136)
+
+ -- Tianon Gravi Tue, 05 Jan 2016 19:59:22 -0800
+
+golang (2:1.5.1-4) unstable; urgency=medium
+
+ * Add Conflicts to force newer golang-go.tools too (Closes: #803559)
+
+ -- Tianon Gravi Tue, 03 Nov 2015 21:57:54 -0800
+
+golang (2:1.5.1-3) unstable; urgency=medium
+
+ * Remove architecture qualification on golang-go Build-Depend now that
+ golang-go is available for more architectures.
+
+ -- Tianon Gravi Thu, 29 Oct 2015 07:40:38 -0700
+
+golang (2:1.5.1-2) unstable; urgency=medium
+
+ * Add Conflicts to force newer golang-golang-x-tools (Closes: #802945).
+
+ -- Tianon Gravi Tue, 27 Oct 2015 13:28:56 -0700
+
+golang (2:1.5.1-1) unstable; urgency=medium
+
+ * Upload to unstable.
+ * Update to 1.5.1 upstream release (see notes from experimental uploads for
+ what's changed).
+ * Skip tests on architectures where the tests fail.
+
+ -- Tianon Gravi Sat, 24 Oct 2015 10:22:02 -0700
+
+golang (2:1.4.3-3) unstable; urgency=medium
+
+ * Fix FTBFS for non-amd64 architectures due to handling of "-race".
+
+ -- Tianon Gravi Mon, 05 Oct 2015 02:04:07 -0700
+
+golang (2:1.5.1-1~exp2) experimental; urgency=medium
+
+ * Upload to experimental.
+ * Add arch-qualifiers to "golang-go" build-depends to unblock the buildds
+ (Closes: #800479); thanks Tim!
+
+ -- Tianon Gravi Wed, 30 Sep 2015 11:19:26 -0700
+
+golang (2:1.4.3-2) unstable; urgency=medium
+
+ * Update Recommends/Suggests, especially to add gcc, etc.
+ * Refactor "debian/rules" to utilize debhelper more effectively, especially
+ for arch vs indep building (mostly backported from the 1.5+ changes), which
+ fixes the "arch:all" FTBFS.
+
+ -- Tianon Gravi Sun, 27 Sep 2015 22:06:07 -0700
+
+golang (2:1.5.1-1~exp1) experimental; urgency=low
+
+ * Upload to experimental.
+ * Update to 1.5.1 upstream release (Closes: #796150).
+ - Compiler and runtime written entirely in Go.
+ - Concurrent garbage collector.
+ - GOMAXPROCS=runtime.NumCPU() by default.
+ - "internal" packages for all, not just core.
+ - Experimental "vendoring" support.
+ - Cross-compilation no longer requires a complete rebuild of the stdlib in
+ GOROOT, and thus the golang-go-GOHOST-GOARCH packages are removed.
+ * Sync debian/copyright with the Ubuntu delta. (thanks doko!)
+ * Remove patches that no longer apply.
+ * Add more supported arches to "debian/rules" code for detecting
+ appropriate GOARCH/GOHOSTARCH values; thanks mwhudson and tpot!
+ (Closes: #799907)
+ * Refactor "debian/rules" to utilize debhelper more effectively, especially
+ for arch vs indep building.
+ * Move "dpkg-architecture" to "GOOS"/"GOARCH" code into a simple shell script
+ for easier maintenance.
+
+ -- Tianon Gravi Fri, 25 Sep 2015 14:36:53 -0700
+
+golang (2:1.4.3-1) unstable; urgency=medium
+
+ * New upstream version (https://golang.org/doc/devel/release.html#go1.4.minor)
+ - includes previous CVE and non-CVE security fixes, especially
+ TEMP-0000000-1C4729
+
+ -- Tianon Gravi Fri, 25 Sep 2015 00:02:31 -0700
+
+golang (2:1.4.2-4) unstable; urgency=high
+
+ * Apply backported CVE fixes (Closes: #795106).
+ - CVE-2015-5739: Invalid headers are parsed as valid headers
+ - CVE-2015-5740: RFC 7230 3.3.3 4 violation
+ - CVE-2015-5741: other discoveries of security-relevant RFC 7230 violations
+
+ -- Tianon Gravi Mon, 14 Sep 2015 12:27:57 -0700
+
+golang (2:1.4.2-3) unstable; urgency=medium
+
+ * Add missing "prerm" for our new alternatives (thanks piuparts).
+
+ -- Tianon Gravi Tue, 05 May 2015 17:38:37 -0600
+
+golang (2:1.4.2-2) unstable; urgency=medium
+
+ * Move "go" and "gofmt" into "/usr/lib/go" and use alternatives to provide
+ appropriate symlinks (Closes: #779503, #782301).
+ * Relax "golang-go.tools" relationship to Suggests (from Recommends).
+ * Add "go get" VCS options to Suggests for golang-go (bzr, git, mercurial,
+ subversion).
+
+ -- Tianon Gravi Tue, 05 May 2015 00:37:53 -0600
+
+golang (2:1.4.2-1) unstable; urgency=medium
+
+ * New upstream version
+ (https://golang.org/doc/devel/release.html#go1.4.minor)
+
+ -- Tianon Gravi Sat, 02 May 2015 10:06:34 -0600
+
+golang (2:1.4.1-1~exp1) experimental; urgency=low
+
+ * New upstream version (https://golang.org/doc/go1.4)
+ - all editor support files have been removed from misc/ upstream upstream,
+ so golang-mode, kate-syntax-go, and vim-syntax-go can no longer be
+ provided; see https://github.com/golang/go/wiki/IDEsAndTextEditorPlugins
+ for an upstream-maintained list of potential replacements
+
+ -- Tianon Gravi Fri, 16 Jan 2015 00:52:10 -0500
+
+golang (2:1.3.3-1) unstable; urgency=medium
+
+ * New upstream version (https://code.google.com/p/go/source/list?name=go1.3.3)
+ - time: removed from tests now obsolete assumption about Australian tz
+ abbreviations
+ - net: temporarily skip TestAcceptIgnoreSomeErrors
+ - runtime: hide cgocallback_gofunc calling cgocallbackg from linker
+ - runtime: fix GOTRACEBACK reading on Windows, Plan 9
+ - nacltest.bash: unset GOROOT
+ - cmd/5l, cmd/6l, cmd/8l: fix nacl binary corruption bug
+ * Add Paul and myself as uploaders. Many, many thanks to Michael for his work
+ so far on this package (and hopefully more to come).
+
+ -- Tianon Gravi Fri, 12 Dec 2014 16:11:02 -0500
+
+golang (2:1.3.2-1) unstable; urgency=medium
+
+ * New upstream version
+
+ -- Michael Stapelberg Fri, 26 Sep 2014 23:21:45 +0200
+
+golang (2:1.3.1-1) unstable; urgency=medium
+
+ * New upstream version
+
+ -- Michael Stapelberg Wed, 13 Aug 2014 09:15:58 +0200
+
+golang (2:1.3-4) unstable; urgency=medium
+
+ [ Tianon Gravi ]
+ * update debian/watch for upstream's latest move (Closes: #756415)
+ * backport archive/tar patch to fix PAX headers (Closes: #756416)
+
+ -- Michael Stapelberg Sat, 02 Aug 2014 21:02:24 +0200
+
+golang (2:1.3-3) unstable; urgency=medium
+
+ * don’t depend on emacs23, depend on emacs instead (Closes: #754013)
+ * install include/ in golang-src, VERSION in golang-go (Closes: #693186)
+
+ -- Michael Stapelberg Mon, 07 Jul 2014 08:30:50 +0200
+
+golang (2:1.3-2) unstable; urgency=medium
+
+ * Add /usr/lib/go/test symlink
+ * Build with GO386=387 to favor the 387 floating point unit over sse2
+ instructions (Closes: #753160)
+ * Add debian/patches/0001-backport-delete-whole-line.patch to fix a
+ deprecation warning about flet in the emacs part of golang-mode
+ (Closes: #753607)
+ * Migrate to emacsen >2 (Closes: #753607)
+ * Backport two patches to improve archive/tar performance (for docker):
+ debian/patches/0002-archive-tar-reuse-temporary-buffer-in-writeHeader.patch
+ debian/patches/0003-archive-tar-reuse-temporary-buffer-in-readHeader.patch
+
+ -- Michael Stapelberg Thu, 03 Jul 2014 23:33:46 +0200
+
+golang (2:1.3-1) unstable; urgency=medium
+
+ * New upstream version.
+ * Drop patches merged upstream:
+ - debian/patches/add-tar-xattr-support.patch
+ - debian/patches/add-tar-xattr-support.patch
+ * Fix debian/watch (Thanks Tianon) (Closes: #748290)
+ * Remove dangling symlink /usr/lib/go/lib/godoc (Closes: #747968)
+
+ -- Michael Stapelberg Thu, 19 Jun 2014 09:23:36 +0200
+
+golang (2:1.2.1-2) unstable; urgency=low
+
+ * Re-apply debian/patches/add-tar-xattr-support.patch which got lost when
+ uploading 1.2.1-1; sorry about that.
+
+ -- Michael Stapelberg Sat, 08 Mar 2014 20:01:12 +0100
+
+golang (2:1.2.1-1) unstable; urgency=low
+
+ * New upstream release.
+
+ -- Michael Stapelberg Mon, 03 Mar 2014 17:40:57 +0100
+
+golang (2:1.2-3) unstable; urgency=low
+
+ * add debian/patches/add-tar-xattr-support.patch to have xattr support in
+ tar (cherry-picked from upstream) (Thanks proppy) (Closes: #739586)
+
+ -- Michael Stapelberg Mon, 24 Feb 2014 19:34:16 +0100
+
+golang (2:1.2-2) unstable; urgency=low
+
+ * add patches/add-src-pkg-debug-elf-testdata-hello.patch to provide source
+ for the testdata/ ELF binaries (Closes: #716853)
+
+ -- Michael Stapelberg Tue, 31 Dec 2013 18:28:29 +0100
+
+golang (2:1.2-1) unstable; urgency=low
+
+ * New upstream release.
+ * drop patches/archive-tar-fix-links-and-pax.patch, it is merged upstream
+ * godoc(1) is now in the Debian package golang-go.tools, it was moved into a
+ separate repository by upstream.
+ * move patches/godoc-symlinks.diff to golang-go.tools
+
+ -- Michael Stapelberg Mon, 02 Dec 2013 23:57:24 +0100
+
+golang (2:1.1.2-3) unstable; urgency=low
+
+ * cherry-pick upstream commit: archive-tar-fix-links-and-pax.patch
+ (Closes: #730566)
+
+ -- Michael Stapelberg Tue, 26 Nov 2013 18:59:27 +0100
+
+golang (2:1.1.2-2) unstable; urgency=low
+
+ * Build golang-go-linux-* for each architecture (Thanks James Page)
+ (Closes: #719611)
+ * Update lintian-overrides to override statically-linked-binary and
+ unstripped-binary-or-object for all of golang-go
+
+ -- Michael Stapelberg Tue, 20 Aug 2013 08:13:40 +0200
+
+golang (2:1.1.2-1) unstable; urgency=low
+
+ * New upstream release.
+ * Relicense debian/ under the Go license to match upstream. All copyright
+ holders agreed to this. (Closes: #716907)
+ * golang-mode: don’t install for a number of emacs versions which are not
+ supported upstream (Thanks Kevin Ryde) (Closes: #702511, #717521)
+
+ -- Michael Stapelberg Tue, 13 Aug 2013 13:47:58 +0200
+
+golang (2:1.1.1-4) unstable; urgency=low
+
+ * Disable stripping, it breaks go binaries on some architectures. This drops
+ the golang-dbg package which would be empty now. (Thanks Robie Basak)
+ (Closes: #717172)
+
+ -- Michael Stapelberg Wed, 17 Jul 2013 19:15:18 +0200
+
+golang (2:1.1.1-3) unstable; urgency=low
+
+ * Ship */runtime/cgo.a in golang-go to ensure it is present. It can only be
+ used on the native architecture anyway (cannot be used when
+ cross-compiling), so having it in golang-go-$GOOS-$GOARCH is not
+ necessary. Even worse, since these packages are arch: all, they will be
+ built precisely once, and only the runtime/cgo.a for the buildd’s native
+ arch will be present.
(Closes: #715025)
+
+ -- Michael Stapelberg Thu, 11 Jul 2013 20:25:52 +0200
+
+golang (2:1.1.1-2) unstable; urgency=low
+
+ [ James Page ]
+ * Ensure smooth upgrade path from << 2:1.1-2 (Closes: #714838)
+
+ -- Michael Stapelberg Wed, 03 Jul 2013 18:05:58 +0200
+
+golang (2:1.1.1-1) unstable; urgency=low
+
+ * Imported Upstream version 1.1.1
+
+ -- Ingo Oeser Fri, 14 Jun 2013 23:25:44 +0200
+
+golang (2:1.1-2) unstable; urgency=low
+
+ [ Ondřej Surý ]
+ * Promote Michael to Maintainer
+
+ [ Michael Stapelberg ]
+ * Build golang-go-$GOOS-$GOARCH packages for cross-compiling (Closes: #710090)
+ * Build race detector on linux/amd64 (only supported arch) (Closes: #710691)
+ * Switch compression to xz (50% smaller binaries)
+
+ -- Michael Stapelberg Fri, 07 Jun 2013 23:18:09 +0200
+
+golang (2:1.1-1) unstable; urgency=low
+
+ * New upstream release: Go 1.1!
+ * Remove the long obsolete goinstall debconf question and config file.
+ goinstall does not exist anymore since a long time.
+ This also obsoletes the need for any translations
+ (Closes: #685923, #692478)
+ * Emacs go-mode auto-mode-alist entry was fixed upstream (Closes: #670371)
+
+ -- Michael Stapelberg Tue, 14 May 2013 19:36:04 +0200
+
+golang (2:1.1~hg20130405-1) experimental; urgency=low
+
+ * Provide a new hg tip snapshot. This includes what was recently released as
+ Go 1.1 beta.
+
+ -- Michael Stapelberg Fri, 05 Apr 2013 18:24:36 +0200
+
+golang (2:1.1~hg20130323-1) experimental; urgency=low
+
+ * Provide a new hg tip snapshot.
+ * Add debian/watch (Closes: #699698)
+
+ -- Michael Stapelberg Sat, 23 Mar 2013 11:31:26 +0100
+
+golang (2:1.1~hg20130304-2) experimental; urgency=low
+
+ * Fix FTBFS of binary-arch only builds (as performed by buildds)
+ caused by 'rm' not finding jquery.js in golang-doc
+ (Thanks Peter Green)
+
+ -- Michael Stapelberg Tue, 05 Mar 2013 00:49:27 +0100
+
+golang (2:1.1~hg20130304-1) experimental; urgency=low
+
+ * Provide a hg tip snapshot (2013-03-04) in Debian experimental.
+ Current hg tip is a good approximation to Go 1.1 and should get
+ some testing within Debian in order to package Go 1.1 well when
+ it is released. Thanks to Andrew Gerrand.
+
+ -- Michael Stapelberg Mon, 04 Mar 2013 21:28:58 +0100
+
+golang (2:1.0.2-2) unstable; urgency=low
+
+ * Add myself to uploaders, as discussed in #683421.
+ * cherry-pick r820ffde8c396 (net/http: non-keepalive connections close
+ successfully) (Closes: #683421)
+
+ -- Michael Stapelberg Thu, 02 Aug 2012 14:25:58 +0200
+
+golang (2:1.0.2-1.1) unstable; urgency=low
+
+ * Non-maintainer upload. (as discussed with Ondřej in #679692)
+ * Fix godoc-symlinks.diff (godoc didn’t find docs) (Closes: #679692)
+
+ -- Michael Stapelberg Fri, 20 Jul 2012 17:59:38 +0200
+
+golang (2:1.0.2-1) unstable; urgency=low
+
+ [ Ondřej Surý ]
+ * Imported Upstream version 1.0.2
+ * Update Vcs fields to reflect new git repository location
+ * Kill get-orig-source, since 1.0.0, the tarballs can be downloaded from
+ webpage
+
+ [ Michael Stapelberg ]
+ * golang-mode: use debian-pkg-add-load-path-item (Closes: #664802)
+ * add manpages (Closes: #632964)
+ * Use updated pt.po from Pedro Ribeiro (Closes: #674958)
+
+ -- Ondřej Surý Thu, 28 Jun 2012 12:14:15 +0200
+
+golang (2:1.0.1-1) unstable; urgency=low
+
+ * Imported Upstream version 1.0.1
+ * Apply godoc patch to display package list correctly (Closes: #669354)
+
+ -- Ondřej Surý Wed, 02 May 2012 15:44:59 +0200
+
+golang (2:1-6) unstable; urgency=low
+
+ * Merge upstream patch to fix homedir issue
+ (http://code.google.com/p/go/source/detail?r=709120aecee0)
+ * Disable GNU/KFreeBSD build (Closes: #668794)
+
+ -- Ondřej Surý Wed, 18 Apr 2012 09:53:30 +0200
+
+golang (2:1-5) unstable; urgency=low
+
+ * Rewrite test conditions to make them more readable
+ (and fix the debian/rules to really not check on armel+kfreebsd)
+ * Patch upstream test to not fail on missing home directory
+
+ -- Ondřej Surý Sun, 15 Apr 2012 12:35:53 +0200
+
+golang (2:1-4) unstable;
urgency=low + + * Disable tests on Debian GNU/KFreeBSD, they just hang now (Closes: #668794) + * Disable tests on armel, but the invalid instruction needs fixing in + upstream + * Create fake home directory to pass the os/user test + + -- Ondřej Surý Sun, 15 Apr 2012 10:49:09 +0200 + +golang (2:1-3) unstable; urgency=high + + * Use VERSION provided by upstream for packaging purposes + * Run tests as a part of a build process + * Install full src tree (except pkg/debug) because go command depend + on sources available + * Install sources without testdata and *_test.go + * Remove circular dependency golang-go->golang-doc->golang-go + * Make sure that timestamp on installed binaries and libraries is same + because go build/install recompiles everything if the go binary has + more recent timestamp than libraries (Closes: #668235) + + Need to update timestamps at postinst time because already created + directories can have time in the past + * Fix couple of lintian errors and warnings + + -- Ondřej Surý Wed, 11 Apr 2012 23:21:47 +0200 + +golang (2:1-2) unstable; urgency=low + + * Remove preserving of old -tools settings, there are too many options + now anyway (Closes: #666007) + + -- Ondřej Surý Fri, 06 Apr 2012 16:52:13 +0200 + +golang (2:1-1) unstable; urgency=low + + * New major upstream release Go 1 (Closes: #666942) + * Bumb epoch to 2, since 1 < 60 < 2011 (I wonder if next version will be 0 :) + * Debconf templates and debian/control reviewed by the debian-l10n- + english team as part of the Smith review project. (Closes: #663181) + * [Debconf translation updates] + + Pick existing translations from golang-weekly and do appropriate + sed magic to fit golang templates. (Closes: #666884, #666880, #666881) + + Dutch; (Jeroen Schot). (Closes: #664598) + + Czech (Michal Simunek). (Closes: #665385) + + Spanish; (Camaleón). (Closes: #666177) + + Danish (Joe Hansen). 
(Closes: #666526) + + -- Ondřej Surý Fri, 06 Apr 2012 16:04:17 +0200 + +golang (1:60.3-2) unstable; urgency=low + + * debconf-gettextize package templates + + -- Ondřej Surý Mon, 20 Feb 2012 22:01:10 +0100 + +golang (1:60.3-1) unstable; urgency=low + + * Imported Upstream version 60.3 + + -- Ondřej Surý Mon, 28 Nov 2011 08:46:18 +0100 + +golang (1:60.2-1) unstable; urgency=low + + * Imported Upstream version 60.2 + + -- Ondřej Surý Thu, 06 Oct 2011 08:57:00 +0200 + +golang (1:60.1-1) unstable; urgency=low + + * Imported Upstream version 60.1 + + -- Ondřej Surý Mon, 19 Sep 2011 10:18:12 +0200 + +golang (1:60-1) unstable; urgency=low + + * Imported Upstream version 60 + * Save upstream VERSION to the archive + * Use GOVERSION as generated by src/version.bash on hg archive time + * Add support for goinstall dashboard debconf question in the Debian + packaging + * Read goinstall dashboard option from debian configuration file + * Remove 005-goinstall_dont_call_home_by_default.patch; replaced by + configuration option + * Fix directory name for upstream archive checkout + + -- Ondřej Surý Tue, 13 Sep 2011 13:13:59 +0200 + +golang (1:59-1) unstable; urgency=low + + * Imported Upstream version 59 + * Refresh patches to a new release + * Fix FTBFS on ARM (Closes: #634270) + * Update version.bash to work with Debian packaging and not hg + repository + + -- Ondřej Surý Wed, 03 Aug 2011 17:04:59 +0200 + +golang (1:58.1-2) unstable; urgency=low + + * Install golang-doc package by default (Recommends from golang-tools, + Depends from golang) + + -- Ondřej Surý Mon, 18 Jul 2011 09:13:43 +0200 + +golang (1:58.1-1) unstable; urgency=low + + * Imported Upstream version 58.1 + + -- Ondřej Surý Wed, 13 Jul 2011 08:39:04 +0200 + +golang (1:58-1) unstable; urgency=low + + * Imported Upstream version 58 + + Add NEWS file with upstream API changes + * Remove patch to not update standard package, fixed in upstream + + -- Ondřej Surý Thu, 30 Jun 2011 15:36:35 +0200 + +golang (1:57.2-1) 
unstable; urgency=low
+
+ * Imported Upstream version 57.2
+ * More spelling fixes (Closes: #630660)
+
+ -- Ondřej Surý Thu, 16 Jun 2011 11:10:58 +0200
+
+golang (1:57.1-4) unstable; urgency=low
+
+ * Description update to have proper articles and capitalization
+ (Closes: #630189)
+ * Add extended description about Go being experimental and that the
+ languager can change between releases
+
+ -- Ondřej Surý Tue, 14 Jun 2011 21:38:11 +0200
+
+golang (1:57.1-3) unstable; urgency=low
+
+ * Fix "the Google's Go implementation" in extended description
+ (Closes: #627814)
+ * Update Vcs-* links
+ * Install vim ftplugin files into correct directory (Closes: #629844)
+
+ -- Ondřej Surý Thu, 09 Jun 2011 10:10:41 +0200
+
+golang (1:57.1-2) unstable; urgency=low
+
+ * Bump standards version to 3.9.2
+ * Capitalize Kate (Closes: #627036)
+ * Import slightly modified patch to be more clear about $GOPATH
+ installs for non-root users
+ * Remove don't install deps patch from goinstall; deprecated by
+ $GOPATH installs
+
+ -- Ondřej Surý Mon, 23 May 2011 11:07:11 +0200
+
+golang (1:57.1-1) unstable; urgency=low
+
+ * Add support for dot-minor releases
+ * Imported Upstream version 57.1
+
+ -- Ondřej Surý Mon, 16 May 2011 11:45:53 +0200
+
+golang (1:57-3) unstable; urgency=low
+
+ [ Florian Weimer ]
+ * golang-tools: install gofix binary
+
+ [ Ondřej Surý ]
+ * Add lintian-overrides for gofix binary
+
+ -- Ondřej Surý Sat, 07 May 2011 20:41:58 +0200
+
+golang (1:57-2) unstable; urgency=low
+
+ * Remove weekly code from debian/rules
+ * Add golang meta-package
+ * Don't create tool chain symlinks twice
+ * Make debian/rules more generic for simpler sync between weekly
+ and release branches
+
+ -- Ondřej Surý Wed, 04 May 2011 16:48:24 +0200
+
+golang (1:57-1) unstable; urgency=low
+
+ * Imported Upstream version r57
+ * Bumped epoch version to 1, to convert from date based versions
+ to release number based version
+ * Allow release to migrate to testing (Closes: #624408)
+ * Add
kate and vim syntax highlighting (Closes: #624544) + * Add -dbg package with debugging symbols + + -- Ondřej Surý Wed, 04 May 2011 01:20:07 +0200 + +golang (2011.04.27-2) unstable; urgency=low + + * Fix yet another build failure on kfreebsd (use linux userspace) + + -- Ondřej Surý Fri, 29 Apr 2011 16:22:47 +0200 + +golang (2011.04.27-1) unstable; urgency=low + + * Imported Upstream version 2011.04.27 + * Update debian/rules to allow pulling weekly upstream releases + * Don't remove RUNPATH from binaries; fixed upstream (golang#1527) + * Set GOHOSTOS and GOHOSTARCH to match dpkg-architecture variables + * Add support for kfreebsd-i386, kfreebsd-amd64, armel and armhf + architectures + + 006-fix_kfreebsd_build.patch: + - Add GNU/KFreeBSD support by replacing all uname calls by $(GOOS) + + 007-use_native_dynamic_linker_on_kfreebsd.patch: + - Use native kfreebsd dynamic linker (/lib/ld-*.so.1) + * Add information about available architectures (Closes: #623877) + * Don't strip gotest + * Add Depends: golang-go to golang-tools + * Add better support for armhf + + -- Ondřej Surý Thu, 28 Apr 2011 16:14:39 +0200 + +golang (2011.04.13-1) unstable; urgency=low + + [ Florian Weimer ] + * Delete bin directory in clean target + * Enable parallel build + * golang-src: install source files directly + * Use proper symlink targets for architecture-independent toolchain + names + * Emacs mode: indent keys in struct literals properly + + [ Ondřej Surý ] + * Imported Upstream weekly version 2011.04.13 + * Update patches to new weekly release + * Add lintian-override for gotest binary + + -- Ondřej Surý Tue, 26 Apr 2011 09:59:28 +0200 + +golang (2011.03.07.1-1) unstable; urgency=low + + * Imported Upstream version 2011.03.07.1 + * Install to /usr/lib/go + * Remove xkcd strip to get rid of CC-NC-BY + * Update golang-src.install to new upstream + * Remove 002-use_GOROOT_FINAL_in_generated_binaries.patch; merged + upstream + * Make all .go files no-executable + * Update lintian-overrides 
to include both types of syntax + + -- Ondřej Surý Wed, 20 Apr 2011 17:36:48 +0200 + +golang (2011.02.15-2) unstable; urgency=low + + [ Ondřej Surý ] + * Add ${misc:Depends} to golang-mode to shutup lintian + * Rehaul build system and add golang-src package with .go source files + * goinstall: do not automatically install prerequisities + * goinstall: don't report to dashboard by default + * Add a README.Debian about local modifications to goinstall + * Add warning about local modifications also directly to goinstall command + + [ Florian Weimer ] + * Fix syntax error in 004- + dont_reinstall_dependencies_in_goinstall.patch + + -- Ondřej Surý Fri, 18 Feb 2011 16:02:09 +0100 + +golang (2011.02.15-1) unstable; urgency=low + + [ Obey Arthur Liu ] + * Added pkg-google git repo to control file + + [ Florian Weimer ] + * Build golang-mode package + + [ Ondřej Surý ] + * Imported Upstream version 2011.02.15 + * Don't compress godoc documentation + * Correctly use $GOROOT_FINAL in the build chain + * Remove RPATH/RUNPATH from go binaries + + -- Ondřej Surý Fri, 18 Feb 2011 11:39:10 +0100 + +golang (2011.02.01.1-1) unstable; urgency=low + + [ Ivan Wong ] + * Initial release (Closes: #574371) + + [ Jonathan Nieder ] + * Fill out copyright file + * Rewrite debian/rules using dh driver + * debian: fix get-orig-source rule + * debian: do not install extra files on repeated build + * debian: fix reversed ‘if’ + * debian: do not leave around stale debian/env.sh+ file + * debian: Build-Depends on awk instead of gawk + * debian: add run-time dependency on perl + * debian: add build-time dependency on perl + * debian: fix setting of GOARM on arm + * debian: do not compress files in web page + * debian: install favicon + + [ Ondřej Surý ] + * Make myself a maintainer + * Add patch to allow IPv4 on IPv6 sockets (Courtesy of Florian Weimer) + * Use GOROOT_FINAL and change GOBIN to /usr/bin + * Get rid of env.sh and wrappers + * Add support for building in i386 pbuilder on amd64 
architecture
+ * Rename source package to golang to match upstream repository name
+ * Add golang-doc package
+ * Split package into compiler, docs and tools
+ * Don't install quietgcc and hgpatch
+ * Don't generate fake gomake
+ * Update golang-doc package
+ * Export GOHOSTARCH and GOHOSTOS
+ * Disable build time checks
+ * Fail on missed installed files
+ * Revert s{tmp{golang-go{ change in DESTDIR
+ * Relicence debian/ files from versionless GPL to GPL-3
+ * Move golang-doc to doc section
+ * Add more lintian overrides for Go binaries
+ * Install all 6,8,5 variants of commands
+ * Install golang-* symlinks for 6,8,5* commands
+ * Don't strip govet as well
+ * Remove ${shlibs:Depends} where it doesn't belong
+ * Move more html files to golang-doc package
+ * Remove codereview directory - some python code to deal with mercurial
+
+ -- Ondřej Surý Mon, 14 Feb 2011 17:42:39 +0100
diff --git a/debian/compat b/debian/compat
new file mode 100644
index 0000000..7f8f011
--- /dev/null
+++ b/debian/compat
@@ -0,0 +1 @@
+7
diff --git a/debian/control b/debian/control
new file mode 100644
index 0000000..ee2e087
--- /dev/null
+++ b/debian/control
@@ -0,0 +1,98 @@
+#
+# WARNING: "debian/control" is generated via "debian/rules gencontrol" (sourced from "debian/control.in")
+#
+
+Source: golang-1.7
+Section: devel
+Priority: optional
+Maintainer: Go Compiler Team
+Uploaders: Michael Stapelberg ,
+ Paul Tagliamonte ,
+ Tianon Gravi ,
+ Michael Hudson-Doyle
+Vcs-Browser: https://anonscm.debian.org/cgit/pkg-golang/golang.git
+Vcs-Git: https://anonscm.debian.org/git/pkg-golang/golang.git -b golang-1.7
+Build-Depends: debhelper (>= 7.4.10),
+ golang-any (>= 2:1.4~) | golang-go (>= 2:1.4~) | gccgo (>= 4:5~),
+ netbase
+Standards-Version: 3.9.8
+Homepage: https://golang.org
+
+Package: golang-1.7-go
+Architecture: amd64 arm64 armel armhf i386 ppc64 ppc64el s390x
+Depends: golang-1.7-src (>= ${source:Version}),
+ ${misc:Depends},
+ ${perl:Depends},
+ ${shlibs:Depends}
+Recommends: g++, gcc, libc6-dev, pkg-config
+Suggests: bzr, ca-certificates, git, mercurial, subversion
+Description: Go programming language compiler, linker, compiled stdlib
+ The Go programming language is an open source project to make programmers more
+ productive. Go is expressive, concise, clean, and efficient. Its concurrency
+ mechanisms make it easy to write programs that get the most out of multicore
+ and networked machines, while its novel type system enables flexible and
+ modular program construction. Go compiles quickly to machine code yet has the
+ convenience of garbage collection and the power of run-time reflection. It's a
+ fast, statically typed, compiled language that feels like a dynamically typed,
+ interpreted language.
+ .
+ This package provides an assembler, compiler, linker, and compiled libraries
+ for the Go programming language.
+ .
+ Go supports cross-compilation, but as of Go 1.5, it is no longer necessary to
+ pre-compile the standard library inside GOROOT for cross-compilation to work.
+
+Package: golang-1.7-src
+Architecture: amd64 arm64 armel armhf i386 ppc64 ppc64el s390x
+Depends: ${misc:Depends}, ${shlibs:Depends}
+Description: Go programming language - source files
+ The Go programming language is an open source project to make programmers more
+ productive. Go is expressive, concise, clean, and efficient. Its concurrency
+ mechanisms make it easy to write programs that get the most out of multicore
+ and networked machines, while its novel type system enables flexible and
+ modular program construction. Go compiles quickly to machine code yet has the
+ convenience of garbage collection and the power of run-time reflection. It's a
+ fast, statically typed, compiled language that feels like a dynamically typed,
+ interpreted language.
+ .
+ This package provides the Go programming language source files needed for
+ cross-compilation.
+
+Package: golang-1.7-doc
+Depends: golang-1.7-go, ${misc:Depends}
+Architecture: all
+Section: doc
+Description: Go programming language - documentation
+ The Go programming language is an open source project to make
+ programmers more productive. Go is expressive, concise, clean, and
+ efficient. Its concurrency mechanisms make it easy to write programs
+ that get the most out of multicore and networked machines, while its
+ novel type system enables flexible and modular program construction.
+ Go compiles quickly to machine code yet has the convenience of
+ garbage collection and the power of run-time reflection. It's a fast,
+ statically typed, compiled language that feels like a dynamically
+ typed, interpreted language.
+ .
+ This package provides the documentation for the Go programming
+ language. You can view the formatted documentation by running "godoc
+ --http=:6060", and then visiting http://localhost:6060/doc/install.html.
+
+Package: golang-1.7
+Depends: golang-1.7-doc (>= ${source:Version}),
+ golang-1.7-go (>= ${source:Version}),
+ golang-1.7-src (>= ${source:Version}),
+ ${misc:Depends}
+Architecture: all
+Description: Go programming language compiler - metapackage
+ The Go programming language is an open source project to make
+ programmers more productive. Go is expressive, concise, clean, and
+ efficient. Its concurrency mechanisms make it easy to write programs
+ that get the most out of multicore and networked machines, while its
+ novel type system enables flexible and modular program construction.
+ Go compiles quickly to machine code yet has the convenience of
+ garbage collection and the power of run-time reflection. It's a
+ fast, statically typed, compiled language that feels like a
+ dynamically typed, interpreted language.
+ .
+ This package is a metapackage that, when installed, guarantees
+ that (most of) a full Go development environment is installed.
diff --git a/debian/control.in b/debian/control.in
new file mode 100644
index 0000000..a648624
--- /dev/null
+++ b/debian/control.in
@@ -0,0 +1,94 @@
+Source: golang-X.Y
+Section: devel
+Priority: optional
+Maintainer: Go Compiler Team
+Uploaders: Michael Stapelberg ,
+ Paul Tagliamonte ,
+ Tianon Gravi ,
+ Michael Hudson-Doyle
+Vcs-Browser: https://anonscm.debian.org/cgit/pkg-golang/golang.git
+Vcs-Git: https://anonscm.debian.org/git/pkg-golang/golang.git -b golang-X.Y
+Build-Depends: debhelper (>= 7.4.10),
+ golang-any (>= 2:1.4~) | golang-go (>= 2:1.4~) | gccgo (>= 4:5~),
+ netbase
+Standards-Version: 3.9.8
+Homepage: https://golang.org
+
+Package: golang-X.Y-go
+Architecture: amd64 arm64 armel armhf i386 ppc64 ppc64el s390x
+Depends: golang-X.Y-src (>= ${source:Version}),
+ ${misc:Depends},
+ ${perl:Depends},
+ ${shlibs:Depends}
+Recommends: g++, gcc, libc6-dev, pkg-config
+Suggests: bzr, ca-certificates, git, mercurial, subversion
+Description: Go programming language compiler, linker, compiled stdlib
+ The Go programming language is an open source project to make programmers more
+ productive. Go is expressive, concise, clean, and efficient. Its concurrency
+ mechanisms make it easy to write programs that get the most out of multicore
+ and networked machines, while its novel type system enables flexible and
+ modular program construction. Go compiles quickly to machine code yet has the
+ convenience of garbage collection and the power of run-time reflection. It's a
+ fast, statically typed, compiled language that feels like a dynamically typed,
+ interpreted language.
+ .
+ This package provides an assembler, compiler, linker, and compiled libraries
+ for the Go programming language.
+ .
+ Go supports cross-compilation, but as of Go 1.5, it is no longer necessary to
+ pre-compile the standard library inside GOROOT for cross-compilation to work.
+
+Package: golang-X.Y-src
+Architecture: amd64 arm64 armel armhf i386 ppc64 ppc64el s390x
+Depends: ${misc:Depends}, ${shlibs:Depends}
+Description: Go programming language - source files
+ The Go programming language is an open source project to make programmers more
+ productive. Go is expressive, concise, clean, and efficient. Its concurrency
+ mechanisms make it easy to write programs that get the most out of multicore
+ and networked machines, while its novel type system enables flexible and
+ modular program construction. Go compiles quickly to machine code yet has the
+ convenience of garbage collection and the power of run-time reflection. It's a
+ fast, statically typed, compiled language that feels like a dynamically typed,
+ interpreted language.
+ .
+ This package provides the Go programming language source files needed for
+ cross-compilation.
+
+Package: golang-X.Y-doc
+Depends: golang-X.Y-go, ${misc:Depends}
+Architecture: all
+Section: doc
+Description: Go programming language - documentation
+ The Go programming language is an open source project to make
+ programmers more productive. Go is expressive, concise, clean, and
+ efficient. Its concurrency mechanisms make it easy to write programs
+ that get the most out of multicore and networked machines, while its
+ novel type system enables flexible and modular program construction.
+ Go compiles quickly to machine code yet has the convenience of
+ garbage collection and the power of run-time reflection. It's a fast,
+ statically typed, compiled language that feels like a dynamically
+ typed, interpreted language.
+ .
+ This package provides the documentation for the Go programming
+ language. You can view the formatted documentation by running "godoc
+ --http=:6060", and then visiting http://localhost:6060/doc/install.html.
+
+Package: golang-X.Y
+Depends: golang-X.Y-doc (>= ${source:Version}),
+ golang-X.Y-go (>= ${source:Version}),
+ golang-X.Y-src (>= ${source:Version}),
+ ${misc:Depends}
+Architecture: all
+Description: Go programming language compiler - metapackage
+ The Go programming language is an open source project to make
+ programmers more productive. Go is expressive, concise, clean, and
+ efficient. Its concurrency mechanisms make it easy to write programs
+ that get the most out of multicore and networked machines, while its
+ novel type system enables flexible and modular program construction.
+ Go compiles quickly to machine code yet has the convenience of
+ garbage collection and the power of run-time reflection. It's a
+ fast, statically typed, compiled language that feels like a
+ dynamically typed, interpreted language.
+ .
+ This package is a metapackage that, when installed, guarantees
+ that (most of) a full Go development environment is installed.
diff --git a/debian/copyright b/debian/copyright
new file mode 100644
index 0000000..983466b
--- /dev/null
+++ b/debian/copyright
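Review bot: The golang-X.Y-doc description in debian/control.in tells users to run `godoc --http=:6060`, an address with no host part, so godoc listens on every interface even though the same sentence then points them at http://localhost:6060/doc/install.html. On a networked or shared machine that exposes the documentation server, and presumably whatever local source godoc is indexing, to other hosts. I would write the command as `godoc --http=localhost:6060` in that description; the generated debian/control hunk before it carries the same text and should pick the change up when regenerated through `debian/rules gencontrol`. Separately, `ca-certificates` sits only in Suggests for golang-X.Y-go; if fetching packages over HTTPS is an expected use of this package, moving it to Recommends would keep certificate verification working out of the box, though that is a packaging decision to confirm.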
@@ -0,0 +1,1206 @@ +Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Upstream-Name: golang +Source: https://github.com/golang/go + +Files: * +Copyright: © 2009, 2010, The Go Authors. All rights reserved. +License: Go + +Files: include/* + src/lib9/* + src/libbio/* + src/runtime/386/* + src/libmach/* + src/runtime/arm/vlop.s + src/runtime/arm/vlrt.c + src/runtime/arm/memset.s + src/runtime/arm/memmove.s + src/runtime/amd64/memmove.s + src/runtime/amd64/memmove.s + src/math/fltasm_amd64.s + src/cmd/6c/txt.c + src/cmd/gopack/ar.c + src/cmd/ld/lib.[ch] + src/cmd/6a/a.[yh] + src/cmd/6a/lex.c + src/cmd/5g/gobj.c + src/cmd/5g/list.c + src/cmd/5g/gsubr.c + src/cmd/5g/opt.h + src/cmd/8c/* + src/cmd/goyacc/goyacc.go + src/cmd/5l/* + src/cmd/6g/reg.c + src/cmd/6g/gobj.c + src/cmd/6g/peep.c + src/cmd/6g/list.c + src/cmd/6g/gsubr.c + src/cmd/6g/opt.c + src/cmd/8l/* + src/cmd/nm/nm.c + src/cmd/gc/bits.c + src/cmd/cc/* + src/cmd/5a/* + src/cmd/8g/reg.c + src/cmd/8g/gobj.c + src/cmd/8g/peep.c + src/cmd/8g/list.c + src/cmd/8g/gsubr.c + src/cmd/8g/opt.h + src/cmd/5c/* + src/cmd/6l/* + src/cmd/8a/* +Origin: Plan 9 from User Space include/, src/lib9/, src/libmach/ + Inferno utils/include/, utils/libmach/, utils/6c/, utils/iar/, + utils/6l/, utils/6a/, utils/5c/, utils/8c/, utils/iyacc/, + utils/5l/, utils/6c/, utils/8l/, utils/nm/, utils/cc/, + utils/5a/, utils/8a/, lib9/, libkern/, libbio/ +Copyright: © 1994-1999 Lucent Technologies Inc. All rights reserved. + Portions © 1997-1999 Vita Nuova Limited + Portions © 2000-2007 Vita Nuova Holdings Limited (www.vitanuova.com) + Portions © 2001-2007 Russ Cox. All rights reserved. + Portions © 2004,2006 Bruce Ellis + Portions © 1995-2007 C H Forsyth (forsyth@terzarima.net) + Revisions © 2000-2007 Lucent Technologies Inc. and others + Portions © 2009 The Go Authors. All rights reserved. 
+License: X11 + +Files: src/lib9/goos.c + src/lib9/win32.c + src/lib9/Makefile + src/runtime/386/asm.s + src/runtime/386/closure.c + src/runtime/arm/asm.s + src/runtime/arm/closure.c + src/runtime/arm/cas5.s + src/libmach/fakeobj.c + src/libmach/macho.h + src/cmd/6c/doc.go + src/cmd/6c/Makefile + src/cmd/8c/doc.go + src/cmd/8c/Makefile + src/cmd/5l/doc.go + src/cmd/5l/softfloat.c + src/cmd/5l/Makefile + src/cmd/8l/doc.go + src/cmd/8l/Makefile + src/cmd/cc/doc.go + src/cmd/cc/Makefile + src/cmd/5a/doc.go + src/cmd/5a/Makefile + src/cmd/5c/doc.go + src/cmd/5c/Makefile + src/cmd/6l/doc.go + src/cmd/6l/Makefile + src/cmd/8a/doc.go + src/cmd/8a/Makefile +Copyright: © 2009, 2010, The Go Authors. All rights reserved. +License: Go + +Files: include/fmt.h + src/lib9/utf/* + src/lib9/fmt/* + src/runtime/rune.c +Copyright: © 1998-2002 by Lucent Technologies. + Portions © 2004 Google Inc. + Portions © 2009 The Go Authors. All rights reserved. +License: MIT-Inspired + The authors of this software are Rob Pike and Ken Thompson, + with contributions from Mike Burrows and Sean Dorward. + Copyright (c) 1998-2006 by Lucent Technologies. + Portions Copyright (c) 2004 Google Inc. + Portions Copyright (c) 2009 The Go Authors. All rights reserved. + Permission to use, copy, modify, and distribute this software for any + purpose without fee is hereby granted, provided that this entire notice + is included in all copies of any software which is or includes a copy + or modification of this software and in all copies of the supporting + documentation for such software. + THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR IMPLIED + WARRANTY. IN PARTICULAR, NEITHER THE AUTHORS NOR LUCENT TECHNOLOGIES MAKE ANY + REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE MERCHANTABILITY + OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR PURPOSE. + +Files: src/lib9/utf/mkrunetype.c +Copyright: © 2009, The Go Authors. All rights reserved. 
+License: Go + +Files: src/cmd/cov/tree.[ch] +Copyright: © 2003-2007 Russ Cox, Tom Bergan, Austin Clements, + Massachusetts Institute of Technology + Portions © 2009 The Go Authors. All rights reserved. +License: X11 + +Files: src/cmd/prof/gopprof +Origin: based on src/pprof from google-perftools +Copyright: © 1998-2007, Google Inc. +License: Perftools +Notes: + This is a copy of http://google-perftools.googlecode.com/svn/trunk/src/pprof + with local modifications to handle generation of SVG images and + the Go-style pprof paths. These modifications will probably filter + back into the official source before long. + It's convenient to have a copy here because we need just the one + Perl script, not all the C++ libraries that surround it. + +Files: src/runtime/tiny/bootblock +Origin: Xv6 rev3 +Copyright: © 2006-2009 Frans Kaashoek, Robert Morris, Russ Cox, + Massachusetts Institute of Technology +License: X11 + +Files: src/debug/dwarf/testdata/typedef.macho + src/debug/dwarf/testdata/typedef.elf +Source: src/debug/dwarf/testdata/typedef.c +Copyright: © 2009, The Go Authors. All rights reserved. +License: Go + +Files: src/debug/macho/testdata/gcc-amd64-darwin-exec-debug + src/debug/macho/testdata/gcc-386-darwin-exec + src/debug/macho/testdata/gcc-amd64-darwin-exec + src/debug/elf/testdata/go-relocation-test-gcc424-x86-64.o + src/debug/elf/testdata/gcc-amd64-linux-exec + src/debug/elf/testdata/go-relocation-test-gcc441-x86.o + src/debug/elf/testdata/gcc-386-freebsd-exec + src/debug/elf/testdata/go-relocation-test-gcc441-x86-64.o +Source: src/debug/elf/testdata/hello.c +Copyright: © 2009, 2010, The Go Authors. All rights reserved. +License: Go + +Files: src/debug/elf/elf.go + src/cmd/ld/elf.h +Origin: FreeBSD src/sys/sys/elf{32,64,_common}.h, src/sys/*/include/elf.h +Copyright: © 1996-1998 John D. Polstra. All rights reserved. + © 2001 David E. O'Brien + Portions © 2009 The Go Authors. All rights reserved. 
+License: FreeBSD + +Files: src/math/log1p.go +Origin: Translated and simplified from FreeBSD /usr/src/lib/msun/src/s_log1p.c +Copyright: © 2010 The Go Authors. All rights reserved. + Based on code © 1993 by Sun Microsystems, Inc. All rights reserved. +License: Go +Comment: + The original C code, the long comment, and the constants + below are from FreeBSD's /usr/src/lib/msun/src/s_log1p.c + and came with this notice. The go code is a simplified + version of the original C. + . + ==================================================== + Copyright (C) 1993 by Sun Microsystems, Inc. All rights reserved. + . + Developed at SunPro, a Sun Microsystems, Inc. business. + Permission to use, copy, modify, and distribute this + software is freely granted, provided that this notice + is preserved. + +Files: src/image/jpeg/idct.go +Origin: Translated from idct.c in the MPEG-2 (ISO/IEC 13818-4) + technical report video software verifier (mpeg2decode) + version 960109 +Copyright: © 1996, MPEG Software Simulation Group. All Rights Reserved. +License: MPEG + +Files: src/exp/spacewar/pdp1.go + src/exp/spacewar/spacewar.go +Origin: Translated from the Java emulator pdp1.java in Spacewar! +Copyright: © 1996 Barry Silverman, Brian Silverman, Vadim Gerasimov. + Portions © 2009 The Go Authors. +License: Spacewar! + +Files: src/exp/spacewar/code.go +Origin: The original Spacewar! +Copyright: See license +License: PD + This file contains the assembly language and machine code for + Spacewar!, the original PDP-1 video game. It is downloaded from + http://spacewar.oversigma.com/sources/sources.zip which has + the following notice at http://spacewar.oversigma.com/: + . + Spacewar! was conceived in 1961 by Martin Graetz, Stephen Russell, + and Wayne Wiitanen. It was first realized on the PDP-1 in 1962 by + Stephen Russell, Peter Samson, Dan Edwards, and Martin Graetz, + together with Alan Kotok, Steve Piner, and Robert A Saunders. + Spacewar! 
is in the public domain, but this credit paragraph must + accompany all distributed versions of the program. + . + This is the original version! Martin Graetz provided us with a + printed version of the source. We typed in in again - it was about + 40 pages long - and re-assembled it with a PDP-1 assembler written + in PERL. The resulting binary runs on a PDP-1 emulator written as + a Java applet. The code is extremely faithful to the original. There + are only two changes. 1)The spaceships have been made bigger and + 2) The overall timing has been special cased to deal with varying + machine speeds. + . + The "a", "s", "d", "f" keys control one of the spaceships. The "k", + "l", ";", "'" keys control the other. The controls are spin one + way, spin the other, thrust, and fire. + . + Barry Silverman + Brian Silverman + Vadim Gerasimov + +Files: src/exp/4s/xs.go + src/exp/4s/data.go +Origin: Derived from Plan 9's /sys/src/games/xs.c +Copyright: © 2003, Lucent Technologies Inc. and others. All Rights Reserved. + Portions © 2009 The Go Authors. All Rights Reserved. +License: Plan9 + +Files: src/cmd/goyacc/units.txt +Origin: Plan9's /lib/units +Copyright: © 2003, Lucent Technologies Inc. and others. All Rights Reserved. +License: Plan9 + +Files: src/cmd/goyacc/units.y +Origin: Derived from Plan9's /sys/src/cmd/units.y +Copyright: © 2003, Lucent Technologies Inc. and others. All Rights Reserved. + Portions © 2009 The Go Authors. All Rights Reserved. +License: Plan9 + +Files: src/html/testdata/webkit/* +Origin: WebKit LayoutTests/html5lib/resources/ +Copyright: © 2009, Apple Inc. All rights reserved. +License: WebKit + +Files: src/image/png/testdata/pngsuite/* +Origin: libpng 1.2.40, contrib/pngsuite/* +Copyright: © Willem van Schaik, 1999 +License: noderivs + Permission to use, copy, and distribute these images for any purpose and + without fee is hereby granted. + +Files: lib/codereview/* +Copyright: © 2007-2009 Google Inc. 
+License: Apache-2.0 + +Files: lib/godoc/godoc.html +Copyright: © 2009, 2010, The Go Authors. All rights reserved. +License: CC-BY-3.0 +Comment: + Except as noted, this content is licensed under Creative Commons + Attribution 3.0 + +Files: misc/cgo/gmp/pi.go +Copyright: Brent Fulgham +Authors: contributed by The Go Authors. + based on pidigits.c (by Paolo Bonzini & Sean Bartlett, + modified by Michael Mellor) +License: Shootout + +Files: test/garbage/tree.go + test/bench/* +Copyright: Brent Fulgham +License: Shootout + +Files: favicon.ico + doc/gopher/* +Copyright: Renée French +License: CC-BY-3.0 +Comment: + The mascot and logo were designed by + Renée French , who also designed + Glenda , + the Plan 9 bunny. + The gopher is derived from one she used for an WFMU + T-shirt design some years ago. + The logo and mascot are covered by the + Creative Commons Attribution 3.0 + license. + +Files: doc/* +Copyright: © 2009, 2010, The Go Authors. All rights reserved. +License: CC-BY-3.0 +Comment: + Except as noted, this content is licensed under Creative Commons + Attribution 3.0 + +Files: doc/htmlgen.go + doc/makehtml + doc/popups.js + doc/style.css + doc/Makefile + doc/codelab/wiki/Makefile + doc/prog.sh + doc/progs/* + doc/codewalk/codewalk.css + doc/codewalk/codewalk.js + doc/codewalk/urlpoll.go + doc/talks/io2010/*.go +Copyright: © 2009, 2010, The Go Authors. All rights reserved. +License: Go + +Files: doc/talks/slidy.* +Origin: http://www.w3.org/Talks/Tools/Slidy/ +Copyright: © 2005 W3C (MIT, ERCIM, Keio), All Rights Reserved. +License: W3C +Comment: + W3C liability, trademark, document use and software licensing + rules apply, see: + . + http://www.w3.org/Consortium/Legal/copyright-documents + http://www.w3.org/Consortium/Legal/copyright-software + +Files: debian/* +Copyright: 2010 Ivan Wong + 2010 Ondřej Surý + 2012 Michael Stapelberg + 2014 Canonical Ltd + 2014 Tianon Gravi +License: Go + +License: Go + Copyright © 2009 The Go Authors. All rights reserved. + . 
+ Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are + met: + . + * Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above + copyright notice, this list of conditions and the following disclaimer + in the documentation and/or other materials provided with the + distribution. + * Neither the name of Google Inc. nor the names of its + contributors may be used to endorse or promote products derived from + this software without specific prior written permission. + . + THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT + LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE + OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + . + Subject to the terms and conditions of this License, Google hereby + grants to You a perpetual, worldwide, non-exclusive, no-charge, + royalty-free, irrevocable (except as stated in this section) patent + license to make, have made, use, offer to sell, sell, import, and + otherwise transfer this implementation of Go, where such license + applies only to those patent claims licensable by Google that are + necessarily infringed by use of this implementation of Go. 
If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that this + implementation of Go or a Contribution incorporated within this + implementation of Go constitutes direct or contributory patent + infringement, then any patent licenses granted to You under this + License for this implementation of Go shall terminate as of the date + such litigation is filed. + +License: Apache-2.0 + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + . + http://www.apache.org/licenses/LICENSE-2.0 + . + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + . + On Debian systems, the Apache License, Version 2.0 can be found at + /usr/share/common-licenses/Apache-2.0. + +License: X11 + Permission is hereby granted, free of charge, to any person obtaining a copy + of this software and associated documentation files (the "Software"), to deal + in the Software without restriction, including without limitation the rights + to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + copies of the Software, and to permit persons to whom the Software is + furnished to do so, subject to the following conditions: + . + The above copyright notice and this permission notice shall be included in + all copies or substantial portions of the Software. + . + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 
IN NO EVENT SHALL THE + AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + THE SOFTWARE. + +License: FreeBSD + Copyright (c) 1996-1998 John D. Polstra. All rights reserved. + Copyright (c) 2001 David E. O'Brien + Portions Copyright 2009 The Go Authors. All rights reserved. + . + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + 1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + . + THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + SUCH DAMAGE. + +License: MPEG + These software programs are available to the user without any license fee or + royalty on an "as is" basis. 
The MPEG Software Simulation Group disclaims + any and all warranties, whether express, implied, or statuary, including any + implied warranties or merchantability or of fitness for a particular + purpose. In no event shall the copyright-holder be liable for any + incidental, punitive, or consequential damages of any kind whatsoever + arising from the use of these programs. + . + This disclaimer of warranty extends to the user of these programs and user's + customers, employees, agents, transferees, successors, and assigns. + . + The MPEG Software Simulation Group does not represent or warrant that the + programs furnished hereunder are free of infringement of any third-party + patents. + . + Commercial implementations of MPEG-1 and MPEG-2 video, including shareware, + are subject to royalty fees to patent holders. Many of these patents are + general enough such that they are unavoidable regardless of implementation + design. + +License: Perftools + Copyright (c) 1998-2007, Google Inc. + All rights reserved. + . + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are + met: + . + * Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above + copyright notice, this list of conditions and the following disclaimer + in the documentation and/or other materials provided with the + distribution. + * Neither the name of Google Inc. nor the names of its + contributors may be used to endorse or promote products derived from + this software without specific prior written permission. + . + THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT
+ OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+License: Shootout
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+ .
+ * Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+ .
+ * Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+ .
+ * Neither the name of "The Computer Language Benchmarks Game" nor the
+ name of "The Computer Language Shootout Benchmarks" nor the names of
+ its contributors may be used to endorse or promote products derived
+ from this software without specific prior written permission.
+ .
+ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ ARE DISCLAIMED.
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
+ LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+
+License: WebKit
+ Copyright (C) 2009 Apple Inc. All rights reserved.
+ .
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+ .
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+ .
+ 2. Redistributions in binary form must reproduce the above copyright notice,
+ this list of conditions and the following disclaimer in the documentation
+ and/or other materials provided with the distribution.
+ .
+ THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS "AS IS" AND ANY
+ EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS BE LIABLE FOR ANY
+ DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+License: Spacewar!
+ Copyright (c) 1996 Barry Silverman, Brian Silverman, Vadim Gerasimov.
+ Portions Copyright (c) 2009 The Go Authors.
+ .
+ Permission is hereby granted, free of charge, to any person obtaining a copy
+ of this software and associated documentation files (the "Software"), to deal
+ in the Software without restriction, including without limitation the rights
+ to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ copies of the Software, and to permit persons to whom the Software is
+ furnished to do so, subject to the following conditions:
+ .
+ The above copyright notice and this permission notice shall be included in
+ all copies or substantial portions of the Software.
+ .
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ THE SOFTWARE.
+ .
+ This package and spacewar.go implement a simple PDP-1 emulator
+ complete enough to run the original PDP-1 video game Spacewar!
+ See nacl/README for details on running them.
+ .
+ They are a translation of the Java emulator pdp1.java in
+ http://spacewar.oversigma.com/sources/sources.zip.
+ .
+ See also the PDP-1 handbook at http://www.dbit.com/~greeng3/pdp1/pdp1.html
+ .
+ http://spacewar.oversigma.com/readme.html begins:
+ .
+ Spacewar! was conceived in 1961 by Martin Graetz, Stephen Russell,
+ and Wayne Wiitanen. It was first realized on the PDP-1 in 1962 by
+ Stephen Russell, Peter Samson, Dan Edwards, and Martin Graetz,
+ together with Alan Kotok, Steve Piner, and Robert A Saunders.
+ Spacewar! is in the public domain, but this credit paragraph must
+ accompany all distributed versions of the program.
+
+License: Plan9
+ Lucent Public License Version 1.02
+ .
+ THE ACCOMPANYING PROGRAM IS PROVIDED UNDER THE TERMS OF THIS PUBLIC LICENSE
+ ("AGREEMENT"). ANY USE, REPRODUCTION OR DISTRIBUTION OF THE PROGRAM CONSTITUTES
+ RECIPIENT'S ACCEPTANCE OF THIS AGREEMENT.
+ .
+ 1. DEFINITIONS
+ .
+ "Contribution" means:
+ .
+ a. in the case of Lucent Technologies Inc. ("LUCENT"), the Original Program,
+ and
+ b. in the case of each Contributor,
+ i. changes to the Program, and
+ ii. additions to the Program;
+ where such changes and/or additions to the Program were added to the
+ Program by such Contributor itself or anyone acting on such Contributor's
+ behalf, and the Contributor explicitly consents, in accordance with
+ Section 3C, to characterization of the changes and/or additions as
+ Contributions.
+ .
+ "Contributor" means LUCENT and any other entity that has Contributed a
+ Contribution to the Program.
+ .
+ "Distributor" means a Recipient that distributes the Program, modifications to
+ the Program, or any part thereof.
+ .
+ "Licensed Patents" mean patent claims licensable by a Contributor which are
+ necessarily infringed by the use or sale of its Contribution alone or when
+ combined with the Program.
+ .
+ "Original Program" means the original version of the software accompanying
+ this Agreement as released by LUCENT, including source code, object code and
+ documentation, if any.
+ .
+ "Program" means the Original Program and Contributions or any part thereof
+ .
+ "Recipient" means anyone who receives the Program under this Agreement,
+ including all Contributors.
+ .
+ 2. GRANT OF RIGHTS
+ .
+ a. Subject to the terms of this Agreement, each Contributor hereby grants
+ Recipient a non-exclusive, worldwide, royalty-free copyright license to
+ reproduce, prepare derivative works of, publicly display, publicly
+ perform, distribute and sublicense the Contribution of such Contributor,
+ if any, and such derivative works, in source code and object code form.
+ .
+ b.
Subject to the terms of this Agreement, each Contributor hereby grants
+ Recipient a non-exclusive, worldwide, royalty-free patent license under
+ Licensed Patents to make, use, sell, offer to sell, import and otherwise
+ transfer the Contribution of such Contributor, if any, in source code and
+ object code form. The patent license granted by a Contributor shall also
+ apply to the combination of the Contribution of that Contributor and the
+ Program if, at the time the Contribution is added by the Contributor,
+ such addition of the Contribution causes such combination to be covered
+ by the Licensed Patents. The patent license granted by a Contributor
+ shall not apply to (i) any other combinations which include the
+ Contribution, nor to (ii) Contributions of other Contributors. No
+ hardware per se is licensed hereunder.
+ .
+ c. Recipient understands that although each Contributor grants the licenses
+ to its Contributions set forth herein, no assurances are provided by any
+ Contributor that the Program does not infringe the patent or other
+ intellectual property rights of any other entity. Each Contributor
+ disclaims any liability to Recipient for claims brought by any other
+ entity based on infringement of intellectual property rights or
+ otherwise. As a condition to exercising the rights and licenses granted
+ hereunder, each Recipient hereby assumes sole responsibility to secure
+ any other intellectual property rights needed, if any. For example, if a
+ third party patent license is required to allow Recipient to distribute
+ the Program, it is Recipient's responsibility to acquire that license
+ before distributing the Program.
+ .
+ d. Each Contributor represents that to its knowledge it has sufficient
+ copyright rights in its Contribution, if any, to grant the copyright
+ license set forth in this Agreement.
+ .
+ 3. REQUIREMENTS
+ .
+ A.
Distributor may choose to distribute the Program in any form under this
+ Agreement or under its own license agreement, provided that:
+ .
+ a. it complies with the terms and conditions of this Agreement;
+ .
+ b. if the Program is distributed in source code or other tangible form, a
+ copy of this Agreement or Distributor's own license agreement is included
+ with each copy of the Program; and
+ .
+ c. if distributed under Distributor's own license agreement, such license
+ agreement:
+ i. effectively disclaims on behalf of all Contributors all warranties
+ and conditions, express and implied, including warranties or
+ conditions of title and non-infringement, and implied warranties or
+ conditions of merchantability and fitness for a particular purpose;
+ ii. effectively excludes on behalf of all Contributors all liability for
+ damages, including direct, indirect, special, incidental and
+ consequential damages, such as lost profits; and
+ iii. states that any provisions which differ from this Agreement are
+ offered by that Contributor alone and not by any other party.
+ .
+ B. Each Distributor must include the following in a conspicuous location in
+ the Program:
+ .
+ Copyright (C) 2003, Lucent Technologies Inc. and others. All Rights Reserved.
+ .
+ C. In addition, each Contributor must identify itself as the originator of its
+ Contribution in a manner that reasonably allows subsequent Recipients to
+ identify the originator of the Contribution. Also, each Contributor must agree
+ that the additions and/or changes are intended to be a Contribution. Once a
+ Contribution is contributed, it may not thereafter be revoked.
+ .
+ 4. COMMERCIAL DISTRIBUTION
+ .
+ Commercial distributors of software may accept certain responsibilities with
+ respect to end users, business partners and the like.
While this license is
+ intended to facilitate the commercial use of the Program, the Distributor who
+ includes the Program in a commercial product offering should do so in a manner
+ which does not create potential liability for Contributors. Therefore, if a
+ Distributor includes the Program in a commercial product offering, such
+ Distributor ("Commercial Distributor") hereby agrees to defend and indemnify
+ every Contributor ("Indemnified Contributor") against any losses, damages and
+ costs (collectively "Losses") arising from claims, lawsuits and other legal
+ actions brought by a third party against the Indemnified Contributor to the
+ extent caused by the acts or omissions of such Commercial Distributor in
+ connection with its distribution of the Program in a commercial product
+ offering. The obligations in this section do not apply to any claims or Losses
+ relating to any actual or alleged intellectual property infringement. In order
+ to qualify, an Indemnified Contributor must: a) promptly notify the Commercial
+ Distributor in writing of such claim, and b) allow the Commercial Distributor
+ to control, and cooperate with the Commercial Distributor in, the defense and
+ any related settlement negotiations. The Indemnified Contributor may
+ participate in any such claim at its own expense.
+ .
+ For example, a Distributor might include the Program in a commercial product
+ offering, Product X. That Distributor is then a Commercial Distributor. If
+ that Commercial Distributor then makes performance claims, or offers
+ warranties related to Product X, those performance claims and warranties are
+ such Commercial Distributor's responsibility alone. Under this section, the
+ Commercial Distributor would have to defend claims against the Contributors
+ related to those performance claims and warranties, and if a court requires
+ any Contributor to pay any damages as a result, the Commercial Distributor
+ must pay those damages.
+ .
+ 5. NO WARRANTY
+ .
+ EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, THE PROGRAM IS PROVIDED ON AN
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, EITHER EXPRESS OR
+ IMPLIED INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OR CONDITIONS OF TITLE,
+ NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Each
+ Recipient is solely responsible for determining the appropriateness of using
+ and distributing the Program and assumes all risks associated with its
+ exercise of rights under this Agreement, including but not limited to the
+ risks and costs of program errors, compliance with applicable laws, damage to
+ or loss of data, programs or equipment, and unavailability or interruption of
+ operations.
+ .
+ 6. DISCLAIMER OF LIABILITY
+ .
+ EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, NEITHER RECIPIENT NOR ANY
+ CONTRIBUTORS SHALL HAVE ANY LIABILITY FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING WITHOUT LIMITATION
+ LOST PROFITS), HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OR DISTRIBUTION OF THE PROGRAM OR THE
+ EXERCISE OF ANY RIGHTS GRANTED HEREUNDER, EVEN IF ADVISED OF THE POSSIBILITY
+ OF SUCH DAMAGES.
+ .
+ 7. EXPORT CONTROL
+ .
+ Recipient agrees that Recipient alone is responsible for compliance with the
+ United States export administration regulations (and the export control laws
+ and regulation of any other countries).
+ .
+ 8. GENERAL
+ .
+ If any provision of this Agreement is invalid or unenforceable under
+ applicable law, it shall not affect the validity or enforceability of the
+ remainder of the terms of this Agreement, and without further action by the
+ parties hereto, such provision shall be reformed to the minimum extent
+ necessary to make such provision valid and enforceable.
+ .
+ If Recipient institutes patent litigation against a Contributor with respect
+ to a patent applicable to software (including a cross-claim or counterclaim in
+ a lawsuit), then any patent licenses granted by that Contributor to such
+ Recipient under this Agreement shall terminate as of the date such litigation
+ is filed. In addition, if Recipient institutes patent litigation against any
+ entity (including a cross-claim or counterclaim in a lawsuit) alleging that
+ the Program itself (excluding combinations of the Program with other software
+ or hardware) infringes such Recipient's patent(s), then such Recipient's
+ rights granted under Section 2(b) shall terminate as of the date such
+ litigation is filed.
+ .
+ All Recipient's rights under this Agreement shall terminate if it fails to
+ comply with any of the material terms or conditions of this Agreement and does
+ not cure such failure in a reasonable period of time after becoming aware of
+ such noncompliance. If all Recipient's rights under this Agreement terminate,
+ Recipient agrees to cease use and distribution of the Program as soon as
+ reasonably practicable. However, Recipient's obligations under this Agreement
+ and any licenses granted by Recipient relating to the Program shall continue
+ and survive.
+ .
+ LUCENT may publish new versions (including revisions) of this Agreement from
+ time to time. Each new version of the Agreement will be given a distinguishing
+ version number. The Program (including Contributions) may always be
+ distributed subject to the version of the Agreement under which it was
+ received. In addition, after a new version of the Agreement is published,
+ Contributor may elect to distribute the Program (including its Contributions)
+ under the new version. No one other than LUCENT has the right to modify this
+ Agreement.
Except as expressly stated in Sections 2(a) and 2(b) above,
+ Recipient receives no rights or licenses to the intellectual property of any
+ Contributor under this Agreement, whether expressly, by implication, estoppel
+ or otherwise. All rights in the Program not expressly granted under this
+ Agreement are reserved.
+ .
+ This Agreement is governed by the laws of the State of New York and the
+ intellectual property laws of the United States of America. No party to this
+ Agreement will bring a legal action under this Agreement more than one year
+ after the cause of action arose. Each party waives its rights to a jury trial
+ in any resulting litigation.
+
+License: W3C
+ This work (and included software, documentation such as READMEs, or
+ other related items) is being provided by the copyright holders under
+ the following license.
+ .
+ By obtaining, using and/or copying this work, you (the licensee)
+ agree that you have read, understood, and will comply with the
+ following terms and conditions.
+ .
+ Permission to copy, modify, and distribute this software and its
+ documentation, with or without modification, for any purpose and
+ without fee or royalty is hereby granted, provided that you include
+ the following on ALL copies of the software and documentation or
+ portions thereof, including modifications:
+ .
+ * The full text of this NOTICE in a location viewable to users of
+ the redistributed or derivative work.
+ .
+ * Any pre-existing intellectual property disclaimers, notices, or
+ terms and conditions. If none exist, the W3C Software Short
+ Notice should be included (hypertext is preferred, text is
+ permitted) within the body of any redistributed or derivative
+ code.
+ .
+ * Notice of any changes or modifications to the files, including
+ the date changes were made. (We recommend you provide URIs to the
+ location from which the code is derived.)
+ .
+ THIS SOFTWARE AND DOCUMENTATION IS PROVIDED "AS IS," AND COPYRIGHT
+ HOLDERS MAKE NO REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED,
+ INCLUDING BUT NOT LIMITED TO, WARRANTIES OF MERCHANTABILITY OR FITNESS
+ FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF THE SOFTWARE OR
+ DOCUMENTATION WILL NOT INFRINGE ANY THIRD PARTY PATENTS, COPYRIGHTS,
+ TRADEMARKS OR OTHER RIGHTS.
+ .
+ COPYRIGHT HOLDERS WILL NOT BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL
+ OR CONSEQUENTIAL DAMAGES ARISING OUT OF ANY USE OF THE SOFTWARE OR
+ DOCUMENTATION.
+ .
+ The name and trademarks of copyright holders may NOT be used in
+ advertising or publicity pertaining to the software without specific,
+ written prior permission. Title to copyright in this software and any
+ associated documentation will at all times remain with copyright
+ holders.
+ .
+ This version: http://www.w3.org/Consortium/Legal/2002/copyright-software-20021231
+ .
+ This formulation of W3C's notice and license became active on December
+ 31 2002. This version removes the copyright ownership notice such that
+ this license can be used with materials other than those owned by the
+ W3C, reflects that ERCIM is now a host of the W3C, includes references
+ to this specific dated version of the license, and removes the
+ ambiguous grant of "use". Otherwise, this version is the same as the
+ previous version and is written so as to preserve the Free Software
+ Foundation's assessment of GPL compatibility and OSI's certification
+ under the Open Source Definition.
+
+License: CC-BY-3.0
+ THE WORK (AS DEFINED BELOW) IS PROVIDED UNDER THE TERMS OF THIS
+ CREATIVE COMMONS PUBLIC LICENSE ("CCPL" OR "LICENSE"). THE WORK IS
+ PROTECTED BY COPYRIGHT AND/OR OTHER APPLICABLE LAW. ANY USE OF THE
+ WORK OTHER THAN AS AUTHORIZED UNDER THIS LICENSE OR COPYRIGHT LAW IS
+ PROHIBITED.
+ .
+ BY EXERCISING ANY RIGHTS TO THE WORK PROVIDED HERE, YOU ACCEPT AND
+ AGREE TO BE BOUND BY THE TERMS OF THIS LICENSE.
TO THE EXTENT THIS
+ LICENSE MAY BE CONSIDERED TO BE A CONTRACT, THE LICENSOR GRANTS YOU
+ THE RIGHTS CONTAINED HERE IN CONSIDERATION OF YOUR ACCEPTANCE OF SUCH
+ TERMS AND CONDITIONS.
+ .
+ 1. Definitions
+ .
+ a. "Adaptation" means a work based upon the Work, or upon the Work
+ and other pre-existing works, such as a translation, adaptation,
+ derivative work, arrangement of music or other alterations of a
+ literary or artistic work, or phonogram or performance and
+ includes cinematographic adaptations or any other form in which
+ the Work may be recast, transformed, or adapted including in any
+ form recognizably derived from the original, except that a work
+ that constitutes a Collection will not be considered an
+ Adaptation for the purpose of this License. For the avoidance of
+ doubt, where the Work is a musical work, performance or
+ phonogram, the synchronization of the Work in timed-relation
+ with a moving image ("synching") will be considered an
+ Adaptation for the purpose of this License.
+ .
+ b. "Collection" means a collection of literary or artistic works,
+ such as encyclopedias and anthologies, or performances,
+ phonograms or broadcasts, or other works or subject matter other
+ than works listed in Section 1(f) below, which, by reason of the
+ selection and arrangement of their contents, constitute
+ intellectual creations, in which the Work is included in its
+ entirety in unmodified form along with one or more other
+ contributions, each constituting separate and independent works
+ in themselves, which together are assembled into a collective
+ whole. A work that constitutes a Collection will not be
+ considered an Adaptation (as defined above) for the purposes of
+ this License.
+ .
+ c. "Distribute" means to make available to the public the original
+ and copies of the Work or Adaptation, as appropriate, through
+ sale or other transfer of ownership.
+ .
+ d.
"Licensor" means the individual, individuals, entity or entities
+ that offer(s) the Work under the terms of this License.
+ .
+ e. "Original Author" means, in the case of a literary or artistic
+ work, the individual, individuals, entity or entities who
+ created the Work or if no individual or entity can be
+ identified, the publisher; and in addition (i) in the case of a
+ performance the actors, singers, musicians, dancers, and other
+ persons who act, sing, deliver, declaim, play in, interpret or
+ otherwise perform literary or artistic works or expressions of
+ folklore; (ii) in the case of a phonogram the producer being the
+ person or legal entity who first fixes the sounds of a
+ performance or other sounds; and, (iii) in the case of
+ broadcasts, the organization that transmits the broadcast.
+ .
+ f. "Work" means the literary and/or artistic work offered under the
+ terms of this License including without limitation any
+ production in the literary, scientific and artistic domain,
+ whatever may be the mode or form of its expression including
+ digital form, such as a book, pamphlet and other writing; a
+ lecture, address, sermon or other work of the same nature; a
+ dramatic or dramatico-musical work; a choreographic work or
+ entertainment in dumb show; a musical composition with or
+ without words; a cinematographic work to which are assimilated
+ works expressed by a process analogous to cinematography; a work
+ of drawing, painting, architecture, sculpture, engraving or
+ lithography; a photographic work to which are assimilated works
+ expressed by a process analogous to photography; a work of
+ applied art; an illustration, map, plan, sketch or
+ three-dimensional work relative to geography, topography,
+ architecture or science; a performance; a broadcast; a
+ phonogram; a compilation of data to the extent it is protected
+ as a copyrightable work; or a work performed by a variety or
+ circus performer to the extent it is not otherwise considered
a
+ literary or artistic work.
+ .
+ g. "You" means an individual or entity exercising rights under this
+ License who has not previously violated the terms of this
+ License with respect to the Work, or who has received express
+ permission from the Licensor to exercise rights under this
+ License despite a previous violation.
+ .
+ h. "Publicly Perform" means to perform public recitations of the
+ Work and to communicate to the public those public recitations,
+ by any means or process, including by wire or wireless means or
+ public digital performances; to make available to the public
+ Works in such a way that members of the public may access these
+ Works from a place and at a place individually chosen by them;
+ to perform the Work to the public by any means or process and
+ the communication to the public of the performances of the Work,
+ including by public digital performance; to broadcast and
+ rebroadcast the Work by any means including signs, sounds or
+ images.
+ .
+ i. "Reproduce" means to make copies of the Work by any means
+ including without limitation by sound or visual recordings and
+ the right of fixation and reproducing fixations of the Work,
+ including storage of a protected performance or phonogram in
+ digital form or other electronic medium.
+ .
+ 2. Fair Dealing Rights. Nothing in this License is intended to
+ reduce, limit, or restrict any uses free from copyright or rights
+ arising from limitations or exceptions that are provided for in
+ connection with the copyright protection under copyright law or other
+ applicable laws.
+ .
+ 3. License Grant. Subject to the terms and conditions of this License,
+ Licensor hereby grants You a worldwide, royalty-free, non-exclusive,
+ perpetual (for the duration of the applicable copyright) license to
+ exercise the rights in the Work as stated below:
+ .
+ a.
to Reproduce the Work, to incorporate the Work into one or more
+ Collections, and to Reproduce the Work as incorporated in the
+ Collections;
+ .
+ b. to create and Reproduce Adaptations provided that any such
+ Adaptation, including any translation in any medium, takes
+ reasonable steps to clearly label, demarcate or otherwise
+ identify that changes were made to the original Work. For
+ example, a translation could be marked "The original work was
+ translated from English to Spanish," or a modification could
+ indicate "The original work has been modified.";
+ .
+ c. to Distribute and Publicly Perform the Work including as
+ incorporated in Collections; and,
+ .
+ d. to Distribute and Publicly Perform Adaptations.
+ .
+ e. For the avoidance of doubt:
+ .
+ i. Non-waivable Compulsory License Schemes. In those
+ jurisdictions in which the right to collect royalties
+ through any statutory or compulsory licensing scheme cannot
+ be waived, the Licensor reserves the exclusive right to
+ collect such royalties for any exercise by You of the
+ rights granted under this License;
+ .
+ ii. Waivable Compulsory License Schemes. In those jurisdictions
+ in which the right to collect royalties through any
+ statutory or compulsory licensing scheme can be waived, the
+ Licensor waives the exclusive right to collect such
+ royalties for any exercise by You of the rights granted
+ under this License; and,
+ .
+ iii. Voluntary License Schemes. The Licensor waives the right to
+ collect royalties, whether individually or, in the event
+ that the Licensor is a member of a collecting society that
+ administers voluntary licensing schemes, via that society,
+ from any exercise by You of the rights granted under this
+ License.
+ .
+ The above rights may be exercised in all media and formats whether
+ now known or hereafter devised. The above rights include the right to
+ make such modifications as are technically necessary to exercise the
+ rights in other media and formats.
Subject to Section 8(f), all
+ rights not expressly granted by Licensor are hereby reserved.
+ .
+ 4. Restrictions. The license granted in Section 3 above is expressly
+ made subject to and limited by the following restrictions:
+ .
+ a. You may Distribute or Publicly Perform the Work only under the
+ terms of this License. You must include a copy of, or the
+ Uniform Resource Identifier (URI) for, this License with every
+ copy of the Work You Distribute or Publicly Perform. You may not
+ offer or impose any terms on the Work that restrict the terms of
+ this License or the ability of the recipient of the Work to
+ exercise the rights granted to that recipient under the terms of
+ the License. You may not sublicense the Work. You must keep
+ intact all notices that refer to this License and to the
+ disclaimer of warranties with every copy of the Work You
+ Distribute or Publicly Perform. When You Distribute or Publicly
+ Perform the Work, You may not impose any effective technological
+ measures on the Work that restrict the ability of a recipient of
+ the Work from You to exercise the rights granted to that
+ recipient under the terms of the License. This Section 4(a)
+ applies to the Work as incorporated in a Collection, but this
+ does not require the Collection apart from the Work itself to be
+ made subject to the terms of this License. If You create a
+ Collection, upon notice from any Licensor You must, to the
+ extent practicable, remove from the Collection any credit as
+ required by Section 4(b), as requested. If You create an
+ Adaptation, upon notice from any Licensor You must, to the
+ extent practicable, remove from the Adaptation any credit as
+ required by Section 4(b), as requested.
+ .
+ b.
If You Distribute, or Publicly Perform the Work or any
+ Adaptations or Collections, You must, unless a request has been
+ made pursuant to Section 4(a), keep intact all copyright notices
+ for the Work and provide, reasonable to the medium or means You
+ are utilizing: (i) the name of the Original Author (or
+ pseudonym, if applicable) if supplied, and/or if the Original
+ Author and/or Licensor designate another party or parties (e.g.,
+ a sponsor institute, publishing entity, journal) for attribution
+ ("Attribution Parties") in Licensor's copyright notice, terms of
+ service or by other reasonable means, the name of such party or
+ parties; (ii) the title of the Work if supplied; (iii) to the
+ extent reasonably practicable, the URI, if any, that Licensor
+ specifies to be associated with the Work, unless such URI does
+ not refer to the copyright notice or licensing information for
+ the Work; and (iv) , consistent with Section 3(b), in the case
+ of an Adaptation, a credit identifying the use of the Work in
+ the Adaptation (e.g., "French translation of the Work by
+ Original Author," or "Screenplay based on original Work by
+ Original Author"). The credit required by this Section 4 (b) may
+ be implemented in any reasonable manner; provided, however, that
+ in the case of a Adaptation or Collection, at a minimum such
+ credit will appear, if a credit for all contributing authors of
+ the Adaptation or Collection appears, then as part of these
+ credits and in a manner at least as prominent as the credits for
+ the other contributing authors.
For the avoidance of doubt, You
+ may only use the credit required by this Section for the purpose
+ of attribution in the manner set out above and, by exercising
+ Your rights under this License, You may not implicitly or
+ explicitly assert or imply any connection with, sponsorship or
+ endorsement by the Original Author, Licensor and/or Attribution
+ Parties, as appropriate, of You or Your use of the Work, without
+ the separate, express prior written permission of the Original
+ Author, Licensor and/or Attribution Parties.
+ .
+ c. Except as otherwise agreed in writing by the Licensor or as may
+ be otherwise permitted by applicable law, if You Reproduce,
+ Distribute or Publicly Perform the Work either by itself or as
+ part of any Adaptations or Collections, You must not distort,
+ mutilate, modify or take other derogatory action in relation to
+ the Work which would be prejudicial to the Original Author's
+ honor or reputation. Licensor agrees that in those jurisdictions
+ (e.g. Japan), in which any exercise of the right granted in
+ Section 3(b) of this License (the right to make Adaptations)
+ would be deemed to be a distortion, mutilation, modification or
+ other derogatory action prejudicial to the Original Author's
+ honor and reputation, the Licensor will waive or not assert, as
+ appropriate, this Section, to the fullest extent permitted by
+ the applicable national law, to enable You to reasonably
+ exercise Your right under Section 3(b) of this License (right to
+ make Adaptations) but not otherwise.
+ .
+ 5. Representations, Warranties and Disclaimer
+ .
+ UNLESS OTHERWISE MUTUALLY AGREED TO BY THE PARTIES IN WRITING,
+ LICENSOR OFFERS THE WORK AS-IS AND MAKES NO REPRESENTATIONS OR
+ WARRANTIES OF ANY KIND CONCERNING THE WORK, EXPRESS, IMPLIED,
+ STATUTORY OR OTHERWISE, INCLUDING, WITHOUT LIMITATION, WARRANTIES OF
+ TITLE, MERCHANTIBILITY, FITNESS FOR A PARTICULAR PURPOSE,
+ NONINFRINGEMENT, OR THE ABSENCE OF LATENT OR OTHER DEFECTS, ACCURACY,
+ OR THE PRESENCE OF ABSENCE OF ERRORS, WHETHER OR NOT DISCOVERABLE.
+ SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES,
+ SO SUCH EXCLUSION MAY NOT APPLY TO YOU.
+ .
+ 6. Limitation on Liability. EXCEPT TO THE EXTENT REQUIRED BY
+ APPLICABLE LAW, IN NO EVENT WILL LICENSOR BE LIABLE TO YOU ON ANY
+ LEGAL THEORY FOR ANY SPECIAL, INCIDENTAL, CONSEQUENTIAL, PUNITIVE OR
+ EXEMPLARY DAMAGES ARISING OUT OF THIS LICENSE OR THE USE OF THE WORK,
+ EVEN IF LICENSOR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
+ .
+ 7. Termination
+ .
+ a. This License and the rights granted hereunder will terminate
+ automatically upon any breach by You of the terms of this
+ License. Individuals or entities who have received Adaptations
+ or Collections from You under this License, however, will not
+ have their licenses terminated provided such individuals or
+ entities remain in full compliance with those licenses.
+ Sections 1, 2, 5, 6, 7, and 8 will survive any termination of
+ this License.
+ .
+ b. Subject to the above terms and conditions, the license granted
+ here is perpetual (for the duration of the applicable copyright
+ in the Work). Notwithstanding the above, Licensor reserves the
+ right to release the Work under different license terms or to
+ stop distributing the Work at any time; provided, however that
+ any such election will not serve to withdraw this License (or
+ any other license that has been, or is required to be, granted
+ under the terms of this License), and this License will continue
+ in full force and effect unless terminated as stated above.
+ .
+ 8. Miscellaneous
+ .
+ a. Each time You Distribute or Publicly Perform the Work or a
+ Collection, the Licensor offers to the recipient a license to
+ the Work on the same terms and conditions as the license granted
+ to You under this License.
+ .
+ b. Each time You Distribute or Publicly Perform an Adaptation,
+ Licensor offers to the recipient a license to the original Work
+ on the same terms and conditions as the license granted to You
+ under this License.
+ .
+ c. If any provision of this License is invalid or unenforceable
+ under applicable law, it shall not affect the validity or
+ enforceability of the remainder of the terms of this License,
+ and without further action by the parties to this agreement,
+ such provision shall be reformed to the minimum extent necessary
+ to make such provision valid and enforceable.
+ .
+ d. No term or provision of this License shall be deemed waived and
+ no breach consented to unless such waiver or consent shall be in
+ writing and signed by the party to be charged with such waiver
+ or consent.
+ .
+ e. This License constitutes the entire agreement between the
+ parties with respect to the Work licensed here. There are no
+ understandings, agreements or representations with respect to
+ the Work not specified here. Licensor shall not be bound by any
+ additional provisions that may appear in any communication from
+ You. This License may not be modified without the mutual written
+ agreement of the Licensor and You.
+ .
+ f. The rights granted under, and the subject matter referenced, in
+ this License were drafted utilizing the terminology of the Berne
+ Convention for the Protection of Literary and Artistic Works (as
+ amended on September 28, 1979), the Rome Convention of 1961, the
+ WIPO Copyright Treaty of 1996, the WIPO Performances and
+ Phonograms Treaty of 1996 and the Universal Copyright Convention
+ (as revised on July 24, 1971).
These rights and subject matter
+ take effect in the relevant jurisdiction in which the License
+ terms are sought to be enforced according to the corresponding
+ provisions of the implementation of those treaty provisions in
+ the applicable national law. If the standard suite of rights
+ granted under applicable copyright law includes additional
+ rights not granted under this License, such additional rights
+ are deemed to be included in the License; this License is not
+ intended to restrict the license of any rights under applicable law.
diff --git a/debian/docs b/debian/docs
new file mode 100644
index 0000000..4ad6ffb
--- /dev/null
+++ b/debian/docs
@@ -0,0 +1,3 @@
+AUTHORS
+CONTRIBUTORS
+README.md
diff --git a/debian/gbp.conf b/debian/gbp.conf
new file mode 100644
index 0000000..a4a4323
--- /dev/null
+++ b/debian/gbp.conf
@@ -0,0 +1,13 @@
+#
+# WARNING: "debian/gbp.conf" is generated via "debian/rules gencontrol" (sourced from "debian/gbp.conf.in")
+#
+
+[DEFAULT]
+debian-branch = golang-1.7
+debian-tag = debian/%(version)s
+upstream-branch = upstream-1.7
+upstream-tag = upstream/%(version)s
+pristine-tar = True
+
+[git-dch]
+meta = 1
diff --git a/debian/gbp.conf.in b/debian/gbp.conf.in
new file mode 100644
index 0000000..687c798
--- /dev/null
+++ b/debian/gbp.conf.in
@@ -0,0 +1,9 @@
+[DEFAULT]
+debian-branch = golang-X.Y
+debian-tag = debian/%(version)s
+upstream-branch = upstream-X.Y
+upstream-tag = upstream/%(version)s
+pristine-tar = True
+
+[git-dch]
+meta = 1
diff --git a/debian/golang-X.Y-doc.dirs b/debian/golang-X.Y-doc.dirs
new file mode 100644
index 0000000..8c724f4
--- /dev/null
+++ b/debian/golang-X.Y-doc.dirs
@@ -0,0 +1 @@
+usr/share/doc/golang-X.Y-doc/html
diff --git a/debian/golang-X.Y-doc.install b/debian/golang-X.Y-doc.install
new file mode 100644
index 0000000..5fa12e2
--- /dev/null
+++ b/debian/golang-X.Y-doc.install
@@ -0,0 +1,2 @@
+doc/* /usr/share/doc/golang-X.Y-doc/html/
+favicon.ico /usr/share/doc/golang-X.Y-doc
diff --git a/debian/golang-X.Y-doc.links b/debian/golang-X.Y-doc.links
new file mode 100644
index 0000000..1215c30
--- /dev/null
+++ b/debian/golang-X.Y-doc.links
@@ -0,0 +1,2 @@
+usr/share/doc/golang-X.Y-doc/favicon.ico /usr/lib/go-X.Y/favicon.ico
+usr/share/doc/golang-X.Y-doc/html /usr/lib/go-X.Y/doc
diff --git a/debian/golang-X.Y-doc.lintian-overrides b/debian/golang-X.Y-doc.lintian-overrides
new file mode 100644
index 0000000..f4aa785
--- /dev/null
+++ b/debian/golang-X.Y-doc.lintian-overrides
@@ -0,0 +1,5 @@
+# While golang-X.Y-doc ships HTML files, they are not intended to be viewed
+# directly in a browser or other HTML-capable tool. Instead, they have to be
+# served by using e.g. “godoc -http=:6060”, see also
+# http://bugs.debian.org/702642
+golang-X.Y-doc: possible-documentation-but-no-doc-base-registration
diff --git a/debian/golang-X.Y-go.dirs b/debian/golang-X.Y-go.dirs
new file mode 100644
index 0000000..979785e
--- /dev/null
+++ b/debian/golang-X.Y-go.dirs
@@ -0,0 +1,2 @@
+usr/lib/go-X.Y
+usr/share/go-X.Y/src/
diff --git a/debian/golang-X.Y-go.install b/debian/golang-X.Y-go.install
new file mode 100644
index 0000000..4a6b6a6
--- /dev/null
+++ b/debian/golang-X.Y-go.install
@@ -0,0 +1,7 @@
+VERSION /usr/lib/go-X.Y/
+bin/go /usr/lib/go-X.Y/bin/
+bin/gofmt /usr/lib/go-X.Y/bin/
+pkg/*_* /usr/lib/go-X.Y/pkg/
+pkg/include /usr/share/go-X.Y/pkg/
+pkg/obj /usr/lib/go-X.Y/pkg/
+pkg/tool /usr/lib/go-X.Y/pkg/
diff --git a/debian/golang-X.Y-go.links b/debian/golang-X.Y-go.links
new file mode 100644
index 0000000..107242d
--- /dev/null
+++ b/debian/golang-X.Y-go.links
@@ -0,0 +1,3 @@
+usr/share/go-X.Y/pkg/include /usr/lib/go-X.Y/pkg/include
+usr/share/go-X.Y/src /usr/lib/go-X.Y/src
+usr/share/go-X.Y/test /usr/lib/go-X.Y/test
diff --git a/debian/golang-X.Y-go.lintian-overrides b/debian/golang-X.Y-go.lintian-overrides
new file mode 100644
index 0000000..41817d9
--- /dev/null
+++ b/debian/golang-X.Y-go.lintian-overrides
@@ -0,0 +1,2 @@
+# Go always links statically.
+golang-X.Y-go: statically-linked-binary
diff --git a/debian/golang-X.Y-go.postinst b/debian/golang-X.Y-go.postinst
new file mode 100644
index 0000000..1609572
--- /dev/null
+++ b/debian/golang-X.Y-go.postinst
@@ -0,0 +1,13 @@
+#!/bin/sh
+set -e
+
+case "$1" in
+ configure)
+ # Very ugly hack to set timestamps same as /usr/lib/go-X.Y/bin/go
+ find /usr/lib/go-X.Y/pkg -exec touch -r /usr/lib/go-X.Y/bin/go {} \;
+ ;;
+ *)
+ ;;
+esac
+
+#DEBHELPER#
diff --git a/debian/golang-X.Y-src.install b/debian/golang-X.Y-src.install
new file mode 100644
index 0000000..85fc76b
--- /dev/null
+++ b/debian/golang-X.Y-src.install
@@ -0,0 +1,2 @@
+src /usr/share/go-X.Y/
+test /usr/share/go-X.Y/
diff --git a/debian/golang-X.Y-src.lintian-overrides b/debian/golang-X.Y-src.lintian-overrides
new file mode 100644
index 0000000..91002bf
--- /dev/null
+++ b/debian/golang-X.Y-src.lintian-overrides
@@ -0,0 +1,4 @@
+# golang-X.Y-src ships ELF object files as testdata for the debug/dwarf and
+# debug/elf packages.
+golang-X.Y-src: arch-dependent-file-in-usr-share
+golang-X.Y-src: unstripped-binary-or-object
diff --git a/debian/helpers/goenv.sh b/debian/helpers/goenv.sh
new file mode 100755
index 0000000..ee0b737
--- /dev/null
+++ b/debian/helpers/goenv.sh
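Review bot: In debian/golang-X.Y-go.postinst the `find … -exec touch … {} \;` form starts one `touch` process for every file under /usr/lib/go-X.Y/pkg on each `configure` run. Ending the command with `+` batches the paths into as few invocations as possible with the same result: `find /usr/lib/go-X.Y/pkg -exec touch -r /usr/lib/go-X.Y/bin/go {} +`. The comment calls this a hack but does not say what breaks without it; a line such as `# keep pkg timestamps equal to bin/go so the go tool does not treat the installed packages as stale` would help, if that is indeed the reason.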
@@ -0,0 +1,55 @@
+#!/bin/sh
+set -e
+
+__goos__deb_arch_os() {
+ case "$1" in
+ kfreebsd) echo freebsd ;;
+ linux) echo "$1" ;;
+ *) echo >&2 "error: unrecongized DEB_*_ARCH_OS: $1"; exit 1 ;;
+ esac
+}
+
+__goarch__deb_arch_cpu() {
+ case "$1" in
+ amd64|arm|arm64|ppc64|s390x) echo "$1" ;;
+ i386) echo 386 ;;
+ ppc64el) echo ppc64le ;;
+ mips64el) echo mips64le ;;
+ *) echo >&2 "error: unrecongized DEB_*_ARCH_CPU: $1"; exit 1 ;;
+ esac
+}
+
+# build machine
+# The machine the package is built on.
+#
+# host machine
+# The machine the package is built for.
+
+export GOHOSTOS="$(__goos__deb_arch_os "$(dpkg-architecture -qDEB_BUILD_ARCH_OS 2>/dev/null)")"
+export GOOS="$(__goos__deb_arch_os "$(dpkg-architecture -qDEB_HOST_ARCH_OS 2>/dev/null)")"
+
+export GOHOSTARCH="$(__goarch__deb_arch_cpu "$(dpkg-architecture -qDEB_BUILD_ARCH_CPU 2>/dev/null)")"
+export GOARCH="$(__goarch__deb_arch_cpu "$(dpkg-architecture -qDEB_HOST_ARCH_CPU 2>/dev/null)")"
+
+if [ -z "$GOHOSTOS" -o -z "$GOOS" -o -z "$GOHOSTARCH" -o -z "$GOARCH" ]; then
+ exit 1
+fi
+
+# Always use the 387 floating point unit instead of sse2. This is important to
+# ensure that the binaries we build (both when compiling golang on the buildds
+# and when users cross-compile for 386) can actually run on older CPUs (where
+# old means e.g. an AMD Athlon XP 2400+). See http://bugs.debian.org/753160 and
+# https://code.google.com/p/go/issues/detail?id=8152
+export GO386=387
+
+unset GOARM
+if [ "$GOARCH" = 'arm' ]; then
+ # start with GOARM=5 for maximum compatibility (see note about GO386 above)
+ GOARM=5
+ case "$(dpkg-architecture -qDEB_HOST_ARCH 2>/dev/null)" in
+ armhf) GOARM=6 ;;
+ esac
+fi
+export GOARM
+
+eval "$@"
diff --git a/debian/patches/CVE-2017-15041.patch b/debian/patches/CVE-2017-15041.patch
new file mode 100644
index 0000000..069944b
--- /dev/null
+++ b/debian/patches/CVE-2017-15041.patch
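Review bot: The closing `eval "$@"` in debian/helpers/goenv.sh joins the helper's arguments with spaces and parses the result a second time as shell, so an argument containing whitespace, quotes, `$` or `;` is re-interpreted instead of being passed through unchanged. If the callers in debian/rules (not shown here) only ever pass a command and its arguments, `exec "$@"` would keep the argument boundaries intact and remove the second parse. If they depend on shell syntax in the argument (a compound command, for instance), the `eval` has to stay, and a comment should record that: `# eval on purpose: debian/rules passes a shell snippet; never feed this external input`.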
@@ -0,0 +1,264 @@
+Origin: https://github.com/golang/go/commit/9a97c3bfe41d1ed768ea3bd3d8f0f52b8a51bb62
+Origin: https://github.com/golang/go/commit/a4544a0f8af001d1fb6df0e70750f570ec49ccf9
+Origin: https://github.com/golang/go/commit/533ee44cd45c064608ee2b833af9e86ef1cb294e
+Reviewed-by: Sylvain Beucler
+Last-Update: 2021-03-02
+
+From 9a97c3bfe41d1ed768ea3bd3d8f0f52b8a51bb62 Mon Sep 17 00:00:00 2001
+From: Russ Cox
+Date: Thu, 13 Oct 2016 13:45:31 -0400
+Subject: [PATCH] cmd/go: accept plain file for .vcs (instead of directory)
+
+Sometimes .git is a plain file; maybe others will follow.
+This CL matches CL 21430, made in x/tools/go/vcs.
+
+The change in the Swift test case makes the test case
+pass by changing the test to match current behavior,
+which I assume is better than the reverse.
+(The test only runs locally and without -short, so the
+builders are not seeing this particular failure.)
+
+For #10322.
+
+Change-Id: Iccd08819a01c5609a2880b9d8a99af936e20faff
+Reviewed-on: https://go-review.googlesource.com/30948
+Run-TryBot: Russ Cox
+TryBot-Result: Gobot Gobot
+Reviewed-by: Ian Lance Taylor
+---
+
+From a4544a0f8af001d1fb6df0e70750f570ec49ccf9 Mon Sep 17 00:00:00 2001
+From: Russ Cox
+Date: Fri, 22 Sep 2017 12:17:21 -0400
+Subject: [PATCH] [release-branch.go1.8] cmd/go: reject update of VCS inside
+ VCS
+
+Cherry-pick of CL 68110.
+
+Change-Id: Iae84c6404ab5eeb6950faa2364f97a017c67c506
+Reviewed-on: https://go-review.googlesource.com/68190
+Run-TryBot: Russ Cox
+Reviewed-by: Chris Broadfoot
+---
+ src/cmd/go/get.go | 5 ++++
+ src/cmd/go/go_test.go | 19 ++++++++++++++
+ src/cmd/go/vcs.go | 58 ++++++++++++++++++++++++++++++++++++++++++-
+ 3 files changed, 81 insertions(+), 1 deletion(-)
+
+From 533ee44cd45c064608ee2b833af9e86ef1cb294e Mon Sep 17 00:00:00 2001
+From: Ian Lance Taylor
+Date: Tue, 10 Oct 2017 14:10:28 -0700
+Subject: [PATCH] [release-branch.go1.8] cmd/go: correct directory used in
+ checkNestedVCS test
+
+This error was not used when using git because nested git is permitted.
+Add test using Mercurial, so that at least we have a test, even though
+the test is not run by default.
+
+Fixes #22157
+Fixes #22201
+
+Change-Id: If521f3c09b0754e00e56fa3cd0364764a57a43ad
+Reviewed-on: https://go-review.googlesource.com/69670
+Run-TryBot: Ian Lance Taylor
+TryBot-Result: Gobot Gobot
+Reviewed-by: Russ Cox
+Reviewed-on: https://go-review.googlesource.com/70839
+Run-TryBot: Russ Cox
+Reviewed-by: Ian Lance Taylor
+---
+
+Index: golang-1.7-1.7.4/src/cmd/go/vcs.go
+===================================================================
+--- golang-1.7-1.7.4.orig/src/cmd/go/vcs.go
++++ golang-1.7-1.7.4/src/cmd/go/vcs.go
+@@ -479,11 +479,28 @@ func vcsFromDir(dir, srcRoot string) (vc
+ return nil, "", fmt.Errorf("directory %q is outside source root %q", dir, srcRoot)
+ }
+
++ var vcsRet *vcsCmd
++ var rootRet string
++
+ origDir := dir
+ for len(dir) > len(srcRoot) {
+ for _, vcs := range vcsList {
+- if fi, err := os.Stat(filepath.Join(dir, "."+vcs.cmd)); err == nil && fi.IsDir() {
+- return vcs, filepath.ToSlash(dir[len(srcRoot)+1:]), nil
++ if _, err := os.Stat(filepath.Join(dir, "."+vcs.cmd)); err == nil {
++ root := filepath.ToSlash(dir[len(srcRoot)+1:])
++ // Record first VCS we find, but keep looking,
++ // to detect mistakes like one kind of VCS inside another.
++ if vcsRet == nil {
++ vcsRet = vcs
++ rootRet = root
++ continue
++ }
++ // Allow .git inside .git, which can arise due to submodules.
++ if vcsRet == vcs && vcs.cmd == "git" {
++ continue
++ }
++ // Otherwise, we have one VCS inside a different VCS.
++ return nil, "", fmt.Errorf("directory %q uses %s, but parent %q uses %s",
++ filepath.Join(srcRoot, rootRet), vcsRet.cmd, filepath.Join(srcRoot, root), vcs.cmd)
+ }
+ }
+
+@@ -496,9 +513,48 @@ func vcsFromDir(dir, srcRoot string) (vc
+ dir = ndir
+ }
+
++ if vcsRet != nil {
++ return vcsRet, rootRet, nil
++ }
++
+ return nil, "", fmt.Errorf("directory %q is not using a known version control system", origDir)
+ }
+
++// checkNestedVCS checks for an incorrectly-nested VCS-inside-VCS
++// situation for dir, checking parents up until srcRoot.
++func checkNestedVCS(vcs *vcsCmd, dir, srcRoot string) error {
++ if len(dir) <= len(srcRoot) || dir[len(srcRoot)] != filepath.Separator {
++ return fmt.Errorf("directory %q is outside source root %q", dir, srcRoot)
++ }
++
++ otherDir := dir
++ for len(otherDir) > len(srcRoot) {
++ for _, otherVCS := range vcsList {
++ if _, err := os.Stat(filepath.Join(otherDir, "."+otherVCS.cmd)); err == nil {
++ // Allow expected vcs in original dir.
++ if otherDir == dir && otherVCS == vcs {
++ continue
++ }
++ // Allow .git inside .git, which can arise due to submodules.
++ if otherVCS == vcs && vcs.cmd == "git" {
++ continue
++ }
++ // Otherwise, we have one VCS inside a different VCS.
++ return fmt.Errorf("directory %q uses %s, but parent %q uses %s", dir, vcs.cmd, otherDir, otherVCS.cmd)
++ }
++ }
++ // Move to parent.
++ newDir := filepath.Dir(otherDir)
++ if len(newDir) >= len(otherDir) {
++ // Shouldn't happen, but just in case, stop.
++ break
++ }
++ otherDir = newDir
++ }
++
++ return nil
++}
++
+ // repoRoot represents a version control system, a repo, and a root of
+ // where to put it on disk.
+ type repoRoot struct {
+Index: golang-1.7-1.7.4/src/cmd/go/vcs_test.go
+===================================================================
+--- golang-1.7-1.7.4.orig/src/cmd/go/vcs_test.go
++++ golang-1.7-1.7.4/src/cmd/go/vcs_test.go
+@@ -102,7 +102,7 @@ func TestRepoRootForImportPath(t *testin
+ "git.openstack.org/openstack/swift.git",
+ &repoRoot{
+ vcs: vcsGit,
+- repo: "https://git.openstack.org/openstack/swift",
++ repo: "https://git.openstack.org/openstack/swift.git",
+ },
+ },
+ {
+@@ -174,11 +174,23 @@ func TestFromDir(t *testing.T) {
+ }
+ defer os.RemoveAll(tempDir)
+
+- for _, vcs := range vcsList {
++ for j, vcs := range vcsList {
+ dir := filepath.Join(tempDir, "example.com", vcs.name, "."+vcs.cmd)
+- err := os.MkdirAll(dir, 0755)
+- if err != nil {
+- t.Fatal(err)
++ if j&1 == 0 {
++ err := os.MkdirAll(dir, 0755)
++ if err != nil {
++ t.Fatal(err)
++ }
++ } else {
++ err := os.MkdirAll(filepath.Dir(dir), 0755)
++ if err != nil {
++ t.Fatal(err)
++ }
++ f, err := os.Create(dir)
++ if err != nil {
++ t.Fatal(err)
++ }
++ f.Close()
+ }
+
+ want := repoRoot{
+Index: golang-1.7-1.7.4/src/cmd/go/get.go
+===================================================================
+--- golang-1.7-1.7.4.orig/src/cmd/go/get.go
++++ golang-1.7-1.7.4/src/cmd/go/get.go
+@@ -401,6 +401,11 @@ func downloadPackage(p *Package) error {
+ p.build.PkgRoot = filepath.Join(list[0], "pkg")
+ }
+ root := filepath.Join(p.build.SrcRoot, filepath.FromSlash(rootPath))
++
++ if err := checkNestedVCS(vcs, root, p.build.SrcRoot); err != nil {
++ return err
++ }
++
+ // If we've considered this repository already, don't do it again.
+ if downloadRootCache[root] {
+ return nil
+Index: golang-1.7-1.7.4/src/cmd/go/go_test.go
+===================================================================
+--- golang-1.7-1.7.4.orig/src/cmd/go/go_test.go
++++ golang-1.7-1.7.4/src/cmd/go/go_test.go
+@@ -1099,7 +1099,7 @@ func testMove(t *testing.T, vcs, url, ba
+ tg.runFail("get", "-d", "-u", url)
+ tg.grepStderr("is a custom import path for", "go get -d -u "+url+" failed for wrong reason")
+ tg.runFail("get", "-d", "-f", "-u", url)
+- tg.grepStderr("validating server certificate|not found", "go get -d -f -u "+url+" failed for wrong reason")
++ tg.grepStderr("validating server certificate|[nN]ot [fF]ound", "go get -d -f -u "+url+" failed for wrong reason")
+ }
+
+ func TestInternalPackageErrorsAreHandled(t *testing.T) {
+@@ -1120,10 +1120,9 @@ func TestMoveGit(t *testing.T) {
+ testMove(t, "git", "rsc.io/pdf", "pdf", "rsc.io/pdf/.git/config")
+ }
+
+-// TODO(rsc): Set up a test case on bitbucket for hg.
+-// func TestMoveHG(t *testing.T) {
+-// testMove(t, "hg", "rsc.io/x86/x86asm", "x86", "rsc.io/x86/.hg/hgrc")
+-// }
++func TestMoveHG(t *testing.T) {
++ testMove(t, "hg", "vcs-test.golang.org/go/custom-hg-hello", "custom-hg-hello", "vcs-test.golang.org/go/custom-hg-hello/.hg/hgrc")
++}
+
+ // TODO(rsc): Set up a test case on SourceForge (?) for svn.
+ // func testMoveSVN(t *testing.T) {
+@@ -1235,6 +1234,25 @@ func TestGetGitDefaultBranch(t *testing.
+ tg.grepStdout(`\* another-branch`, "not on correct default branch")
+ }
+
++func TestAccidentalGitCheckout(t *testing.T) {
++ testenv.MustHaveExternalNetwork(t)
++ if _, err := exec.LookPath("git"); err != nil {
++ t.Skip("skipping because git binary not found")
++ }
++
++ tg := testgo(t)
++ defer tg.cleanup()
++ tg.parallel()
++ tg.tempDir("src")
++ tg.setenv("GOPATH", tg.path("."))
++
++ tg.runFail("get", "-u", "vcs-test.golang.org/go/test1-svn-git")
++ tg.grepStderr("src[\\\\/]vcs-test.* uses git, but parent .*src[\\\\/]vcs-test.* uses svn", "get did not fail for right reason")
++
++ tg.runFail("get", "-u", "vcs-test.golang.org/go/test2-svn-git/test2main")
++ tg.grepStderr("src[\\\\/]vcs-test.* uses git, but parent .*src[\\\\/]vcs-test.* uses svn", "get did not fail for right reason")
++}
++
+ func TestErrorMessageForSyntaxErrorInTestGoFileSaysFAIL(t *testing.T) {
+ tg := testgo(t)
+ defer tg.cleanup()
diff --git a/debian/patches/CVE-2018-16873,16874.patch b/debian/patches/CVE-2018-16873,16874.patch
new file mode 100644
index 0000000..7d0d230
--- /dev/null
+++ b/debian/patches/CVE-2018-16873,16874.patch
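Review bot: The new `checkNestedVCS` guard is only exercised by `TestAccidentalGitCheckout`, which starts with `testenv.MustHaveExternalNetwork(t)` and so presumably never runs on a build machine without network access; nothing in this backport checks the function against a local directory tree. A small test in `vcs_test.go` that builds a temporary tree with one VCS marker inside another would show at build time whether the backport to 1.7.4 applied correctly. The same gap applies to `CheckImportPath` in `debian/patches/CVE-2018-16873,16874.patch`, which adds `path.go` without any test. The sketch below assumes `ioutil` is already imported by `vcs_test.go` and that `vcsHg` is declared next to the `vcsGit` used in this file.

```go
// Proposed addition to src/cmd/go/vcs_test.go: exercises checkNestedVCS
// on a temporary tree, with no network access needed.
func TestCheckNestedVCSLocal(t *testing.T) {
	tempDir, err := ioutil.TempDir("", "vcstest")
	if err != nil {
		t.Fatal(err)
	}
	defer os.RemoveAll(tempDir)

	outer := filepath.Join(tempDir, "example.com", "outer")
	inner := filepath.Join(outer, "inner")
	for _, d := range []string{filepath.Join(outer, ".hg"), filepath.Join(inner, ".git")} {
		if err := os.MkdirAll(d, 0755); err != nil {
			t.Fatal(err)
		}
	}

	// A git checkout nested inside an hg checkout must be rejected.
	if err := checkNestedVCS(vcsGit, inner, tempDir); err == nil {
		t.Errorf("checkNestedVCS(git, %q) = nil, want error", inner)
	}
	// The outer checkout on its own is accepted.
	if err := checkNestedVCS(vcsHg, outer, tempDir); err != nil {
		t.Errorf("checkNestedVCS(hg, %q) = %v, want nil", outer, err)
	}
}
```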
@@ -0,0 +1,350 @@
+Origin: https://github.com/golang/go/commit/90d609ba6156299642d08afc06d85ab770a03972
+Origin: https://github.com/golang/go/commit/7ef6ee2c5727f0d11206b4d1866c18e6ab4785be
+Origin: https://github.com/golang/go/commit/25bee965c685e3f35c10076648685e22e59fd656
+Reviewed-by: Sylvain Beucler
+Last-Update: 2021-03-04
+
+From 90d609ba6156299642d08afc06d85ab770a03972 Mon Sep 17 00:00:00 2001
+From: "Bryan C. Mills"
+Date: Mon, 3 Dec 2018 15:12:08 -0500
+Subject: [PATCH] [release-branch.go1.10-security] cmd/go: reject 'get' of
+ paths containing leading dots or unsupported characters
+
+On some platforms, directories beginning with dot are treated as
+hidden files, and filenames containing unusual characters can be
+confusing for users to manipulate (and delete).
+
+Change-Id: I443bdeb98e4de24b8a93a75fb923f4d41052e8f7
+Reviewed-on: https://team-review.git.corp.google.com/c/368703
+Reviewed-by: Dmitri Shuralyov
+---
+
+From 7ef6ee2c5727f0d11206b4d1866c18e6ab4785be Mon Sep 17 00:00:00 2001
+From: "Bryan C. Mills"
+Date: Tue, 4 Dec 2018 14:37:39 -0500
+Subject: [PATCH] [release-branch.go1.10-security] cmd/go/internal/get: reject
+ Windows shortnames as path components
+
+Change-Id: Ia32d8ec1fc0c4e242f50d8871c0ef3ce315f3c65
+Reviewed-on: https://team-review.git.corp.google.com/c/370573
+Reviewed-by: Dmitri Shuralyov
+---
+
+From 25bee965c685e3f35c10076648685e22e59fd656 Mon Sep 17 00:00:00 2001
+From: "Bryan C. Mills"
+Date: Thu, 13 Dec 2018 21:42:33 -0500
+Subject: [PATCH] [release-branch.go1.10] cmd/go/internal/get: move
+ wildcard-trimming to before CheckImportPath
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Previously, RepoRootForImportPath trimmed certain "..." wildcards from
+package patterns (even though its name suggests that the argument must
+be an actual import path). It trimmed at the first path element that
+was literally "..."
(although wildcards in general may appear within a
+larger path element), and relied on a subsequent check in
+RepoRootForImportPath to catch confusing resolutions.
+
+However, that causes 'go get' with wildcard patterns in fresh paths to
+fail as of CL 154101: a wildcard pattern is not a valid import path,
+and fails the path check. (The existing Test{Vendor,Go}Get* packages
+in go_test.go and vendor_test.go catch the failure, but they are all
+skipped when the "-short" flag is set — including in all.bash — and we
+had forgotten to run them separately.)
+
+We now trim the path before any element that contains a wildcard, and
+perform the path check (and repo resolution) on only that prefix. It
+is possible that the expanded path after fetching the repo will be
+invalid, but a repository can contain directories that are not valid
+import paths in general anyway.
+
+Fixes #29247
+
+Change-Id: I70fb2f7fc6603b7d339fd6c02e8cdeacfc93fc4b
+Reviewed-on: https://go-review.googlesource.com/c/154108
+Reviewed-by: Russ Cox
+Reviewed-on: https://go-review.googlesource.com/c/154111
+Run-TryBot: Bryan C. Mills
+Reviewed-by: Filippo Valsorda
+---
+
+Index: golang-1.7-1.7.4/src/cmd/go/get.go
+===================================================================
+--- golang-1.7-1.7.4.orig/src/cmd/go/get.go
++++ golang-1.7-1.7.4/src/cmd/go/get.go
+@@ -183,7 +183,7 @@ var downloadCache = map[string]bool{}
+ var downloadRootCache = map[string]bool{}
+
+ // download runs the download half of the get command
+-// for the package named by the argument.
++// for the package or pattern named by the argument.
+ func download(arg string, parent *Package, stk *importStack, mode int) {
+ load := func(path string, mode int) *Package {
+ if parent == nil {
+@@ -343,6 +343,23 @@ func downloadPackage(p *Package) error {
+ security = insecure
+ }
+
++ // p can be either a real package, or a pseudo-package whose “import path” is
++ // actually a wildcard pattern.
++ // Trim the path at the element containing the first wildcard,
++ // and hope that it applies to the wildcarded parts too.
++ // This makes 'go get rsc.io/pdf/...' work in a fresh GOPATH.
++ importPrefix := p.ImportPath
++ if i := strings.Index(importPrefix, "..."); i >= 0 {
++ slash := strings.LastIndexByte(importPrefix[:i], '/')
++ if slash < 0 {
++ return fmt.Errorf("cannot expand ... in %q", p.ImportPath)
++ }
++ importPrefix = importPrefix[:slash]
++ }
++ if err := CheckImportPath(importPrefix); err != nil {
++ return fmt.Errorf("%s: invalid import path: %v", p.ImportPath, err)
++ }
++
+ if p.build.SrcRoot != "" {
+ // Directory exists. Look for checkout along path to src.
+ vcs, rootPath, err = vcsFromDir(p.Dir, p.build.SrcRoot)
+@@ -360,7 +377,7 @@ func downloadPackage(p *Package) error {
+ }
+ repo = remote
+ if !*getF {
+- if rr, err := repoRootForImportPath(p.ImportPath, security); err == nil {
++ if rr, err := repoRootForImportPath(importPrefix, security); err == nil {
+ repo := rr.repo
+ if rr.vcs.resolveRepo != nil {
+ resolved, err := rr.vcs.resolveRepo(rr.vcs, dir, repo)
+@@ -377,7 +394,7 @@ func downloadPackage(p *Package) error {
+ } else {
+ // Analyze the import path to determine the version control system,
+ // repository, and the import path for the root of the repository.
+- rr, err := repoRootForImportPath(p.ImportPath, security)
++ rr, err := repoRootForImportPath(importPrefix, security)
+ if err != nil {
+ return err
+ }
+Index: golang-1.7-1.7.4/src/cmd/go/path.go
+===================================================================
+--- /dev/null
++++ golang-1.7-1.7.4/src/cmd/go/path.go
+@@ -0,0 +1,191 @@
++// Copyright 2018 The Go Authors. All rights reserved.
++// Use of this source code is governed by a BSD-style
++// license that can be found in the LICENSE file.
++
++package main
++
++import (
++ "fmt"
++ "strings"
++ "unicode"
++ "unicode/utf8"
++)
++
++// The following functions are copied verbatim from cmd/go/internal/module/module.go,
++// with one change to additionally reject Windows short-names.
++//
++// TODO(bcmills): After the call site for this function is backported,
++// consolidate this back down to a single copy.
++
++// CheckImportPath checks that an import path is valid.
++func CheckImportPath(path string) error {
++ if err := checkPath(path, false); err != nil {
++ return fmt.Errorf("malformed import path %q: %v", path, err)
++ }
++ return nil
++}
++
++// checkPath checks that a general path is valid.
++// It returns an error describing why but not mentioning path.
++// Because these checks apply to both module paths and import paths,
++// the caller is expected to add the "malformed ___ path %q: " prefix.
++// fileName indicates whether the final element of the path is a file name
++// (as opposed to a directory name).
++func checkPath(path string, fileName bool) error {
++ if !utf8.ValidString(path) {
++ return fmt.Errorf("invalid UTF-8")
++ }
++ if path == "" {
++ return fmt.Errorf("empty string")
++ }
++ if strings.Contains(path, "..") {
++ return fmt.Errorf("double dot")
++ }
++ if strings.Contains(path, "//") {
++ return fmt.Errorf("double slash")
++ }
++ if path[len(path)-1] == '/' {
++ return fmt.Errorf("trailing slash")
++ }
++ elemStart := 0
++ for i, r := range path {
++ if r == '/' {
++ if err := checkElem(path[elemStart:i], fileName); err != nil {
++ return err
++ }
++ elemStart = i + 1
++ }
++ }
++ if err := checkElem(path[elemStart:], fileName); err != nil {
++ return err
++ }
++ return nil
++}
++
++// checkElem checks whether an individual path element is valid.
++// fileName indicates whether the element is a file name (not a directory name).
++func checkElem(elem string, fileName bool) error {
++ if elem == "" {
++ return fmt.Errorf("empty path element")
++ }
++ if strings.Count(elem, ".") == len(elem) {
++ return fmt.Errorf("invalid path element %q", elem)
++ }
++ if elem[0] == '.' && !fileName {
++ return fmt.Errorf("leading dot in path element")
++ }
++ if elem[len(elem)-1] == '.' {
++ return fmt.Errorf("trailing dot in path element")
++ }
++
++ charOK := pathOK
++ if fileName {
++ charOK = fileNameOK
++ }
++ for _, r := range elem {
++ if !charOK(r) {
++ return fmt.Errorf("invalid char %q", r)
++ }
++ }
++
++ // Windows disallows a bunch of path elements, sadly.
++ // See https://docs.microsoft.com/en-us/windows/desktop/fileio/naming-a-file
++ short := elem
++ if i := strings.Index(short, "."); i >= 0 {
++ short = short[:i]
++ }
++ for _, bad := range badWindowsNames {
++ if strings.EqualFold(bad, short) {
++ return fmt.Errorf("disallowed path element %q", elem)
++ }
++ }
++
++ // Reject path components that look like Windows short-names.
++ // Those usually end in a tilde followed by one or more ASCII digits.
++ if tilde := strings.LastIndexByte(short, '~'); tilde >= 0 && tilde < len(short)-1 {
++ suffix := short[tilde+1:]
++ suffixIsDigits := true
++ for _, r := range suffix {
++ if r < '0' || r > '9' {
++ suffixIsDigits = false
++ break
++ }
++ }
++ if suffixIsDigits {
++ return fmt.Errorf("trailing tilde and digits in path element")
++ }
++ }
++
++ return nil
++}
++
++// pathOK reports whether r can appear in an import path element.
++// Paths can be ASCII letters, ASCII digits, and limited ASCII punctuation: + - . _ and ~.
++// This matches what "go get" has historically recognized in import paths.
++// TODO(rsc): We would like to allow Unicode letters, but that requires additional
++// care in the safe encoding (see note below).
++func pathOK(r rune) bool {
++ if r < utf8.RuneSelf {
++ return r == '+' || r == '-' || r == '.'
|| r == '_' || r == '~' ||
++ '0' <= r && r <= '9' ||
++ 'A' <= r && r <= 'Z' ||
++ 'a' <= r && r <= 'z'
++ }
++ return false
++}
++
++// fileNameOK reports whether r can appear in a file name.
++// For now we allow all Unicode letters but otherwise limit to pathOK plus a few more punctuation characters.
++// If we expand the set of allowed characters here, we have to
++// work harder at detecting potential case-folding and normalization collisions.
++// See note about "safe encoding" below.
++func fileNameOK(r rune) bool {
++ if r < utf8.RuneSelf {
++ // Entire set of ASCII punctuation, from which we remove characters:
++ // ! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~
++ // We disallow some shell special characters: " ' * < > ? ` |
++ // (Note that some of those are disallowed by the Windows file system as well.)
++ // We also disallow path separators / : and \ (fileNameOK is only called on path element characters).
++ // We allow spaces (U+0020) in file names.
++ const allowed = "!#$%&()+,-.=@[]^_{}~ "
++ if '0' <= r && r <= '9' || 'A' <= r && r <= 'Z' || 'a' <= r && r <= 'z' {
++ return true
++ }
++ for i := 0; i < len(allowed); i++ {
++ if rune(allowed[i]) == r {
++ return true
++ }
++ }
++ return false
++ }
++ // It may be OK to add more ASCII punctuation here, but only carefully.
++ // For example Windows disallows < > \, and macOS disallows :, so we must not allow those.
++ return unicode.IsLetter(r)
++}
++
++// badWindowsNames are the reserved file path elements on Windows.
++// See https://docs.microsoft.com/en-us/windows/desktop/fileio/naming-a-file
++var badWindowsNames = []string{
++ "CON",
++ "PRN",
++ "AUX",
++ "NUL",
++ "COM1",
++ "COM2",
++ "COM3",
++ "COM4",
++ "COM5",
++ "COM6",
++ "COM7",
++ "COM8",
++ "COM9",
++ "LPT1",
++ "LPT2",
++ "LPT3",
++ "LPT4",
++ "LPT5",
++ "LPT6",
++ "LPT7",
++ "LPT8",
++ "LPT9",
++}
+Index: golang-1.7-1.7.4/src/cmd/go/vcs.go
+===================================================================
+--- golang-1.7-1.7.4.orig/src/cmd/go/vcs.go
++++ golang-1.7-1.7.4/src/cmd/go/vcs.go
+@@ -585,14 +585,7 @@ const (
+ func repoRootForImportPath(importPath string, security securityMode) (*repoRoot, error) {
+ rr, err := repoRootFromVCSPaths(importPath, "", security, vcsPaths)
+ if err == errUnknownSite {
+- // If there are wildcards, look up the thing before the wildcard,
+- // hoping it applies to the wildcarded parts too.
+- // This makes 'go get rsc.io/pdf/...' work in a fresh GOPATH.
+- lookup := strings.TrimSuffix(importPath, "/...")
+- if i := strings.Index(lookup, "/.../"); i >= 0 {
+- lookup = lookup[:i]
+- }
+- rr, err = repoRootForImportDynamic(lookup, security)
++ rr, err = repoRootForImportDynamic(importPath, security)
+ if err != nil {
+ err = fmt.Errorf("unrecognized import path %q (%v)", importPath, err)
+ }
+@@ -605,6 +598,7 @@ func repoRootForImportPath(importPath st
+ }
+ }
+
++ // Should have been taken care of above, but make sure.
+ if err == nil && strings.Contains(importPath, "...") && strings.Contains(rr.root, "...") {
+ // Do not allow wildcards in the repo root.
+ rr = nil
diff --git a/debian/patches/CVE-2019-16276.patch b/debian/patches/CVE-2019-16276.patch
new file mode 100644
index 0000000..22c6035
--- /dev/null
+++ b/debian/patches/CVE-2019-16276.patch
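Review bot: The comments on `pathOK` and `fileNameOK` in the new `src/cmd/go/path.go` refer to a "safe encoding" note "below", but this copy of the file ends with `badWindowsNames` and contains no such note, so both references dangle. The file header already says the functions come from `cmd/go/internal/module/module.go`, so the two lines could point there instead, for example `// See the "safe encoding" note in upstream cmd/go/internal/module/module.go (not copied here).` This matters to whoever later widens the allowed character set, because the missing note is where the comments say the case-folding and normalization concerns are explained.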
@@ -0,0 +1,162 @@ +Origin: https://github.com/golang/go/commit/6e6f4aaf70c8b1cc81e65a26332aa9409de03ad8 +Reviewed-by: Sylvain Beucler +Last-Update: 2021-03-12 + +From 6e6f4aaf70c8b1cc81e65a26332aa9409de03ad8 Mon Sep 17 00:00:00 2001 +From: Filippo Valsorda +Date: Thu, 12 Sep 2019 12:37:36 -0400 +Subject: [PATCH] [release-branch.go1.12-security] net/textproto: don't + normalize headers with spaces before the colon + +RFC 7230 is clear about headers with a space before the colon, like + +X-Answer : 42 + +being invalid, but we've been accepting and normalizing them for compatibility +purposes since CL 5690059 in 2012. + +On the client side, this is harmless and indeed most browsers behave the same +to this day. On the server side, this becomes a security issue when the +behavior doesn't match that of a reverse proxy sitting in front of the server. + +For example, if a WAF accepts them without normalizing them, it might be +possible to bypass its filters, because the Go server would interpret the +header differently. Worse, if the reverse proxy coalesces requests onto a +single HTTP/1.1 connection to a Go server, the understanding of the request +boundaries can get out of sync between them, allowing an attacker to tack an +arbitrary method and path onto a request by other clients, including +authentication headers unknown to the attacker. + +This was recently presented at multiple security conferences: +https://portswigger.net/blog/http-desync-attacks-request-smuggling-reborn + +net/http servers already reject header keys with invalid characters. +Simply stop normalizing extra spaces in net/textproto, let it return them +unchanged like it does for other invalid headers, and let net/http enforce +RFC 7230, which is HTTP specific. This loses us normalization on the client +side, but there's no right answer on the client side anyway, and hiding the +issue sounds worse than letting the application decide. 
+ +Fixes CVE-2019-16276 + +Change-Id: I6d272de827e0870da85d93df770d6a0e161bbcf1 +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/549719 +Reviewed-by: Brad Fitzpatrick +(cherry picked from commit 1280b868e82bf173ea3e988be3092d160ee66082) +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/558776 +Reviewed-by: Dmitri Shuralyov +--- + src/net/http/serve_test.go | 4 ++++ + src/net/http/transport_test.go | 27 +++++++++++++++++++++++++++ + src/net/textproto/reader.go | 10 ++-------- + src/net/textproto/reader_test.go | 13 ++++++------- + 4 files changed, 39 insertions(+), 15 deletions(-) + +Index: golang-1.7-1.7.4/src/net/http/serve_test.go +=================================================================== +--- golang-1.7-1.7.4.orig/src/net/http/serve_test.go ++++ golang-1.7-1.7.4/src/net/http/serve_test.go +@@ -4101,6 +4101,11 @@ func TestServerValidatesHeaders(t *testi + {"foo\xffbar: foo\r\n", 400}, // binary in header + {"foo\x00bar: foo\r\n", 400}, // binary in header + ++ // Spaces between the header key and colon are not allowed. ++ // See RFC 7230, Section 3.2.4. 
++ {"Foo : bar\r\n", 400}, ++ {"Foo\t: bar\r\n", 400}, ++ + {"foo: foo foo\r\n", 200}, // LWS space is okay + {"foo: foo\tfoo\r\n", 200}, // LWS tab is okay + {"foo: foo\x00foo\r\n", 400}, // CTL 0x00 in value is bad +Index: golang-1.7-1.7.4/src/net/http/transport_test.go +=================================================================== +--- golang-1.7-1.7.4.orig/src/net/http/transport_test.go ++++ golang-1.7-1.7.4/src/net/http/transport_test.go +@@ -3687,3 +3687,30 @@ var rgz = []byte{ + 0x00, 0x00, 0x3d, 0xb1, 0x20, 0x85, 0xfa, 0x00, + 0x00, 0x00, + } ++ ++func TestInvalidHeaderResponse(t *testing.T) { ++ setParallel(t) ++ defer afterTest(t) ++ cst := newClientServerTest(t, h1Mode, HandlerFunc(func(w ResponseWriter, r *Request) { ++ conn, buf, _ := w.(Hijacker).Hijack() ++ buf.Write([]byte("HTTP/1.1 200 OK\r\n" + ++ "Date: Wed, 30 Aug 2017 19:09:27 GMT\r\n" + ++ "Content-Type: text/html; charset=utf-8\r\n" + ++ "Content-Length: 0\r\n" + ++ "Foo : bar\r\n\r\n")) ++ buf.Flush() ++ conn.Close() ++ })) ++ defer cst.close() ++ res, err := cst.c.Get(cst.ts.URL) ++ if err != nil { ++ t.Fatal(err) ++ } ++ defer res.Body.Close() ++ if v := res.Header.Get("Foo"); v != "" { ++ t.Errorf(`unexpected "Foo" header: %q`, v) ++ } ++ if v := res.Header.Get("Foo "); v != "bar" { ++ t.Errorf(`bad "Foo " header value: %q, want %q`, v, "bar") ++ } ++} +Index: golang-1.7-1.7.4/src/net/textproto/reader.go +=================================================================== +--- golang-1.7-1.7.4.orig/src/net/textproto/reader.go ++++ golang-1.7-1.7.4/src/net/textproto/reader.go +@@ -482,18 +482,12 @@ func (r *Reader) ReadMIMEHeader() (MIMEH + return m, err + } + +- // Key ends at first colon; should not have spaces but +- // they appear in the wild, violating specs, so we +- // remove them if present. ++ // Key ends at first colon. 
+ i := bytes.IndexByte(kv, ':') + if i < 0 { + return m, ProtocolError("malformed MIME header line: " + string(kv)) + } +- endKey := i +- for endKey > 0 && kv[endKey-1] == ' ' { +- endKey-- +- } +- key := canonicalMIMEHeaderKey(kv[:endKey]) ++ key := canonicalMIMEHeaderKey(kv[:i]) + + // As per RFC 7230 field-name is a token, tokens consist of one or more chars. + // We could return a ProtocolError here, but better to be liberal in what we +Index: golang-1.7-1.7.4/src/net/textproto/reader_test.go +=================================================================== +--- golang-1.7-1.7.4.orig/src/net/textproto/reader_test.go ++++ golang-1.7-1.7.4/src/net/textproto/reader_test.go +@@ -188,11 +188,10 @@ func TestLargeReadMIMEHeader(t *testing. + } + } + +-// Test that we read slightly-bogus MIME headers seen in the wild, +-// with spaces before colons, and spaces in keys. ++// TestReadMIMEHeaderNonCompliant checks that we don't normalize headers ++// with spaces before colons, and accept spaces in keys. + func TestReadMIMEHeaderNonCompliant(t *testing.T) { +- // Invalid HTTP response header as sent by an Axis security +- // camera: (this is handled by IE, Firefox, Chrome, curl, etc.) ++ // These invalid headers will be rejected by net/http according to RFC 7230. + r := reader("Foo: bar\r\n" + + "Content-Language: en\r\n" + + "SID : 0\r\n" + +@@ -202,9 +201,9 @@ func TestReadMIMEHeaderNonCompliant(t *t + want := MIMEHeader{ + "Foo": {"bar"}, + "Content-Language": {"en"}, +- "Sid": {"0"}, +- "Audio Mode": {"None"}, +- "Privilege": {"127"}, ++ "SID ": {"0"}, ++ "Audio Mode ": {"None"}, ++ "Privilege ": {"127"}, + } + if !reflect.DeepEqual(m, want) || err != nil { + t.Fatalf("ReadMIMEHeader =\n%v, %v; want:\n%v", m, err, want) diff --git a/debian/patches/CVE-2019-17596.patch b/debian/patches/CVE-2019-17596.patch new file mode 100644 index 0000000..280e775 --- /dev/null +++ b/debian/patches/CVE-2019-17596.patch 
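Review bot: The replacement comment in ReadMIMEHeader, `// Key ends at first colon.`, does not say that whitespace before the colon now stays in the returned key, which is the security-relevant contract of this change. The key is now `kv[:i]`, so a line such as `SID : 0` yields the key `"SID "` (as the updated TestReadMIMEHeaderNonCompliant expects), and the commit message relies on net/http to reject such keys, while other users of net/textproto receive them unchanged. I would extend the comment to `// Key ends at first colon. Whitespace before the colon is kept in the key; protocol-specific callers (net/http, per RFC 7230 Section 3.2.4) must reject such keys.` The body of ReadMIMEHeader continues outside the hunk.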
@@ -0,0 +1,40 @@
+Origin: https://github.com/golang/go/commit/2017d88dbc096381d4f348d2fb08bfb3c2b7ed73
+Reviewed-by: Sylvain Beucler
+Last-Update: 2021-03-12
+
+From 2017d88dbc096381d4f348d2fb08bfb3c2b7ed73 Mon Sep 17 00:00:00 2001
+From: Katie Hockman
+Date: Mon, 14 Oct 2019 16:42:21 -0400
+Subject: [PATCH] [release-branch.go1.12-security] crypto/dsa: prevent bad
+ public keys from causing panic
+
+dsa.Verify might currently use a nil s inverse in a
+multiplication if the public key contains a non-prime Q,
+causing a panic. Change this to check that the mod
+inverse exists before using it.
+
+Fixes CVE-2019-17596
+
+Change-Id: I94d5f3cc38f1b5d52d38dcb1d253c71b7fd1cae7
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/572809
+Reviewed-by: Filippo Valsorda
+(cherry picked from commit 9119dfb0511326d4485b248b83d4fde19c95d0f7)
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/575232
+---
+ src/crypto/dsa/dsa.go | 3 +++
+ 1 file changed, 3 insertions(+)
+
+Index: golang-1.7-1.7.4/src/crypto/dsa/dsa.go
+===================================================================
+--- golang-1.7-1.7.4.orig/src/crypto/dsa/dsa.go
++++ golang-1.7-1.7.4/src/crypto/dsa/dsa.go
+@@ -259,6 +259,9 @@ func Verify(pub *PublicKey, hash []byte,
+ }
+
+ w := new(big.Int).ModInverse(s, pub.Q)
++ if w == nil {
++ return false
++ }
+
+ n := pub.Q.BitLen()
+ if n&7 != 0 {
diff --git a/debian/patches/CVE-2019-9741.patch b/debian/patches/CVE-2019-9741.patch
new file mode 100644
index 0000000..36d6369
--- /dev/null
+++ b/debian/patches/CVE-2019-9741.patch
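Review bot: The added `if w == nil` guard in Verify only works if `(*big.Int).ModInverse` in this tree returns nil when `s` has no inverse modulo `pub.Q`. As far as I recall, that return value was introduced in Go 1.11 and earlier releases returned the receiver with an undefined value, so on 1.7.4 the check may never fire and Verify would carry on with a meaningless `w`; this needs confirming against math/big in this source tree. If so, the backport needs its own invertibility test, or at least a comment above the guard such as `// Backport note: depends on ModInverse returning nil for non-invertible s; verify for this Go version.` A regression test using a public key with a composite Q would settle the question. Verify starts and ends outside the hunk.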
@@ -0,0 +1,217 @@ +Origin: https://github.com/golang/go/commit/829c5df58694b3345cb5ea41206783c8ccf5c3ca +Origin: https://github.com/golang/go/commit/f1d662f34788f4a5f087581d0951cdf4e0f6e708 +Reviewed-by: Sylvain Beucler +Last-Update: 2021-03-12 + +From 829c5df58694b3345cb5ea41206783c8ccf5c3ca Mon Sep 17 00:00:00 2001 +From: Brad Fitzpatrick +Date: Wed, 23 Jan 2019 19:09:07 +0000 +Subject: [PATCH] net/url, net/http: reject control characters in URLs + +This is a more conservative version of the reverted CL 99135 (which +was reverted in CL 137716) + +The net/url part rejects URLs with ASCII CTLs from being parsed and +the net/http part rejects writing them if a bogus url.URL is +constructed otherwise. + +Updates #27302 +Updates #22907 + +Change-Id: I09a2212eb74c63db575223277aec363c55421ed8 +Reviewed-on: https://go-review.googlesource.com/c/159157 +Run-TryBot: Brad Fitzpatrick +TryBot-Result: Gobot Gobot +Reviewed-by: Filippo Valsorda +--- + src/net/http/fs_test.go | 15 +++++++++++---- + src/net/http/http.go | 6 ++++++ + src/net/http/request.go | 7 ++++++- + src/net/http/requestwrite_test.go | 11 +++++++++++ + src/net/url/url.go | 10 ++++++++++ + src/net/url/url_test.go | 17 ++++++++++++++++- + 6 files changed, 60 insertions(+), 6 deletions(-) + +From f1d662f34788f4a5f087581d0951cdf4e0f6e708 Mon Sep 17 00:00:00 2001 +From: Brad Fitzpatrick +Date: Tue, 29 Jan 2019 17:22:36 +0000 +Subject: [PATCH] net/url, net/http: relax CTL-in-URL validation to only ASCII + CTLs + +CL 159157 was doing UTF-8 decoding of URLs. URLs aren't really UTF-8, +even if sometimes they are in some contexts. + +Instead, only reject ASCII CTLs. 
+ +Updates #27302 +Updates #22907 + +Change-Id: Ibd64efa5d3a93263d175aadf1c9f87deb4670c62 +Reviewed-on: https://go-review.googlesource.com/c/160178 +Run-TryBot: Brad Fitzpatrick +TryBot-Result: Gobot Gobot +Reviewed-by: Ian Lance Taylor +--- + src/net/http/http.go | 13 +++++++++---- + src/net/http/request.go | 2 +- + src/net/url/url.go | 15 ++++++++++----- + src/net/url/url_test.go | 6 ++++++ + 4 files changed, 26 insertions(+), 10 deletions(-) + +Index: golang-1.7-1.7.4/src/net/http/fs_test.go +=================================================================== +--- golang-1.7-1.7.4.orig/src/net/http/fs_test.go ++++ golang-1.7-1.7.4/src/net/http/fs_test.go +@@ -580,16 +580,23 @@ func TestFileServerZeroByte(t *testing.T + ts := httptest.NewServer(FileServer(Dir("."))) + defer ts.Close() + +- res, err := Get(ts.URL + "/..\x00") ++ c, err := net.Dial("tcp", ts.Listener.Addr().String()) + if err != nil { + t.Fatal(err) + } +- b, err := ioutil.ReadAll(res.Body) ++ defer c.Close() ++ _, err = fmt.Fprintf(c, "GET /..\x00 HTTP/1.0\r\n\r\n") + if err != nil { +- t.Fatal("reading Body:", err) ++ t.Fatal(err) ++ } ++ var got bytes.Buffer ++ bufr := bufio.NewReader(io.TeeReader(c, &got)) ++ res, err := ReadResponse(bufr, nil) ++ if err != nil { ++ t.Fatal("ReadResponse: ", err) + } + if res.StatusCode == 200 { +- t.Errorf("got status 200; want an error. Body is:\n%s", string(b)) ++ t.Errorf("got status 200; want an error. Body is:\n%s", got.Bytes()) + } + } + +Index: golang-1.7-1.7.4/src/net/http/http.go +=================================================================== +--- golang-1.7-1.7.4.orig/src/net/http/http.go ++++ golang-1.7-1.7.4/src/net/http/http.go +@@ -41,3 +41,14 @@ func removeEmptyPort(host string) string + func isNotToken(r rune) bool { + return !httplex.IsTokenRune(r) + } ++ ++// stringContainsCTLByte reports whether s contains any ASCII control character. 
++func stringContainsCTLByte(s string) bool { ++ for i := 0; i < len(s); i++ { ++ b := s[i] ++ if b < ' ' || b == 0x7f { ++ return true ++ } ++ } ++ return false ++} +Index: golang-1.7-1.7.4/src/net/http/request.go +=================================================================== +--- golang-1.7-1.7.4.orig/src/net/http/request.go ++++ golang-1.7-1.7.4/src/net/http/request.go +@@ -477,7 +477,12 @@ func (req *Request) write(w io.Writer, u + // CONNECT requests normally give just the host and port, not a full URL. + ruri = host + } +- // TODO(bradfitz): escape at least newlines in ruri? ++ if stringContainsCTLByte(ruri) { ++ return errors.New("net/http: can't write control character in Request.URL") ++ } ++ // TODO: validate r.Method too? At least it's less likely to ++ // come from an attacker (more likely to be a constant in ++ // code). + + // Wrap the writer in a bufio Writer if it's not already buffered. + // Don't always call NewWriter, as that forces a bytes.Buffer +Index: golang-1.7-1.7.4/src/net/http/requestwrite_test.go +=================================================================== +--- golang-1.7-1.7.4.orig/src/net/http/requestwrite_test.go ++++ golang-1.7-1.7.4/src/net/http/requestwrite_test.go +@@ -486,6 +486,17 @@ var reqWriteTests = []reqWriteTest{ + "User-Agent: Go-http-client/1.1\r\n" + + "\r\n", + }, ++ ++ { ++ Req: Request{ ++ Method: "GET", ++ URL: &url.URL{ ++ Host: "www.example.com", ++ RawQuery: "new\nline", // or any CTL ++ }, ++ }, ++ WantError: errors.New("net/http: can't write control character in Request.URL"), ++ }, + } + + func TestRequestWrite(t *testing.T) { +Index: golang-1.7-1.7.4/src/net/url/url.go +=================================================================== +--- golang-1.7-1.7.4.orig/src/net/url/url.go ++++ golang-1.7-1.7.4/src/net/url/url.go +@@ -447,6 +447,10 @@ func ParseRequestURI(rawurl string) (*UR + func parse(rawurl string, viaRequest bool) (url *URL, err error) { + var rest string + ++ if 
stringContainsCTLByte(rawurl) { ++ return nil, errors.New("net/url: invalid control character in URL") ++ } ++ + if rawurl == "" && viaRequest { + err = errors.New("empty url") + goto Error +@@ -929,3 +933,14 @@ func (u *URL) RequestURI() string { + } + return result + } ++ ++// stringContainsCTLByte reports whether s contains any ASCII control character. ++func stringContainsCTLByte(s string) bool { ++ for i := 0; i < len(s); i++ { ++ b := s[i] ++ if b < ' ' || b == 0x7f { ++ return true ++ } ++ } ++ return false ++} +Index: golang-1.7-1.7.4/src/net/url/url_test.go +=================================================================== +--- golang-1.7-1.7.4.orig/src/net/url/url_test.go ++++ golang-1.7-1.7.4/src/net/url/url_test.go +@@ -1388,6 +1388,12 @@ func TestShouldEscape(t *testing.T) { + t.Errorf("shouldEscape(%q, %v) returned %v; expected %v", tt.in, tt.mode, !tt.escape, tt.escape) + } + } ++ ++ // But don't reject non-ASCII CTLs, at least for now: ++ if _, err := Parse("http://foo.com/ctl\x80"); err != nil { ++ t.Errorf("error parsing URL with non-ASCII control byte: %v", err) ++ } ++ + } + + type timeoutError struct { +@@ -1470,3 +1476,18 @@ func TestURLErrorImplementsNetError(t *t + } + } + } ++ ++func TestRejectControlCharacters(t *testing.T) { ++ tests := []string{ ++ "http://foo.com/?foo\nbar", ++ "http\r://foo.com/", ++ "http://foo\x7f.com/", ++ } ++ for _, s := range tests { ++ _, err := Parse(s) ++ const wantSub = "net/url: invalid control character in URL" ++ if got := fmt.Sprint(err); !strings.Contains(got, wantSub) { ++ t.Errorf("Parse(%q) error = %q; want substring %q", s, got, wantSub) ++ } ++ } ++} diff --git a/debian/patches/CVE-2020-15586.patch b/debian/patches/CVE-2020-15586.patch new file mode 100644 index 0000000..0016d58 --- /dev/null +++ b/debian/patches/CVE-2020-15586.patch 
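Review bot: In Request.write the new control-character check covers `ruri` only, and the added TODO leaves the method unvalidated even though it is written on the same request line. A method string that reaches write with a CR or LF in it would therefore still be emitted; whether it is validated earlier, for instance when the request is constructed, is not visible in this hunk. The helper added by this patch could be applied here as well: `if stringContainsCTLByte(req.Method) { return errors.New("net/http: can't write control character in Request.Method") }`. The TODO also refers to `r.Method` although the receiver in this function is `req`. The body of write continues outside the hunk.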
@@ -0,0 +1,98 @@ +Index: golang-1.7-1.7.4/src/net/http/server.go +=================================================================== +--- golang-1.7-1.7.4.orig/src/net/http/server.go 2020-11-18 17:29:38.876836177 +0100 ++++ golang-1.7-1.7.4/src/net/http/server.go 2020-11-18 17:29:38.868835775 +0100 +@@ -372,6 +372,16 @@ + wants10KeepAlive bool // HTTP/1.0 w/ Connection "keep-alive" + wantsClose bool // HTTP request has Connection "close" + ++ // canWriteContinue is a boolean value accessed as an atomic int32 ++ // that says whether or not a 100 Continue header can be written ++ // to the connection. ++ // writeContinueMu must be held while writing the header. ++ // These two fields together synchronize the body reader ++ // (the expectContinueReader, which wants to write 100 Continue) ++ // against the main writer. ++ canWriteContinue atomicBool ++ writeContinueMu sync.Mutex ++ + w *bufio.Writer // buffers output in chunks to chunkWriter + cw chunkWriter + +@@ -422,6 +432,7 @@ + + func (b *atomicBool) isSet() bool { return atomic.LoadInt32((*int32)(b)) != 0 } + func (b *atomicBool) setTrue() { atomic.StoreInt32((*int32)(b), 1) } ++func (b *atomicBool) setFalse() { atomic.StoreInt32((*int32)(b), 0) } + + // declareTrailer is called for each Trailer header when the + // response header is written. 
It notes that a header will need to be +@@ -684,21 +695,27 @@ + resp *response + readCloser io.ReadCloser + closed bool +- sawEOF bool ++ sawEOF atomicBool + } + + func (ecr *expectContinueReader) Read(p []byte) (n int, err error) { + if ecr.closed { + return 0, ErrBodyReadAfterClose + } +- if !ecr.resp.wroteContinue && !ecr.resp.conn.hijacked() { +- ecr.resp.wroteContinue = true +- ecr.resp.conn.bufw.WriteString("HTTP/1.1 100 Continue\r\n\r\n") +- ecr.resp.conn.bufw.Flush() ++ w := ecr.resp ++ if !w.wroteContinue && w.canWriteContinue.isSet() && !w.conn.hijacked() { ++ w.wroteContinue = true ++ w.writeContinueMu.Lock() ++ if w.canWriteContinue.isSet() { ++ w.conn.bufw.WriteString("HTTP/1.1 100 Continue\r\n\r\n") ++ w.conn.bufw.Flush() ++ w.canWriteContinue.setFalse() ++ } ++ w.writeContinueMu.Unlock() + } + n, err = ecr.readCloser.Read(p) + if err == io.EOF { +- ecr.sawEOF = true ++ ecr.sawEOF.setTrue() + } + return + } +@@ -1055,7 +1072,7 @@ + // because we don't know if the next bytes on the wire will be + // the body-following-the-timer or the subsequent request. + // See Issue 11549. +- if ecr, ok := w.req.Body.(*expectContinueReader); ok && !ecr.sawEOF { ++ if ecr, ok := w.req.Body.(*expectContinueReader); ok && !ecr.sawEOF.isSet() { + w.closeAfterReply = true + } + +@@ -1321,6 +1338,17 @@ + w.conn.server.logf("http: response.Write on hijacked connection") + return 0, ErrHijacked + } ++ ++ if w.canWriteContinue.isSet() { ++ // Body reader wants to write 100 Continue but hasn't yet. ++ // Tell it not to. The store must be done while holding the lock ++ // because the lock makes sure that there is not an active write ++ // this very moment. 
++ w.writeContinueMu.Lock() ++ w.canWriteContinue.setFalse() ++ w.writeContinueMu.Unlock() ++ } ++ + if !w.wroteHeader { + w.WriteHeader(StatusOK) + } +@@ -1565,6 +1593,7 @@ + if req.ProtoAtLeast(1, 1) && req.ContentLength != 0 { + // Wrap the Body reader with one that replies on the connection + req.Body = &expectContinueReader{readCloser: req.Body, resp: w} ++ w.canWriteContinue.setTrue() + } + } else if req.Header.get("Expect") != "" { + w.sendExpectationFailed() diff --git a/debian/patches/CVE-2020-16845.patch b/debian/patches/CVE-2020-16845.patch new file mode 100644 index 0000000..edda01c --- /dev/null +++ b/debian/patches/CVE-2020-16845.patch 
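Review bot: This patch file starts directly at `Index: golang-1.7-1.7.4/src/net/http/server.go` with no header, so the upstream commit it backports and its reviewer cannot be traced from the file; CVE-2020-16845.patch, which begins at its `diff --git` line, has the same gap. The neighbouring patches (CVE-2019-16276, CVE-2019-17596, CVE-2019-9741, CVE-2021-3114) all open with `Origin:`, `Reviewed-by:` and `Last-Update:` fields. For a security backport onto a much older server.go I would add the same header, e.g. `Origin: <upstream commit URL>` and `Last-Update: <date>`, plus one line stating what was adapted for 1.7.4, so a later auditor can diff it against upstream.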
@@ -0,0 +1,66 @@ +diff --git a/src/encoding/binary/varint.go b/src/encoding/binary/varint.go +index bcb8ac9a45..38af61075c 100644 +--- a/src/encoding/binary/varint.go ++++ b/src/encoding/binary/varint.go +@@ -106,13 +106,13 @@ var overflow = errors.New("binary: varint overflows a 64-bit integer") + func ReadUvarint(r io.ByteReader) (uint64, error) { + var x uint64 + var s uint +- for i := 0; ; i++ { ++ for i := 0; i < MaxVarintLen64; i++ { + b, err := r.ReadByte() + if err != nil { + return x, err + } + if b < 0x80 { +- if i > 9 || i == 9 && b > 1 { ++ if i == 9 && b > 1 { + return x, overflow + } + return x | uint64(b)< MaxVarintLen64 { ++ t.Errorf("ReadUvarint(%v): read more than MaxVarintLen64 bytes, got %d", buf, read) + } + } + + func TestOverflow(t *testing.T) { +- testOverflow(t, []byte{0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x2}, -10, overflow) +- testOverflow(t, []byte{0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x1, 0, 0}, -13, overflow) ++ testOverflow(t, []byte{0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x2}, 0, -10, overflow) ++ testOverflow(t, []byte{0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x1, 0, 0}, 0, -13, overflow) ++ testOverflow(t, []byte{0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF}, 1<<64-1, 0, overflow) // 11 bytes, should overflow + } + + func TestNonCanonicalZero(t *testing.T) { diff --git a/debian/patches/CVE-2021-3114.patch b/debian/patches/CVE-2021-3114.patch new file mode 100644 index 0000000..8914eef --- /dev/null +++ b/debian/patches/CVE-2021-3114.patch 
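Review bot: In ReadUvarint the overflow test `if i == 9 && b > 1` still uses the literal 9 while the loop bound on the line above it is now `MaxVarintLen64`, so the two limits agree only because the values happen to match. Writing it as `if i == MaxVarintLen64-1 && b > 1 {` makes it explicit that the last permitted byte may carry only one bit. Part of this hunk is not legible on the page (the text after `uint64(b)` is missing), so the return after the loop could not be checked here.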
@@ -0,0 +1,492 @@ +Origin: https://github.com/golang/go/commit/5c8fd727c41e31273923c32b33d4f25855f4e123 +Reviewed-by: Sylvain Beucler +Last-Update: 2021-03-12 + +From 5c8fd727c41e31273923c32b33d4f25855f4e123 Mon Sep 17 00:00:00 2001 +From: Filippo Valsorda +Date: Fri, 8 Jan 2021 03:56:58 +0100 +Subject: [PATCH] [release-branch.go1.15-security] crypto/elliptic: fix P-224 + field reduction + +This patch fixes two independent bugs in p224Contract, the function that +performs the final complete reduction in the P-224 field. Incorrect +outputs due to these bugs were observable from a high-level +P224().ScalarMult() call. + +The first bug was in the calculation of out3GT. That mask was supposed +to be all ones if the third limb of the value is greater than the third +limb of P (out[3] > 0xffff000). Instead, it was also set if they are +equal. That meant that if the third limb was equal, the value was always +considered greater than or equal to P, even when the three bottom limbs +were all zero. There is exactly one affected value, P - 1, which would +trigger the subtraction by P even if it's lower than P already. + +The second bug was more easily hit, and is the one that caused the known +high-level incorrect output: after the conditional subtraction by P, a +potential underflow of the lowest limb was not handled. Any values that +trigger the subtraction by P (values between P and 2^224-1, and P - 1 +due to the bug above) but have a zero lowest limb would produce invalid +outputs. Those conditions apply to the intermediate representation +before the subtraction, so they are hard to trace to precise inputs. + +This patch also adds a test suite for the P-224 field arithmetic, +including a custom fuzzer that automatically explores potential edge +cases by combining limb values that have various meanings in the code. 
+contractMatchesBigInt in TestP224Contract finds the second bug in less +than a second without being tailored to it, and could eventually find +the first one too by combining 0, (1 << 28) - 1, and the difference of +(1 << 28) and (1 << 12). + +The incorrect P224().ScalarMult() output was found by the +elliptic-curve-differential-fuzzer project running on OSS-Fuzz and +reported by Philippe Antoine (Catena cyber). + +Fixes CVE-2021-3114 + +Change-Id: I50176602d544de3da854270d66a293bcaca57ad7 +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/947792 +Reviewed-by: Katie Hockman +(cherry picked from commit 5fa534e9c7eaeaf875e53b98eac9342b0855b283) +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/955175 +--- + src/crypto/elliptic/p224.go | 41 +++-- + src/crypto/elliptic/p224_test.go | 277 ++++++++++++++++++++++++++++++- + 2 files changed, 298 insertions(+), 20 deletions(-) + +Index: golang-1.7-1.7.4/src/crypto/elliptic/p224.go +=================================================================== +--- golang-1.7-1.7.4.orig/src/crypto/elliptic/p224.go ++++ golang-1.7-1.7.4/src/crypto/elliptic/p224.go +@@ -384,10 +384,11 @@ func p224Invert(out, in *p224FieldElemen + // p224Contract converts a FieldElement to its unique, minimal form. + // + // On entry, in[i] < 2**29 +-// On exit, in[i] < 2**28 ++// On exit, out[i] < 2**28 and out < p + func p224Contract(out, in *p224FieldElement) { + copy(out[:], in[:]) + ++ // First, carry the bits above 28 to the higher limb. + for i := 0; i < 7; i++ { + out[i+1] += out[i] >> 28 + out[i] &= bottom28Bits +@@ -395,10 +396,13 @@ func p224Contract(out, in *p224FieldElem + top := out[7] >> 28 + out[7] &= bottom28Bits + ++ // Use the reduction identity to carry the overflow. ++ // ++ // a + top * 2²²⁴ = a + top * 2⁹⁶ - top + out[0] -= top + out[3] += top << 12 + +- // We may just have made out[i] negative. So we carry down. If we made ++ // We may just have made out[0] negative. 
So we carry down. If we made + // out[0] negative then we know that out[3] is sufficiently positive + // because we just added to it. + for i := 0; i < 3; i++ { +@@ -423,13 +427,12 @@ func p224Contract(out, in *p224FieldElem + // There are two cases to consider for out[3]: + // 1) The first time that we eliminated top, we didn't push out[3] over + // 2**28. In this case, the partial carry chain didn't change any values +- // and top is zero. ++ // and top is now zero. + // 2) We did push out[3] over 2**28 the first time that we eliminated top. +- // The first value of top was in [0..16), therefore, prior to eliminating +- // the first top, 0xfff1000 <= out[3] <= 0xfffffff. Therefore, after +- // overflowing and being reduced by the second carry chain, out[3] <= +- // 0xf000. Thus it cannot have overflowed when we eliminated top for the +- // second time. ++ // The first value of top was in [0..2], therefore, after overflowing ++ // and being reduced by the second carry chain, out[3] <= 2<<12 - 1. ++ // In both cases, out[3] cannot have overflowed when we eliminated top for ++ // the second time. + + // Again, we may just have made out[0] negative, so do the same carry down. + // As before, if we made out[0] negative then we know that out[3] is +@@ -468,12 +471,11 @@ func p224Contract(out, in *p224FieldElem + bottom3NonZero |= bottom3NonZero >> 1 + bottom3NonZero = uint32(int32(bottom3NonZero<<31) >> 31) + +- // Everything depends on the value of out[3]. +- // If it's > 0xffff000 and top4AllOnes != 0 then the whole value is >= p +- // If it's = 0xffff000 and top4AllOnes != 0 and bottom3NonZero != 0, +- // then the whole value is >= p ++ // Assuming top4AllOnes != 0, everything depends on the value of out[3]. 
++ // If it's > 0xffff000 then the whole value is > p ++ // If it's = 0xffff000 and bottom3NonZero != 0, then the whole value is >= p + // If it's < 0xffff000, then the whole value is < p +- n := out[3] - 0xffff000 ++ n := 0xffff000 - out[3] + out3Equal := n + out3Equal |= out3Equal >> 16 + out3Equal |= out3Equal >> 8 +@@ -482,8 +484,8 @@ func p224Contract(out, in *p224FieldElem + out3Equal |= out3Equal >> 1 + out3Equal = ^uint32(int32(out3Equal<<31) >> 31) + +- // If out[3] > 0xffff000 then n's MSB will be zero. +- out3GT := ^uint32(int32(n) >> 31) ++ // If out[3] > 0xffff000 then n's MSB will be one. ++ out3GT := uint32(int32(n) >> 31) + + mask := top4AllOnes & ((out3Equal & bottom3NonZero) | out3GT) + out[0] -= 1 & mask +@@ -492,6 +494,15 @@ func p224Contract(out, in *p224FieldElem + out[5] -= 0xfffffff & mask + out[6] -= 0xfffffff & mask + out[7] -= 0xfffffff & mask ++ ++ // Do one final carry down, in case we made out[0] negative. One of ++ // out[0..3] needs to be positive and able to absorb the -1 or the value ++ // would have been < p, and the subtraction wouldn't have happened. ++ for i := 0; i < 3; i++ { ++ mask := uint32(int32(out[i]) >> 31) ++ out[i] += (1 << 28) & mask ++ out[i+1] -= 1 & mask ++ } + } + + // Group element functions. 
+Index: golang-1.7-1.7.4/src/crypto/elliptic/p224_test.go +=================================================================== +--- golang-1.7-1.7.4.orig/src/crypto/elliptic/p224_test.go ++++ golang-1.7-1.7.4/src/crypto/elliptic/p224_test.go +@@ -6,7 +6,10 @@ package elliptic + + import ( + "math/big" ++ "math/rand" ++ "reflect" + "testing" ++ "testing/quick" + ) + + var toFromBigTests = []string{ +@@ -21,16 +24,16 @@ func p224AlternativeToBig(in *p224FieldE + ret := new(big.Int) + tmp := new(big.Int) + +- for i := uint(0); i < 8; i++ { ++ for i := len(in) - 1; i >= 0; i-- { ++ ret.Lsh(ret, 28) + tmp.SetInt64(int64(in[i])) +- tmp.Lsh(tmp, 28*i) + ret.Add(ret, tmp) + } +- ret.Mod(ret, p224.P) ++ ret.Mod(ret, P224().Params().P) + return ret + } + +-func TestToFromBig(t *testing.T) { ++func TestP224ToFromBig(t *testing.T) { + for i, test := range toFromBigTests { + n, _ := new(big.Int).SetString(test, 16) + var x p224FieldElement +@@ -41,7 +44,304 @@ func TestToFromBig(t *testing.T) { + } + q := p224AlternativeToBig(&x) + if n.Cmp(q) != 0 { +- t.Errorf("#%d: %x != %x (alternative)", i, n, m) ++ t.Errorf("#%d: %x != %x (alternative)", i, n, q) + } + } + } ++ ++// quickCheckConfig32 will make each quickcheck test run (32 * -quickchecks) ++// times. The default value of -quickchecks is 100. ++var quickCheckConfig32 = &quick.Config{MaxCountScale: 32} ++ ++// weirdLimbs can be combined to generate a range of edge-case field elements. ++var weirdLimbs = [...]uint32{ ++ 0, 1, (1 << 29) - 1, ++ (1 << 12), (1 << 12) - 1, ++ (1 << 28), (1 << 28) - 1, ++} ++ ++func generateLimb(rand *rand.Rand) uint32 { ++ const bottom29Bits = 0x1fffffff ++ n := rand.Intn(len(weirdLimbs) + 3) ++ switch n { ++ case len(weirdLimbs): ++ // Random value. ++ return uint32(rand.Int31n(1 << 29)) ++ case len(weirdLimbs) + 1: ++ // Sum of two values. ++ k := generateLimb(rand) + generateLimb(rand) ++ return k & bottom29Bits ++ case len(weirdLimbs) + 2: ++ // Difference of two values. 
++ k := generateLimb(rand) - generateLimb(rand) ++ return k & bottom29Bits ++ default: ++ return weirdLimbs[n] ++ } ++} ++ ++func (p224FieldElement) Generate(rand *rand.Rand, size int) reflect.Value { ++ return reflect.ValueOf(p224FieldElement{ ++ weirdLimbs[rand.Intn(len(weirdLimbs))], ++ weirdLimbs[rand.Intn(len(weirdLimbs))], ++ weirdLimbs[rand.Intn(len(weirdLimbs))], ++ weirdLimbs[rand.Intn(len(weirdLimbs))], ++ weirdLimbs[rand.Intn(len(weirdLimbs))], ++ weirdLimbs[rand.Intn(len(weirdLimbs))], ++ weirdLimbs[rand.Intn(len(weirdLimbs))], ++ weirdLimbs[rand.Intn(len(weirdLimbs))], ++ }) ++} ++ ++func isInBounds(x *p224FieldElement) bool { ++ return Len32(x[0]) <= 29 && ++ Len32(x[1]) <= 29 && ++ Len32(x[2]) <= 29 && ++ Len32(x[3]) <= 29 && ++ Len32(x[4]) <= 29 && ++ Len32(x[5]) <= 29 && ++ Len32(x[6]) <= 29 && ++ Len32(x[7]) <= 29 ++} ++ ++func TestP224Mul(t *testing.T) { ++ mulMatchesBigInt := func(a, b, out p224FieldElement) bool { ++ var tmp p224LargeFieldElement ++ p224Mul(&out, &a, &b, &tmp) ++ ++ exp := new(big.Int).Mul(p224AlternativeToBig(&a), p224AlternativeToBig(&b)) ++ exp.Mod(exp, P224().Params().P) ++ got := p224AlternativeToBig(&out) ++ if exp.Cmp(got) != 0 || !isInBounds(&out) { ++ t.Logf("a = %x", a) ++ t.Logf("b = %x", b) ++ t.Logf("p224Mul(a, b) = %x = %v", out, got) ++ t.Logf("a * b = %v", exp) ++ return false ++ } ++ ++ return true ++ } ++ ++ a := p224FieldElement{0xfffffff, 0xfffffff, 0xf00ffff, 0x20f, 0x0, 0x0, 0x0, 0x0} ++ b := p224FieldElement{1, 0, 0, 0, 0, 0, 0, 0} ++ if !mulMatchesBigInt(a, b, p224FieldElement{}) { ++ t.Fail() ++ } ++ ++ if err := quick.Check(mulMatchesBigInt, quickCheckConfig32); err != nil { ++ t.Error(err) ++ } ++} ++ ++func TestP224Square(t *testing.T) { ++ squareMatchesBigInt := func(a, out p224FieldElement) bool { ++ var tmp p224LargeFieldElement ++ p224Square(&out, &a, &tmp) ++ ++ exp := p224AlternativeToBig(&a) ++ exp.Mul(exp, exp) ++ exp.Mod(exp, P224().Params().P) ++ got := p224AlternativeToBig(&out) ++ if 
exp.Cmp(got) != 0 || !isInBounds(&out) { ++ t.Logf("a = %x", a) ++ t.Logf("p224Square(a, b) = %x = %v", out, got) ++ t.Logf("a * a = %v", exp) ++ return false ++ } ++ ++ return true ++ } ++ ++ if err := quick.Check(squareMatchesBigInt, quickCheckConfig32); err != nil { ++ t.Error(err) ++ } ++} ++ ++func TestP224Add(t *testing.T) { ++ addMatchesBigInt := func(a, b, out p224FieldElement) bool { ++ p224Add(&out, &a, &b) ++ ++ exp := new(big.Int).Add(p224AlternativeToBig(&a), p224AlternativeToBig(&b)) ++ exp.Mod(exp, P224().Params().P) ++ got := p224AlternativeToBig(&out) ++ if exp.Cmp(got) != 0 { ++ t.Logf("a = %x", a) ++ t.Logf("b = %x", b) ++ t.Logf("p224Add(a, b) = %x = %v", out, got) ++ t.Logf("a + b = %v", exp) ++ return false ++ } ++ ++ return true ++ } ++ ++ if err := quick.Check(addMatchesBigInt, quickCheckConfig32); err != nil { ++ t.Error(err) ++ } ++} ++ ++func TestP224Reduce(t *testing.T) { ++ reduceMatchesBigInt := func(a p224FieldElement) bool { ++ out := a ++ // TODO: generate higher values for functions like p224Reduce that are ++ // expected to work with higher input bounds. ++ p224Reduce(&out) ++ ++ exp := p224AlternativeToBig(&a) ++ got := p224AlternativeToBig(&out) ++ if exp.Cmp(got) != 0 || !isInBounds(&out) { ++ t.Logf("a = %x = %v", a, exp) ++ t.Logf("p224Reduce(a) = %x = %v", out, got) ++ return false ++ } ++ ++ return true ++ } ++ ++ if err := quick.Check(reduceMatchesBigInt, quickCheckConfig32); err != nil { ++ t.Error(err) ++ } ++} ++ ++func TestP224Contract(t *testing.T) { ++ contractMatchesBigInt := func(a, out p224FieldElement) bool { ++ p224Contract(&out, &a) ++ ++ exp := p224AlternativeToBig(&a) ++ got := p224AlternativeToBig(&out) ++ if exp.Cmp(got) != 0 { ++ t.Logf("a = %x = %v", a, exp) ++ t.Logf("p224Contract(a) = %x = %v", out, got) ++ return false ++ } ++ ++ // Check that out < P. 
++ for i := range p224P { ++ k := 8 - i - 1 ++ if out[k] > p224P[k] { ++ t.Logf("p224Contract(a) = %x", out) ++ return false ++ } ++ if out[k] < p224P[k] { ++ return true ++ } ++ } ++ t.Logf("p224Contract(a) = %x", out) ++ return false ++ } ++ ++ if !contractMatchesBigInt(p224P, p224FieldElement{}) { ++ t.Error("p224Contract(p) is broken") ++ } ++ pMinus1 := p224FieldElement{0, 0, 0, 0xffff000, 0xfffffff, 0xfffffff, 0xfffffff, 0xfffffff} ++ if !contractMatchesBigInt(pMinus1, p224FieldElement{}) { ++ t.Error("p224Contract(p - 1) is broken") ++ } ++ // Check that we can handle input above p, but lowest limb zero. ++ a := p224FieldElement{0, 1, 0, 0xffff000, 0xfffffff, 0xfffffff, 0xfffffff, 0xfffffff} ++ if !contractMatchesBigInt(a, p224FieldElement{}) { ++ t.Error("p224Contract(p + 2²⁸) is broken") ++ } ++ // Check that we can handle input above p, but lowest three limbs zero. ++ b := p224FieldElement{0, 0, 0, 0xffff001, 0xfffffff, 0xfffffff, 0xfffffff, 0xfffffff} ++ if !contractMatchesBigInt(b, p224FieldElement{}) { ++ t.Error("p224Contract(p + 2⁸⁴) is broken") ++ } ++ ++ if err := quick.Check(contractMatchesBigInt, quickCheckConfig32); err != nil { ++ t.Error(err) ++ } ++} ++ ++func TestP224IsZero(t *testing.T) { ++ if got := p224IsZero(&p224FieldElement{}); got != 1 { ++ t.Errorf("p224IsZero(0) = %d, expected 1", got) ++ } ++ if got := p224IsZero((*p224FieldElement)(&p224P)); got != 1 { ++ t.Errorf("p224IsZero(p) = %d, expected 1", got) ++ } ++ if got := p224IsZero(&p224FieldElement{1}); got != 0 { ++ t.Errorf("p224IsZero(1) = %d, expected 0", got) ++ } ++ ++ isZeroMatchesBigInt := func(a p224FieldElement) bool { ++ isZero := p224IsZero(&a) ++ ++ big := p224AlternativeToBig(&a) ++ if big.Sign() == 0 && isZero != 1 { ++ return false ++ } ++ if big.Sign() != 0 && isZero != 0 { ++ return false ++ } ++ return true ++ } ++ ++ if err := quick.Check(isZeroMatchesBigInt, quickCheckConfig32); err != nil { ++ t.Error(err) ++ } ++} ++ ++func TestP224Invert(t *testing.T) { ++ 
var out p224FieldElement ++ ++ p224Invert(&out, &p224FieldElement{}) ++ if got := p224IsZero(&out); got != 1 { ++ t.Errorf("p224Invert(0) = %x, expected 0", out) ++ } ++ ++ p224Invert(&out, (*p224FieldElement)(&p224P)) ++ if got := p224IsZero(&out); got != 1 { ++ t.Errorf("p224Invert(p) = %x, expected 0", out) ++ } ++ ++ p224Invert(&out, &p224FieldElement{1}) ++ p224Contract(&out, &out) ++ if out != (p224FieldElement{1}) { ++ t.Errorf("p224Invert(1) = %x, expected 1", out) ++ } ++ ++ var tmp p224LargeFieldElement ++ a := p224FieldElement{1, 2, 3, 4, 5, 6, 7, 8} ++ p224Invert(&out, &a) ++ p224Mul(&out, &out, &a, &tmp) ++ p224Contract(&out, &out) ++ if out != (p224FieldElement{1}) { ++ t.Errorf("p224Invert(a) * a = %x, expected 1", out) ++ } ++} ++ ++ ++// Backport for CVE-2021-3114 ++var len8tab = [256]uint8{ ++ 0x00, 0x01, 0x02, 0x02, 0x03, 0x03, 0x03, 0x03, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, ++ 0x05, 0x05, 0x05, 0x05, 0x05, 0x05, 0x05, 0x05, 0x05, 0x05, 0x05, 0x05, 0x05, 0x05, 0x05, 0x05, ++ 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, ++ 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, ++ 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, ++ 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, ++ 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, ++ 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, ++ 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, ++ 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, ++ 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, ++ 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 
0x08, 0x08, ++ 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, ++ 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, ++ 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, ++ 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, ++} ++ ++// Len32 returns the minimum number of bits required to represent x; the result is 0 for x == 0. ++func Len32(x uint32) (n int) { ++ if x >= 1<<16 { ++ x >>= 16 ++ n = 16 ++ } ++ if x >= 1<<8 { ++ x >>= 8 ++ n += 8 ++ } ++ return n + int(len8tab[x]) ++} diff --git a/debian/patches/CVE-2021-33196.patch b/debian/patches/CVE-2021-33196.patch new file mode 100644 index 0000000..5a5b898 --- /dev/null +++ b/debian/patches/CVE-2021-33196.patch 
@@ -0,0 +1,131 @@ +Origin: https://github.com/golang/go/commit/c92adf420a3d9a5510f9aea382d826f0c9216a10 +Reviewed-by: Sylvain Beucler +Last-Update: 2022-01-21 + +Backport note: test case now also deals with prior detection removed +in 483d6d99256b3c486e0c99106e232b4909938328 (v1.14) + +From c92adf420a3d9a5510f9aea382d826f0c9216a10 Mon Sep 17 00:00:00 2001 +From: Roland Shoemaker +Date: Tue, 11 May 2021 11:31:31 -0700 +Subject: [PATCH] [release-branch.go1.15] archive/zip: only preallocate File + slice if reasonably sized + +Since the number of files in the EOCD record isn't validated, it isn't +safe to preallocate Reader.Files using that field. A malformed archive +can indicate it contains up to 1 << 128 - 1 files. We can still safely +preallocate the slice by checking if the specified number of files in +the archive is reasonable, given the size of the archive. + +Thanks to the OSS-Fuzz project for discovering this issue and to +Emmanuel Odeke for reporting it. + +Updates #46242 +Fixes #46396 +Fixes CVE-2021-33196 + +Change-Id: I3c76d8eec178468b380d87fdb4a3f2cb06f0ee76 +Reviewed-on: https://go-review.googlesource.com/c/go/+/318909 +Trust: Roland Shoemaker +Trust: Katie Hockman +Trust: Joe Tsai +Run-TryBot: Roland Shoemaker +TryBot-Result: Go Bot +Reviewed-by: Katie Hockman +Reviewed-by: Joe Tsai +(cherry picked from commit 74242baa4136c7a9132a8ccd9881354442788c8c) +Reviewed-on: https://go-review.googlesource.com/c/go/+/322949 +Reviewed-by: Filippo Valsorda +--- + src/archive/zip/reader.go | 10 +++++- + src/archive/zip/reader_test.go | 59 ++++++++++++++++++++++++++++++++++ + 2 files changed, 68 insertions(+), 1 deletion(-) + +Index: golang-1.8-1.8.1/src/archive/zip/reader.go +=================================================================== +--- golang-1.8-1.8.1.orig/src/archive/zip/reader.go ++++ golang-1.8-1.8.1/src/archive/zip/reader.go +@@ -84,7 +84,15 @@ func (z *Reader) init(r io.ReaderAt, siz + return fmt.Errorf("archive/zip: TOC declares impossible %d 
files in %d byte zip", end.directoryRecords, size) + } + z.r = r +- z.File = make([]*File, 0, end.directoryRecords) ++ // Since the number of directory records is not validated, it is not ++ // safe to preallocate z.File without first checking that the specified ++ // number of files is reasonable, since a malformed archive may ++ // indicate it contains up to 1 << 128 - 1 files. Since each file has a ++ // header which will be _at least_ 30 bytes we can safely preallocate ++ // if (data size / 30) >= end.directoryRecords. ++ if (uint64(size)-end.directorySize)/30 >= end.directoryRecords { ++ z.File = make([]*File, 0, end.directoryRecords) ++ } + z.Comment = end.comment + rs := io.NewSectionReader(r, 0, size) + if _, err = rs.Seek(int64(end.directoryOffset), io.SeekStart); err != nil { +Index: golang-1.8-1.8.1/src/archive/zip/reader_test.go +=================================================================== +--- golang-1.8-1.8.1.orig/src/archive/zip/reader_test.go ++++ golang-1.8-1.8.1/src/archive/zip/reader_test.go +@@ -857,3 +857,62 @@ func TestIssue12449(t *testing.T) { + t.Errorf("Error reading the archive: %v", err) + } + } ++ ++func TestCVE202133196(t *testing.T) { ++ // Archive that indicates it has 1 << 128 -1 files, ++ // this would previously cause a panic due to attempting ++ // to allocate a slice with 1 << 128 -1 elements. 
++ data := []byte{ ++ 0x50, 0x4b, 0x03, 0x04, 0x14, 0x00, 0x08, 0x08, ++ 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x01, 0x02, ++ 0x03, 0x62, 0x61, 0x65, 0x03, 0x04, 0x00, 0x00, ++ 0xff, 0xff, 0x50, 0x4b, 0x07, 0x08, 0xbe, 0x20, ++ 0x5c, 0x6c, 0x09, 0x00, 0x00, 0x00, 0x03, 0x00, ++ 0x00, 0x00, 0x50, 0x4b, 0x01, 0x02, 0x14, 0x00, ++ 0x14, 0x00, 0x08, 0x08, 0x08, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0xbe, 0x20, 0x5c, 0x6c, 0x09, 0x00, ++ 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x03, 0x00, ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ++ 0x01, 0x02, 0x03, 0x50, 0x4b, 0x06, 0x06, 0x2c, ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, ++ 0x00, 0x2d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 0xff, ++ 0xff, 0xff, 0xff, 0x31, 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x3a, 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x50, 0x4b, 0x06, 0x07, 0x00, ++ 0x00, 0x00, 0x00, 0x6b, 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x50, ++ 0x4b, 0x05, 0x06, 0x00, 0x00, 0x00, 0x00, 0xff, ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, ++ 0xff, 0xff, 0xff, 0x00, 0x00, ++ } ++ _, err := NewReader(bytes.NewReader(data), int64(len(data))) ++ if err != ErrFormat && !strings.Contains(err.Error(), "TOC declares impossible") { ++ t.Fatalf("unexpected error, got: %v, want: %v", err, ErrFormat) ++ } ++ ++ // Also check that an archive containing a handful of empty ++ // files doesn't cause an issue ++ b := bytes.NewBuffer(nil) ++ w := NewWriter(b) ++ for i := 0; i < 5; i++ { ++ _, err := w.Create("") ++ if err != nil { ++ t.Fatalf("Writer.Create failed: %s", err) ++ } ++ } ++ if err := w.Close(); err != nil { ++ t.Fatalf("Writer.Close failed: %s", err) ++ } ++ r, err := NewReader(bytes.NewReader(b.Bytes()), int64(b.Len())) ++ if err != 
nil { ++ t.Fatalf("NewReader failed: %s", err) ++ } ++ if len(r.File) != 5 { ++ t.Errorf("Archive has unexpected number of files, got %d, want 5", len(r.File)) ++ } ++} diff --git a/debian/patches/CVE-2021-36221.patch b/debian/patches/CVE-2021-36221.patch new file mode 100644 index 0000000..979911e --- /dev/null +++ b/debian/patches/CVE-2021-36221.patch 
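Review bot: In TestCVE202133196 the condition `err != ErrFormat && !strings.Contains(err.Error(), "TOC declares impossible")` calls `err.Error()` on a nil error if NewReader ever accepts the malformed archive, so a regression would surface as a nil-pointer panic instead of the intended `t.Fatalf` message. Guarding it with `if err == nil || (err != ErrFormat && !strings.Contains(err.Error(), "TOC declares impossible")) {` keeps the failure readable; TestCVE202139293 in CVE-2021-39293.patch uses the same condition and needs the same guard. The backported test also depends on `strings` being imported in reader_test.go, which this patch does not show. Both zip patches carry `Index: golang-1.8-1.8.1/...` paths while the other patches in the series say golang-1.7-1.7.4, so it is worth confirming they apply and build against the 1.7.4 tree.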
@@ -0,0 +1,50 @@
+Origin: https://github.com/golang/go/commit/b7a85e0003cedb1b48a1fd3ae5b746ec6330102e
+Reviewed-by: Sylvain Beucler
+Last-Update: 2022-01-21
+
+From b7a85e0003cedb1b48a1fd3ae5b746ec6330102e Mon Sep 17 00:00:00 2001
+From: Damien Neil
+Date: Wed, 7 Jul 2021 16:34:34 -0700
+Subject: [PATCH] net/http/httputil: close incoming ReverseProxy request body
+
+Reading from an incoming request body after the request handler aborts
+with a panic can cause a panic, becuse http.Server does not (contrary
+to its documentation) close the request body in this case.
+
+Always close the incoming request body in ReverseProxy.ServeHTTP to
+ensure that any in-flight outgoing requests using the body do not
+read from it.
+
+Updates #46866
+Fixes CVE-2021-36221
+
+Change-Id: I310df269200ad8732c5d9f1a2b00de68725831df
+Reviewed-on: https://go-review.googlesource.com/c/go/+/333191
+Trust: Damien Neil
+Reviewed-by: Brad Fitzpatrick
+Reviewed-by: Filippo Valsorda
+---
+ src/net/http/httputil/reverseproxy.go | 9 +++++
+ src/net/http/httputil/reverseproxy_test.go | 39 ++++++++++++++++++++++
+ 2 files changed, 48 insertions(+)
+
+Index: golang-1.7-1.7.4/src/net/http/httputil/reverseproxy.go
+===================================================================
+--- golang-1.7-1.7.4.orig/src/net/http/httputil/reverseproxy.go
++++ golang-1.7-1.7.4/src/net/http/httputil/reverseproxy.go
+@@ -149,6 +149,15 @@ func (p *ReverseProxy) ServeHTTP(rw http
+
+ outreq := new(http.Request)
+ *outreq = *req // includes shallow copies of maps, but okay
++ if outreq.Body != nil {
++ // Reading from the request body after returning from a handler is not
++ // allowed, and the RoundTrip goroutine that reads the Body can outlive
++ // this handler. This can lead to a crash if the handler panics (see
++ // Issue 46866). Although calling Close doesn't guarantee there isn't
++ // any Read in flight after the handle returns, in practice it's safe to
++ // read after closing it.
++ defer outreq.Body.Close()
++ }
+
+ if closeNotifier, ok := rw.(http.CloseNotifier); ok {
+ if requestCanceler, ok := transport.(requestCanceler); ok {
diff --git a/debian/patches/CVE-2021-39293.patch b/debian/patches/CVE-2021-39293.patch
new file mode 100644
index 0000000..ab1676a
--- /dev/null
+++ b/debian/patches/CVE-2021-39293.patch
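Review bot: The upstream diffstat kept in this patch lists `src/net/http/httputil/reverseproxy_test.go | 39 +`, but only the reverseproxy.go section is carried, so the regression test for the added `defer outreq.Body.Close()` was dropped with no mention in the header. A line such as `Backport note: upstream test not backported (<reason>)` after `Last-Update:` would record that the fix ships without its test. CVE-2021-44716.patch has a similar undocumented deviation: its diffstat names `http2/server.go` while the hunk patches `src/net/http/h2_bundle.go`. The body of ServeHTTP starts and continues outside the hunk.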
@@ -0,0 +1,81 @@ +Origin: https://github.com/golang/go/commit/6c480017ae600b2c90a264a922e041df04dfa785 +Reviewed-by: Sylvain Beucler +Last-Update: 2022-01-21 + +Backport note: test case now also deals with prior detection removed +in 483d6d99256b3c486e0c99106e232b4909938328 (v1.14) + +From 6c480017ae600b2c90a264a922e041df04dfa785 Mon Sep 17 00:00:00 2001 +From: Roland Shoemaker +Date: Wed, 18 Aug 2021 11:49:29 -0700 +Subject: [PATCH] [release-branch.go1.16] archive/zip: prevent preallocation + check from overflowing + +If the indicated directory size in the archive header is so large that +subtracting it from the archive size overflows a uint64, the check that +the indicated number of files in the archive can be effectively +bypassed. Prevent this from happening by checking that the indicated +directory size is less than the size of the archive. + +Thanks to the OSS-Fuzz project for discovering this issue and to +Emmanuel Odeke for reporting it. + +Fixes #47985 +Updates #47801 +Fixes CVE-2021-39293 + +Change-Id: Ifade26b98a40f3b37398ca86bd5252d12394dd24 +Reviewed-on: https://go-review.googlesource.com/c/go/+/343434 +Trust: Roland Shoemaker +Run-TryBot: Roland Shoemaker +TryBot-Result: Go Bot +Reviewed-by: Russ Cox +(cherry picked from commit bacbc33439b124ffd7392c91a5f5d96eca8c0c0b) +Reviewed-on: https://go-review.googlesource.com/c/go/+/345409 +Reviewed-by: Emmanuel Odeke +Run-TryBot: Emmanuel Odeke +Trust: Cherry Mui +--- + src/archive/zip/reader.go | 2 +- + src/archive/zip/reader_test.go | 18 ++++++++++++++++++ + 2 files changed, 19 insertions(+), 1 deletion(-) + +Index: golang-1.8-1.8.1/src/archive/zip/reader.go +=================================================================== +--- golang-1.8-1.8.1.orig/src/archive/zip/reader.go ++++ golang-1.8-1.8.1/src/archive/zip/reader.go +@@ -90,7 +90,7 @@ func (z *Reader) init(r io.ReaderAt, siz + // indicate it contains up to 1 << 128 - 1 files. 
Since each file has a + // header which will be _at least_ 30 bytes we can safely preallocate + // if (data size / 30) >= end.directoryRecords. +- if (uint64(size)-end.directorySize)/30 >= end.directoryRecords { ++ if end.directorySize < uint64(size) && (uint64(size)-end.directorySize)/30 >= end.directoryRecords { + z.File = make([]*File, 0, end.directoryRecords) + } + z.Comment = end.comment +Index: golang-1.8-1.8.1/src/archive/zip/reader_test.go +=================================================================== +--- golang-1.8-1.8.1.orig/src/archive/zip/reader_test.go ++++ golang-1.8-1.8.1/src/archive/zip/reader_test.go +@@ -916,3 +916,21 @@ func TestCVE202133196(t *testing.T) { + t.Errorf("Archive has unexpected number of files, got %d, want 5", len(r.File)) + } + } ++ ++func TestCVE202139293(t *testing.T) { ++ // directory size is so large, that the check in Reader.init ++ // overflows when subtracting from the archive size, causing ++ // the pre-allocation check to be bypassed. ++ data := []byte{ ++ 0x50, 0x4b, 0x06, 0x06, 0x05, 0x06, 0x31, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x50, 0x4b, ++ 0x06, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, ++ 0x00, 0x00, 0x50, 0x4b, 0x05, 0x06, 0x00, 0x1a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x50, 0x4b, ++ 0x06, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, ++ 0x00, 0x00, 0x00, 0x50, 0x4b, 0x05, 0x06, 0x00, 0x31, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, ++ 0xff, 0x50, 0xfe, 0x00, 0xff, 0x00, 0x3a, 0x00, 0x00, 0x00, 0xff, ++ } ++ _, err := NewReader(bytes.NewReader(data), int64(len(data))) ++ if err != ErrFormat && !strings.Contains(err.Error(), "TOC declares impossible") { ++ t.Fatalf("unexpected error, got: %v, want: %v", err, ErrFormat) ++ } ++} diff --git a/debian/patches/CVE-2021-41771.patch b/debian/patches/CVE-2021-41771.patch new file mode 100644 index 0000000..ce59e8e --- /dev/null +++ b/debian/patches/CVE-2021-41771.patch 
@@ -0,0 +1,77 @@ +Origin: https://github.com/golang/go/commit/d19c5bdb24e093a2d5097b7623284eb02726cede +Reviewed-by: Sylvain Beucler +Last-Update: 2022-01-21 + +From d19c5bdb24e093a2d5097b7623284eb02726cede Mon Sep 17 00:00:00 2001 +From: Roland Shoemaker +Date: Thu, 14 Oct 2021 13:02:01 -0700 +Subject: [PATCH] [release-branch.go1.16] debug/macho: fail on invalid dynamic + symbol table command +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Fail out when loading a file that contains a dynamic symbol table +command that indicates a larger number of symbols than exist in the +loaded symbol table. + +Thanks to Burak Çarıkçı - Yunus Yıldırım (CT-Zer0 Crypttech) for +reporting this issue. + +Updates #48990 +Fixes #48991 +Fixes CVE-2021-41771 + +Change-Id: Ic3d6e6529241afcc959544b326b21b663262bad5 +Reviewed-on: https://go-review.googlesource.com/c/go/+/355990 +Reviewed-by: Julie Qiu +Reviewed-by: Katie Hockman +Reviewed-by: Emmanuel Odeke +Run-TryBot: Roland Shoemaker +TryBot-Result: Go Bot +Trust: Katie Hockman +(cherry picked from commit 61536ec03063b4951163bd09609c86d82631fa27) +Reviewed-on: https://go-review.googlesource.com/c/go/+/359454 +Reviewed-by: Dmitri Shuralyov +--- + src/debug/macho/file.go | 9 +++++++++ + src/debug/macho/file_test.go | 7 +++++++ + .../testdata/gcc-amd64-darwin-exec-with-bad-dysym.base64 | 1 + + 3 files changed, 17 insertions(+) + create mode 100644 src/debug/macho/testdata/gcc-amd64-darwin-exec-with-bad-dysym.base64 + +Index: golang-1.7-1.7.4/src/debug/macho/file.go +=================================================================== +--- golang-1.7-1.7.4.orig/src/debug/macho/file.go ++++ golang-1.7-1.7.4/src/debug/macho/file.go +@@ -299,6 +299,15 @@ func NewFile(r io.ReaderAt) (*File, erro + if err := binary.Read(b, bo, &hdr); err != nil { + return nil, err + } ++ if hdr.Iundefsym > uint32(len(f.Symtab.Syms)) { ++ return nil, &FormatError{offset, fmt.Sprintf( ++ "undefined symbols index in 
dynamic symbol table command is greater than symbol table length (%d > %d)", ++ hdr.Iundefsym, len(f.Symtab.Syms)), nil} ++ } else if hdr.Iundefsym+hdr.Nundefsym > uint32(len(f.Symtab.Syms)) { ++ return nil, &FormatError{offset, fmt.Sprintf( ++ "number of undefined symbols after index in dynamic symbol table command is greater than symbol table length (%d > %d)", ++ hdr.Iundefsym+hdr.Nundefsym, len(f.Symtab.Syms)), nil} ++ } + dat := make([]byte, hdr.Nindirectsyms*4) + if _, err := r.ReadAt(dat, int64(hdr.Indirectsymoff)); err != nil { + return nil, err +Index: golang-1.7-1.7.4/src/debug/macho/file_test.go +=================================================================== +--- golang-1.7-1.7.4.orig/src/debug/macho/file_test.go ++++ golang-1.7-1.7.4/src/debug/macho/file_test.go +@@ -208,3 +208,10 @@ func TestOpenFatFailure(t *testing.T) { + t.Errorf("OpenFat %s: got %v, want nil", filename, ff) + } + } ++ ++func TestOpenBadDysymCmd(t *testing.T) { ++ _, err := Open("testdata/gcc-amd64-darwin-exec-with-bad-dysym") ++ if err == nil { ++ t.Fatal("openObscured did not fail when opening a file with an invalid dynamic symbol table command") ++ } ++} diff --git a/debian/patches/CVE-2021-44716.patch b/debian/patches/CVE-2021-44716.patch new file mode 100644 index 0000000..1681d46 --- /dev/null +++ b/debian/patches/CVE-2021-44716.patch 
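Review bot: The second bound added to NewFile, `hdr.Iundefsym+hdr.Nundefsym > uint32(len(f.Symtab.Syms))`, adds two uint32 header fields, so a large `Nundefsym` can wrap the sum to a small value and pass the check. Comparing without the addition avoids that: `} else if hdr.Nundefsym > uint32(len(f.Symtab.Syms))-hdr.Iundefsym {`, which cannot underflow because the first branch already rejected `Iundefsym > len`. The new lines also dereference `f.Symtab` without a nil check. If a file can present the dynamic symbol table command before any symbol table command, which the hunk does not show, that would be a nil-pointer panic rather than a `FormatError`. NewFile starts and ends outside the hunk.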
@@ -0,0 +1,56 @@ +Origin: https://github.com/golang/net/commit/491a49abca63de5e07ef554052d180a1b5fe2d70 +Reviewed-by: Sylvain Beucler +Last-Update: 2022-01-21 + +From 491a49abca63de5e07ef554052d180a1b5fe2d70 Mon Sep 17 00:00:00 2001 +From: Damien Neil +Date: Mon, 6 Dec 2021 14:31:43 -0800 +Subject: [PATCH] http2: cap the size of the server's canonical header cache + +The HTTP/2 server keeps a per-connection cache mapping header keys +to their canonicalized form (e.g., "foo-bar" => "Foo-Bar"). Cap the +maximum size of this cache to prevent a peer sending many unique +header keys from causing unbounded memory growth. + +Cap chosen arbitrarily at 32 entries. Since this cache does not +include common headers (e.g., "content-type"), 32 seems like more +than enough for almost all normal uses. + +Fixes #50058 +Fixes CVE-2021-44716 + +Change-Id: Ia83696dc23253c12af8f26d502557c2cc9841105 +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1290827 +Reviewed-by: Roland Shoemaker +Reviewed-on: https://go-review.googlesource.com/c/net/+/369794 +Trust: Filippo Valsorda +Run-TryBot: Filippo Valsorda +Trust: Damien Neil +Reviewed-by: Russ Cox +Reviewed-by: Filippo Valsorda +TryBot-Result: Gopher Robot +--- + http2/server.go | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +Index: golang-1.7-1.7.4/src/net/http/h2_bundle.go +=================================================================== +--- golang-1.7-1.7.4.orig/src/net/http/h2_bundle.go ++++ golang-1.7-1.7.4/src/net/http/h2_bundle.go +@@ -3287,7 +3287,15 @@ func (sc *http2serverConn) canonicalHead + sc.canonHeader = make(map[string]string) + } + cv = CanonicalHeaderKey(v) +- sc.canonHeader[v] = cv ++ // maxCachedCanonicalHeaders is an arbitrarily-chosen limit on the number of ++ // entries in the canonHeader cache. 
This should be larger than the number ++ // of unique, uncommon header keys likely to be sent by the peer, while not ++ // so high as to permit unreaasonable memory usage if the peer sends an unbounded ++ // number of unique header keys. ++ const maxCachedCanonicalHeaders = 32 ++ if len(sc.canonHeader) < maxCachedCanonicalHeaders { ++ sc.canonHeader[v] = cv ++ } + return cv + } + diff --git a/debian/patches/CVE-2021-44717.patch b/debian/patches/CVE-2021-44717.patch new file mode 100644 index 0000000..3ccb113 --- /dev/null +++ b/debian/patches/CVE-2021-44717.patch 
@@ -0,0 +1,80 @@
+Origin: https://github.com/golang/go/commit/44a3fb49d99cc8a4de4925b69650f97bb07faf1d
+Reviewed-by: Sylvain Beucler
+Last-Update: 2022-01-21
+
+From 44a3fb49d99cc8a4de4925b69650f97bb07faf1d Mon Sep 17 00:00:00 2001
+From: Russ Cox
+Date: Wed, 8 Dec 2021 18:05:11 -0500
+Subject: [PATCH] [release-branch.go1.16] syscall: fix ForkLock spurious
+ close(0) on pipe failure
+
+Pipe (and therefore forkLockPipe) does not make any guarantees
+about the state of p after a failed Pipe(p). Avoid that assumption
+and the too-clever goto, so that we don't accidentally Close a real fd
+if the failed pipe leaves p[0] or p[1] set >= 0.
+
+Updates #50057
+Fixes CVE-2021-44717
+
+Change-Id: Iff8e19a6efbba0c73cc8b13ecfae381c87600bb4
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1291270
+Reviewed-by: Ian Lance Taylor
+Reviewed-on: https://go-review.googlesource.com/c/go/+/370514
+Trust: Filippo Valsorda
+Run-TryBot: Filippo Valsorda
+TryBot-Result: Gopher Robot
+Reviewed-by: Alex Rakoczy
+---
+ src/syscall/exec_unix.go | 20 ++++++--------------
+ 1 file changed, 6 insertions(+), 14 deletions(-)
+
+Index: golang-1.7-1.7.4/src/syscall/exec_unix.go
+===================================================================
+--- golang-1.7-1.7.4.orig/src/syscall/exec_unix.go
++++ golang-1.7-1.7.4/src/syscall/exec_unix.go
+@@ -143,9 +143,6 @@ func forkExec(argv0 string, argv []strin
+ sys = &zeroSysProcAttr
+ }
+
+- p[0] = -1
+- p[1] = -1
+-
+ // Convert args to C form.
+ argv0p, err := BytePtrFromString(argv0)
+ if err != nil {
+@@ -186,14 +183,17 @@ func forkExec(argv0 string, argv []strin
+
+ // Allocate child status pipe close on exec.
+ if err = forkExecPipe(p[:]); err != nil {
+- goto error
++ ForkLock.Unlock()
++ return 0, err
+ }
+
+ // Kick off child.
+ pid, err1 = forkAndExecInChild(argv0p, argvp, envvp, chroot, dir, attr, sys, p[1])
+ if err1 != 0 {
+- err = Errno(err1)
+- goto error
++ Close(p[0])
++ Close(p[1])
++ ForkLock.Unlock()
++ return 0, Errno(err1)
+ }
+ ForkLock.Unlock()
+
+@@ -220,14 +220,6 @@ func forkExec(argv0 string, argv []strin
+
+ // Read got EOF, so pipe closed on exec, so exec succeeded.
+ return pid, nil
+-
+-error:
+- if p[0] >= 0 {
+- Close(p[0])
+- Close(p[1])
+- }
+- ForkLock.Unlock()
+- return 0, err
+ }
+
+ // Combination of fork and exec, careful to be thread safe.
diff --git a/debian/patches/cl-29995--tzdata-2016g.patch b/debian/patches/cl-29995--tzdata-2016g.patch
new file mode 100644
index 0000000..6c60949
--- /dev/null
+++ b/debian/patches/cl-29995--tzdata-2016g.patch
@@ -0,0 +1,35 @@
+From c5434f2973a87acff76bac359236e690d632ce95 Mon Sep 17 00:00:00 2001
+From: Alberto Donizetti
+Date: Thu, 29 Sep 2016 13:59:10 +0200
+Subject: [PATCH] time: update test for tzdata-2016g
+Origin: https://golang.org/cl/29995
+Bug: https://golang.org/issue/17276
+Applied-Upstream: 1.8
+
+Fixes #17276
+
+Change-Id: I0188cf9bc5fdb48c71ad929cc54206d03e0b96e4
+Reviewed-on: https://go-review.googlesource.com/29995
+Reviewed-by: Brad Fitzpatrick
+Run-TryBot: Brad Fitzpatrick
+TryBot-Result: Gobot Gobot
+---
+ src/time/time_test.go | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/src/time/time_test.go
++++ b/src/time/time_test.go
+@@ -939,8 +939,11 @@
+ // but Go and most other systems use "east is positive".
+ // So GMT+1 corresponds to -3600 in the Go zone, not +3600.
+ name, offset := Now().In(loc).Zone()
+- if name != "GMT+1" || offset != -1*60*60 {
+- t.Errorf("Now().In(loc).Zone() = %q, %d, want %q, %d", name, offset, "GMT+1", -1*60*60)
++ // The zone abbreviation is "-01" since tzdata-2016g, and "GMT+1"
++ // on earlier versions; we accept both. (Issue #17276).
++ if !(name == "GMT+1" || name == "-01") || offset != -1*60*60 {
++ t.Errorf("Now().In(loc).Zone() = %q, %d, want %q or %q, %d",
++ name, offset, "GMT+1", "-01", -1*60*60)
+ }
+ }
+
diff --git a/debian/patches/cl-37964--tzdata-2017a.patch b/debian/patches/cl-37964--tzdata-2017a.patch
new file mode 100644
index 0000000..3dd936f
--- /dev/null
+++ b/debian/patches/cl-37964--tzdata-2017a.patch
@@ -0,0 +1,89 @@ +From 91563ced5897faf729a34be7081568efcfedda31 Mon Sep 17 00:00:00 2001 +From: Alberto Donizetti +Date: Thu, 09 Mar 2017 13:20:54 +0100 +Subject: [PATCH] time: make the ParseInLocation test more robust + +The tzdata 2017a update (2017-02-28) changed the abbreviation of the +Asia/Baghdad time zone (used in TestParseInLocation) from 'AST' to the +numeric '+03'. + +Update the test so that it skips the checks if we're using a recent +tzdata release. + +Fixes #19457 + +Change-Id: I45d705a5520743a611bdd194dc8f8d618679980c +Reviewed-on: https://go-review.googlesource.com/37964 +Reviewed-by: Ian Lance Taylor +Run-TryBot: Ian Lance Taylor +TryBot-Result: Gobot Gobot +--- + +--- a/src/time/format_test.go ++++ b/src/time/format_test.go +@@ -244,27 +244,45 @@ + } + } + ++// TestParseInLocation checks that the Parse and ParseInLocation ++// functions do not get confused by the fact that AST (Arabia Standard ++// Time) and AST (Atlantic Standard Time) are different time zones, ++// even though they have the same abbreviation. ++// ++// ICANN has been slowly phasing out invented abbreviation in favor of ++// numeric time zones (for example, the Asia/Baghdad time zone ++// abbreviation got changed from AST to +03 in the 2017a tzdata ++// release); but we still want to make sure that the time package does ++// not get confused on systems with slightly older tzdata packages. 
+ func TestParseInLocation(t *testing.T) { +- // Check that Parse (and ParseInLocation) understand that +- // Feb 01 AST (Arabia Standard Time) and Feb 01 AST (Atlantic Standard Time) +- // are in different time zones even though both are called AST + + baghdad, err := LoadLocation("Asia/Baghdad") + if err != nil { + t.Fatal(err) + } + +- t1, err := ParseInLocation("Jan 02 2006 MST", "Feb 01 2013 AST", baghdad) ++ var t1, t2 Time ++ ++ t1, err = ParseInLocation("Jan 02 2006 MST", "Feb 01 2013 AST", baghdad) + if err != nil { + t.Fatal(err) + } +- t2 := Date(2013, February, 1, 00, 00, 00, 0, baghdad) +- if t1 != t2 { +- t.Fatalf("ParseInLocation(Feb 01 2013 AST, Baghdad) = %v, want %v", t1, t2) +- } ++ + _, offset := t1.Zone() +- if offset != 3*60*60 { +- t.Fatalf("ParseInLocation(Feb 01 2013 AST, Baghdad).Zone = _, %d, want _, %d", offset, 3*60*60) ++ ++ // A zero offset means that ParseInLocation did not recognize the ++ // 'AST' abbreviation as matching the current location (Baghdad, ++ // where we'd expect a +03 hrs offset); likely because we're using ++ // a recent tzdata release (2017a or newer). ++ // If it happens, skip the Baghdad test. ++ if offset != 0 { ++ t2 = Date(2013, February, 1, 00, 00, 00, 0, baghdad) ++ if t1 != t2 { ++ t.Fatalf("ParseInLocation(Feb 01 2013 AST, Baghdad) = %v, want %v", t1, t2) ++ } ++ if offset != 3*60*60 { ++ t.Fatalf("ParseInLocation(Feb 01 2013 AST, Baghdad).Zone = _, %d, want _, %d", offset, 3*60*60) ++ } + } + + blancSablon, err := LoadLocation("America/Blanc-Sablon") +@@ -272,6 +290,9 @@ + t.Fatal(err) + } + ++ // In this case 'AST' means 'Atlantic Standard Time', and we ++ // expect the abbreviation to correctly match the american ++ // location. + t1, err = ParseInLocation("Jan 02 2006 MST", "Feb 01 2013 AST", blancSablon) + if err != nil { + t.Fatal(err) diff --git a/debian/patches/cve-2018-7187.patch b/debian/patches/cve-2018-7187.patch new file mode 100644 index 0000000..7fad456 --- /dev/null 
+++ b/debian/patches/cve-2018-7187.patch 
@@ -0,0 +1,120 @@ +From c941e27e70c3e06e1011d2dd71d72a7a06a9bcbc Mon Sep 17 00:00:00 2001 +From: Ian Lance Taylor +Date: Thu, 15 Feb 2018 15:57:13 -0800 +Subject: [PATCH] cmd/go: restrict meta imports to valid schemes + +Before this change, when using -insecure, we permitted any meta import +repo root as long as it contained "://". When not using -insecure, we +restrict meta import repo roots to be valid URLs. People may depend on +that somehow, so permit meta import repo roots to be invalid URLs, but +require them to have valid schemes per RFC 3986. + +Fixes #23867 + +Change-Id: Iac666dfc75ac321bf8639dda5b0dba7c8840922d +Reviewed-on: https://go-review.googlesource.com/94603 +Reviewed-by: Brad Fitzpatrick +--- + src/cmd/go/vcs.go | 34 +++++++++++++++++++++-- + src/cmd/go/vcs_test.go | 43 +++++++++++++++++++++++++++++ + 2 files changed, 75 insertions(+), 2 deletions(-) + +--- a/src/cmd/go/vcs.go ++++ b/src/cmd/go/vcs.go +@@ -691,8 +691,8 @@ + } + } + +- if !strings.Contains(mmi.RepoRoot, "://") { +- return nil, fmt.Errorf("%s: invalid repo root %q; no scheme", urlStr, mmi.RepoRoot) ++ if err := validateRepoRootScheme(mmi.RepoRoot); err != nil { ++ return nil, fmt.Errorf("%s: invalid repo root %q: %v", urlStr, mmi.RepoRoot, err) + } + rr := &repoRoot{ + vcs: vcsByCmd(mmi.VCS), +@@ -705,6 +705,36 @@ + return rr, nil + } + ++// validateRepoRootScheme returns an error if repoRoot does not seem ++// to have a valid URL scheme. At this point we permit things that ++// aren't valid URLs, although later, if not using -insecure, we will ++// restrict repoRoots to be valid URLs. This is only because we've ++// historically permitted them, and people may depend on that. ++func validateRepoRootScheme(repoRoot string) error { ++ end := strings.Index(repoRoot, "://") ++ if end <= 0 { ++ return errors.New("no scheme") ++ } ++ ++ // RFC 3986 section 3.1. ++ for i := 0; i < end; i++ { ++ c := repoRoot[i] ++ switch { ++ case 'a' <= c && c <= 'z' || 'A' <= c && c <= 'Z': ++ // OK. 
++ case '0' <= c && c <= '9' || c == '+' || c == '-' || c == '.': ++ // OK except at start. ++ if i == 0 { ++ return errors.New("invalid scheme") ++ } ++ default: ++ return errors.New("invalid scheme") ++ } ++ } ++ ++ return nil ++} ++ + var fetchGroup singleflight.Group + var ( + fetchCacheMu sync.Mutex +--- a/src/cmd/go/vcs_test.go ++++ b/src/cmd/go/vcs_test.go +@@ -321,3 +321,46 @@ + } + } + } ++ ++func TestValidateRepoRootScheme(t *testing.T) { ++ tests := []struct { ++ root string ++ err string ++ }{ ++ { ++ root: "", ++ err: "no scheme", ++ }, ++ { ++ root: "http://", ++ err: "", ++ }, ++ { ++ root: "a://", ++ err: "", ++ }, ++ { ++ root: "a#://", ++ err: "invalid scheme", ++ }, ++ { ++ root: "-config://", ++ err: "invalid scheme", ++ }, ++ } ++ ++ for _, test := range tests { ++ err := validateRepoRootScheme(test.root) ++ if err == nil { ++ if test.err != "" { ++ t.Errorf("validateRepoRootScheme(%q) = nil, want %q", test.root, test.err) ++ } ++ } else if test.err == "" { ++ if err != nil { ++ t.Errorf("validateRepoRootScheme(%q) = %q, want nil", test.root, test.err) ++ } ++ } else if err.Error() != test.err { ++ t.Errorf("validateRepoRootScheme(%q) = %q, want %q", test.root, err, test.err) ++ } ++ } ++} diff --git a/debian/patches/cve-2019-6486.patch b/debian/patches/cve-2019-6486.patch new file mode 100644 index 0000000..97c438d --- /dev/null +++ b/debian/patches/cve-2019-6486.patch @@ -0,0 +1,13 @@ +--- a/src/crypto/elliptic/elliptic.go ++++ b/src/crypto/elliptic/elliptic.go +@@ -210,8 +210,9 @@ + + x3 := new(big.Int).Mul(alpha, alpha) + beta8 := new(big.Int).Lsh(beta, 3) ++ beta8.Mod(beta8, curve.P) + x3.Sub(x3, beta8) +- for x3.Sign() == -1 { ++ if x3.Sign() == -1 { + x3.Add(x3, curve.P) + } + x3.Mod(x3, curve.P) diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 0000000..a42c479 --- /dev/null +++ b/debian/patches/series 
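Review bot: In TestValidateRepoRootScheme the branch `else if test.err == ""` reports `t.Errorf("validateRepoRootScheme(%q) = %q, want nil", test.root, test.err)`, which prints the empty expected string instead of the error that was actually returned; the last argument should be `err`. The nested `if err != nil` in that branch is always true, because the `err == nil` case is taken by the first branch, and can be removed. Both validateRepoRootScheme and the test are fully inside this patch.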
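Review bot: cve-2019-6486.patch is a bare hunk with no header at all (no `Origin:`, description, author or upstream commit), so the change to `src/crypto/elliptic/elliptic.go` cannot be traced to the upstream fix from the patch itself. A header in the style of the CVE-2021-* patches (`Origin: <upstream commit URL>`, `Reviewed-by:`, `Last-Update:`) plus a one-paragraph description would close that gap. In the code, a comment next to the added `beta8.Mod(beta8, curve.P)`, for example `// reduce beta8 first so x3 is never more than one P below zero`, would explain why the `for` could become an `if`. The enclosing function starts and ends outside the hunk.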
@@ -0,0 +1,21 @@
+cl-29995--tzdata-2016g.patch
+cl-37964--tzdata-2017a.patch
+cve-2019-6486.patch
+cve-2018-7187.patch
+
+CVE-2020-16845.patch
+CVE-2020-15586.patch
+
+CVE-2017-15041.patch
+CVE-2018-16873,16874.patch
+CVE-2019-9741.patch
+CVE-2019-16276.patch
+CVE-2019-17596.patch
+CVE-2021-3114.patch
+
+CVE-2021-36221.patch
+CVE-2021-33196.patch
+CVE-2021-39293.patch
+CVE-2021-41771.patch
+CVE-2021-44716.patch
+CVE-2021-44717.patch
diff --git a/debian/rules b/debian/rules
new file mode 100755
index 0000000..1f31c97
--- /dev/null
+++ b/debian/rules
@@ -0,0 +1,108 @@
+#!/usr/bin/make -f
+# This file is in the public domain.
+# You may freely use, modify, distribute, and relicense it.
+
+export GOVER := $(shell perl -w -mDpkg::Version -e 'Dpkg::Version->new(`dpkg-parsechangelog -SVersion`)->version() =~ /^([0-9]+\.[0-9]+)/ && print("$$1\n")')
+
+export GOROOT := $(CURDIR)
+export GOROOT_FINAL := /usr/lib/go-$(GOVER)
+
+DEB_HOST_ARCH := $(shell dpkg-architecture -qDEB_HOST_ARCH 2>/dev/null)
+RUN_TESTS := true
+# armel: ???
+# ppc64: ???
+ifneq (,$(filter armel ppc64,$(DEB_HOST_ARCH)))
+ RUN_TESTS := false
+endif
+ifneq (,$(findstring nocheck,$(DEB_BUILD_OPTIONS)))
+ RUN_TESTS := false
+endif
+
+%:
+ +dh --parallel $(opt_no_act) $@
+
+gencontrol:
+ for file in control gbp.conf source/lintian-overrides watch; do \
+ { \
+ echo '#'; \
+ echo '# WARNING: "debian/'$$file'" is generated via "debian/rules gencontrol" (sourced from "debian/'$$file'.in")'; \
+ echo '#'; \
+ echo; \
+ sed -e 's/X.Y/$(GOVER)/g' debian/$$file.in; \
+ } > debian/$$file; \
+ done
+
+override_dh_auto_clean: gencontrol
+ # remove autogenerated files
+ rm -f \
+ src/cmd/cgo/zdefaultcc.go \
+ src/cmd/go/zdefaultcc.go \
+ src/cmd/internal/obj/zbootstrap.go \
+ src/runtime/internal/sys/zversion.go
+ # remove built objects
+ rm -rf bin pkg
+ @set -e; cd debian; for x in golang-X.Y-*; do \
+ rm -f -v golang-$(GOVER)-$${x##golang-X.Y-}; \
+ done
+
+override_dh_prep:
+ dh_prep
+ @set -e; cd debian; for x in golang-X.Y-*; do \
+ sed -e 's/X.Y/$(GOVER)/g' $$x > golang-$(GOVER)-$${x##golang-X.Y-}; \
+ done
+
+
+override_dh_auto_test-arch:
+ifeq (true, $(RUN_TESTS))
+ set -ex; \
+ cd src; \
+ export PATH="$(GOROOT)/bin:$$PATH"; \
+ eval "$$(go tool dist env)"; \
+ bash run.bash -k -no-rebuild;
+ # -k keep going even when error occurred
+ # -no-rebuild don't rebuild std and cmd packages
+
+ # On linux/amd64 run.bash installs some race enabled standard library
+ # packages. Delete them again to avoid accidentally including them in
+ # the package.
+ set -ex; \
+ export PATH="$(GOROOT)/bin:$$PATH"; \
+ eval "$$(go tool dist env)"; \
+ rm -rf "$(GOROOT)/pkg/$${GOOS}_$${GOARCH}_race/"
+else
+ # skip the tests on platforms where they fail
+endif
+
+override_dh_compress-indep:
+ dh_compress -Xusr/share/doc/golang-doc/html -Xusr/share/doc/golang-doc/godoc
+
+override_dh_install-indep:
+ dh_install --fail-missing
+
+override_dh_install-arch:
+ dh_install --fail-missing
+ # Remove Plan9 rc(1) scripts
+ find debian/golang-$(GOVER)-src/usr/share/go-$(GOVER)/src -type f -name '*.rc' -delete
+ # Remove empty /usr/share/go-$(GOVER)/src from golang-$(GOVER)-go, it is provided by golang-$(GOVER)-src
+ find debian/golang-$(GOVER)-go/usr/share/go-$(GOVER)/src -type d -delete
+ # Touch built and installed files and directories to have same timestamp
+ touch debian/golang-$(GOVER)-go/usr/lib/go-$(GOVER)/pkg
+ find debian/golang-$(GOVER)-go/usr/lib/go-$(GOVER)/pkg -exec touch -r $(CURDIR)/debian/golang-$(GOVER)-go/usr/lib/go-$(GOVER)/pkg {} \;
+
+override_dh_strip:
+ dh_strip -Xtestdata
+
+override_dh_shlibdeps:
+ dh_shlibdeps -Xtestdata -Xtest
+
+override_dh_auto_build-arch:
+ [ -f VERSION ] || echo "debian snapshot +$$(dpkg-parsechangelog -SVersion)" > VERSION
+ export GOROOT_BOOTSTRAP=$$(env -i go env GOROOT) \
+ && cd src \
+ && $(CURDIR)/debian/helpers/goenv.sh \
+ bash ./make.bash --no-banner
+
+opt_no_act :=
+ifneq (,$(findstring n,$(MAKEFLAGS)))
+ opt_no_act := --no-act
+endif
diff --git a/debian/source/format b/debian/source/format
new file mode 100644
index 0000000..163aaf8
--- /dev/null
+++ b/debian/source/format
@@ -0,0 +1 @@
+3.0 (quilt)
diff --git a/debian/source/include-binaries b/debian/source/include-binaries
new file mode 100644
index 0000000..57f2582
--- /dev/null
+++ b/debian/source/include-binaries
@@ -0,0 +1 @@
+src/debug/macho/testdata/gcc-amd64-darwin-exec-with-bad-dysym
diff --git a/debian/source/lintian-overrides b/debian/source/lintian-overrides
new file mode 100644
index 0000000..a63b958
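Review bot: In override_dh_auto_build-arch of debian/rules, the line `export GOROOT_BOOTSTRAP=$$(env -i go env GOROOT) \` cannot fail: the shell reports the exit status of `export`, not of the command substitution, so if `go env GOROOT` errors out the `&&` chain still runs make.bash with an empty GOROOT_BOOTSTRAP, and the bootstrap compiler is then chosen by whatever default make.bash applies. Assigning first and exporting afterwards keeps the failure visible: `GOROOT_BOOTSTRAP=$$(env -i go env GOROOT) && export GOROOT_BOOTSTRAP \`. Separately, the `# armel: ???` and `# ppc64: ???` comments leave the reason for disabling the test suite on those architectures unrecorded, which matters for a package whose patch series is mostly CVE fixes.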
--- /dev/null
+++ b/debian/source/lintian-overrides
@@ -0,0 +1,44 @@
+#
+# WARNING: "debian/source/lintian-overrides" is generated via "debian/rules gencontrol" (sourced from "debian/source/lintian-overrides.in")
+#
+
+golang-1.7 source: source-contains-prebuilt-binary src/debug/dwarf/testdata/typedef.elf
+golang-1.7 source: source-contains-prebuilt-binary src/debug/elf/testdata/gcc-amd64-linux-exec
+golang-1.7 source: source-contains-prebuilt-binary src/debug/elf/testdata/go-relocation-test-gcc441-x86.obj
+golang-1.7 source: source-contains-prebuilt-binary src/debug/elf/testdata/gcc-386-freebsd-exec
+golang-1.7 source: source-contains-prebuilt-binary src/debug/elf/testdata/gcc-amd64-openbsd-debug-with-rela.obj
+golang-1.7 source: source-contains-prebuilt-windows-binary src/debug/pe/testdata/gcc-386-mingw-exec
+golang-1.7 source: source-contains-prebuilt-binary src/debug/elf/testdata/go-relocation-test-gcc424-x86-64.obj
+golang-1.7 source: source-contains-prebuilt-binary src/debug/elf/testdata/go-relocation-test-gcc441-x86-64.obj
+golang-1.7 source: source-contains-prebuilt-windows-binary src/debug/pe/testdata/gcc-386-mingw-obj
+golang-1.7 source: source-contains-prebuilt-binary src/runtime/race/race_linux_amd64.syso
+
+# All these files are compiled from src/debug/elf/testdata/hello.c
+# with various toolchain and options to be used as test data for the
+# elf parser.
+golang-1.7 source: source-is-missing src/debug/elf/testdata/compressed-32.obj
+golang-1.7 source: source-is-missing src/debug/elf/testdata/compressed-64.obj
+golang-1.7 source: source-is-missing src/debug/elf/testdata/gcc-386-freebsd-exec
+golang-1.7 source: source-is-missing src/debug/elf/testdata/go-relocation-test-clang-arm.obj
+golang-1.7 source: source-is-missing src/debug/elf/testdata/go-relocation-test-clang-x86.obj
+golang-1.7 source: source-is-missing src/debug/elf/testdata/go-relocation-test-gcc424-x86-64.obj
+golang-1.7 source: source-is-missing src/debug/elf/testdata/go-relocation-test-gcc441-x86-64.obj
+golang-1.7 source: source-is-missing src/debug/elf/testdata/go-relocation-test-gcc441-x86.obj
+golang-1.7 source: source-is-missing src/debug/elf/testdata/go-relocation-test-gcc482-aarch64.obj
+golang-1.7 source: source-is-missing src/debug/elf/testdata/go-relocation-test-gcc482-ppc64le.obj
+golang-1.7 source: source-is-missing src/debug/elf/testdata/go-relocation-test-gcc492-arm.obj
+golang-1.7 source: source-is-missing src/debug/elf/testdata/go-relocation-test-gcc492-mips64.obj
+golang-1.7 source: source-is-missing src/debug/elf/testdata/go-relocation-test-gcc493-mips64le.obj
+golang-1.7 source: source-is-missing src/debug/elf/testdata/go-relocation-test-gcc5-ppc.obj
+golang-1.7 source: source-is-missing src/debug/elf/testdata/go-relocation-test-gcc531-s390x.obj
+golang-1.7 source: source-is-missing src/debug/elf/testdata/zdebug-test-gcc484-x86-64.obj
+
+# These files are compiled from src/debug/dwarf/testdata/line2.c with clang and gcc.
+golang-1.7 source: source-is-missing src/debug/dwarf/testdata/line-clang.elf
+golang-1.7 source: source-is-missing src/debug/dwarf/testdata/line-gcc.elf
+
+# Compiled from src/debug/dwarf/testdata/typedef.c with dwarf version 4.
+golang-1.7 source: source-is-missing src/debug/dwarf/testdata/typedef.elf4
+
+# This is not a typo.
+golang-1.7 source: unknown-file-in-debian-source lintian-overrides.in
diff --git a/debian/source/lintian-overrides.in b/debian/source/lintian-overrides.in
new file mode 100644
index 0000000..f0918ac
--- /dev/null
+++ b/debian/source/lintian-overrides.in
@@ -0,0 +1,40 @@
+golang-X.Y source: source-contains-prebuilt-binary src/debug/dwarf/testdata/typedef.elf
+golang-X.Y source: source-contains-prebuilt-binary src/debug/elf/testdata/gcc-amd64-linux-exec
+golang-X.Y source: source-contains-prebuilt-binary src/debug/elf/testdata/go-relocation-test-gcc441-x86.obj
+golang-X.Y source: source-contains-prebuilt-binary src/debug/elf/testdata/gcc-386-freebsd-exec
+golang-X.Y source: source-contains-prebuilt-binary src/debug/elf/testdata/gcc-amd64-openbsd-debug-with-rela.obj
+golang-X.Y source: source-contains-prebuilt-windows-binary src/debug/pe/testdata/gcc-386-mingw-exec
+golang-X.Y source: source-contains-prebuilt-binary src/debug/elf/testdata/go-relocation-test-gcc424-x86-64.obj
+golang-X.Y source: source-contains-prebuilt-binary src/debug/elf/testdata/go-relocation-test-gcc441-x86-64.obj
+golang-X.Y source: source-contains-prebuilt-windows-binary src/debug/pe/testdata/gcc-386-mingw-obj
+golang-X.Y source: source-contains-prebuilt-binary src/runtime/race/race_linux_amd64.syso
+
+# All these files are compiled from src/debug/elf/testdata/hello.c
+# with various toolchain and options to be used as test data for the
+# elf parser.
+golang-X.Y source: source-is-missing src/debug/elf/testdata/compressed-32.obj
+golang-X.Y source: source-is-missing src/debug/elf/testdata/compressed-64.obj
+golang-X.Y source: source-is-missing src/debug/elf/testdata/gcc-386-freebsd-exec
+golang-X.Y source: source-is-missing src/debug/elf/testdata/go-relocation-test-clang-arm.obj
+golang-X.Y source: source-is-missing src/debug/elf/testdata/go-relocation-test-clang-x86.obj
+golang-X.Y source: source-is-missing src/debug/elf/testdata/go-relocation-test-gcc424-x86-64.obj
+golang-X.Y source: source-is-missing src/debug/elf/testdata/go-relocation-test-gcc441-x86-64.obj
+golang-X.Y source: source-is-missing src/debug/elf/testdata/go-relocation-test-gcc441-x86.obj
+golang-X.Y source: source-is-missing src/debug/elf/testdata/go-relocation-test-gcc482-aarch64.obj
+golang-X.Y source: source-is-missing src/debug/elf/testdata/go-relocation-test-gcc482-ppc64le.obj
+golang-X.Y source: source-is-missing src/debug/elf/testdata/go-relocation-test-gcc492-arm.obj
+golang-X.Y source: source-is-missing src/debug/elf/testdata/go-relocation-test-gcc492-mips64.obj
+golang-X.Y source: source-is-missing src/debug/elf/testdata/go-relocation-test-gcc493-mips64le.obj
+golang-X.Y source: source-is-missing src/debug/elf/testdata/go-relocation-test-gcc5-ppc.obj
+golang-X.Y source: source-is-missing src/debug/elf/testdata/go-relocation-test-gcc531-s390x.obj
+golang-X.Y source: source-is-missing src/debug/elf/testdata/zdebug-test-gcc484-x86-64.obj
+
+# These files are compiled from src/debug/dwarf/testdata/line2.c with clang and gcc.
+golang-X.Y source: source-is-missing src/debug/dwarf/testdata/line-clang.elf
+golang-X.Y source: source-is-missing src/debug/dwarf/testdata/line-gcc.elf
+
+# Compiled from src/debug/dwarf/testdata/typedef.c with dwarf version 4.
+golang-X.Y source: source-is-missing src/debug/dwarf/testdata/typedef.elf4
+
+# This is not a typo.
+golang-X.Y source: unknown-file-in-debian-source lintian-overrides.in
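Review bot: The first group of overrides in debian/source/lintian-overrides.in has no explanatory comment, and it includes `src/runtime/race/race_linux_amd64.syso`, the one entry in the file whose path is not under a `testdata/` directory. The later groups say which source file each object was compiled from; this entry should get the same treatment, e.g. `# Prebuilt race detector runtime shipped by upstream; built from <SOURCE-AND-REVISION>`, with the placeholder replaced by the actual provenance. As written, the override silences the prebuilt-binary warning for an object that is presumably linked into race-enabled builds, and nothing in the packaging records where it came from. The comment belongs in this `.in` file because debian/source/lintian-overrides is generated from it.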
diff --git a/debian/watch b/debian/watch new file mode 100644 index 0000000..3f5a893 --- /dev/null +++ b/debian/watch @@ -0,0 +1,8 @@ +# +# WARNING: "debian/watch" is generated via "debian/rules gencontrol" (sourced from "debian/watch.in") +# + +version=3 +opts=\ +uversionmangle=s/(\d)[_\.\-\+]?((RC|rc|pre|dev|beta|alpha)\d*)$/$1~$2/,\ + http://golang.org/dl/ .*/go(1.7\S*)\.src\.tar\.gz diff --git a/debian/watch.in b/debian/watch.in new file mode 100644 index 0000000..1566c7c --- /dev/null +++ b/debian/watch.in @@ -0,0 +1,4 @@ +version=3 +opts=\ +uversionmangle=s/(\d)[_\.\-\+]?((RC|rc|pre|dev|beta|alpha)\d*)$/$1~$2/,\ + http://golang.org/dl/ .*/go(X.Y\S*)\.src\.tar\.gz diff --git a/src/debug/macho/testdata/gcc-amd64-darwin-exec-with-bad-dysym b/src/debug/macho/testdata/gcc-amd64-darwin-exec-with-bad-dysym new file mode 100644 index 0000000000000000000000000000000000000000..ee6704622fdc94a84bea5fd60a661d7dd9b9e823 GIT binary patch literal 8512 zcmeHMO=whC6u!@lI%4X>F$^Z)gIt?+tP5bdxe72W~m1Rj9oyi=|_E`0Iztth->YCi4A`oiEre4*jF zrRtpW$MIGbUY{DL9hNw@l+L`o>gFm=cUBy4UEy)hDYS7mwgu@D zna~LKFS4(Ce?$99T#YSdG3VuW;-%aj?}VNL9387&VGX=?xwzwr7!EjT9hE2P4gfJ5ny?M?w_84nNm%;qJDz{8P>_w`GsB>v zl*cF~9+$9c@J8dN+YQgD41X9245H1CVZbn87%&VN1`Gp+0mHyvFmO%Soj>iRhfnR> zHpGu3&%^rN-;M~`j&ZFlZJPS{JENqgzMX#T_A)>~L)=jW}nP|q^cF^p`cao7EiUWQcWrN?5IwmFhj1T)`{q5PZy$?jVNp8YfW_e1Gjv-P)I6n$xHA zRSvyWQXA6$N{FP=oJ*u*I^R(`sWkI;j_W-4uF5AFXT&gI7%&VN1`Gp+0mFb{z%XDK zFbo(53RDCsm%#Iv(w!vWH<0;A4T#_uo@?O6B?QD_iINAHnXS0pWLm z&(IjJzYnmEJ%E903ZHd)+PW^+fNcq@TXI9c9kW@#JdCDwTCfP&ExPAR)gmh8y7=BL z0n4k+YC)E3wJ(}=Atz=t?p#6X1ypfm-L1`4Sq_)7GB2H$Q)qe)AaX_2@1;{+D7m$& Wkd<7iDjHtS_26uk@LO+sSnPi#ZuXr3 literal 0 HcmV?d00001 -- 2.30.2
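Review bot: debian/watch.in points uscan at `http://golang.org/dl/`, so the upstream tarball listing is fetched over plain HTTP, and the file sets no signature-checking option, so nothing visible here authenticates what is downloaded. Using `https://golang.org/dl/ .*/go(X.Y\S*)\.src\.tar\.gz` removes the cleartext step; the change belongs in watch.in because debian/watch is generated from it by `debian/rules gencontrol`. If upstream publishes checksums or signatures for the source tarball, the import procedure should state how they are checked.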