pkgsrc-Changes archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

CVS commit: pkgsrc/lang



Module Name:    pkgsrc
Committed By:   bsiegert
Date:           Wed Jul 13 14:14:18 UTC 2022

Modified Files:
        pkgsrc/lang/go: version.mk
        pkgsrc/lang/go117: Makefile PLIST distinfo

Log Message:
go117: update to 1.17.12 (security update)

This minor release includes 9 security fixes following the security policy:

net/http: improper sanitization of Transfer-Encoding header

The HTTP/1 client accepted some invalid Transfer-Encoding headers as indicating
a "chunked" encoding. This could potentially allow for request smuggling, but
only if combined with an intermediate server that also improperly failed to
reject the header as invalid.

This is CVE-2022-1705 and https://go.dev/issue/53188.

When httputil.ReverseProxy.ServeHTTP was called with a Request.Header map
containing a nil value for the X-Forwarded-For header, ReverseProxy would set
the client IP as the value of the X-Forwarded-For header, contrary to its
documentation. In the more usual case where a Director function set the
X-Forwarded-For header value to nil, ReverseProxy would leave the header
unmodified as expected.

This is https://go.dev/issue/53423 and CVE-2022-32148.

Thanks to Christian Mehlmauer for reporting this issue.

compress/gzip: stack exhaustion in Reader.Read

Calling Reader.Read on an archive containing a large number of concatenated
0-length compressed files can cause a panic due to stack exhaustion.

This is CVE-2022-30631 and Go issue https://go.dev/issue/53168.

encoding/xml: stack exhaustion in Unmarshal

Calling Unmarshal on a XML document into a Go struct which has a nested field
that uses the any field tag can cause a panic due to stack exhaustion.

This is CVE-2022-30633 and Go issue https://go.dev/issue/53611.

encoding/xml: stack exhaustion in Decoder.Skip

Calling Decoder.Skip when parsing a deeply nested XML document can cause a
panic due to stack exhaustion.

The Go Security team discovered this issue, and it was independently reported
by Juho Nurminen of Mattermost.

This is CVE-2022-28131 and Go issue https://go.dev/issue/53614.

encoding/gob: stack exhaustion in Decoder.Decode

Calling Decoder.Decode on a message which contains deeply nested structures can
cause a panic due to stack exhaustion.

This is CVE-2022-30635 and Go issue https://go.dev/issue/53615.

path/filepath: stack exhaustion in Glob

Calling Glob on a path which contains a large number of path separators can
cause a panic due to stack exhaustion.

Thanks to Juho Nurminen of Mattermost for reporting this issue.

This is CVE-2022-30632 and Go issue https://go.dev/issue/53416.

io/fs: stack exhaustion in Glob

Calling Glob on a path which contains a large number of path separators can
cause a panic due to stack exhaustion.

This is CVE-2022-30630 and Go issue https://go.dev/issue/53415.

go/parser: stack exhaustion in all Parse* functions

Calling any of the Parse functions on Go source code which contains deeply
nested types or declarations can cause a panic due to stack exhaustion.

Thanks to Juho Nurminen of Mattermost for reporting this issue.

This is CVE-2022-1962 and Go issue https://go.dev/issue/53616.


To generate a diff of this commit:
cvs rdiff -u -r1.151 -r1.152 pkgsrc/lang/go/version.mk
cvs rdiff -u -r1.6 -r1.7 pkgsrc/lang/go117/Makefile
cvs rdiff -u -r1.10 -r1.11 pkgsrc/lang/go117/PLIST
cvs rdiff -u -r1.17 -r1.18 pkgsrc/lang/go117/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/lang/go/version.mk
diff -u pkgsrc/lang/go/version.mk:1.151 pkgsrc/lang/go/version.mk:1.152
--- pkgsrc/lang/go/version.mk:1.151     Thu Jun  2 18:50:40 2022
+++ pkgsrc/lang/go/version.mk   Wed Jul 13 14:14:18 2022
@@ -1,4 +1,4 @@
-# $NetBSD: version.mk,v 1.151 2022/06/02 18:50:40 bsiegert Exp $
+# $NetBSD: version.mk,v 1.152 2022/07/13 14:14:18 bsiegert Exp $
 
 #
 # If bsd.prefs.mk is included before go-package.mk in a package, then this
@@ -7,7 +7,7 @@
 .include "go-vars.mk"
 
 GO118_VERSION= 1.18.3
-GO117_VERSION= 1.17.11
+GO117_VERSION= 1.17.12
 GO116_VERSION= 1.16.15
 GO110_VERSION= 1.10.8
 GO19_VERSION=  1.9.7

Index: pkgsrc/lang/go117/Makefile
diff -u pkgsrc/lang/go117/Makefile:1.6 pkgsrc/lang/go117/Makefile:1.7
--- pkgsrc/lang/go117/Makefile:1.6      Tue Jun 28 11:34:12 2022
+++ pkgsrc/lang/go117/Makefile  Wed Jul 13 14:14:18 2022
@@ -1,6 +1,5 @@
-# $NetBSD: Makefile,v 1.6 2022/06/28 11:34:12 wiz Exp $
+# $NetBSD: Makefile,v 1.7 2022/07/13 14:14:18 bsiegert Exp $
 
-PKGREVISION= 1
 .include "../../lang/go/version.mk"
 .include "../../lang/go/bootstrap.mk"
 
@@ -93,6 +92,11 @@ PLIST.pty=   yes
 PLIST.route=   yes
 .endif
 
+PRINT_PLIST_AWK+=      /^bin\/go${GOVERSSUFFIX}/ { print "bin/go$${GOVERSSUFFIX}"; next; }
+PRINT_PLIST_AWK+=      /^bin\/gofmt${GOVERSSUFFIX}/ { print "bin/gofmt$${GOVERSSUFFIX}"; next; }
+PRINT_PLIST_AWK+=      /internal\/pty\.a/ { printf "%s", "$${PLIST.pty}"; }
+PRINT_PLIST_AWK+=      /x\/net\/route\.a/ { printf "%s", "$${PLIST.route}"; }
+
 post-extract:
        ${RM} -r -f ${WRKSRC}/test/fixedbugs/issue27836*
 

Index: pkgsrc/lang/go117/PLIST
diff -u pkgsrc/lang/go117/PLIST:1.10 pkgsrc/lang/go117/PLIST:1.11
--- pkgsrc/lang/go117/PLIST:1.10        Thu Jun  2 18:19:26 2022
+++ pkgsrc/lang/go117/PLIST     Wed Jul 13 14:14:18 2022
@@ -1,6 +1,6 @@
-@comment $NetBSD: PLIST,v 1.10 2022/06/02 18:19:26 bsiegert Exp $
-bin/go117
-bin/gofmt117
+@comment $NetBSD: PLIST,v 1.11 2022/07/13 14:14:18 bsiegert Exp $
+bin/go${GOVERSSUFFIX}
+bin/gofmt${GOVERSSUFFIX}
 go117/AUTHORS
 go117/CONTRIBUTING.md
 go117/CONTRIBUTORS
@@ -2402,6 +2402,7 @@ go117/src/cmd/go/testdata/script/mod_dom
 go117/src/cmd/go/testdata/script/mod_dot.txt
 go117/src/cmd/go/testdata/script/mod_download.txt
 go117/src/cmd/go/testdata/script/mod_download_concurrent_read.txt
+go117/src/cmd/go/testdata/script/mod_download_git_decorate_full.txt
 go117/src/cmd/go/testdata/script/mod_download_hash.txt
 go117/src/cmd/go/testdata/script/mod_download_json.txt
 go117/src/cmd/go/testdata/script/mod_download_partial.txt
@@ -10065,6 +10066,7 @@ go117/test/fixedbugs/issue5260.go
 go117/test/fixedbugs/issue5291.dir/pkg1.go
 go117/test/fixedbugs/issue5291.dir/prog.go
 go117/test/fixedbugs/issue5291.go
+go117/test/fixedbugs/issue53454.go
 go117/test/fixedbugs/issue5358.go
 go117/test/fixedbugs/issue5373.go
 go117/test/fixedbugs/issue5470.dir/a.go

Index: pkgsrc/lang/go117/distinfo
diff -u pkgsrc/lang/go117/distinfo:1.17 pkgsrc/lang/go117/distinfo:1.18
--- pkgsrc/lang/go117/distinfo:1.17     Thu Jun  2 18:19:26 2022
+++ pkgsrc/lang/go117/distinfo  Wed Jul 13 14:14:18 2022
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.17 2022/06/02 18:19:26 bsiegert Exp $
+$NetBSD: distinfo,v 1.18 2022/07/13 14:14:18 bsiegert Exp $
 
-BLAKE2s (go1.17.11.src.tar.gz) = 56f12ee3395f5ccec66790391e18f7c4e6462531f75c5ae007637472086fe374
-SHA512 (go1.17.11.src.tar.gz) = cd08062e3357e8e73ad05572ac575b9d8b15599bdb3ea0ca743b04936fa5cca438886e6a06d6453334b8bb5fbe1ab3512657d11651f9199d2254736a6554e71d
-Size (go1.17.11.src.tar.gz) = 22197784 bytes
+BLAKE2s (go1.17.12.src.tar.gz) = 061cbbc13a599a2bba01fccd6c6686c5174f4f4f6cbac8cb515ffd233ef6ad2a
+SHA512 (go1.17.12.src.tar.gz) = d2bcea2a33723af5c2ae871f5c44694c69d37c74c62e81eddeaf4bfedf124feea2752997d3a359990071bf01f88942fc66b21cb092385946ad4ae9410854c8b9
+Size (go1.17.12.src.tar.gz) = 22205674 bytes
 SHA1 (patch-misc_ios_clangwrap.sh) = 0a06403609cb7bce2e6f65444fd322f486761afe
 SHA1 (patch-src_cmd_dist_util.go) = 2d9c2f59e27672d56f5f1a0e3f9d5101a05546a7
 SHA1 (patch-src_crypto_x509_root__bsd.go) = 27636e0d8c121ccec6c46a3a82cd0e0469473a6e



Home | Main Index | Thread Index | Old Index