pkgsrc-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[pkgsrc/trunk]: pkgsrc/lang Update go114 to 1.14.12 (security fix).
details: https://anonhg.NetBSD.org/pkgsrc/rev/eb69bd51e616
branches: trunk
changeset: 441922:eb69bd51e616
user: bsiegert <bsiegert%pkgsrc.org@localhost>
date: Fri Nov 13 18:27:35 2020 +0000
description:
Update go114 to 1.14.12 (security fix).
- math/big: panic during recursive division of very large numbers
A number of math/big.Int methods (Div, Exp, DivMod, Quo, Rem, QuoRem, Mod,
ModInverse, ModSqrt, Jacobi, and GCD) can panic when provided crafted large
inputs. For the panic to happen, the divisor or modulo argument must be larger
than 3168 bits (on 32-bit architectures) or 6336 bits (on 64-bit
architectures). Multiple math/big.Rat <https://pkg.go.dev/math/big#Rat> methods
are similarly affected.
crypto/rsa.VerifyPSS <https://pkg.go.dev/crypto/rsa#VerifyPSS>,
crypto/rsa.VerifyPKCS1v15 <https://pkg.go.dev/crypto/rsa#VerifyPKCS1v15>,
and crypto/dsa.Verify <https://pkg.go.dev/crypto/dsa#Verify> may panic when
provided crafted public keys and signatures. crypto/ecdsa and
crypto/elliptic operations may only be affected if custom CurveParams
<https://pkg.go.dev/crypto/elliptic#CurveParams> with unusually large field
sizes (several times larger than the largest supported curve, P-521) are in
use. Using crypto/x509.Verify on a crafted X.509 certificate chain can lead
to a panic, even if the certificates don’t chain to a trusted root. The
chain can be delivered via a crypto/tls connection to a client, or to a
server that accepts and verifies client certificates. net/http clients can
be made to crash by an HTTPS server, while net/http servers that accept
client certificates will recover the panic and are unaffected.
Moreover, an application might crash invoking
crypto/x509.(*CertificateRequest).CheckSignature on an X.509 certificate
request or during a golang.org/x/crypto/otr conversation. Parsing a
golang.org/x/crypto/openpgp Entity or verifying a signature may crash.
Finally, a golang.org/x/crypto/ssh client can panic due to a malformed host
key, while a server could panic if either PublicKeyCallback accepts a
malformed public key, or if IsUserAuthority accepts a certificate with a
malformed public key.
Thanks to the Go Ethereum team and the OSS-Fuzz project for reporting this.
Thanks to Rémy Oudompheng and Robert Griesemer for their help developing
and validating the fix.
This issue is CVE-2020-28362 and Go issue golang.org/issue/42552.
- cmd/go: arbitrary code execution at build time through cgo
The go command may execute arbitrary code at build time when cgo is in use.
This may occur when running go get on a malicious package, or any other
command that builds untrusted code.
This can be caused by malicious gcc flags specified via a #cgo directive,
or by a malicious symbol name in a linked object file.
These issues are CVE-2020-28367 and CVE-2020-28366, and Go issues
golang.org/issue/42556 and golang.org/issue/42559 respectively.
diffstat:
lang/go/version.mk | 4 ++--
lang/go114/PLIST | 3 ++-
lang/go114/distinfo | 10 +++++-----
3 files changed, 9 insertions(+), 8 deletions(-)
diffs (53 lines):
diff -r 48ba1a3958cf -r eb69bd51e616 lang/go/version.mk
--- a/lang/go/version.mk Fri Nov 13 17:05:39 2020 +0000
+++ b/lang/go/version.mk Fri Nov 13 18:27:35 2020 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: version.mk,v 1.103 2020/11/08 20:38:09 bsiegert Exp $
+# $NetBSD: version.mk,v 1.104 2020/11/13 18:27:35 bsiegert Exp $
#
# If bsd.prefs.mk is included before go-package.mk in a package, then this
@@ -7,7 +7,7 @@
.include "go-vars.mk"
GO115_VERSION= 1.15.4
-GO114_VERSION= 1.14.11
+GO114_VERSION= 1.14.12
GO113_VERSION= 1.13.15
GO110_VERSION= 1.10.8
GO19_VERSION= 1.9.7
diff -r 48ba1a3958cf -r eb69bd51e616 lang/go114/PLIST
--- a/lang/go114/PLIST Fri Nov 13 17:05:39 2020 +0000
+++ b/lang/go114/PLIST Fri Nov 13 18:27:35 2020 +0000
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.6 2020/10/15 12:01:14 bsiegert Exp $
+@comment $NetBSD: PLIST,v 1.7 2020/11/13 18:27:35 bsiegert Exp $
bin/go${GOVERSSUFFIX}
bin/gofmt${GOVERSSUFFIX}
go114/AUTHORS
@@ -183,6 +183,7 @@
go114/misc/android/README
go114/misc/android/go_android_exec.go
go114/misc/arm/a
+go114/misc/cgo/errors/badsym_test.go
go114/misc/cgo/errors/errors_test.go
go114/misc/cgo/errors/ptr_test.go
go114/misc/cgo/errors/testdata/err1.go
diff -r 48ba1a3958cf -r eb69bd51e616 lang/go114/distinfo
--- a/lang/go114/distinfo Fri Nov 13 17:05:39 2020 +0000
+++ b/lang/go114/distinfo Fri Nov 13 18:27:35 2020 +0000
@@ -1,9 +1,9 @@
-$NetBSD: distinfo,v 1.12 2020/11/08 20:12:31 bsiegert Exp $
+$NetBSD: distinfo,v 1.13 2020/11/13 18:27:35 bsiegert Exp $
-SHA1 (go1.14.11.src.tar.gz) = da0d329f0d76df968c73623ce953752f57a2a70e
-RMD160 (go1.14.11.src.tar.gz) = 8cff58cae318b50bce2538b8897654b6ec983f49
-SHA512 (go1.14.11.src.tar.gz) = 93cac0ee9f499417dfdc196eb12a91f335ec5693be59d08f9fa3fa5202f717789408077b8180ce9122079768cb94a7293875c0fab2ebef2ecf2c83a86ca0a4ec
-Size (go1.14.11.src.tar.gz) = 22552087 bytes
+SHA1 (go1.14.12.src.tar.gz) = b23a42c9085b5bcef74c23f4ffed41f16ee3a33c
+RMD160 (go1.14.12.src.tar.gz) = 161c44071a0cc8fa992dfcf7d1e42f74d241b3c0
+SHA512 (go1.14.12.src.tar.gz) = cba26b97878d5bd57d75bd1541932786779ddb7e9fa0bfb7bf003c7ae9e7bee8318c0d2108ce918453b863892b8f562e481bd0ed6cfc44e43d901522603adff2
+Size (go1.14.12.src.tar.gz) = 22553834 bytes
SHA1 (patch-misc_io_clangwrap.sh) = cd91c47ba0fe7b6eb8009dd261c0c26c7d581c29
SHA1 (patch-src_cmd_dist_util.go) = 24e6f1b6ded842a8ce322a40e8766f7d344bc47e
SHA1 (patch-src_cmd_link_internal_ld_elf.go) = 990a54e3baf239916e4c7f0c1d54240e2898601a
Home |
Main Index |
Thread Index |
Old Index