Thu Feb 8 19:32:17 2018 UTC ()
Update Go to 1.9.4.

By using the clang or gcc plugin mechanism, it was possible for an attacker to
trick the "go get" command into executing arbitrary code. The go command now
restricts the set of allowed host compiler and linker arguments in cgo source
files to a list of allowed flags, in particular disallowing -fplugin= and
-plugin=.

The issue is CVE-2018-6574 and Go issue golang.org/issue/23672. See the Go
issue for details.

Thanks to Christopher Brown of Mattermost for reporting this problem.


(bsiegert)
diff -r1.37 -r1.38 pkgsrc/lang/go/PLIST
diff -r1.56 -r1.57 pkgsrc/lang/go/distinfo
diff -r1.33 -r1.34 pkgsrc/lang/go/version.mk

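--- a/pkgsrc/lang/go/Attic/PLIST
+++ b/pkgsrc/lang/go/Attic/PLIST
@@ -1,14 +1,14 @@
-@comment $NetBSD: PLIST,v 1.37 2018/01/28 11:31:03 bsiegert Exp $
+@comment $NetBSD: PLIST,v 1.38 2018/02/08 19:32:17 bsiegert Exp $
 bin/go
 bin/gofmt
 go/AUTHORS
 go/CONTRIBUTING.md
 go/CONTRIBUTORS
 go/LICENSE
 go/PATENTS
 go/README.md
 go/VERSION
 go/api/README
 go/api/except.txt
 go/api/go1.1.txt
 go/api/go1.2.txt
@@ -1779,26 +1779,28 @@ go/src/cmd/go/internal/load/testgo.go
 go/src/cmd/go/internal/run/run.go
 go/src/cmd/go/internal/str/str.go
 go/src/cmd/go/internal/test/test.go
 go/src/cmd/go/internal/test/testflag.go
 go/src/cmd/go/internal/tool/tool.go
 go/src/cmd/go/internal/version/version.go
 go/src/cmd/go/internal/vet/vet.go
 go/src/cmd/go/internal/vet/vetflag.go
 go/src/cmd/go/internal/web/bootstrap.go
 go/src/cmd/go/internal/web/http.go
 go/src/cmd/go/internal/web/security.go
 go/src/cmd/go/internal/work/build.go
 go/src/cmd/go/internal/work/build_test.go
+go/src/cmd/go/internal/work/security.go
+go/src/cmd/go/internal/work/security_test.go
 go/src/cmd/go/internal/work/testgo.go
 go/src/cmd/go/main.go
 go/src/cmd/go/mkalldocs.sh
 go/src/cmd/go/note_test.go
 go/src/cmd/go/testdata/dep_test.go
 go/src/cmd/go/testdata/example1_test.go
 go/src/cmd/go/testdata/example2_test.go
 go/src/cmd/go/testdata/failssh/ssh
 go/src/cmd/go/testdata/flag_test.go
 go/src/cmd/go/testdata/generate/test1.go
 go/src/cmd/go/testdata/generate/test2.go
 go/src/cmd/go/testdata/generate/test3.go
 go/src/cmd/go/testdata/generate/test4.go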

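--- a/pkgsrc/lang/go/Attic/distinfo
+++ b/pkgsrc/lang/go/Attic/distinfo
@@ -1,12 +1,12 @@
-$NetBSD: distinfo,v 1.56 2018/01/28 11:31:03 bsiegert Exp $
+$NetBSD: distinfo,v 1.57 2018/02/08 19:32:17 bsiegert Exp $
 
-SHA1 (go1.9.3.src.tar.gz) = e1854548e8e2defca7d63ab752ff46f38eb7db2a
-RMD160 (go1.9.3.src.tar.gz) = 0088a287f3a3c4bd4c152101f684e22173c59fa4
-SHA512 (go1.9.3.src.tar.gz) = 31c564af58b78c648c9bece8fa2ed3334feb80316b07b16f6286319e26d317da90d1af0464c3a2f776a3da72d31b22b063dbc620b93114bf142a11e8a625e527
-Size (go1.9.3.src.tar.gz) = 16385451 bytes
+SHA1 (go1.9.4.src.tar.gz) = 12b0ecee83525cd594f4fbf30380d4832e06f189
+RMD160 (go1.9.4.src.tar.gz) = 801d6a8a57d2dc0fefba283ea1ae456b869a7398
+SHA512 (go1.9.4.src.tar.gz) = 1a7c830e07507ff7b89025adfb5c713444d97301f8ad47ef2564722c1e28186e946350f07e22777fbdd6f2f589c334eb01dfd589e97cb8a86f73669547badb0b
+Size (go1.9.4.src.tar.gz) = 16392325 bytes
 SHA1 (patch-misc_io_clangwrap.sh) = cd91c47ba0fe7b6eb8009dd261c0c26c7d581c29
 SHA1 (patch-src_cmd_dist_util.go) = 24e6f1b6ded842a8ce322a40e8766f7d344bc47e
 SHA1 (patch-src_cmd_link_internal_ld_elf.go) = acc8d92b7eae1b77470bd3e88af93d458695ac76
 SHA1 (patch-src_crypto_x509_root__bsd.go) = 93a2de7c685a0919fe93f5bc99f156e105dace4d
 SHA1 (patch-src_runtime_os__netbsd.go) = 9b80de94667e3f8d8d1ae3648ab1fe43dd55d577
 SHA1 (patch-src_runtime_rt0__netbsd__arm.s) = 45e727f4e89470505664e7c38bdb8ebd314bcaf5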

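--- a/pkgsrc/lang/go/version.mk
+++ b/pkgsrc/lang/go/version.mk
@@ -1,20 +1,20 @@
-# $NetBSD: version.mk,v 1.33 2018/01/30 17:05:21 jperkin Exp $
+# $NetBSD: version.mk,v 1.34 2018/02/08 19:32:17 bsiegert Exp $
 
 SSP_SUPPORTED= no
 
 .include "../../mk/bsd.prefs.mk"
 
-GO_VERSION= 1.9.3
+GO_VERSION= 1.9.4
 GO14_VERSION= 1.4.3
 
 ONLY_FOR_PLATFORM= *-*-i386 *-*-x86_64 *-*-earmv[67]hf
 NOT_FOR_PLATFORM= SunOS-*-i386
 .if ${MACHINE_ARCH} == "i386"
 GOARCH= 386
 GOCHAR= 8
 .elif ${MACHINE_ARCH} == "x86_64"
 GOARCH= amd64
 GOCHAR= 6
 .elif ${MACHINE_ARCH} == "earmv6hf" || ${MACHINE_ARCH} == "earmv7hf"
 GOARCH= arm
 GOCHAR= 5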