Sun Feb 2 09:36:41 2020 UTC
Update go113 to 1.13.7 (security release).

Panic in crypto/x509 certificate parsing and golang.org/x/crypto/cryptobyte

On 32-bit architectures, a malformed input to crypto/x509 or the ASN.1 parsing
functions of golang.org/x/crypto/cryptobyte can lead to a panic.

The malformed certificate can be delivered via a crypto/tls connection to a
client, or to a server that accepts client certificates. net/http clients can
be made to crash by an HTTPS server, while net/http servers that accept client
certificates will recover the panic and are unaffected.

Thanks to Project Wycheproof for providing the test cases that led to the
discovery of this issue.

The issue is CVE-2020-7919 and Go issue golang.org/issue/36837.

This is also fixed in version v0.0.0-20200124225646-8b5121be2f68 of
golang.org/x/crypto/cryptobyte.


(bsiegert)
diff -r1.79 -r1.80 pkgsrc/lang/go/version.mk
diff -r1.2 -r1.3 pkgsrc/lang/go113/distinfo

cvs diff -r1.79 -r1.80 pkgsrc/lang/go/version.mk

--- pkgsrc/lang/go/version.mk 2020/02/02 09:26:39 1.79
+++ pkgsrc/lang/go/version.mk 2020/02/02 09:36:40 1.80
@@ -1,22 +1,22 @@ @@ -1,22 +1,22 @@
1# $NetBSD: version.mk,v 1.79 2020/02/02 09:26:39 bsiegert Exp $ 1# $NetBSD: version.mk,v 1.80 2020/02/02 09:36:40 bsiegert Exp $
2 2
3# 3#
4# If bsd.prefs.mk is included before go-package.mk in a package, then this 4# If bsd.prefs.mk is included before go-package.mk in a package, then this
5# file must be included directly in the package prior to bsd.prefs.mk. 5# file must be included directly in the package prior to bsd.prefs.mk.
6# 6#
7.include "go-vars.mk" 7.include "go-vars.mk"
8 8
9GO113_VERSION= 1.13.6 9GO113_VERSION= 1.13.7
10GO112_VERSION= 1.12.16 10GO112_VERSION= 1.12.16
11GO111_VERSION= 1.11.13 11GO111_VERSION= 1.11.13
12GO110_VERSION= 1.10.8 12GO110_VERSION= 1.10.8
13GO19_VERSION= 1.9.7 13GO19_VERSION= 1.9.7
14GO14_VERSION= 1.4.3 14GO14_VERSION= 1.4.3
15GO_VERSION= ${GO110_VERSION} 15GO_VERSION= ${GO110_VERSION}
16 16
17.include "../../mk/bsd.prefs.mk" 17.include "../../mk/bsd.prefs.mk"
18 18
19.if ${OPSYS} == "NetBSD" && ${OS_VERSION:M6.*} 19.if ${OPSYS} == "NetBSD" && ${OS_VERSION:M6.*}
20# 1.9 is the last Go version to support NetBSD 6 20# 1.9 is the last Go version to support NetBSD 6
21GO_VERSION_DEFAULT?= 19 21GO_VERSION_DEFAULT?= 19
22.elif ${OPSYS} == "Darwin" && ${OS_VERSION:R} < 14 22.elif ${OPSYS} == "Darwin" && ${OS_VERSION:R} < 14
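
Review bot: The bump on line 9 (GO113_VERSION 1.13.6 to 1.13.7) only changes the toolchain; Go links the standard library statically, so binaries already built with go113 keep the old crypto/x509 code until they are rebuilt. Suggest following up with a revision bump of the packages built with go113, or saying in the log that a rebuild is needed. The log also does not say whether the older branches kept in this file (GO111_VERSION 1.11.13, GO110_VERSION 1.10.8, GO19_VERSION 1.9.7) are affected by CVE-2020-7919; since GO_VERSION on line 15 still resolves to GO110_VERSION and NetBSD 6 defaults to 19, a note on their status would help.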

cvs diff -r1.2 -r1.3 pkgsrc/lang/go113/Attic/distinfo

--- pkgsrc/lang/go113/Attic/distinfo 2020/01/10 12:40:43 1.2
+++ pkgsrc/lang/go113/Attic/distinfo 2020/02/02 09:36:40 1.3
@@ -1,12 +1,12 @@ @@ -1,12 +1,12 @@
1$NetBSD: distinfo,v 1.2 2020/01/10 12:40:43 bsiegert Exp $ 1$NetBSD: distinfo,v 1.3 2020/02/02 09:36:40 bsiegert Exp $
2 2
3SHA1 (go1.13.6.src.tar.gz) = 3f1b16df7ed16c5bd8042335d29b02aea190e458 3SHA1 (go1.13.7.src.tar.gz) = e3105840934d432cce55789b408150631aac9158
4RMD160 (go1.13.6.src.tar.gz) = c3d56b0d5ee667c5117ff47f8ac9c96f8ec888aa 4RMD160 (go1.13.7.src.tar.gz) = 265bdcf28deca6726ea44b9b6a3521959b31ba0f
5SHA512 (go1.13.6.src.tar.gz) = dffb6e06eea0b1541901dfbed8d28e8cc1eac3184dc40a19ed3637737df796a67a2e7170b228e1003d36b14e6f0f13bb8be9d2a702834a9c06228d1821659528 5SHA512 (go1.13.7.src.tar.gz) = f87dd04befbe32c7ff1eb617a756fcc7d85e4236d4b063bbf6091d8911ef147c070808f7f7db536e7a3b3990f61f6fb4666e665217b0807e7e0703e00c5491fa
6Size (go1.13.6.src.tar.gz) = 21631050 bytes 6Size (go1.13.7.src.tar.gz) = 21631267 bytes
7SHA1 (patch-misc_io_clangwrap.sh) = cd91c47ba0fe7b6eb8009dd261c0c26c7d581c29 7SHA1 (patch-misc_io_clangwrap.sh) = cd91c47ba0fe7b6eb8009dd261c0c26c7d581c29
8SHA1 (patch-src_cmd_dist_util.go) = 24e6f1b6ded842a8ce322a40e8766f7d344bc47e 8SHA1 (patch-src_cmd_dist_util.go) = 24e6f1b6ded842a8ce322a40e8766f7d344bc47e
9SHA1 (patch-src_cmd_link_internal_ld_elf.go) = 990a54e3baf239916e4c7f0c1d54240e2898601a 9SHA1 (patch-src_cmd_link_internal_ld_elf.go) = 990a54e3baf239916e4c7f0c1d54240e2898601a
10SHA1 (patch-src_crypto_x509_root__bsd.go) = 93a2de7c685a0919fe93f5bc99f156e105dace4d 10SHA1 (patch-src_crypto_x509_root__bsd.go) = 93a2de7c685a0919fe93f5bc99f156e105dace4d
11SHA1 (patch-src_runtime_os__netbsd.go) = 9b80de94667e3f8d8d1ae3648ab1fe43dd55d577 11SHA1 (patch-src_runtime_os__netbsd.go) = 9b80de94667e3f8d8d1ae3648ab1fe43dd55d577
12SHA1 (patch-src_syscall_zsysnum__solaris__amd64.go) = ec28a0fa37ba9599ec1651c8e9337a2efc48a26b 12SHA1 (patch-src_syscall_zsysnum__solaris__amd64.go) = ec28a0fa37ba9599ec1651c8e9337a2efc48a26b
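
Review bot: Line 10 carries patch-src_crypto_x509_root__bsd.go over with an unchanged SHA1 while this release changes crypto/x509 certificate parsing; please confirm the patch still applies cleanly to go1.13.7 rather than with fuzz or offsets. For the new distfile entries on lines 3-6, it would be worth stating in the log that the tarball was checked against the checksum upstream publishes, since the diff alone cannot show where the new digests came from.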