Wed Mar 10 19:55:17 2021 UTC ()
Update go116 to 1.16.1, fixing two security issues:

   - encoding/xml: infinite loop when using xml.NewTokenDecoder with a
   custom TokenReader

The Decode, DecodeElement, and Skip methods of an xml.Decoder provided by
xml.NewTokenDecoder may enter an infinite loop when operating on a custom
xml.TokenReader which returns an EOF in the middle of an open XML element.

Thanks to Sam Whited for reporting this issue.

This issue is CVE-2021-27918 and Go issue golang.org/issue/44913.

   - archive/zip: panic when calling Reader.Open

The Reader.Open API, new in Go 1.16, will panic when used on a ZIP archive
containing files that start with "../".

This issue is CVE-2021-27919 and Go issue golang.org/issue/44916.


(bsiegert)
diff -r1.111 -r1.112 pkgsrc/lang/go/version.mk
diff -r1.3 -r1.4 pkgsrc/lang/go116/distinfo
cvs diff -r1.111 -r1.112 pkgsrc/lang/go/version.mk (expand / switch to unified diff)

--- pkgsrc/lang/go/version.mk 2021/02/17 08:07:03 1.111
+++ pkgsrc/lang/go/version.mk 2021/03/10 19:55:17 1.112
@@ -1,22 +1,22 @@ @@ -1,22 +1,22 @@
1# $NetBSD: version.mk,v 1.111 2021/02/17 08:07:03 bsiegert Exp $ 1# $NetBSD: version.mk,v 1.112 2021/03/10 19:55:17 bsiegert Exp $
2 2
3# 3#
4# If bsd.prefs.mk is included before go-package.mk in a package, then this 4# If bsd.prefs.mk is included before go-package.mk in a package, then this
5# file must be included directly in the package prior to bsd.prefs.mk. 5# file must be included directly in the package prior to bsd.prefs.mk.
6# 6#
7.include "go-vars.mk" 7.include "go-vars.mk"
8 8
9GO116_VERSION= 1.16 9GO116_VERSION= 1.16.1
10GO115_VERSION= 1.15.7 10GO115_VERSION= 1.15.7
11GO114_VERSION= 1.14.14 11GO114_VERSION= 1.14.14
12GO113_VERSION= 1.13.15 12GO113_VERSION= 1.13.15
13GO110_VERSION= 1.10.8 13GO110_VERSION= 1.10.8
14GO19_VERSION= 1.9.7 14GO19_VERSION= 1.9.7
15GO14_VERSION= 1.4.3 15GO14_VERSION= 1.4.3
16 16
17.include "../../mk/bsd.prefs.mk" 17.include "../../mk/bsd.prefs.mk"
18 18
19.if ${OPSYS} == "NetBSD" && ${OS_VERSION:M6.*} 19.if ${OPSYS} == "NetBSD" && ${OS_VERSION:M6.*}
20# 1.9 is the last Go version to support NetBSD 6 20# 1.9 is the last Go version to support NetBSD 6
21GO_VERSION_DEFAULT?= 19 21GO_VERSION_DEFAULT?= 19
22.elif ${OPSYS} == "Darwin" && ${MACHINE_ARCH} == "aarch64" 22.elif ${OPSYS} == "Darwin" && ${MACHINE_ARCH} == "aarch64"
cvs diff -r1.3 -r1.4 pkgsrc/lang/go116/Attic/distinfo (expand / switch to unified diff)

--- pkgsrc/lang/go116/Attic/distinfo 2021/02/17 08:07:03 1.3
+++ pkgsrc/lang/go116/Attic/distinfo 2021/03/10 19:55:17 1.4
@@ -1,10 +1,10 @@ @@ -1,10 +1,10 @@
1$NetBSD: distinfo,v 1.3 2021/02/17 08:07:03 bsiegert Exp $ 1$NetBSD: distinfo,v 1.4 2021/03/10 19:55:17 bsiegert Exp $
2 2
3SHA1 (go1.16.src.tar.gz) = 1d2b65415c9061eeb800c888a936511d6af0d6d5 3SHA1 (go1.16.1.src.tar.gz) = ab7746ed5ec54110f5fbf4f8615a640530990111
4RMD160 (go1.16.src.tar.gz) = 1009890b7d4bbf6d8888a6f7adae8b0e42edb7ae 4RMD160 (go1.16.1.src.tar.gz) = cab008285e02e97ab3523239684f9ad0b102da6b
5SHA512 (go1.16.src.tar.gz) = 9c43e0ebb2d35c694b652cae8d4040ce3f3c8c014abd9496c92c78cc015ecea5b5331e7c2acf098d0c24dec222454ea09d834df4b6bc90d46e9feeac0ac578bf 5SHA512 (go1.16.1.src.tar.gz) = c7674be1a4a03c031d13a52e03a5e134bd2f499fe1bde3083885e363528252fce43b119974b804c8c46ec59e85337bb94e96b7a7183bdb78301898e222b3bba1
6Size (go1.16.src.tar.gz) = 20895394 bytes 6Size (go1.16.1.src.tar.gz) = 20897580 bytes
7SHA1 (patch-misc_ios_clangwrap.sh) = 0a06403609cb7bce2e6f65444fd322f486761afe 7SHA1 (patch-misc_ios_clangwrap.sh) = 0a06403609cb7bce2e6f65444fd322f486761afe
8SHA1 (patch-src_cmd_dist_util.go) = 24e6f1b6ded842a8ce322a40e8766f7d344bc47e 8SHA1 (patch-src_cmd_dist_util.go) = 24e6f1b6ded842a8ce322a40e8766f7d344bc47e
9SHA1 (patch-src_crypto_x509_root__bsd.go) = 27636e0d8c121ccec6c46a3a82cd0e0469473a6e 9SHA1 (patch-src_crypto_x509_root__bsd.go) = 27636e0d8c121ccec6c46a3a82cd0e0469473a6e
10SHA1 (patch-src_syscall_zsysnum__solaris__amd64.go) = ec28a0fa37ba9599ec1651c8e9337a2efc48a26b 10SHA1 (patch-src_syscall_zsysnum__solaris__amd64.go) = ec28a0fa37ba9599ec1651c8e9337a2efc48a26b