Wed Mar 10 19:55:17 2021 UTC ()
Update go116 to 1.16.1, fixing two security issues:

   - encoding/xml: infinite loop when using xml.NewTokenDecoder with a
   custom TokenReader

The Decode, DecodeElement, and Skip methods of an xml.Decoder provided by
xml.NewTokenDecoder may enter an infinite loop when operating on a custom
xml.TokenReader which returns an EOF in the middle of an open XML element.

Thanks to Sam Whited for reporting this issue.

This issue is CVE-2021-27918 and Go issue golang.org/issue/44913.

   - archive/zip: panic when calling Reader.Open

The Reader.Open API, new in Go 1.16, will panic when used on a ZIP archive
containing files that start with "../".

This issue is CVE-2021-27919 and Go issue golang.org/issue/44916.


(bsiegert)
diff -r1.111 -r1.112 pkgsrc/lang/go/version.mk
diff -r1.3 -r1.4 pkgsrc/lang/go116/distinfo

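--- a/pkgsrc/lang/go/version.mk
+++ b/pkgsrc/lang/go/version.mk
@@ -1,72 +1,72 @@
-# $NetBSD: version.mk,v 1.111 2021/02/17 08:07:03 bsiegert Exp $
+# $NetBSD: version.mk,v 1.112 2021/03/10 19:55:17 bsiegert Exp $
 
 #
 # If bsd.prefs.mk is included before go-package.mk in a package, then this
 # file must be included directly in the package prior to bsd.prefs.mk.
 #
 .include "go-vars.mk"
 
-GO116_VERSION= 1.16
+GO116_VERSION= 1.16.1
 GO115_VERSION= 1.15.7
 GO114_VERSION= 1.14.14
 GO113_VERSION= 1.13.15
 GO110_VERSION= 1.10.8
 GO19_VERSION= 1.9.7
 GO14_VERSION= 1.4.3
 
 .include "../../mk/bsd.prefs.mk"
 
 .if ${OPSYS} == "NetBSD" && ${OS_VERSION:M6.*}
 # 1.9 is the last Go version to support NetBSD 6
 GO_VERSION_DEFAULT?= 19
 .elif ${OPSYS} == "Darwin" && ${MACHINE_ARCH} == "aarch64"
 GO_VERSION_DEFAULT?= 116
 .elif ${OPSYS} == "Darwin" && ${OS_VERSION:R} < 14
 # go 1.11 removed support for osx 10.8 and 10.9
 # https://github.com/golang/go/issues/23122
 # darwin version 13.4 is osx 10.9.5
 GO_VERSION_DEFAULT?= 110
 .else
 GO_VERSION_DEFAULT?= 115
 .endif
 
 .if !empty(GO_VERSION_DEFAULT)
 GOVERSSUFFIX= ${GO_VERSION_DEFAULT}
 .endif
 
 # How to find the Go tool
 GO= ${PREFIX}/go${GOVERSSUFFIX}/bin/go
 
 # Build dependency for Go
 GO_PACKAGE_DEP= go${GOVERSSUFFIX}-${GO${GOVERSSUFFIX}_VERSION}*:../../lang/go${GOVERSSUFFIX}
 
 ONLY_FOR_PLATFORM= *-*-i386 *-*-x86_64 *-*-earmv[67]hf *-*-aarch64
 NOT_FOR_PLATFORM= SunOS-*-i386
 .if ${MACHINE_ARCH} == "i386"
 GOARCH= 386
 GOCHAR= 8
 .elif ${MACHINE_ARCH} == "x86_64"
 GOARCH= amd64
 GOCHAR= 6
 .elif ${MACHINE_ARCH} == "earmv6hf" || ${MACHINE_ARCH} == "earmv7hf"
 GOARCH= arm
 GOCHAR= 5
 .elif ${MACHINE_ARCH} == "aarch64"
 GOARCH= arm64
 GOOPT= GOARM=7
 # GOHOSTARCH is being misdetected as arm on NetBSD. Unclear why.
 GOOPT+= GOHOSTARCH=arm64
 .endif
 .if ${MACHINE_ARCH} == "earmv6hf"
 GOOPT= GOARM=6
 .elif ${MACHINE_ARCH} == "earmv7hf"
 GOOPT= GOARM=7
 .endif
 GO_PLATFORM= ${LOWER_OPSYS}_${GOARCH}
 PLIST_SUBST+= GO_PLATFORM=${GO_PLATFORM:Q} GOARCH=${GOARCH:Q}
 PLIST_SUBST+= GOCHAR=${GOCHAR:Q}
 
 PRINT_PLIST_AWK+= { sub("/${GO_PLATFORM}/", "/$${GO_PLATFORM}/") }
 
 TOOLS_CREATE+= go
 TOOLS_PATH.go= ${GO}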

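--- a/pkgsrc/lang/go116/Attic/distinfo
+++ b/pkgsrc/lang/go116/Attic/distinfo
@@ -1,10 +1,10 @@
-$NetBSD: distinfo,v 1.3 2021/02/17 08:07:03 bsiegert Exp $
+$NetBSD: distinfo,v 1.4 2021/03/10 19:55:17 bsiegert Exp $
 
-SHA1 (go1.16.src.tar.gz) = 1d2b65415c9061eeb800c888a936511d6af0d6d5
-RMD160 (go1.16.src.tar.gz) = 1009890b7d4bbf6d8888a6f7adae8b0e42edb7ae
-SHA512 (go1.16.src.tar.gz) = 9c43e0ebb2d35c694b652cae8d4040ce3f3c8c014abd9496c92c78cc015ecea5b5331e7c2acf098d0c24dec222454ea09d834df4b6bc90d46e9feeac0ac578bf
-Size (go1.16.src.tar.gz) = 20895394 bytes
+SHA1 (go1.16.1.src.tar.gz) = ab7746ed5ec54110f5fbf4f8615a640530990111
+RMD160 (go1.16.1.src.tar.gz) = cab008285e02e97ab3523239684f9ad0b102da6b
+SHA512 (go1.16.1.src.tar.gz) = c7674be1a4a03c031d13a52e03a5e134bd2f499fe1bde3083885e363528252fce43b119974b804c8c46ec59e85337bb94e96b7a7183bdb78301898e222b3bba1
+Size (go1.16.1.src.tar.gz) = 20897580 bytes
 SHA1 (patch-misc_ios_clangwrap.sh) = 0a06403609cb7bce2e6f65444fd322f486761afe
 SHA1 (patch-src_cmd_dist_util.go) = 24e6f1b6ded842a8ce322a40e8766f7d344bc47e
 SHA1 (patch-src_crypto_x509_root__bsd.go) = 27636e0d8c121ccec6c46a3a82cd0e0469473a6e
 SHA1 (patch-src_syscall_zsysnum__solaris__amd64.go) = ec28a0fa37ba9599ec1651c8e9337a2efc48a26b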