Sat Feb 12 20:14:01 2022 UTC
Update go117 to 1.17.7 (security update).

crypto/elliptic: fix IsOnCurve for big.Int values that are not valid coordinates

Some big.Int values that are not valid field elements (negative or overflowing)
might cause Curve.IsOnCurve to incorrectly return true. Operating on those values
may cause a panic or an invalid curve operation. Note that Unmarshal will never
return such values.

Thanks to Guido Vranken for reporting this.

This is CVE-2022-23806 and https://go.dev/issue/50974.

math/big: prevent large memory consumption in Rat.SetString

An attacker can cause unbounded memory growth in a program using (*Rat).SetString
due to an unhandled overflow.

Thanks to the OSS-Fuzz project for discovering this issue and to Emmanuel Odeke
(@odeke_et) for reporting it.

This is CVE-2022-23772 and Go issue https://go.dev/issue/50699.

cmd/go: prevent branches from materializing into versions

A branch whose name resembles a version tag (such as "v1.0.0" or "subdir/v2.0.0-dev")
can be considered a valid version by the go command. Materializing versions from
branches might be unexpected and bypass ACLs that limit the creation of tags but not
branches.

This is CVE-2022-23773 and Go issue https://go.dev/issue/35671.


(bsiegert)
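For the crypto/elliptic item in the commit message above, one way an application can guard its own use of IsOnCurve is to reject coordinates that are not field elements first. This is an added example, not code from the commit or from the Go project; `checkPoint` is a hypothetical helper and the sample inputs are constructed.

```go
package main

import (
	"crypto/elliptic"
	"errors"
	"fmt"
	"math/big"
)

// checkPoint is a hypothetical helper (not part of crypto/elliptic). It rejects
// coordinates outside [0, P-1] before asking the curve anything, so the result
// does not depend on how IsOnCurve treats negative or overflowing values.
func checkPoint(curve elliptic.Curve, x, y *big.Int) error {
	if x == nil || y == nil {
		return errors.New("missing coordinate")
	}
	p := curve.Params().P
	for _, c := range []*big.Int{x, y} {
		if c.Sign() < 0 || c.Cmp(p) >= 0 {
			return errors.New("coordinate is not a field element")
		}
	}
	if !curve.IsOnCurve(x, y) {
		return errors.New("point is not on the curve")
	}
	return nil
}

func main() {
	curve := elliptic.P256()
	params := curve.Params()
	gx, gy := params.Gx, params.Gy // the base point, a valid sample

	// Constructed inputs: congruent to Gx mod P, but not valid coordinates.
	overflowing := new(big.Int).Add(gx, params.P)
	negative := new(big.Int).Sub(gx, params.P)

	fmt.Println("base point: ", checkPoint(curve, gx, gy))
	fmt.Println("overflowing:", checkPoint(curve, overflowing, gy))
	fmt.Println("negative:   ", checkPoint(curve, negative, gy))
}
```

The range check matters for points assembled from separately supplied big.Int values; the commit message notes that Unmarshal never returns such values.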
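For the cmd/go item in the commit message above, a repository owner can audit ref names for branches that could be read as versions. This is an added example, not code from the commit or from the go command; `auditRefs`, `Finding` and the pattern are assumptions made for the audit, and the ref list is constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// versionLike: optional subdirectory prefix, then vMAJOR.MINOR.PATCH with an optional
// suffix. An approximation chosen for this audit, not the go command's own matching.
var versionLike = regexp.MustCompile(`^(?:[^/]+/)*v(?:0|[1-9][0-9]*)\.(?:0|[1-9][0-9]*)\.(?:0|[1-9][0-9]*)(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$`)

type Finding struct {
	Branch string
	HasTag bool // true when a tag of the same name also exists
}

// auditRefs takes full ref names, as printed by
// `git for-each-ref --format='%(refname)'`, and reports version-like branches.
func auditRefs(refs []string) []Finding {
	tags := map[string]bool{}
	for _, r := range refs {
		if t := strings.TrimPrefix(r, "refs/tags/"); t != r {
			tags[t] = true
		}
	}
	var out []Finding
	for _, r := range refs {
		b := strings.TrimPrefix(r, "refs/heads/")
		if b != r && versionLike.MatchString(b) {
			out = append(out, Finding{Branch: b, HasTag: tags[b]})
		}
	}
	return out
}

func main() {
	// Constructed sample, not taken from a real repository.
	refs := []string{
		"refs/heads/main",
		"refs/heads/v1.0.0",
		"refs/heads/subdir/v2.0.0-dev",
		"refs/heads/release-1.2",
		"refs/tags/v1.0.0",
	}
	for _, f := range auditRefs(refs) {
		fmt.Printf("branch %q looks like a version (tag of same name: %v)\n", f.Branch, f.HasTag)
	}
}
```

A finding with no tag of the same name is the case to look at first where tag creation is restricted but branch creation is not.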
diff -r1.140 -r1.141 pkgsrc/lang/go/version.mk
diff -r1.5 -r1.6 pkgsrc/lang/go117/PLIST
diff -r1.12 -r1.13 pkgsrc/lang/go117/distinfo

cvs diff -r1.140 -r1.141 pkgsrc/lang/go/version.mk

--- pkgsrc/lang/go/version.mk 2022/02/12 19:52:40 1.140
+++ pkgsrc/lang/go/version.mk 2022/02/12 20:14:01 1.141
@@ -1,22 +1,22 @@ @@ -1,22 +1,22 @@
1# $NetBSD: version.mk,v 1.140 2022/02/12 19:52:40 bsiegert Exp $ 1# $NetBSD: version.mk,v 1.141 2022/02/12 20:14:01 bsiegert Exp $
2 2
3# 3#
4# If bsd.prefs.mk is included before go-package.mk in a package, then this 4# If bsd.prefs.mk is included before go-package.mk in a package, then this
5# file must be included directly in the package prior to bsd.prefs.mk. 5# file must be included directly in the package prior to bsd.prefs.mk.
6# 6#
7.include "go-vars.mk" 7.include "go-vars.mk"
8 8
9GO117_VERSION= 1.17.6 9GO117_VERSION= 1.17.7
10GO116_VERSION= 1.16.14 10GO116_VERSION= 1.16.14
11GO110_VERSION= 1.10.8 11GO110_VERSION= 1.10.8
12GO19_VERSION= 1.9.7 12GO19_VERSION= 1.9.7
13GO14_VERSION= 1.4.3 13GO14_VERSION= 1.4.3
14 14
15.include "../../mk/bsd.prefs.mk" 15.include "../../mk/bsd.prefs.mk"
16 16
17.if ${OPSYS} == "NetBSD" && ${OPSYS_VERSION} < 070000 17.if ${OPSYS} == "NetBSD" && ${OPSYS_VERSION} < 070000
18# 1.9 is the last Go version to support NetBSD 6 18# 1.9 is the last Go version to support NetBSD 6
19GO_VERSION_DEFAULT?= 19 19GO_VERSION_DEFAULT?= 19
20.elif ${OPSYS} == "Darwin" && ${OPSYS_VERSION} < 101000 20.elif ${OPSYS} == "Darwin" && ${OPSYS_VERSION} < 101000
21# go 1.11 removed support for osx 10.8 and 10.9 21# go 1.11 removed support for osx 10.8 and 10.9
22# https://github.com/golang/go/issues/23122 22# https://github.com/golang/go/issues/23122
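Review bot: The GO117_VERSION bump on line 9 only updates the go117 toolchain itself, and nothing in this change covers the packages already built with it. Go links the standard library statically into every binary it produces, so packages built with 1.17.6 keep the affected crypto/elliptic and math/big code until they are rebuilt. Suggest following this with a PKGREVISION bump for packages built with go117, or saying in the commit message that one is coming.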

cvs diff -r1.5 -r1.6 pkgsrc/lang/go117/Attic/PLIST

--- pkgsrc/lang/go117/Attic/PLIST 2022/01/09 19:54:47 1.5
+++ pkgsrc/lang/go117/Attic/PLIST 2022/02/12 20:14:01 1.6
@@ -1,14 +1,14 @@ @@ -1,14 +1,14 @@
1@comment $NetBSD: PLIST,v 1.5 2022/01/09 19:54:47 bsiegert Exp $ 1@comment $NetBSD: PLIST,v 1.6 2022/02/12 20:14:01 bsiegert Exp $
2bin/go${GOVERSSUFFIX} 2bin/go${GOVERSSUFFIX}
3bin/gofmt${GOVERSSUFFIX} 3bin/gofmt${GOVERSSUFFIX}
4go117/AUTHORS 4go117/AUTHORS
5go117/CONTRIBUTING.md 5go117/CONTRIBUTING.md
6go117/CONTRIBUTORS 6go117/CONTRIBUTORS
7go117/LICENSE 7go117/LICENSE
8go117/PATENTS 8go117/PATENTS
9go117/README.md 9go117/README.md
10go117/SECURITY.md 10go117/SECURITY.md
11go117/VERSION 11go117/VERSION
12go117/api/README 12go117/api/README
13go117/api/except.txt 13go117/api/except.txt
14go117/api/go1.1.txt 14go117/api/go1.1.txt
@@ -249,26 +249,27 @@ go117/misc/cgo/testgodefs/testdata/field @@ -249,26 +249,27 @@ go117/misc/cgo/testgodefs/testdata/field
249go117/misc/cgo/testgodefs/testdata/issue37479.go 249go117/misc/cgo/testgodefs/testdata/issue37479.go
250go117/misc/cgo/testgodefs/testdata/issue37621.go 250go117/misc/cgo/testgodefs/testdata/issue37621.go
251go117/misc/cgo/testgodefs/testdata/issue38649.go 251go117/misc/cgo/testgodefs/testdata/issue38649.go
252go117/misc/cgo/testgodefs/testdata/issue39534.go 252go117/misc/cgo/testgodefs/testdata/issue39534.go
253go117/misc/cgo/testgodefs/testdata/issue8478.go 253go117/misc/cgo/testgodefs/testdata/issue8478.go
254go117/misc/cgo/testgodefs/testdata/main.go 254go117/misc/cgo/testgodefs/testdata/main.go
255go117/misc/cgo/testgodefs/testgodefs_test.go 255go117/misc/cgo/testgodefs/testgodefs_test.go
256go117/misc/cgo/testplugin/altpath/testdata/common/common.go 256go117/misc/cgo/testplugin/altpath/testdata/common/common.go
257go117/misc/cgo/testplugin/altpath/testdata/plugin-mismatch/main.go 257go117/misc/cgo/testplugin/altpath/testdata/plugin-mismatch/main.go
258go117/misc/cgo/testplugin/overlaydir_test.go 258go117/misc/cgo/testplugin/overlaydir_test.go
259go117/misc/cgo/testplugin/plugin_test.go 259go117/misc/cgo/testplugin/plugin_test.go
260go117/misc/cgo/testplugin/testdata/checkdwarf/main.go 260go117/misc/cgo/testplugin/testdata/checkdwarf/main.go
261go117/misc/cgo/testplugin/testdata/common/common.go 261go117/misc/cgo/testplugin/testdata/common/common.go
 262go117/misc/cgo/testplugin/testdata/forkexec/main.go
262go117/misc/cgo/testplugin/testdata/host/host.go 263go117/misc/cgo/testplugin/testdata/host/host.go
263go117/misc/cgo/testplugin/testdata/iface/main.go 264go117/misc/cgo/testplugin/testdata/iface/main.go
264go117/misc/cgo/testplugin/testdata/iface_a/a.go 265go117/misc/cgo/testplugin/testdata/iface_a/a.go
265go117/misc/cgo/testplugin/testdata/iface_b/b.go 266go117/misc/cgo/testplugin/testdata/iface_b/b.go
266go117/misc/cgo/testplugin/testdata/iface_i/i.go 267go117/misc/cgo/testplugin/testdata/iface_i/i.go
267go117/misc/cgo/testplugin/testdata/issue18584/main.go 268go117/misc/cgo/testplugin/testdata/issue18584/main.go
268go117/misc/cgo/testplugin/testdata/issue18584/plugin.go 269go117/misc/cgo/testplugin/testdata/issue18584/plugin.go
269go117/misc/cgo/testplugin/testdata/issue18676/dynamodbstreamsevt/definition.go 270go117/misc/cgo/testplugin/testdata/issue18676/dynamodbstreamsevt/definition.go
270go117/misc/cgo/testplugin/testdata/issue18676/main.go 271go117/misc/cgo/testplugin/testdata/issue18676/main.go
271go117/misc/cgo/testplugin/testdata/issue18676/plugin.go 272go117/misc/cgo/testplugin/testdata/issue18676/plugin.go
272go117/misc/cgo/testplugin/testdata/issue19418/main.go 273go117/misc/cgo/testplugin/testdata/issue19418/main.go
273go117/misc/cgo/testplugin/testdata/issue19418/plugin.go 274go117/misc/cgo/testplugin/testdata/issue19418/plugin.go
274go117/misc/cgo/testplugin/testdata/issue19529/plugin.go 275go117/misc/cgo/testplugin/testdata/issue19529/plugin.go
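Review bot: The new entry at line 262, go117/misc/cgo/testplugin/testdata/forkexec/main.go, is not accounted for by the commit message, which lists only the three CVE fixes. Worth confirming that the list was regenerated from a full install of 1.17.7 (for example with make print-PLIST) rather than edited by hand, so that no other added or removed file is missed.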
@@ -10026,26 +10027,28 @@ go117/test/fixedbugs/issue4909b.go @@ -10026,26 +10027,28 @@ go117/test/fixedbugs/issue4909b.go
10026go117/test/fixedbugs/issue49122.go 10027go117/test/fixedbugs/issue49122.go
10027go117/test/fixedbugs/issue49249.go 10028go117/test/fixedbugs/issue49249.go
10028go117/test/fixedbugs/issue49282.go 10029go117/test/fixedbugs/issue49282.go
10029go117/test/fixedbugs/issue4932.dir/foo.go 10030go117/test/fixedbugs/issue4932.dir/foo.go
10030go117/test/fixedbugs/issue4932.dir/state.go 10031go117/test/fixedbugs/issue4932.dir/state.go
10031go117/test/fixedbugs/issue4932.dir/state2.go 10032go117/test/fixedbugs/issue4932.dir/state2.go
10032go117/test/fixedbugs/issue4932.go 10033go117/test/fixedbugs/issue4932.go
10033go117/test/fixedbugs/issue49378.go 10034go117/test/fixedbugs/issue49378.go
10034go117/test/fixedbugs/issue4964.dir/a.go 10035go117/test/fixedbugs/issue4964.dir/a.go
10035go117/test/fixedbugs/issue4964.dir/b.go 10036go117/test/fixedbugs/issue4964.dir/b.go
10036go117/test/fixedbugs/issue4964.go 10037go117/test/fixedbugs/issue4964.go
10037go117/test/fixedbugs/issue5002.go 10038go117/test/fixedbugs/issue5002.go
10038go117/test/fixedbugs/issue5056.go 10039go117/test/fixedbugs/issue5056.go
 10040go117/test/fixedbugs/issue50671.go
 10041go117/test/fixedbugs/issue50854.go
10039go117/test/fixedbugs/issue5089.go 10042go117/test/fixedbugs/issue5089.go
10040go117/test/fixedbugs/issue5105.dir/a.go 10043go117/test/fixedbugs/issue5105.dir/a.go
10041go117/test/fixedbugs/issue5105.dir/b.go 10044go117/test/fixedbugs/issue5105.dir/b.go
10042go117/test/fixedbugs/issue5105.go 10045go117/test/fixedbugs/issue5105.go
10043go117/test/fixedbugs/issue5125.dir/bug.go 10046go117/test/fixedbugs/issue5125.dir/bug.go
10044go117/test/fixedbugs/issue5125.dir/main.go 10047go117/test/fixedbugs/issue5125.dir/main.go
10045go117/test/fixedbugs/issue5125.go 10048go117/test/fixedbugs/issue5125.go
10046go117/test/fixedbugs/issue5162.go 10049go117/test/fixedbugs/issue5162.go
10047go117/test/fixedbugs/issue5172.go 10050go117/test/fixedbugs/issue5172.go
10048go117/test/fixedbugs/issue5231.go 10051go117/test/fixedbugs/issue5231.go
10049go117/test/fixedbugs/issue5244.go 10052go117/test/fixedbugs/issue5244.go
10050go117/test/fixedbugs/issue5259.dir/bug.go 10053go117/test/fixedbugs/issue5259.dir/bug.go
10051go117/test/fixedbugs/issue5259.dir/main.go 10054go117/test/fixedbugs/issue5259.dir/main.go
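Review bot: The two entries added at new lines 10040 and 10041, issue50671.go and issue50854.go, match none of the issues cited in the commit message (50974, 50699, 35671), so the release evidently carries changes beyond the three security fixes. Suggest adding a line to the commit message that points at the upstream 1.17.7 release notes, so readers do not assume the update is limited to the listed CVEs.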

cvs diff -r1.12 -r1.13 pkgsrc/lang/go117/Attic/distinfo

--- pkgsrc/lang/go117/Attic/distinfo 2022/01/09 19:54:47 1.12
+++ pkgsrc/lang/go117/Attic/distinfo 2022/02/12 20:14:01 1.13
@@ -1,10 +1,10 @@ @@ -1,10 +1,10 @@
1$NetBSD: distinfo,v 1.12 2022/01/09 19:54:47 bsiegert Exp $ 1$NetBSD: distinfo,v 1.13 2022/02/12 20:14:01 bsiegert Exp $
2 2
3BLAKE2s (go1.17.6.src.tar.gz) = b605f798c26945919d47a661a264524426b5a592401dbb07bcd5fc6442273ffc 3BLAKE2s (go1.17.7.src.tar.gz) = 8f04f9f8153f9a0dbd75898a49a9d1298b84a73d486460706a75ba81f9970dac
4SHA512 (go1.17.6.src.tar.gz) = 59e5471d33e72208a3ca1ddf6c13aeb2b95a3291c0491571597197a260fb8cb74241c7bb09b44129c1e39f857ce4279f416c139b3ab2d7aded10002beb222ee2 4SHA512 (go1.17.7.src.tar.gz) = ee20a97d19e501ee2c11930548bcacfa8b1e8499bbae15659231548f4b03c13bc92bb20c4ce879f0956c02268e748c73ba56d8b140ce8f134501c33cc8b58d3c
5Size (go1.17.6.src.tar.gz) = 22191372 bytes 5Size (go1.17.7.src.tar.gz) = 22195583 bytes
6SHA1 (patch-misc_ios_clangwrap.sh) = 0a06403609cb7bce2e6f65444fd322f486761afe 6SHA1 (patch-misc_ios_clangwrap.sh) = 0a06403609cb7bce2e6f65444fd322f486761afe
7SHA1 (patch-src_cmd_dist_util.go) = 2d9c2f59e27672d56f5f1a0e3f9d5101a05546a7 7SHA1 (patch-src_cmd_dist_util.go) = 2d9c2f59e27672d56f5f1a0e3f9d5101a05546a7
8SHA1 (patch-src_crypto_x509_root__bsd.go) = 27636e0d8c121ccec6c46a3a82cd0e0469473a6e 8SHA1 (patch-src_crypto_x509_root__bsd.go) = 27636e0d8c121ccec6c46a3a82cd0e0469473a6e
9SHA1 (patch-src_crypto_x509_root__solaris.go) = cce8d78a5a3712a0e7a620ead232a779e4a4b21e 9SHA1 (patch-src_crypto_x509_root__solaris.go) = cce8d78a5a3712a0e7a620ead232a779e4a4b21e
10SHA1 (patch-src_syscall_zsysnum__solaris__amd64.go) = ec28a0fa37ba9599ec1651c8e9337a2efc48a26b 10SHA1 (patch-src_syscall_zsysnum__solaris__amd64.go) = ec28a0fa37ba9599ec1651c8e9337a2efc48a26b
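Review bot: Nothing in lines 3 to 5 ties the new BLAKE2s, SHA512 and Size values for go1.17.7.src.tar.gz to what upstream published; go.dev/dl lists a SHA256 for each archive, and distinfo records no SHA256 to compare against. Suggest stating in the commit message that the fetched tarball's SHA256 was checked against the upstream value before the checksums were regenerated. The four patch SHA1 lines are unchanged, so the local patch files are carried over unmodified; worth confirming that they still apply cleanly to 1.17.7.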