Wed Jul 13 14:14:18 2022 UTC ()
go117: update to 1.17.12 (security update)

This minor release includes 9 security fixes following the security policy:

net/http: improper sanitization of Transfer-Encoding header

The HTTP/1 client accepted some invalid Transfer-Encoding headers as indicating
a "chunked" encoding. This could potentially allow for request smuggling, but
only if combined with an intermediate server that also improperly failed to
reject the header as invalid.

This is CVE-2022-1705 and https://go.dev/issue/53188.

When httputil.ReverseProxy.ServeHTTP was called with a Request.Header map
containing a nil value for the X-Forwarded-For header, ReverseProxy would set
the client IP as the value of the X-Forwarded-For header, contrary to its
documentation. In the more usual case where a Director function set the
X-Forwarded-For header value to nil, ReverseProxy would leave the header
unmodified as expected.

This is https://go.dev/issue/53423 and CVE-2022-32148.

Thanks to Christian Mehlmauer for reporting this issue.

compress/gzip: stack exhaustion in Reader.Read

Calling Reader.Read on an archive containing a large number of concatenated
0-length compressed files can cause a panic due to stack exhaustion.

This is CVE-2022-30631 and Go issue https://go.dev/issue/53168.

encoding/xml: stack exhaustion in Unmarshal

Calling Unmarshal on an XML document into a Go struct which has a nested field
that uses the any field tag can cause a panic due to stack exhaustion.

This is CVE-2022-30633 and Go issue https://go.dev/issue/53611.

encoding/xml: stack exhaustion in Decoder.Skip

Calling Decoder.Skip when parsing a deeply nested XML document can cause a
panic due to stack exhaustion.

The Go Security team discovered this issue, and it was independently reported
by Juho Nurminen of Mattermost.

This is CVE-2022-28131 and Go issue https://go.dev/issue/53614.

encoding/gob: stack exhaustion in Decoder.Decode

Calling Decoder.Decode on a message which contains deeply nested structures can
cause a panic due to stack exhaustion.

This is CVE-2022-30635 and Go issue https://go.dev/issue/53615.

path/filepath: stack exhaustion in Glob

Calling Glob on a path which contains a large number of path separators can
cause a panic due to stack exhaustion.

Thanks to Juho Nurminen of Mattermost for reporting this issue.

This is CVE-2022-30632 and Go issue https://go.dev/issue/53416.

io/fs: stack exhaustion in Glob

Calling Glob on a path which contains a large number of path separators can
cause a panic due to stack exhaustion.

This is CVE-2022-30630 and Go issue https://go.dev/issue/53415.

go/parser: stack exhaustion in all Parse* functions

Calling any of the Parse functions on Go source code which contains deeply
nested types or declarations can cause a panic due to stack exhaustion.

Thanks to Juho Nurminen of Mattermost for reporting this issue.

This is CVE-2022-1962 and Go issue https://go.dev/issue/53616.


(bsiegert)
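As an added example (not part of this commit or of the Go project), a defender-side pre-check for the two encoding/xml stack-exhaustion entries above: untrusted XML is walked once with Decoder.Token, which tracks nesting iteratively, and rejected beyond a nesting limit before Unmarshal or Skip ever recurse into it. This matters because a Go stack-exhaustion panic is a fatal runtime error that recover() cannot catch, so the only place to stop it is before the recursive call. ErrTooDeep, CheckDepth, UnmarshalBounded, the nested() sample builder and the 32-level limit are all assumed names and values chosen for this illustration.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
	"io"
	"strings"
)

// ErrTooDeep is returned when the document nests deeper than the caller allows.
var ErrTooDeep = errors.New("xml: element nesting exceeds limit")

// CheckDepth walks the token stream once and fails as soon as element nesting
// passes maxDepth; Decoder.Token tracks nesting iteratively, not by recursion.
func CheckDepth(r io.Reader, maxDepth int) error {
	dec := xml.NewDecoder(r)
	depth := 0
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return nil
		}
		if err != nil {
			return err // malformed input is rejected, not skipped
		}
		switch tok.(type) {
		case xml.StartElement:
			if depth++; depth > maxDepth {
				return ErrTooDeep
			}
		case xml.EndElement:
			depth--
		}
	}
}

// UnmarshalBounded hands untrusted XML to xml.Unmarshal only after the depth
// check passes; cap the byte size upstream as well (e.g. http.MaxBytesReader).
func UnmarshalBounded(data []byte, maxDepth int, v interface{}) error {
	if err := CheckDepth(strings.NewReader(string(data)), maxDepth); err != nil {
		return err
	}
	return xml.Unmarshal(data, v)
}

// nested builds a constructed sample document n elements deep.
func nested(n int) string { return strings.Repeat("<a>", n) + "x" + strings.Repeat("</a>", n) }

func main() { fmt.Println(CheckDepth(strings.NewReader(nested(100)), 32) == ErrTooDeep) } // true
```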
diff -r1.151 -r1.152 pkgsrc/lang/go/version.mk
diff -r1.6 -r1.7 pkgsrc/lang/go117/Makefile
diff -r1.10 -r1.11 pkgsrc/lang/go117/PLIST
diff -r1.17 -r1.18 pkgsrc/lang/go117/distinfo

cvs diff -r1.151 -r1.152 pkgsrc/lang/go/version.mk

--- pkgsrc/lang/go/version.mk 2022/06/02 18:50:40 1.151
+++ pkgsrc/lang/go/version.mk 2022/07/13 14:14:18 1.152
@@ -1,23 +1,23 @@ @@ -1,23 +1,23 @@
1# $NetBSD: version.mk,v 1.151 2022/06/02 18:50:40 bsiegert Exp $ 1# $NetBSD: version.mk,v 1.152 2022/07/13 14:14:18 bsiegert Exp $
2 2
3# 3#
4# If bsd.prefs.mk is included before go-package.mk in a package, then this 4# If bsd.prefs.mk is included before go-package.mk in a package, then this
5# file must be included directly in the package prior to bsd.prefs.mk. 5# file must be included directly in the package prior to bsd.prefs.mk.
6# 6#
7.include "go-vars.mk" 7.include "go-vars.mk"
8 8
9GO118_VERSION= 1.18.3 9GO118_VERSION= 1.18.3
10GO117_VERSION= 1.17.11 10GO117_VERSION= 1.17.12
11GO116_VERSION= 1.16.15 11GO116_VERSION= 1.16.15
12GO110_VERSION= 1.10.8 12GO110_VERSION= 1.10.8
13GO19_VERSION= 1.9.7 13GO19_VERSION= 1.9.7
14GO14_VERSION= 1.4.3 14GO14_VERSION= 1.4.3
15 15
16.include "../../mk/bsd.prefs.mk" 16.include "../../mk/bsd.prefs.mk"
17 17
18.if ${OPSYS} == "NetBSD" && ${OPSYS_VERSION} < 070000 18.if ${OPSYS} == "NetBSD" && ${OPSYS_VERSION} < 070000
19# 1.9 is the last Go version to support NetBSD 6 19# 1.9 is the last Go version to support NetBSD 6
20GO_VERSION_DEFAULT?= 19 20GO_VERSION_DEFAULT?= 19
21.elif ${OPSYS} == "Darwin" && ${OPSYS_VERSION} < 101000 21.elif ${OPSYS} == "Darwin" && ${OPSYS_VERSION} < 101000
22# go 1.11 removed support for osx 10.8 and 10.9 22# go 1.11 removed support for osx 10.8 and 10.9
23# https://github.com/golang/go/issues/23122 23# https://github.com/golang/go/issues/23122
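Review bot: only GO117_VERSION moves in this hunk; GO118_VERSION stays at 1.18.3 on the line directly above it. If the 1.18 line received the same nine fixes in its companion release, go118 needs a matching bump, and it would help readers of the commit message to state that go117 is the only package updated here.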

cvs diff -r1.6 -r1.7 pkgsrc/lang/go117/Attic/Makefile

--- pkgsrc/lang/go117/Attic/Makefile 2022/06/28 11:34:12 1.6
+++ pkgsrc/lang/go117/Attic/Makefile 2022/07/13 14:14:18 1.7
@@ -1,16 +1,15 @@ @@ -1,16 +1,15 @@
1# $NetBSD: Makefile,v 1.6 2022/06/28 11:34:12 wiz Exp $ 1# $NetBSD: Makefile,v 1.7 2022/07/13 14:14:18 bsiegert Exp $
2 2
3PKGREVISION= 1 
4.include "../../lang/go/version.mk" 3.include "../../lang/go/version.mk"
5.include "../../lang/go/bootstrap.mk" 4.include "../../lang/go/bootstrap.mk"
6 5
7GOVERSSUFFIX= 117 6GOVERSSUFFIX= 117
8 7
9DISTNAME= go${GO${GOVERSSUFFIX}_VERSION}.src 8DISTNAME= go${GO${GOVERSSUFFIX}_VERSION}.src
10PKGNAME= go${GOVERSSUFFIX}-${GO${GOVERSSUFFIX}_VERSION} 9PKGNAME= go${GOVERSSUFFIX}-${GO${GOVERSSUFFIX}_VERSION}
11CATEGORIES= lang 10CATEGORIES= lang
12MASTER_SITES= https://storage.googleapis.com/golang/ 11MASTER_SITES= https://storage.googleapis.com/golang/
13 12
14MAINTAINER= bsiegert@NetBSD.org 13MAINTAINER= bsiegert@NetBSD.org
15HOMEPAGE= https://golang.org/ 14HOMEPAGE= https://golang.org/
16COMMENT= The Go programming language 15COMMENT= The Go programming language
@@ -83,26 +82,31 @@ SUBST_SED.grplist= -e 's,return getgroup @@ -83,26 +82,31 @@ SUBST_SED.grplist= -e 's,return getgroup
83 82
84PLIST_SUBST+= GOVERSSUFFIX=${GOVERSSUFFIX} 83PLIST_SUBST+= GOVERSSUFFIX=${GOVERSSUFFIX}
85 84
86PLIST_VARS+= pty route 85PLIST_VARS+= pty route
87 86
88.if ${OPSYS} != "SunOS" 87.if ${OPSYS} != "SunOS"
89PLIST.pty= yes 88PLIST.pty= yes
90.endif 89.endif
91 90
92.if ${OPSYS} != "Linux" && ${OPSYS} != "SunOS" 91.if ${OPSYS} != "Linux" && ${OPSYS} != "SunOS"
93PLIST.route= yes 92PLIST.route= yes
94.endif 93.endif
95 94
 95PRINT_PLIST_AWK+= /^bin\/go${GOVERSSUFFIX}/ { print "bin/go$${GOVERSSUFFIX}"; next; }
 96PRINT_PLIST_AWK+= /^bin\/gofmt${GOVERSSUFFIX}/ { print "bin/gofmt$${GOVERSSUFFIX}"; next; }
 97PRINT_PLIST_AWK+= /internal\/pty\.a/ { printf "%s", "$${PLIST.pty}"; }
 98PRINT_PLIST_AWK+= /x\/net\/route\.a/ { printf "%s", "$${PLIST.route}"; }
 99
96post-extract: 100post-extract:
97 ${RM} -r -f ${WRKSRC}/test/fixedbugs/issue27836* 101 ${RM} -r -f ${WRKSRC}/test/fixedbugs/issue27836*
98 102
99do-build: 103do-build:
100 cd ${WRKSRC}/src && \ 104 cd ${WRKSRC}/src && \
101 env \ 105 env \
102 GOROOT_BOOTSTRAP=${GOROOT_BOOTSTRAP:Q} \ 106 GOROOT_BOOTSTRAP=${GOROOT_BOOTSTRAP:Q} \
103 GOROOT_FINAL=${GOROOT_FINAL:Q} \ 107 GOROOT_FINAL=${GOROOT_FINAL:Q} \
104 ${GOOPT} \ 108 ${GOOPT} \
105 GOCACHE=${WRKDIR}/.cache/go-build \ 109 GOCACHE=${WRKDIR}/.cache/go-build \
106 ${BASH} ./make.bash 110 ${BASH} ./make.bash
107# for RELRO build: 111# for RELRO build:
108# cd ${WRKSRC}/src && env GOROOT_BOOTSTRAP=${GOROOT_BOOTSTRAP:Q} GOROOT_FINAL=${GOROOT_FINAL:Q} GO_LDFLAGS="-buildmode=pie" ${GOOPT} ${BASH} ./make.bash 112# cd ${WRKSRC}/src && env GOROOT_BOOTSTRAP=${GOROOT_BOOTSTRAP:Q} GOROOT_FINAL=${GOROOT_FINAL:Q} GO_LDFLAGS="-buildmode=pie" ${GOOPT} ${BASH} ./make.bash
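Review bot: the two new PRINT_PLIST_AWK patterns for pty and route (`/internal\/pty\.a/` and `/x\/net\/route\.a/`) are unanchored substring matches, so any future archive whose path merely ends in `internal/pty.a` or `x/net/route.a` would also receive the `${PLIST.pty}` / `${PLIST.route}` prefix; anchoring them on the full path under go117/ would make `make print-PLIST` output more predictable. The `$${...}` doubling is correct as written: make collapses it so awk emits a literal `${GOVERSSUFFIX}` and `${PLIST.pty}` into the generated PLIST, which is what the PLIST_SUBST line earlier in this file expects.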

cvs diff -r1.10 -r1.11 pkgsrc/lang/go117/Attic/PLIST

--- pkgsrc/lang/go117/Attic/PLIST 2022/06/02 18:19:26 1.10
+++ pkgsrc/lang/go117/Attic/PLIST 2022/07/13 14:14:18 1.11
@@ -1,16 +1,16 @@ @@ -1,16 +1,16 @@
1@comment $NetBSD: PLIST,v 1.10 2022/06/02 18:19:26 bsiegert Exp $ 1@comment $NetBSD: PLIST,v 1.11 2022/07/13 14:14:18 bsiegert Exp $
2bin/go117 2bin/go${GOVERSSUFFIX}
3bin/gofmt117 3bin/gofmt${GOVERSSUFFIX}
4go117/AUTHORS 4go117/AUTHORS
5go117/CONTRIBUTING.md 5go117/CONTRIBUTING.md
6go117/CONTRIBUTORS 6go117/CONTRIBUTORS
7go117/LICENSE 7go117/LICENSE
8go117/PATENTS 8go117/PATENTS
9go117/README.md 9go117/README.md
10go117/SECURITY.md 10go117/SECURITY.md
11go117/VERSION 11go117/VERSION
12go117/api/README 12go117/api/README
13go117/api/except.txt 13go117/api/except.txt
14go117/api/go1.1.txt 14go117/api/go1.1.txt
15go117/api/go1.10.txt 15go117/api/go1.10.txt
16go117/api/go1.11.txt 16go117/api/go1.11.txt
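Review bot: only the two bin/ entries switch to `${GOVERSSUFFIX}`; every other line in this hunk, starting with `go117/AUTHORS`, still hardcodes the `go117/` prefix, so the substitution buys little on its own and leaves the PLIST half-parameterised. Either keep the file fully literal (simplest to diff against `make print-PLIST`) or substitute the directory prefix as well; `PLIST_SUBST+= GOVERSSUFFIX=${GOVERSSUFFIX}` already exists in the Makefile, so either choice is mechanically straightforward.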
@@ -2392,26 +2392,27 @@ go117/src/cmd/go/testdata/script/mod_con @@ -2392,26 +2392,27 @@ go117/src/cmd/go/testdata/script/mod_con
2392go117/src/cmd/go/testdata/script/mod_convert_tsv.txt 2392go117/src/cmd/go/testdata/script/mod_convert_tsv.txt
2393go117/src/cmd/go/testdata/script/mod_convert_tsv_insecure.txt 2393go117/src/cmd/go/testdata/script/mod_convert_tsv_insecure.txt
2394go117/src/cmd/go/testdata/script/mod_convert_vendor_conf.txt 2394go117/src/cmd/go/testdata/script/mod_convert_vendor_conf.txt
2395go117/src/cmd/go/testdata/script/mod_convert_vendor_json.txt 2395go117/src/cmd/go/testdata/script/mod_convert_vendor_json.txt
2396go117/src/cmd/go/testdata/script/mod_convert_vendor_manifest.txt 2396go117/src/cmd/go/testdata/script/mod_convert_vendor_manifest.txt
2397go117/src/cmd/go/testdata/script/mod_convert_vendor_yml.txt 2397go117/src/cmd/go/testdata/script/mod_convert_vendor_yml.txt
2398go117/src/cmd/go/testdata/script/mod_deprecate_message.txt 2398go117/src/cmd/go/testdata/script/mod_deprecate_message.txt
2399go117/src/cmd/go/testdata/script/mod_dir.txt 2399go117/src/cmd/go/testdata/script/mod_dir.txt
2400go117/src/cmd/go/testdata/script/mod_doc.txt 2400go117/src/cmd/go/testdata/script/mod_doc.txt
2401go117/src/cmd/go/testdata/script/mod_domain_root.txt 2401go117/src/cmd/go/testdata/script/mod_domain_root.txt
2402go117/src/cmd/go/testdata/script/mod_dot.txt 2402go117/src/cmd/go/testdata/script/mod_dot.txt
2403go117/src/cmd/go/testdata/script/mod_download.txt 2403go117/src/cmd/go/testdata/script/mod_download.txt
2404go117/src/cmd/go/testdata/script/mod_download_concurrent_read.txt 2404go117/src/cmd/go/testdata/script/mod_download_concurrent_read.txt
 2405go117/src/cmd/go/testdata/script/mod_download_git_decorate_full.txt
2405go117/src/cmd/go/testdata/script/mod_download_hash.txt 2406go117/src/cmd/go/testdata/script/mod_download_hash.txt
2406go117/src/cmd/go/testdata/script/mod_download_json.txt 2407go117/src/cmd/go/testdata/script/mod_download_json.txt
2407go117/src/cmd/go/testdata/script/mod_download_partial.txt 2408go117/src/cmd/go/testdata/script/mod_download_partial.txt
2408go117/src/cmd/go/testdata/script/mod_download_replace_file.txt 2409go117/src/cmd/go/testdata/script/mod_download_replace_file.txt
2409go117/src/cmd/go/testdata/script/mod_e.txt 2410go117/src/cmd/go/testdata/script/mod_e.txt
2410go117/src/cmd/go/testdata/script/mod_edit.txt 2411go117/src/cmd/go/testdata/script/mod_edit.txt
2411go117/src/cmd/go/testdata/script/mod_edit_go.txt 2412go117/src/cmd/go/testdata/script/mod_edit_go.txt
2412go117/src/cmd/go/testdata/script/mod_edit_no_modcache.txt 2413go117/src/cmd/go/testdata/script/mod_edit_no_modcache.txt
2413go117/src/cmd/go/testdata/script/mod_empty_err.txt 2414go117/src/cmd/go/testdata/script/mod_empty_err.txt
2414go117/src/cmd/go/testdata/script/mod_enabled.txt 2415go117/src/cmd/go/testdata/script/mod_enabled.txt
2415go117/src/cmd/go/testdata/script/mod_file_proxy.txt 2416go117/src/cmd/go/testdata/script/mod_file_proxy.txt
2416go117/src/cmd/go/testdata/script/mod_find.txt 2417go117/src/cmd/go/testdata/script/mod_find.txt
2417go117/src/cmd/go/testdata/script/mod_fs_patterns.txt 2418go117/src/cmd/go/testdata/script/mod_fs_patterns.txt
@@ -10055,26 +10056,27 @@ go117/test/fixedbugs/issue5125.go @@ -10055,26 +10056,27 @@ go117/test/fixedbugs/issue5125.go
10055go117/test/fixedbugs/issue5162.go 10056go117/test/fixedbugs/issue5162.go
10056go117/test/fixedbugs/issue5172.go 10057go117/test/fixedbugs/issue5172.go
10057go117/test/fixedbugs/issue5231.go 10058go117/test/fixedbugs/issue5231.go
10058go117/test/fixedbugs/issue5244.go 10059go117/test/fixedbugs/issue5244.go
10059go117/test/fixedbugs/issue5259.dir/bug.go 10060go117/test/fixedbugs/issue5259.dir/bug.go
10060go117/test/fixedbugs/issue5259.dir/main.go 10061go117/test/fixedbugs/issue5259.dir/main.go
10061go117/test/fixedbugs/issue5259.go 10062go117/test/fixedbugs/issue5259.go
10062go117/test/fixedbugs/issue5260.dir/a.go 10063go117/test/fixedbugs/issue5260.dir/a.go
10063go117/test/fixedbugs/issue5260.dir/b.go 10064go117/test/fixedbugs/issue5260.dir/b.go
10064go117/test/fixedbugs/issue5260.go 10065go117/test/fixedbugs/issue5260.go
10065go117/test/fixedbugs/issue5291.dir/pkg1.go 10066go117/test/fixedbugs/issue5291.dir/pkg1.go
10066go117/test/fixedbugs/issue5291.dir/prog.go 10067go117/test/fixedbugs/issue5291.dir/prog.go
10067go117/test/fixedbugs/issue5291.go 10068go117/test/fixedbugs/issue5291.go
 10069go117/test/fixedbugs/issue53454.go
10068go117/test/fixedbugs/issue5358.go 10070go117/test/fixedbugs/issue5358.go
10069go117/test/fixedbugs/issue5373.go 10071go117/test/fixedbugs/issue5373.go
10070go117/test/fixedbugs/issue5470.dir/a.go 10072go117/test/fixedbugs/issue5470.dir/a.go
10071go117/test/fixedbugs/issue5470.dir/b.go 10073go117/test/fixedbugs/issue5470.dir/b.go
10072go117/test/fixedbugs/issue5470.go 10074go117/test/fixedbugs/issue5470.go
10073go117/test/fixedbugs/issue5493.go 10075go117/test/fixedbugs/issue5493.go
10074go117/test/fixedbugs/issue5515.go 10076go117/test/fixedbugs/issue5515.go
10075go117/test/fixedbugs/issue5581.go 10077go117/test/fixedbugs/issue5581.go
10076go117/test/fixedbugs/issue5607.go 10078go117/test/fixedbugs/issue5607.go
10077go117/test/fixedbugs/issue5609.go 10079go117/test/fixedbugs/issue5609.go
10078go117/test/fixedbugs/issue5614.dir/rethinkgo.go 10080go117/test/fixedbugs/issue5614.dir/rethinkgo.go
10079go117/test/fixedbugs/issue5614.dir/x.go 10081go117/test/fixedbugs/issue5614.dir/x.go
10080go117/test/fixedbugs/issue5614.dir/y.go 10082go117/test/fixedbugs/issue5614.dir/y.go

cvs diff -r1.17 -r1.18 pkgsrc/lang/go117/Attic/distinfo

--- pkgsrc/lang/go117/Attic/distinfo 2022/06/02 18:19:26 1.17
+++ pkgsrc/lang/go117/Attic/distinfo 2022/07/13 14:14:18 1.18
@@ -1,10 +1,10 @@ @@ -1,10 +1,10 @@
1$NetBSD: distinfo,v 1.17 2022/06/02 18:19:26 bsiegert Exp $ 1$NetBSD: distinfo,v 1.18 2022/07/13 14:14:18 bsiegert Exp $
2 2
3BLAKE2s (go1.17.11.src.tar.gz) = 56f12ee3395f5ccec66790391e18f7c4e6462531f75c5ae007637472086fe374 3BLAKE2s (go1.17.12.src.tar.gz) = 061cbbc13a599a2bba01fccd6c6686c5174f4f4f6cbac8cb515ffd233ef6ad2a
4SHA512 (go1.17.11.src.tar.gz) = cd08062e3357e8e73ad05572ac575b9d8b15599bdb3ea0ca743b04936fa5cca438886e6a06d6453334b8bb5fbe1ab3512657d11651f9199d2254736a6554e71d 4SHA512 (go1.17.12.src.tar.gz) = d2bcea2a33723af5c2ae871f5c44694c69d37c74c62e81eddeaf4bfedf124feea2752997d3a359990071bf01f88942fc66b21cb092385946ad4ae9410854c8b9
5Size (go1.17.11.src.tar.gz) = 22197784 bytes 5Size (go1.17.12.src.tar.gz) = 22205674 bytes
6SHA1 (patch-misc_ios_clangwrap.sh) = 0a06403609cb7bce2e6f65444fd322f486761afe 6SHA1 (patch-misc_ios_clangwrap.sh) = 0a06403609cb7bce2e6f65444fd322f486761afe
7SHA1 (patch-src_cmd_dist_util.go) = 2d9c2f59e27672d56f5f1a0e3f9d5101a05546a7 7SHA1 (patch-src_cmd_dist_util.go) = 2d9c2f59e27672d56f5f1a0e3f9d5101a05546a7
8SHA1 (patch-src_crypto_x509_root__bsd.go) = 27636e0d8c121ccec6c46a3a82cd0e0469473a6e 8SHA1 (patch-src_crypto_x509_root__bsd.go) = 27636e0d8c121ccec6c46a3a82cd0e0469473a6e
9SHA1 (patch-src_crypto_x509_root__solaris.go) = cce8d78a5a3712a0e7a620ead232a779e4a4b21e 9SHA1 (patch-src_crypto_x509_root__solaris.go) = cce8d78a5a3712a0e7a620ead232a779e4a4b21e
10SHA1 (patch-src_syscall_zsysnum__solaris__amd64.go) = ec28a0fa37ba9599ec1651c8e9337a2efc48a26b 10SHA1 (patch-src_syscall_zsysnum__solaris__amd64.go) = ec28a0fa37ba9599ec1651c8e9337a2efc48a26b
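Review bot: the three distfile entries (BLAKE2s, SHA512, Size) all move together for go1.17.12.src.tar.gz, which is what a regenerated `make distinfo` should produce; the five `patch-*` SHA1 lines are unchanged, so none of the local patches were touched for this update. Worth confirming in the review that each of those patches still applies cleanly against the 1.17.12 tree, since this hunk gives no evidence either way, and that the new tarball's digest was checked against the upstream-published checksum before these values were committed.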