Hello community, here is the log from the commit of package go1.4 for openSUSE:Factory checked in at 2017-10-17 01:53:45 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/go1.4 (Old) and /work/SRC/openSUSE:Factory/.go1.4.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "go1.4" Tue Oct 17 01:53:45 2017 rev:3 rq:534198 version:1.4.3 Changes: -------- --- /work/SRC/openSUSE:Factory/go1.4/go1.4.changes 2017-10-09 19:48:53.389820584 +0200 +++ /work/SRC/openSUSE:Factory/.go1.4.new/go1.4.changes 2017-10-17 01:53:51.546665597 +0200 @@ -1,0 +2,8 @@ +Tue Oct 10 13:22:35 UTC 2017 - [email protected] + +- Add patch to fix arbitrary code execution during “go get” or “go get -d” + (CVE-2017-15041). + bsc#1062085 + + cmd-go-reject-update-of-VCS-inside-VCS.patch + +------------------------------------------------------------------- New: ---- cmd-go-reject-update-of-VCS-inside-VCS.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ go1.4.spec ++++++ --- /var/tmp/diff_new_pack.Op6axW/_old 2017-10-17 01:53:52.710611082 +0200 +++ /var/tmp/diff_new_pack.Op6axW/_new 2017-10-17 01:53:52.718610708 +0200 @@ -58,6 +58,8 @@ Patch10: CVE-2016-5386.patch # PATCH-FIX-UPSTREAM net/smtp: fix PlainAuth to refuse to send passwords to non-TLS servers Patch11: net-smtp-fix-PlainAuth-to-refuse-to-send-passwords-to-non-TLS-servers.patch +# PATCH-FIX-UPSTREAM cmd/go: reject update of VCS inside VCS +Patch12: cmd-go-reject-update-of-VCS-inside-VCS.patch BuildRequires: rpm # for go1.4.gdbinit, directory ownership BuildRequires: gdb @@ -115,6 +117,7 @@ %patch9 -p1 %patch10 -p1 %patch11 -p1 +%patch12 -p1 cp %{SOURCE5} . # setup go_arch (BSD-like scheme) ++++++ cmd-go-reject-update-of-VCS-inside-VCS.patch ++++++ >From a4544a0f8af001d1fb6df0e70750f570ec49ccf9 Mon Sep 17 00:00:00 2001 
From: Russ Cox <[email protected]> Date: Fri, 22 Sep 2017 12:17:21 -0400 Subject: [PATCH] [release-branch.go1.8] cmd/go: reject update of VCS inside VCS Cherry-pick of CL 68110. Change-Id: Iae84c6404ab5eeb6950faa2364f97a017c67c506 Reviewed-on: https://go-review.googlesource.com/68190 Run-TryBot: Russ Cox <[email protected]> Reviewed-by: Chris Broadfoot <[email protected]> --- src/cmd/go/get.go | 5 +++++ src/cmd/go/go_test.go | 19 +++++++++++++++++ src/cmd/go/vcs.go | 58 ++++++++++++++++++++++++++++++++++++++++++++++++++- 3 files changed, 81 insertions(+), 1 deletion(-) Index: go/src/cmd/go/get.go =================================================================== --- go.orig/src/cmd/go/get.go +++ go/src/cmd/go/get.go @@ -319,6 +319,11 @@ func downloadPackage(p *Package) error { p.build.PkgRoot = filepath.Join(list[0], "pkg") } root := filepath.Join(p.build.SrcRoot, rootPath) + + if err := checkNestedVCS(vcs, root, p.build.SrcRoot); err != nil { + return err + } + // If we've considered this repository already, don't do it again. if downloadRootCache[root] { return nil Index: go/src/cmd/go/vcs.go =================================================================== --- go.orig/src/cmd/go/vcs.go +++ go/src/cmd/go/vcs.go 
@@ -432,11 +432,28 @@ func vcsForDir(p *Package) (vcs *vcsCmd,
 return nil, "", fmt.Errorf("directory %q is outside source root %q", dir, srcRoot)
 }
+ var vcsRet *vcsCmd
+ var rootRet string
+
 origDir := dir
 for len(dir) > len(srcRoot) {
 for _, vcs := range vcsList {
 if fi, err := os.Stat(filepath.Join(dir, "."+vcs.cmd)); err == nil && fi.IsDir() {
- return vcs, dir[len(srcRoot)+1:], nil
+ root := filepath.ToSlash(dir[len(srcRoot)+1:])
+ // Record first VCS we find, but keep looking,
+ // to detect mistakes like one kind of VCS inside another.
+ if vcsRet == nil {
+ vcsRet = vcs
+ rootRet = root
+ continue
+ }
+ // Allow .git inside .git, which can arise due to submodules.
+ if vcsRet == vcs && vcs.cmd == "git" {
+ continue
+ }
+ // Otherwise, we have one VCS inside a different VCS.
+ return nil, "", fmt.Errorf("directory %q uses %s, but parent %q uses %s",
+ filepath.Join(srcRoot, rootRet), vcsRet.cmd, filepath.Join(srcRoot, root), vcs.cmd)
 }
 }
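Review bot: The added `root := filepath.ToSlash(dir[len(srcRoot)+1:])` changes what vcsForDir returns on Windows, from the native-separator form the removed line returned to a slash-separated one, and that value now escapes via `return vcsRet, rootRet, nil` in the next hunk. If the slash form is intended for callers, a sentence in the function's doc comment saying the returned root is slash-separated would make the contract visible; if it is only wanted for the error message, keep the `ToSlash` in the `fmt.Errorf` arguments and record the native form in `rootRet`. The signature and doc comment of vcsForDir are outside this hunk.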
@@ -449,9 +466,48 @@ func vcsForDir(p *Package) (vcs *vcsCmd,
 dir = ndir
 }
+ if vcsRet != nil {
+ return vcsRet, rootRet, nil
+ }
+
 return nil, "", fmt.Errorf("directory %q is not using a known version control system", origDir)
 }
+// checkNestedVCS checks for an incorrectly-nested VCS-inside-VCS
+// situation for dir, checking parents up until srcRoot.
+func checkNestedVCS(vcs *vcsCmd, dir, srcRoot string) error {
+ if len(dir) <= len(srcRoot) || dir[len(srcRoot)] != filepath.Separator {
+ return fmt.Errorf("directory %q is outside source root %q", dir, srcRoot)
+ }
+
+ otherDir := dir
+ for len(otherDir) > len(srcRoot) {
+ for _, otherVCS := range vcsList {
+ if _, err := os.Stat(filepath.Join(dir, "."+otherVCS.cmd)); err == nil {
+ // Allow expected vcs in original dir.
+ if otherDir == dir && otherVCS == vcs {
+ continue
+ }
+ // Allow .git inside .git, which can arise due to submodules.
+ if otherVCS == vcs && vcs.cmd == "git" {
+ continue
+ }
+ // Otherwise, we have one VCS inside a different VCS.
+ return fmt.Errorf("directory %q uses %s, but parent %q uses %s", dir, vcs.cmd, otherDir, otherVCS.cmd)
+ }
+ }
+ // Move to parent.
+ newDir := filepath.Dir(otherDir)
+ if len(newDir) >= len(otherDir) {
+ // Shouldn't happen, but just in case, stop.
+ break
+ }
+ otherDir = newDir
+ }
+
+ return nil
+}
+
 // repoRoot represents a version control system, a repo, and a root of
 // where to put it on disk.
 type repoRoot struct {
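Review bot: The stat inside checkNestedVCS's parent walk looks at `dir` instead of the loop variable `otherDir` (`os.Stat(filepath.Join(dir, "."+otherVCS.cmd))`), so every iteration re-examines the original directory and the ancestors between it and srcRoot, which this function exists to inspect, are never checked. This has two visible effects: a foreign VCS marker in a parent goes undetected here, and when `dir` already exists and uses a non-git VCS, the second iteration finds dir's own marker with `otherDir != dir`, skips both `continue` cases, and reports a spurious "parent uses" error naming the same VCS twice. The line should read `if _, err := os.Stat(filepath.Join(otherDir, "."+otherVCS.cmd)); err == nil {`. Since the get.go hunk calls this on `root` before the download, where the directory may not exist yet, the protection that hunk adds appears to depend on this walk actually reaching the parents. A smaller inconsistency: vcsForDir in the previous hunk requires the marker to be a directory via `fi.IsDir()`, while this loop accepts any path named `.`+cmd; that is the more conservative side, but a one-line comment stating it is deliberate would stop the next reader from "fixing" it.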
