Hello community,

here is the log from the commit of package go1.7 for openSUSE:Factory checked 
in at 2017-10-18 10:45:57
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/go1.7 (Old)
 and      /work/SRC/openSUSE:Factory/.go1.7.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "go1.7"

Wed Oct 18 10:45:57 2017 rev:6 rq:534233 version:1.7.5

Changes:
--------
--- /work/SRC/openSUSE:Factory/go1.7/go1.7.changes      2017-10-13 
14:08:24.524488077 +0200
+++ /work/SRC/openSUSE:Factory/.go1.7.new/go1.7.changes 2017-10-18 
10:45:58.993547713 +0200
@@ -1,0 +2,16 @@
+Fri Oct 13 15:42:59 UTC 2017 - [email protected]
+
+- Build with gcc7-go in openSUSE:Factory
+- Added path:
+  * gcc7-go.patch
+    + execute %{_bindir}/go-7 instead of %{_bindir}/go
+
+-------------------------------------------------------------------
+Tue Oct 10 13:54:48 UTC 2017 - [email protected]
+
+- Add patch to fix arbitrary code execution during “go get” or “go get -d”
+  (CVE-2017-15041).
+  bsc#1062085
+  + cmd-go-reject-update-of-VCS-inside-VCS.patch
+
+-------------------------------------------------------------------

New:
----
  cmd-go-reject-update-of-VCS-inside-VCS.patch
  gcc7-go.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ go1.7.spec ++++++
--- /var/tmp/diff_new_pack.ca7D5i/_old  2017-10-18 10:46:00.381482508 +0200
+++ /var/tmp/diff_new_pack.ca7D5i/_new  2017-10-18 10:46:00.381482508 +0200
@@ -95,7 +95,9 @@
 # PATCH-FIX-OPENSUSE fix_certificates_lookup.patch [email protected] -- this 
patch forces Go to look for certificates only in the openSUSE/SLE locations. It 
also fixes certificate loading on SLE11, see 
https://github.com/golang/go/issues/6391
 # PATCH-FIX-SUSE fix_certificates_lookup.patch [email protected] -- this 
patch forces Go to look for certificates only in the openSUSE/SLE locations. It 
also fixes certificate loading on SLE11, see 
https://github.com/golang/go/issues/6391
 Patch7:         fix_certificates_lookup.patch
-# PATCH-FIX-UPSTREAM [email protected] - find /usr/bin/go-5 when 
bootstrapping with gcc5-go
+# PATCH-FIX-UPSTREAM [email protected] - find /usr/bin/go-7 when 
bootstrapping with gcc7-go
+Patch8:         gcc7-go.patch
+# PATCH-FIX-UPSTREAM [email protected] - find /usr/bin/go-6 when 
bootstrapping with gcc6-go
 Patch9:         gcc6-go.patch
 # PATCH-FIX-OPENSUSE: Bump _MaxGomaxprocs to a larger number for NUMA machines.
 Patch10:        runtime-bump-MaxGomaxprocs.patch
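Review bot: The comment added above `Patch8` is tagged `PATCH-FIX-UPSTREAM`, but gcc7-go.patch as shown further down only swaps the bootstrap binary name from `bin/go` to `bin/go-7`, which looks distribution-specific rather than an upstream fix. The comment also omits the patch file name that the `fix_certificates_lookup.patch` entries carry. Something like `# PATCH-FIX-OPENSUSE gcc7-go.patch -- find /usr/bin/go-7 when bootstrapping with gcc7-go` would make it clear this patch must be carried forward rather than dropped on the next version update.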
@@ -103,10 +105,16 @@
 Patch11:        fix-carry-bug-in-x86-64-P-256-implementation.patch
 # PATCH-FIX-UPSTREAM net/smtp: fix PlainAuth to refuse to send passwords to 
non-TLS servers
 Patch12:        
net-smtp-fix-PlainAuth-to-refuse-to-send-passwords-to-non-TLS-servers.patch
+# PATCH-FIX-UPSTREAM cmd/go: reject update of VCS inside VCS
+Patch13:        cmd-go-reject-update-of-VCS-inside-VCS.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 # boostrap
 %if %{with_gccgo}
+%if 0%{?suse_version} >= 1330
+BuildRequires:  gcc7-go
+%else
 BuildRequires:  gcc6-go
+%endif
 %else
 BuildRequires:  go1.4
 %endif
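Review bot: The comment above `Patch13` does not say that this is the security fix recorded in the changelog, so someone auditing the spec alone cannot tie the patch to its advisory. Consider `# PATCH-FIX-UPSTREAM cmd-go-reject-update-of-VCS-inside-VCS.patch bsc#1062085 CVE-2017-15041 -- cmd/go: reject update of VCS inside VCS`. With the identifiers in the spec, it is harder to drop the patch by accident during a later rebase, and a grep for the CVE will find it.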
@@ -168,11 +176,16 @@
 %endif
 %patch7 -p1
 %if %{with_gccgo}
+%if 0%{?suse_version} >= 1330
+%patch8 -p1
+%else
 %patch9 -p1
 %endif
+%endif
 %patch10 -p1
 %patch11 -p1
 %patch12 -p1
+%patch13 -p1
 cp %{SOURCE4} .
 
 # setup go_arch (BSD-like scheme)

++++++ cmd-go-reject-update-of-VCS-inside-VCS.patch ++++++
>From a4544a0f8af001d1fb6df0e70750f570ec49ccf9 Mon Sep 17 00:00:00 2001
From: Russ Cox <[email protected]>
Date: Fri, 22 Sep 2017 12:17:21 -0400
Subject: [PATCH] [release-branch.go1.8] cmd/go: reject update of VCS inside
 VCS

Cherry-pick of CL 68110.

Change-Id: Iae84c6404ab5eeb6950faa2364f97a017c67c506
Reviewed-on: https://go-review.googlesource.com/68190
Run-TryBot: Russ Cox <[email protected]>
Reviewed-by: Chris Broadfoot <[email protected]>
---
 src/cmd/go/get.go     |  5 +++++
 src/cmd/go/go_test.go | 19 +++++++++++++++++
 src/cmd/go/vcs.go     | 58 ++++++++++++++++++++++++++++++++++++++++++++++++++-
 3 files changed, 81 insertions(+), 1 deletion(-)

Index: go/src/cmd/go/get.go
===================================================================
--- go.orig/src/cmd/go/get.go
+++ go/src/cmd/go/get.go
@@ -401,6 +401,11 @@ func downloadPackage(p *Package) error {
                p.build.PkgRoot = filepath.Join(list[0], "pkg")
        }
        root := filepath.Join(p.build.SrcRoot, filepath.FromSlash(rootPath))
+
+       if err := checkNestedVCS(vcs, root, p.build.SrcRoot); err != nil {
+               return err
+       }
+
        // If we've considered this repository already, don't do it again.
        if downloadRootCache[root] {
                return nil
Index: go/src/cmd/go/go_test.go
===================================================================
--- go.orig/src/cmd/go/go_test.go
+++ go/src/cmd/go/go_test.go
@@ -1235,6 +1235,25 @@ func TestGetGitDefaultBranch(t *testing.
        tg.grepStdout(`\* another-branch`, "not on correct default branch")
 }
 
+func TestAccidentalGitCheckout(t *testing.T) {
+       testenv.MustHaveExternalNetwork(t)
+       if _, err := exec.LookPath("git"); err != nil {
+               t.Skip("skipping because git binary not found")
+       }
+
+       tg := testgo(t)
+       defer tg.cleanup()
+       tg.parallel()
+       tg.tempDir("src")
+       tg.setenv("GOPATH", tg.path("."))
+
+       tg.runFail("get", "-u", "vcs-test.golang.org/go/test1-svn-git")
+       tg.grepStderr("src[\\\\/]vcs-test.* uses git, but parent 
.*src[\\\\/]vcs-test.* uses svn", "get did not fail for right reason")
+
+       tg.runFail("get", "-u", 
"vcs-test.golang.org/go/test2-svn-git/test2main")
+       tg.grepStderr("src[\\\\/]vcs-test.* uses git, but parent 
.*src[\\\\/]vcs-test.* uses svn", "get did not fail for right reason")
+}
+
 func TestErrorMessageForSyntaxErrorInTestGoFileSaysFAIL(t *testing.T) {
        tg := testgo(t)
        defer tg.cleanup()
Index: go/src/cmd/go/vcs.go
===================================================================
--- go.orig/src/cmd/go/vcs.go
+++ go/src/cmd/go/vcs.go
@@ -479,11 +479,28 @@ func vcsFromDir(dir, srcRoot string) (vc
                return nil, "", fmt.Errorf("directory %q is outside source root 
%q", dir, srcRoot)
        }
 
+       var vcsRet *vcsCmd
+       var rootRet string
+
        origDir := dir
        for len(dir) > len(srcRoot) {
                for _, vcs := range vcsList {
                        if fi, err := os.Stat(filepath.Join(dir, "."+vcs.cmd)); 
err == nil && fi.IsDir() {
-                               return vcs, 
filepath.ToSlash(dir[len(srcRoot)+1:]), nil
+                               root := filepath.ToSlash(dir[len(srcRoot)+1:])
+                               // Record first VCS we find, but keep looking,
+                               // to detect mistakes like one kind of VCS 
inside another.
+                               if vcsRet == nil {
+                                       vcsRet = vcs
+                                       rootRet = root
+                                       continue
+                               }
+                               // Allow .git inside .git, which can arise due 
to submodules.
+                               if vcsRet == vcs && vcs.cmd == "git" {
+                                       continue
+                               }
+                               // Otherwise, we have one VCS inside a 
different VCS.
+                               return nil, "", fmt.Errorf("directory %q uses 
%s, but parent %q uses %s",
+                                       filepath.Join(srcRoot, rootRet), 
vcsRet.cmd, filepath.Join(srcRoot, root), vcs.cmd)
                        }
                }
 
@@ -496,9 +513,48 @@ func vcsFromDir(dir, srcRoot string) (vc
                dir = ndir
        }
 
+       if vcsRet != nil {
+               return vcsRet, rootRet, nil
+       }
+
        return nil, "", fmt.Errorf("directory %q is not using a known version 
control system", origDir)
 }
 
+// checkNestedVCS checks for an incorrectly-nested VCS-inside-VCS
+// situation for dir, checking parents up until srcRoot.
+func checkNestedVCS(vcs *vcsCmd, dir, srcRoot string) error {
+       if len(dir) <= len(srcRoot) || dir[len(srcRoot)] != filepath.Separator {
+               return fmt.Errorf("directory %q is outside source root %q", 
dir, srcRoot)
+       }
+
+       otherDir := dir
+       for len(otherDir) > len(srcRoot) {
+               for _, otherVCS := range vcsList {
+                       if _, err := os.Stat(filepath.Join(dir, 
"."+otherVCS.cmd)); err == nil {
+                               // Allow expected vcs in original dir.
+                               if otherDir == dir && otherVCS == vcs {
+                                       continue
+                               }
+                               // Allow .git inside .git, which can arise due 
to submodules.
+                               if otherVCS == vcs && vcs.cmd == "git" {
+                                       continue
+                               }
+                               // Otherwise, we have one VCS inside a 
different VCS.
+                               return fmt.Errorf("directory %q uses %s, but 
parent %q uses %s", dir, vcs.cmd, otherDir, otherVCS.cmd)
+                       }
+               }
+               // Move to parent.
+               newDir := filepath.Dir(otherDir)
+               if len(newDir) >= len(otherDir) {
+                       // Shouldn't happen, but just in case, stop.
+                       break
+               }
+               otherDir = newDir
+       }
+
+       return nil
+}
+
 // repoRoot represents a version control system, a repo, and a root of
 // where to put it on disk.
 type repoRoot struct {
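Review bot: In the new `checkNestedVCS`, the `os.Stat` call joins `dir` rather than `otherDir`, so every pass of the parent walk re-examines the original directory and the ancestors up to `srcRoot` are never inspected. As written, the function can only notice a second VCS marker in `dir` itself; a checkout nested below a parent managed by a different VCS would pass this check. The stat should follow the loop variable: `if _, err := os.Stat(filepath.Join(otherDir, "."+otherVCS.cmd)); err == nil {`. The added test asserts the "uses git, but parent ... uses svn" message, which `vcsFromDir` also produces, so it may not exercise this path; a test that reaches `checkNestedVCS` with a differing parent VCS would pin the fix.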
++++++ gcc7-go.patch ++++++
diff --git a/src/cmd/dist/buildtool.go b/src/cmd/dist/buildtool.go
index a535316..ea739eb 100644
--- a/src/cmd/dist/buildtool.go
+++ b/src/cmd/dist/buildtool.go
@@ -119,7 +119,7 @@ func bootstrapBuildTools() {
        // Run Go 1.4 to build binaries. Use -gcflags=-l to disable inlining to
        // workaround bugs in Go 1.4's compiler. See discussion thread:
        // https://groups.google.com/d/msg/golang-dev/Ss7mCKsvk8w/Gsq7VYI0AwAJ
-       run(workspace, ShowOutput|CheckExit, pathf("%s/bin/go", 
goroot_bootstrap), "install", "-gcflags=-l", "-v", "bootstrap/...")
+       run(workspace, ShowOutput|CheckExit, pathf("%s/bin/go-7", 
goroot_bootstrap), "install", "-gcflags=-l", "-v", "bootstrap/...")
 
        // Copy binaries into tool binary directory.
        for _, name := range bootstrapDirs {
diff --git a/src/make.bash b/src/make.bash
index 1a1412a..1b2dfd4 100755
--- a/src/make.bash
+++ b/src/make.bash
@@ -118,8 +118,8 @@ echo '##### Building Go bootstrap tool.'
 echo cmd/dist
 export GOROOT="$(cd .. && pwd)"
 GOROOT_BOOTSTRAP=${GOROOT_BOOTSTRAP:-$HOME/go1.4}
-if [ ! -x "$GOROOT_BOOTSTRAP/bin/go" ]; then
-       echo "ERROR: Cannot find $GOROOT_BOOTSTRAP/bin/go." >&2
+if [ ! -x "$GOROOT_BOOTSTRAP/bin/go-7" ]; then
+       echo "ERROR: Cannot find $GOROOT_BOOTSTRAP/bin/go-7." >&2
        echo "Set \$GOROOT_BOOTSTRAP to a working Go tree >= Go 1.4." >&2
        exit 1
 fi
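Review bot: The check and its error message now look for `bin/go-7`, but the hint on the next line still says to point `$GOROOT_BOOTSTRAP` at "a working Go tree >= Go 1.4", and a stock Go tree has no `go-7` binary. Anyone who follows that hint will hit the same error again. The hint could be reworded to name what is required, e.g. `echo "Set \$GOROOT_BOOTSTRAP to a tree providing bin/go-7 (gcc7-go)." >&2`. The same stale hint remains in the make.rc hunk.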
@@ -129,7 +129,7 @@ if [ "$GOROOT_BOOTSTRAP" == "$GOROOT" ]; then
        exit 1
 fi
 rm -f cmd/dist/dist
-GOROOT="$GOROOT_BOOTSTRAP" GOOS="" GOARCH="" "$GOROOT_BOOTSTRAP/bin/go" build 
-o cmd/dist/dist ./cmd/dist
+GOROOT="$GOROOT_BOOTSTRAP" GOOS="" GOARCH="" "$GOROOT_BOOTSTRAP/bin/go-7" 
build -o cmd/dist/dist ./cmd/dist
 
 # -e doesn't propagate out of eval, so check success by hand.
 eval $(./cmd/dist/dist env -p || echo FAIL=true)
diff --git a/src/make.rc b/src/make.rc
index 243f83c..82bdd8d 100755
--- a/src/make.rc
+++ b/src/make.rc
@@ -46,13 +46,13 @@ echo cmd/dist
 GOROOT = `{cd .. && pwd}
 if(! ~ $#GOROOT_BOOTSTRAP 1)
        GOROOT_BOOTSTRAP = $home/go1.4
-if(! test -x $GOROOT_BOOTSTRAP/bin/go){
-       echo 'ERROR: Cannot find '$GOROOT_BOOTSTRAP'/bin/go.' >[1=2]
+if(! test -x $GOROOT_BOOTSTRAP/bin/go-7){
+       echo 'ERROR: Cannot find '$GOROOT_BOOTSTRAP'/bin/go-7.' >[1=2]
        echo 'Set $GOROOT_BOOTSTRAP to a working Go tree >= Go 1.4.' >[1=2]
        exit bootstrap
 }
 rm -f cmd/dist/dist
-GOROOT=$GOROOT_BOOTSTRAP GOOS='' GOARCH='' $GOROOT_BOOTSTRAP/bin/go build -o 
cmd/dist/dist ./cmd/dist
+GOROOT=$GOROOT_BOOTSTRAP GOOS='' GOARCH='' $GOROOT_BOOTSTRAP/bin/go-7 build -o 
cmd/dist/dist ./cmd/dist
 
 eval `{./cmd/dist/dist env -9}
 echo
