From 66a92c4de7426b0fa8fc79f409395dd963ae6fed Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jakub=20=C4=8Cajka?= Date: Wed, 4 Apr 2018 10:10:28 +0200 Subject: [PATCH] Rebase to 1.10.1 Resolves: BZ#1562270 --- .gitignore | 1 + CVE-2018-7187.patch | 124 -------------------------------------------- golang.spec | 14 ++--- sources | 2 +- 4 files changed, 9 insertions(+), 132 deletions(-) delete mode 100644 CVE-2018-7187.patch diff --git a/.gitignore b/.gitignore index 03efc44..4cbb603 100644 --- a/.gitignore +++ b/.gitignore @@ -50,3 +50,4 @@ /go1.10rc1.src.tar.gz /go1.10rc2.src.tar.gz /go1.10.src.tar.gz +/go1.10.1.src.tar.gz diff --git a/CVE-2018-7187.patch b/CVE-2018-7187.patch deleted file mode 100644 index 591ba32..0000000 --- a/CVE-2018-7187.patch +++ /dev/null @@ -1,124 +0,0 @@ -From c941e27e70c3e06e1011d2dd71d72a7a06a9bcbc Mon Sep 17 00:00:00 2001 -From: Ian Lance Taylor -Date: Thu, 15 Feb 2018 15:57:13 -0800 -Subject: [PATCH] cmd/go: restrict meta imports to valid schemes - -Before this change, when using -insecure, we permitted any meta import -repo root as long as it contained "://". When not using -insecure, we -restrict meta import repo roots to be valid URLs. People may depend on -that somehow, so permit meta import repo roots to be invalid URLs, but -require them to have valid schemes per RFC 3986. - -Fixes #23867 - -Change-Id: Iac666dfc75ac321bf8639dda5b0dba7c8840922d -Reviewed-on: https://go-review.googlesource.com/94603 -Reviewed-by: Brad Fitzpatrick ---- - src/cmd/go/internal/get/vcs.go | 34 +++++++++++++++++++++++++++-- - src/cmd/go/internal/get/vcs_test.go | 43 +++++++++++++++++++++++++++++++++++++ - 2 files changed, 75 insertions(+), 2 deletions(-) - -diff --git a/src/cmd/go/internal/get/vcs.go b/src/cmd/go/internal/get/vcs.go -index ee6b16a1369..dced0ed8db5 100644 ---- a/src/cmd/go/internal/get/vcs.go -+++ b/src/cmd/go/internal/get/vcs.go -@@ -809,8 +809,8 @@ func repoRootForImportDynamic(importPath string, security web.SecurityMode) (*re - } - } - -- if !strings.Contains(mmi.RepoRoot, "://") { -- return nil, fmt.Errorf("%s: invalid repo root %q; no scheme", urlStr, mmi.RepoRoot) -+ if err := validateRepoRootScheme(mmi.RepoRoot); err != nil { -+ return nil, fmt.Errorf("%s: invalid repo root %q: %v", urlStr, mmi.RepoRoot, err) - } - rr := &repoRoot{ - vcs: vcsByCmd(mmi.VCS), -@@ -824,6 +824,36 @@ func repoRootForImportDynamic(importPath string, security web.SecurityMode) (*re - return rr, nil - } - -+// validateRepoRootScheme returns an error if repoRoot does not seem -+// to have a valid URL scheme. At this point we permit things that -+// aren't valid URLs, although later, if not using -insecure, we will -+// restrict repoRoots to be valid URLs. This is only because we've -+// historically permitted them, and people may depend on that. -+func validateRepoRootScheme(repoRoot string) error { -+ end := strings.Index(repoRoot, "://") -+ if end <= 0 { -+ return errors.New("no scheme") -+ } -+ -+ // RFC 3986 section 3.1. -+ for i := 0; i < end; i++ { -+ c := repoRoot[i] -+ switch { -+ case 'a' <= c && c <= 'z' || 'A' <= c && c <= 'Z': -+ // OK. -+ case '0' <= c && c <= '9' || c == '+' || c == '-' || c == '.': -+ // OK except at start. -+ if i == 0 { -+ return errors.New("invalid scheme") -+ } -+ default: -+ return errors.New("invalid scheme") -+ } -+ } -+ -+ return nil -+} -+ - var fetchGroup singleflight.Group - var ( - fetchCacheMu sync.Mutex -diff --git a/src/cmd/go/internal/get/vcs_test.go b/src/cmd/go/internal/get/vcs_test.go -index 2cb611fabd8..ece78b563ce 100644 ---- a/src/cmd/go/internal/get/vcs_test.go -+++ b/src/cmd/go/internal/get/vcs_test.go -@@ -416,3 +416,46 @@ func TestMatchGoImport(t *testing.T) { - } - } - } -+ -+func TestValidateRepoRootScheme(t *testing.T) { -+ tests := []struct { -+ root string -+ err string -+ }{ -+ { -+ root: "", -+ err: "no scheme", -+ }, -+ { -+ root: "http://", -+ err: "", -+ }, -+ { -+ root: "a://", -+ err: "", -+ }, -+ { -+ root: "a#://", -+ err: "invalid scheme", -+ }, -+ { -+ root: "-config://", -+ err: "invalid scheme", -+ }, -+ } -+ -+ for _, test := range tests { -+ err := validateRepoRootScheme(test.root) -+ if err == nil { -+ if test.err != "" { -+ t.Errorf("validateRepoRootScheme(%q) = nil, want %q", test.root, test.err) -+ } -+ } else if test.err == "" { -+ if err != nil { -+ t.Errorf("validateRepoRootScheme(%q) = %q, want nil", test.root, test.err) -+ } -+ } else if err.Error() != test.err { -+ t.Errorf("validateRepoRootScheme(%q) = %q, want %q", test.root, err, test.err) -+ } -+ } -+} diff --git a/golang.spec b/golang.spec index 6da4d5c..c97f8aa 100644 --- a/golang.spec +++ b/golang.spec @@ -102,11 +102,11 @@ %endif %global go_api 1.10 -%global go_version 1.10 +%global go_version 1.10.1 Name: golang -Version: 1.10 -Release: 2%{?dist} +Version: 1.10.1 +Release: 1%{?dist} Summary: The Go Programming Language # source tree includes several copies of Mark.Twain-Tom.Sawyer.txt under Public Domain License: BSD and Public Domain @@ -185,8 +185,6 @@ Patch219: s390x-expose-IfInfomsg-X__ifi_pad.patch # Proposed patch by jcajka https://golang.org/cl/86541 Patch221: golang-1.10-pkgconfig-fix.patch -Patch222: CVE-2018-7187.patch - # Having documentation separate was broken Obsoletes: %{name}-docs < 1.1-4 @@ -315,8 +313,6 @@ Requires: %{name} = %{version}-%{release} %patch221 -p1 -%patch222 -p1 - cp %{SOURCE1} ./src/runtime/ %build @@ -552,6 +548,10 @@ fi %endif %changelog +* Wed Apr 04 2018 Jakub Čajka - 1.10.1-1 +- Rebase to 1.10.1 +- Resolves: BZ#1562270 + * Sat Mar 03 2018 Jakub Čajka - 1.10-2 - Fix CVE-2018-7187 - Resolves: BZ#1546386, BZ#1546388 diff --git a/sources b/sources index af2085f..ade4700 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (go1.10.src.tar.gz) = 59f089e1ffb2d3aba5ada329d4f0d1181c3c4f01fa64f19d0b753f8a989cb59cf290ad88d215cadc18ef99aba8518e44c9bc258c07eaffc834c55e4a37bd4651 +SHA512 (go1.10.1.src.tar.gz) = 13f6b0643a4f92eeca04444b9fa10de38fc3427daea9aa3227cf9a5738ffee1a3f2e355ba5faf711b8506f7de118bdcd3b9064b65407a22613523e29ffd73415