From 9ca117e19c457f39daa5b393556e298f12d351ee Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jakub=20=C4=8Cajka?= Date: Fri, 26 Jan 2018 10:36:57 +0100 Subject: [PATCH 1/3] Rebase to 1.9.3 --- .gitignore | 1 + golang.spec | 43 +++++++++++++++++++++++++++++++++++++++++-- sources | 2 +- 3 files changed, 43 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index 0b3a44f..7edd558 100644 --- a/.gitignore +++ b/.gitignore @@ -45,3 +45,4 @@ /go1.9.src.tar.gz /go1.9.1.src.tar.gz /go1.9.2.src.tar.gz +/go1.9.3.src.tar.gz diff --git a/golang.spec b/golang.spec index 363fb31..59acbf5 100644 --- a/golang.spec +++ b/golang.spec @@ -96,10 +96,10 @@ %endif %global go_api 1.9 -%global go_version 1.9.2 +%global go_version 1.9.3 Name: golang -Version: 1.9.2 +Version: 1.9.3 Release: 1%{?dist} Summary: The Go Programming Language # source tree includes several copies of Mark.Twain-Tom.Sawyer.txt under Public Domain 
@@ -124,6 +124,42 @@ BuildRequires: net-tools BuildRequires: pcre-devel, glibc-static, perl-interpreter, procps-ng Provides: go = %{version}-%{release} + +# go list -f {{.ImportPath}} ./src/vendor/... | sed "s:_$PWD/src/vendor/::g;s:_:.:;s:.*:Provides\: bundled(golang(&)):" && go list -f {{.ImportPath}} ./src/cmd/vendor/... | sed "s:_$PWD/src/cmd/vendor/::g;s:_:.:;s:.*:Provides\: bundled(golang(&)):" +Provides: bundled(golang(golang.org/x/crypto/chacha20poly1305)) +Provides: bundled(golang(golang.org/x/crypto/chacha20poly1305/internal/chacha20)) +Provides: bundled(golang(golang.org/x/crypto/curve25519)) +Provides: bundled(golang(golang.org/x/crypto/poly1305)) +Provides: bundled(golang(golang.org/x/net/http2/hpack)) +Provides: bundled(golang(golang.org/x/net/idna)) +Provides: bundled(golang(golang.org/x/net/lex/httplex)) +Provides: bundled(golang(golang.org/x/net/nettest)) +Provides: bundled(golang(golang.org/x/net/proxy)) +Provides: bundled(golang(golang.org/x/text/secure)) +Provides: bundled(golang(golang.org/x/text/secure/bidirule)) +Provides: bundled(golang(golang.org/x/text/transform)) +Provides: bundled(golang(golang.org/x/text/unicode)) +Provides: bundled(golang(golang.org/x/text/unicode/bidi)) +Provides: bundled(golang(golang.org/x/text/unicode/norm)) +Provides: bundled(golang(github.com/google/pprof)) +Provides: bundled(golang(github.com/google/pprof/driver)) +Provides: bundled(golang(github.com/google/pprof/internal/binutils)) +Provides: bundled(golang(github.com/google/pprof/internal/driver)) +Provides: bundled(golang(github.com/google/pprof/internal/elfexec)) +Provides: bundled(golang(github.com/google/pprof/internal/graph)) +Provides: bundled(golang(github.com/google/pprof/internal/measurement)) +Provides: bundled(golang(github.com/google/pprof/internal/plugin)) +Provides: bundled(golang(github.com/google/pprof/internal/proftest)) +Provides: bundled(golang(github.com/google/pprof/internal/report)) +Provides: 
bundled(golang(github.com/google/pprof/internal/symbolizer)) +Provides: bundled(golang(github.com/google/pprof/internal/symbolz)) +Provides: bundled(golang(github.com/google/pprof/profile)) +Provides: bundled(golang(github.com/google/pprof/third.party/svg)) +Provides: bundled(golang(github.com/ianlancetaylor/demangle)) +Provides: bundled(golang(golang.org/x/arch/arm/armasm)) +Provides: bundled(golang(golang.org/x/arch/ppc64/ppc64asm)) +Provides: bundled(golang(golang.org/x/arch/x86/x86asm)) + Requires: %{name}-bin = %{version}-%{release} Requires: %{name}-src = %{version}-%{release} Requires: go-srpm-macros @@ -518,6 +554,9 @@ fi %endif %changelog +* Fri Jan 26 2018 Jakub Čajka - 1.9.3-1 +- Rebase to 1.9.3 + * Thu Oct 26 2017 Jakub Čajka - 1.9.2-1 - Rebase to 1.9.2 - execute correctly pie tests diff --git a/sources b/sources index 757bcda..f19f9a1 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (go1.9.2.src.tar.gz) = 1034098575c317eeaf648629690a4dea0c479a69c3b80d9917f6b96c8781ce79c0f29859f667dc4e07d47a44972aa09bd0163a458f897cf45f9d09eb03e4abb5 +SHA512 (go1.9.3.src.tar.gz) = 31c564af58b78c648c9bece8fa2ed3334feb80316b07b16f6286319e26d317da90d1af0464c3a2f776a3da72d31b22b063dbc620b93114bf142a11e8a625e527 From 5abf0c8166f62eb45111b6bb3474d171984ddad9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jakub=20=C4=8Cajka?= Date: Thu, 8 Feb 2018 15:04:08 +0100 Subject: [PATCH 2/3] Rebase to 1.9.4 Fix CVE-2018-6574 Resolves: BZ#1543561, BZ#1543562 --- .gitignore | 1 + golang.spec | 9 +++++++-- sources | 2 +- 3 files changed, 9 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index 7edd558..cc45de7 100644 --- a/.gitignore +++ b/.gitignore @@ -46,3 +46,4 @@ /go1.9.1.src.tar.gz /go1.9.2.src.tar.gz /go1.9.3.src.tar.gz +/go1.9.4.src.tar.gz diff --git a/golang.spec b/golang.spec index 59acbf5..f086f33 100644 --- a/golang.spec +++ b/golang.spec 
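Review bot: The line `Provides: bundled(golang(github.com/google/pprof/third.party/svg))` names an import path that does not exist; the pprof tree vendored under src/cmd/vendor uses `third_party`, and the `s:_:.:` step in the generator command quoted on the preceding comment line rewrites that underscore once the `_$PWD/src/cmd/vendor/` prefix has already been stripped. The entry should read `Provides: bundled(golang(github.com/google/pprof/third_party/svg))`, and the generator comment should drop the `s:_:.:` substitution (it appears to be a leftover, since the prefix strip already removes the leading underscore `go list` prints) so a later regeneration does not reintroduce the mismatch. None of the bundled() provides carry a version; recording the vendored revision as `= <commit-or-version>` where it is known would let vulnerability tooling match these bundled copies against advisories instead of only the Go version.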
@@ -96,10 +96,10 @@ %endif %global go_api 1.9 -%global go_version 1.9.3 +%global go_version 1.9.4 Name: golang -Version: 1.9.3 +Version: 1.9.4 Release: 1%{?dist} Summary: The Go Programming Language # source tree includes several copies of Mark.Twain-Tom.Sawyer.txt under Public Domain @@ -554,6 +554,11 @@ fi %endif %changelog +* Thu Feb 08 2018 Jakub Čajka - 1.9.4-1 +- Rebase to 1.9.4 +- Fix CVE-2018-6574 +- Resolves: BZ#1543561, BZ#1543562 + * Fri Jan 26 2018 Jakub Čajka - 1.9.3-1 - Rebase to 1.9.3 diff --git a/sources b/sources index f19f9a1..06e4a51 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (go1.9.3.src.tar.gz) = 31c564af58b78c648c9bece8fa2ed3334feb80316b07b16f6286319e26d317da90d1af0464c3a2f776a3da72d31b22b063dbc620b93114bf142a11e8a625e527 +SHA512 (go1.9.4.src.tar.gz) = 1a7c830e07507ff7b89025adfb5c713444d97301f8ad47ef2564722c1e28186e946350f07e22777fbdd6f2f589c334eb01dfd589e97cb8a86f73669547badb0b From 6e78911a79e379e519188b43d3d5d01eca39b70b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jakub=20=C4=8Cajka?= Date: Sun, 4 Mar 2018 10:24:11 +0100 Subject: [PATCH 3/3] Fix CVE-2018-7187 Resolves: BZ#1546386, BZ#1546388 --- CVE-2018-7187.patch | 124 ++++++++++++++++++++++++++++++++++++++++++++ golang.spec | 10 +++- 2 files changed, 133 insertions(+), 1 deletion(-) create mode 100644 CVE-2018-7187.patch diff --git a/CVE-2018-7187.patch b/CVE-2018-7187.patch new file mode 100644 index 0000000..591ba32 --- /dev/null +++ b/CVE-2018-7187.patch 
@@ -0,0 +1,124 @@ +From c941e27e70c3e06e1011d2dd71d72a7a06a9bcbc Mon Sep 17 00:00:00 2001 +From: Ian Lance Taylor +Date: Thu, 15 Feb 2018 15:57:13 -0800 +Subject: [PATCH] cmd/go: restrict meta imports to valid schemes + +Before this change, when using -insecure, we permitted any meta import +repo root as long as it contained "://". When not using -insecure, we +restrict meta import repo roots to be valid URLs. People may depend on +that somehow, so permit meta import repo roots to be invalid URLs, but +require them to have valid schemes per RFC 3986. + +Fixes #23867 + +Change-Id: Iac666dfc75ac321bf8639dda5b0dba7c8840922d +Reviewed-on: https://go-review.googlesource.com/94603 +Reviewed-by: Brad Fitzpatrick +--- + src/cmd/go/internal/get/vcs.go | 34 +++++++++++++++++++++++++++-- + src/cmd/go/internal/get/vcs_test.go | 43 +++++++++++++++++++++++++++++++++++++ + 2 files changed, 75 insertions(+), 2 deletions(-) + +diff --git a/src/cmd/go/internal/get/vcs.go b/src/cmd/go/internal/get/vcs.go +index ee6b16a1369..dced0ed8db5 100644 +--- a/src/cmd/go/internal/get/vcs.go ++++ b/src/cmd/go/internal/get/vcs.go +@@ -809,8 +809,8 @@ func repoRootForImportDynamic(importPath string, security web.SecurityMode) (*re + } + } + +- if !strings.Contains(mmi.RepoRoot, "://") { +- return nil, fmt.Errorf("%s: invalid repo root %q; no scheme", urlStr, mmi.RepoRoot) ++ if err := validateRepoRootScheme(mmi.RepoRoot); err != nil { ++ return nil, fmt.Errorf("%s: invalid repo root %q: %v", urlStr, mmi.RepoRoot, err) + } + rr := &repoRoot{ + vcs: vcsByCmd(mmi.VCS), +@@ -824,6 +824,36 @@ func repoRootForImportDynamic(importPath string, security web.SecurityMode) (*re + return rr, nil + } + ++// validateRepoRootScheme returns an error if repoRoot does not seem ++// to have a valid URL scheme. At this point we permit things that ++// aren't valid URLs, although later, if not using -insecure, we will ++// restrict repoRoots to be valid URLs. 
This is only because we've ++// historically permitted them, and people may depend on that. ++func validateRepoRootScheme(repoRoot string) error { ++ end := strings.Index(repoRoot, "://") ++ if end <= 0 { ++ return errors.New("no scheme") ++ } ++ ++ // RFC 3986 section 3.1. ++ for i := 0; i < end; i++ { ++ c := repoRoot[i] ++ switch { ++ case 'a' <= c && c <= 'z' || 'A' <= c && c <= 'Z': ++ // OK. ++ case '0' <= c && c <= '9' || c == '+' || c == '-' || c == '.': ++ // OK except at start. ++ if i == 0 { ++ return errors.New("invalid scheme") ++ } ++ default: ++ return errors.New("invalid scheme") ++ } ++ } ++ ++ return nil ++} ++ + var fetchGroup singleflight.Group + var ( + fetchCacheMu sync.Mutex +diff --git a/src/cmd/go/internal/get/vcs_test.go b/src/cmd/go/internal/get/vcs_test.go +index 2cb611fabd8..ece78b563ce 100644 +--- a/src/cmd/go/internal/get/vcs_test.go ++++ b/src/cmd/go/internal/get/vcs_test.go +@@ -416,3 +416,46 @@ func TestMatchGoImport(t *testing.T) { + } + } + } ++ ++func TestValidateRepoRootScheme(t *testing.T) { ++ tests := []struct { ++ root string ++ err string ++ }{ ++ { ++ root: "", ++ err: "no scheme", ++ }, ++ { ++ root: "http://", ++ err: "", ++ }, ++ { ++ root: "a://", ++ err: "", ++ }, ++ { ++ root: "a#://", ++ err: "invalid scheme", ++ }, ++ { ++ root: "-config://", ++ err: "invalid scheme", ++ }, ++ } ++ ++ for _, test := range tests { ++ err := validateRepoRootScheme(test.root) ++ if err == nil { ++ if test.err != "" { ++ t.Errorf("validateRepoRootScheme(%q) = nil, want %q", test.root, test.err) ++ } ++ } else if test.err == "" { ++ if err != nil { ++ t.Errorf("validateRepoRootScheme(%q) = %q, want nil", test.root, test.err) ++ } ++ } else if err.Error() != test.err { ++ t.Errorf("validateRepoRootScheme(%q) = %q, want %q", test.root, err, test.err) ++ } ++ } ++} diff --git a/golang.spec b/golang.spec index f086f33..4e6be96 100644 --- a/golang.spec +++ b/golang.spec 
@@ -100,7 +100,7 @@ Name: golang Version: 1.9.4 -Release: 1%{?dist} +Release: 2%{?dist} Summary: The Go Programming Language # source tree includes several copies of Mark.Twain-Tom.Sawyer.txt under Public Domain License: BSD and Public Domain @@ -183,6 +183,8 @@ Patch221: use-buildmode-pie-for-pie-testing.patch # https://github.com/hyangah/go/commit/3502496d03bcd842fd7aac95ec0d7096d581cd26 Patch222: use-no-pie-where-needed.patch +Patch223: CVE-2018-7187.patch + # Having documentation separate was broken Obsoletes: %{name}-docs < 1.1-4 @@ -319,6 +321,8 @@ Requires: %{name} = %{version}-%{release} %patch221 -p1 -b pie %patch222 -p1 +%patch223 -p1 + cp %{SOURCE1} ./src/runtime/ %build @@ -554,6 +558,10 @@ fi %endif %changelog +* Sat Mar 03 2018 Jakub Čajka - 1.9.4-2 +- Fix CVE-2018-7187 +- Resolves: BZ#1546386, BZ#1546388 + * Thu Feb 08 2018 Jakub Čajka - 1.9.4-1 - Rebase to 1.9.4 - Fix CVE-2018-6574
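Review bot: `Patch223: CVE-2018-7187.patch` in the `@@ -183,6 +183,8 @@` hunk is declared without the upstream-reference comment its neighbours carry (Patch222 cites its source commit on the line above), so the provenance of the backport is only recoverable by opening the patch file. Add a comment above the declaration pointing at the upstream change, e.g. `# https://go-review.googlesource.com/94603 (upstream c941e27e70c3e06e1011d2dd71d72a7a06a9bcbc, CVE-2018-7187)`, matching the style used for Patch222. The `@@ -319,6 +321,8 @@` hunk that adds `%patch223 -p1` is consistent with the declaration and needs no change; the `@@ -554,6 +558,10 @@` changelog hunk runs past the end of this excerpt.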