diff --git a/.gitignore b/.gitignore
index dcf0fb0..02baa55 100644
--- a/.gitignore
+++ b/.gitignore
@@ -72,3 +72,4 @@
 /go1.12.7.src.tar.gz
 /go1.13beta1.src.tar.gz
 /go1.13rc1.src.tar.gz
+/go1.13rc2.src.tar.gz
diff --git a/0001-release-branch.go1.13-net-http-update-bundled-golang.patch b/0001-release-branch.go1.13-net-http-update-bundled-golang.patch
deleted file mode 100644
index b92e8c0..0000000
--- a/0001-release-branch.go1.13-net-http-update-bundled-golang.patch
+++ /dev/null
@@ -1,323 +0,0 @@ -From 5c379a437e904eb1f94296fa9d45276cd6e4f5a9 Mon Sep 17 00:00:00 2001 -From: Filippo Valsorda -Date: Tue, 13 Aug 2019 16:29:01 -0400 -Subject: [PATCH] [release-branch.go1.13] net/http: update bundled - golang.org/x/net/http2 to import security fix - -Update golang.org/x/net to v0.0.0-20190813141303-74dc4d7220e7 to import -the following security fix. - - commit 74dc4d7220e7acc4e100824340f3e66577424772 - Author: Filippo Valsorda - Date: Sun Aug 11 02:12:18 2019 -0400 - - http2: limit number of control frames in server send queue - - An attacker could cause servers to queue an unlimited number of PING - ACKs or RST_STREAM frames by soliciting them and not reading them, until - the program runs out of memory. - - Limit control frames in the queue to a few thousands (matching the limit - imposed by other vendors) by counting as they enter and exit the scheduler, - so the protection will work with any WriteScheduler. - - Once the limit is exceeded, close the connection, as we have no way to - communicate with the peer. 
- - Change-Id: I842968fc6ed3eac654b497ade8cea86f7267886b - Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/525552 - Reviewed-by: Brad Fitzpatrick - -This change was generated with cmd/go and cmd/bundle: - -$ go get -u golang.org/x/net -$ go mod tidy -$ go mod vendor -$ go generate net/http - -Fixes CVE-2019-9512 and CVE-2019-9514 -Fixes #33606 - -Change-Id: I464baf96175006aa101d65d3b0f6494f28a626ab -Reviewed-on: https://go-review.googlesource.com/c/go/+/190137 -Reviewed-by: Dmitri Shuralyov -(cherry picked from commit 145e193131eb486077b66009beb051aba07c52a5) -Reviewed-on: https://go-review.googlesource.com/c/go/+/191618 -Run-TryBot: Filippo Valsorda -TryBot-Result: Gobot Gobot ---- - src/go.mod | 2 +- - src/go.sum | 4 +- - src/net/http/h2_bundle.go | 56 +++++++++++++++---- - .../x/net/lif/zsys_solaris_amd64.go | 2 +- - .../golang.org/x/net/route/zsys_darwin.go | 2 +- - .../golang.org/x/net/route/zsys_dragonfly.go | 2 +- - .../x/net/route/zsys_freebsd_386.go | 2 +- - .../x/net/route/zsys_freebsd_amd64.go | 2 +- - .../x/net/route/zsys_freebsd_arm.go | 2 +- - .../golang.org/x/net/route/zsys_netbsd.go | 2 +- - .../golang.org/x/net/route/zsys_openbsd.go | 2 +- - src/vendor/modules.txt | 2 +- - 12 files changed, 58 insertions(+), 22 deletions(-) - -diff --git a/src/go.mod b/src/go.mod -index 0d7d70f014..90af2a7ea0 100644 ---- a/src/go.mod -+++ b/src/go.mod -@@ -4,7 +4,7 @@ go 1.12 - - require ( - golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8 -- golang.org/x/net v0.0.0-20190607181551-461777fb6f67 -+ golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7 - golang.org/x/sys v0.0.0-20190529130038-5219a1e1c5f8 // indirect - golang.org/x/text v0.3.2 // indirect - ) -diff --git a/src/go.sum b/src/go.sum -index 363ee7ae23..e358118e4c 100644 ---- a/src/go.sum -+++ b/src/go.sum -@@ -2,8 +2,8 @@ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACk - golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8 
h1:1wopBVtVdWnn03fZelqdXTqk7U7zPQCb+T4rbU9ZEoU= - golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= - golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= --golang.org/x/net v0.0.0-20190607181551-461777fb6f67 h1:rJJxsykSlULwd2P2+pg/rtnwN2FrWp4IuCxOSyS0V00= --golang.org/x/net v0.0.0-20190607181551-461777fb6f67/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -+golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7 h1:fHDIZ2oxGnUZRN6WgWFCbYBjH9uqVPRCUVUDhs0wnbA= -+golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= - golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= - golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= - golang.org/x/sys v0.0.0-20190529130038-5219a1e1c5f8 h1:2WjIC11WRITGlVWmyLXKjzIVj1ZwoWZ//tadeUUV6/o= -diff --git a/src/net/http/h2_bundle.go b/src/net/http/h2_bundle.go -index 173622fc8b..53cc5bd1b8 100644 ---- a/src/net/http/h2_bundle.go -+++ b/src/net/http/h2_bundle.go -@@ -3611,10 +3611,11 @@ func (p *http2pipe) Done() <-chan struct{} { - } - - const ( -- http2prefaceTimeout = 10 * time.Second -- http2firstSettingsTimeout = 2 * time.Second // should be in-flight with preface anyway -- http2handlerChunkWriteSize = 4 << 10 -- http2defaultMaxStreams = 250 // TODO: make this 100 as the GFE seems to? -+ http2prefaceTimeout = 10 * time.Second -+ http2firstSettingsTimeout = 2 * time.Second // should be in-flight with preface anyway -+ http2handlerChunkWriteSize = 4 << 10 -+ http2defaultMaxStreams = 250 // TODO: make this 100 as the GFE seems to? 
-+ http2maxQueuedControlFrames = 10000 - ) - - var ( -@@ -3722,6 +3723,15 @@ func (s *http2Server) maxConcurrentStreams() uint32 { - return http2defaultMaxStreams - } - -+// maxQueuedControlFrames is the maximum number of control frames like -+// SETTINGS, PING and RST_STREAM that will be queued for writing before -+// the connection is closed to prevent memory exhaustion attacks. -+func (s *http2Server) maxQueuedControlFrames() int { -+ // TODO: if anybody asks, add a Server field, and remember to define the -+ // behavior of negative values. -+ return http2maxQueuedControlFrames -+} -+ - type http2serverInternalState struct { - mu sync.Mutex - activeConns map[*http2serverConn]struct{} -@@ -4065,6 +4075,7 @@ type http2serverConn struct { - sawFirstSettings bool // got the initial SETTINGS frame after the preface - needToSendSettingsAck bool - unackedSettings int // how many SETTINGS have we sent without ACKs? -+ queuedControlFrames int // control frames in the writeSched queue - clientMaxStreams uint32 // SETTINGS_MAX_CONCURRENT_STREAMS from client (our PUSH_PROMISE limit) - advMaxStreams uint32 // our SETTINGS_MAX_CONCURRENT_STREAMS advertised the client - curClientStreams uint32 // number of open streams initiated by the client -@@ -4456,6 +4467,14 @@ func (sc *http2serverConn) serve() { - } - } - -+ // If the peer is causing us to generate a lot of control frames, -+ // but not reading them from us, assume they are trying to make us -+ // run out of memory. -+ if sc.queuedControlFrames > sc.srv.maxQueuedControlFrames() { -+ sc.vlogf("http2: too many control frames in send queue, closing connection") -+ return -+ } -+ - // Start the shutdown timer after sending a GOAWAY. When sending GOAWAY - // with no error code (graceful shutdown), don't start the timer until - // all open streams have been completed. 
-@@ -4657,6 +4676,14 @@ func (sc *http2serverConn) writeFrame(wr http2FrameWriteRequest) { - } - - if !ignoreWrite { -+ if wr.isControl() { -+ sc.queuedControlFrames++ -+ // For extra safety, detect wraparounds, which should not happen, -+ // and pull the plug. -+ if sc.queuedControlFrames < 0 { -+ sc.conn.Close() -+ } -+ } - sc.writeSched.Push(wr) - } - sc.scheduleFrameWrite() -@@ -4774,10 +4801,8 @@ func (sc *http2serverConn) wroteFrame(res http2frameWriteResult) { - // If a frame is already being written, nothing happens. This will be called again - // when the frame is done being written. - // --// If a frame isn't being written we need to send one, the best frame --// to send is selected, preferring first things that aren't --// stream-specific (e.g. ACKing settings), and then finding the --// highest priority stream. -+// If a frame isn't being written and we need to send one, the best frame -+// to send is selected by writeSched. - // - // If a frame isn't being written and there's nothing else to send, we - // flush the write buffer. -@@ -4805,6 +4830,9 @@ func (sc *http2serverConn) scheduleFrameWrite() { - } - if !sc.inGoAway || sc.goAwayCode == http2ErrCodeNo { - if wr, ok := sc.writeSched.Pop(); ok { -+ if wr.isControl() { -+ sc.queuedControlFrames-- -+ } - sc.startFrameWrite(wr) - continue - } -@@ -5097,6 +5125,8 @@ func (sc *http2serverConn) processSettings(f *http2SettingsFrame) error { - if err := f.ForeachSetting(sc.processSetting); err != nil { - return err - } -+ // TODO: judging by RFC 7540, Section 6.5.3 each SETTINGS frame should be -+ // acknowledged individually, even if multiple are received before the ACK. - sc.needToSendSettingsAck = true - sc.scheduleFrameWrite() - return nil -@@ -7451,7 +7481,7 @@ func (cc *http2ClientConn) roundTrip(req *Request) (res *Response, gotErrAfterRe - req.Method != "HEAD" { - // Request gzip only, not deflate. Deflate is ambiguous and - // not as universally supported anyway. 
-- // See: http://www.gzip.org/zlib/zlib_faq.html#faq38 -+ // See: https://zlib.net/zlib_faq.html#faq39 - // - // Note that we don't request this for HEAD requests, - // due to a bug in nginx: -@@ -9445,7 +9475,7 @@ type http2WriteScheduler interface { - - // Pop dequeues the next frame to write. Returns false if no frames can - // be written. Frames with a given wr.StreamID() are Pop'd in the same -- // order they are Push'd. -+ // order they are Push'd. No frames should be discarded except by CloseStream. - Pop() (wr http2FrameWriteRequest, ok bool) - } - -@@ -9489,6 +9519,12 @@ func (wr http2FrameWriteRequest) StreamID() uint32 { - return wr.stream.id - } - -+// isControl reports whether wr is a control frame for MaxQueuedControlFrames -+// purposes. That includes non-stream frames and RST_STREAM frames. -+func (wr http2FrameWriteRequest) isControl() bool { -+ return wr.stream == nil -+} -+ - // DataSize returns the number of flow control bytes that must be consumed - // to write this entire frame. This is 0 for non-DATA frames. - func (wr http2FrameWriteRequest) DataSize() int { -diff --git a/src/vendor/golang.org/x/net/lif/zsys_solaris_amd64.go b/src/vendor/golang.org/x/net/lif/zsys_solaris_amd64.go -index b5e999bec3..d7a70d4ed9 100644 ---- a/src/vendor/golang.org/x/net/lif/zsys_solaris_amd64.go -+++ b/src/vendor/golang.org/x/net/lif/zsys_solaris_amd64.go -@@ -1,4 +1,4 @@ --// Created by cgo -godefs - DO NOT EDIT -+// Code generated by cmd/cgo -godefs; DO NOT EDIT. - // cgo -godefs defs_solaris.go - - package lif -diff --git a/src/vendor/golang.org/x/net/route/zsys_darwin.go b/src/vendor/golang.org/x/net/route/zsys_darwin.go -index 4e2e1ab090..19e4133f7d 100644 ---- a/src/vendor/golang.org/x/net/route/zsys_darwin.go -+++ b/src/vendor/golang.org/x/net/route/zsys_darwin.go -@@ -1,4 +1,4 @@ --// Created by cgo -godefs - DO NOT EDIT -+// Code generated by cmd/cgo -godefs; DO NOT EDIT. 
- // cgo -godefs defs_darwin.go - - package route -diff --git a/src/vendor/golang.org/x/net/route/zsys_dragonfly.go b/src/vendor/golang.org/x/net/route/zsys_dragonfly.go -index 719c88d11f..8ed2d4d550 100644 ---- a/src/vendor/golang.org/x/net/route/zsys_dragonfly.go -+++ b/src/vendor/golang.org/x/net/route/zsys_dragonfly.go -@@ -1,4 +1,4 @@ --// Created by cgo -godefs - DO NOT EDIT -+// Code generated by cmd/cgo -godefs; DO NOT EDIT. - // cgo -godefs defs_dragonfly.go - - package route -diff --git a/src/vendor/golang.org/x/net/route/zsys_freebsd_386.go b/src/vendor/golang.org/x/net/route/zsys_freebsd_386.go -index b03bc01f65..f36aaadb59 100644 ---- a/src/vendor/golang.org/x/net/route/zsys_freebsd_386.go -+++ b/src/vendor/golang.org/x/net/route/zsys_freebsd_386.go -@@ -1,4 +1,4 @@ --// Created by cgo -godefs - DO NOT EDIT -+// Code generated by cmd/cgo -godefs; DO NOT EDIT. - // cgo -godefs defs_freebsd.go - - package route -diff --git a/src/vendor/golang.org/x/net/route/zsys_freebsd_amd64.go b/src/vendor/golang.org/x/net/route/zsys_freebsd_amd64.go -index 0b675b3d3f..4c639b82e4 100644 ---- a/src/vendor/golang.org/x/net/route/zsys_freebsd_amd64.go -+++ b/src/vendor/golang.org/x/net/route/zsys_freebsd_amd64.go -@@ -1,4 +1,4 @@ --// Created by cgo -godefs - DO NOT EDIT -+// Code generated by cmd/cgo -godefs; DO NOT EDIT. - // cgo -godefs defs_freebsd.go - - package route -diff --git a/src/vendor/golang.org/x/net/route/zsys_freebsd_arm.go b/src/vendor/golang.org/x/net/route/zsys_freebsd_arm.go -index 58f8ea16f2..710c1472b6 100644 ---- a/src/vendor/golang.org/x/net/route/zsys_freebsd_arm.go -+++ b/src/vendor/golang.org/x/net/route/zsys_freebsd_arm.go -@@ -1,4 +1,4 @@ --// Created by cgo -godefs - DO NOT EDIT -+// Code generated by cmd/cgo -godefs; DO NOT EDIT. 
- // cgo -godefs defs_freebsd.go - - package route -diff --git a/src/vendor/golang.org/x/net/route/zsys_netbsd.go b/src/vendor/golang.org/x/net/route/zsys_netbsd.go -index e0df45e8b5..b4f66ca6cb 100644 ---- a/src/vendor/golang.org/x/net/route/zsys_netbsd.go -+++ b/src/vendor/golang.org/x/net/route/zsys_netbsd.go -@@ -1,4 +1,4 @@ --// Created by cgo -godefs - DO NOT EDIT -+// Code generated by cmd/cgo -godefs; DO NOT EDIT. - // cgo -godefs defs_netbsd.go - - package route -diff --git a/src/vendor/golang.org/x/net/route/zsys_openbsd.go b/src/vendor/golang.org/x/net/route/zsys_openbsd.go -index db8c8efb49..1021b4cea4 100644 ---- a/src/vendor/golang.org/x/net/route/zsys_openbsd.go -+++ b/src/vendor/golang.org/x/net/route/zsys_openbsd.go -@@ -1,4 +1,4 @@ --// Created by cgo -godefs - DO NOT EDIT -+// Code generated by cmd/cgo -godefs; DO NOT EDIT. - // cgo -godefs defs_openbsd.go - - package route -diff --git a/src/vendor/modules.txt b/src/vendor/modules.txt -index 20f261bf83..453a312661 100644 ---- a/src/vendor/modules.txt -+++ b/src/vendor/modules.txt -@@ -7,7 +7,7 @@ golang.org/x/crypto/hkdf - golang.org/x/crypto/internal/chacha20 - golang.org/x/crypto/internal/subtle - golang.org/x/crypto/poly1305 --# golang.org/x/net v0.0.0-20190607181551-461777fb6f67 -+# golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7 - golang.org/x/net/dns/dnsmessage - golang.org/x/net/http/httpguts - golang.org/x/net/http/httpproxy --- -2.21.0 - diff --git a/disable-tls13-fornow.patch b/disable-tls13-fornow.patch new file mode 100644 index 0000000..e019ef4 --- /dev/null +++ b/disable-tls13-fornow.patch 
@@ -0,0 +1,67 @@ +diff --git a/src/crypto/tls/common.go b/src/crypto/tls/common.go +index ef0b385848..d888d1716f 100644 +--- a/src/crypto/tls/common.go ++++ b/src/crypto/tls/common.go +@@ -808,7 +808,7 @@ func (c *Config) supportedVersions(isClient bool) []uint16 { + if isClient && v < VersionTLS10 { + continue + } +- // TLS 1.3 is opt-out in Go 1.13. ++ // TLS 1.3 is opt-in in Go 1.12. + if v == VersionTLS13 && !isTLS13Supported() { + continue + } +@@ -823,11 +823,11 @@ var tls13Support struct { + cached bool + } + +-// isTLS13Supported returns whether the program enabled TLS 1.3 by not opting +-// out with GODEBUG=tls13=0. It's cached after the first execution. ++// isTLS13Supported returns whether the program opted into TLS 1.3 via ++// GODEBUG=tls13=1. It's cached after the first execution. + func isTLS13Supported() bool { + tls13Support.Do(func() { +- tls13Support.cached = goDebugString("tls13") != "0" ++ tls13Support.cached = goDebugString("tls13") == "1" + }) + return tls13Support.cached + } +diff --git a/src/crypto/tls/tls.go b/src/crypto/tls/tls.go +index ba6d5eba15..c42f909b93 100644 +--- a/src/crypto/tls/tls.go ++++ b/src/crypto/tls/tls.go +@@ -5,9 +5,14 @@ + // Package tls partially implements TLS 1.2, as specified in RFC 5246, + // and TLS 1.3, as specified in RFC 8446. + // +-// TLS 1.3 is available on an opt-out basis in Go 1.13. To disable ++// TLS 1.3 is available only on an opt-in basis in Go 1.12. To enable + // it, set the GODEBUG environment variable (comma-separated key=value +-// options) such that it includes "tls13=0". ++// options) such that it includes "tls13=1". 
To enable it from within ++// the process, set the environment variable before any use of TLS: ++// ++// func init() { ++// os.Setenv("GODEBUG", os.Getenv("GODEBUG")+",tls13=1") ++// } + package tls + + // BUG(agl): The crypto/tls package only implements some countermeasures +diff --git a/src/crypto/tls/tls_test.go b/src/crypto/tls/tls_test.go +index b68c074855..5003381c37 100644 +--- a/src/crypto/tls/tls_test.go ++++ b/src/crypto/tls/tls_test.go +@@ -23,6 +23,13 @@ import ( + "time" + ) + ++func init() { ++ // TLS 1.3 is opt-in for Go 1.12, but we want to run most tests with it enabled. ++ // TestTLS13Switch below tests the disabled behavior. See Issue 30055. ++ tls13Support.Do(func() {}) // defuse the sync.Once ++ tls13Support.cached = true ++} ++ + var rsaCertPEM = `-----BEGIN CERTIFICATE----- + MIIB0zCCAX2gAwIBAgIJAI/M7BYjwB+uMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV + BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX diff --git a/golang.spec b/golang.spec index 66f9ead..08caf04 100644 --- a/golang.spec +++ b/golang.spec @@ -102,11 +102,11 @@ %endif %global go_api 1.13 -%global go_version 1.13rc1 +%global go_version 1.13rc2 Name: golang Version: 1.13 -Release: 0.rc1.2%{?dist} +Release: 0.rc2.1%{?dist} Summary: The Go Programming Language # source tree includes several copies of Mark.Twain-Tom.Sawyer.txt under Public Domain License: BSD and Public Domain @@ -184,7 +184,7 @@ Requires: go-srpm-macros Patch1: 0001-Don-t-use-the-bundled-tzdata-at-runtime-except-for-t.patch Patch2: 0002-syscall-expose-IfInfomsg.X__ifi_pad-on-s390x.patch Patch3: 0003-cmd-go-disable-Google-s-proxy-and-sumdb.patch -Patch4: 0001-release-branch.go1.13-net-http-update-bundled-golang.patch +Patch4: disable-tls13-fornow.patch # Having documentation separate was broken Obsoletes: %{name}-docs < 1.1-4 
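Review bot: The comments this patch introduces describe the wrong release — `// TLS 1.3 is opt-in in Go 1.12.` in supportedVersions and "TLS 1.3 is available only on an opt-in basis in Go 1.12" in the tls package doc — while the spec applies it to go1.13rc2, so the shipped source documents behavior upstream 1.13 does not have and attributes it to a release this is not. Suggest wording along the lines of `// TLS 1.3 is opt-in in this build: set GODEBUG=tls13=1 to enable it (distribution patch, BZ#1737471).` in both places, so a reader of the patched tree knows it is a packaging decision and where it is tracked. The patch file itself has no header explaining why TLS 1.3 is held back or when the patch is meant to be dropped; the "fornow" in the file name is the only hint, and a short description at the top of the patch would make that auditable. Note also that the tls_test.go init() forces tls13Support.cached = true, so as its comment says only TestTLS13Switch exercises the disabled-by-default path that the package actually ships.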
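Review bot: The Patch4 line swaps out 0001-release-branch.go1.13-net-http-update-bundled-golang.patch for disable-tls13-fornow.patch, so the backport of the CVE-2019-9512 / CVE-2019-9514 fix that rc1.2 added disappears from the build without the spec or the changelog saying why. Presumably go1.13rc2 already carries the upstream cherry-pick (the deleted patch header references go-review 191618 on release-branch.go1.13), but someone auditing the package for those CVEs should not have to infer that. A changelog line such as `- Drop 0001-release-branch.go1.13-net-http-update-bundled-golang.patch, fix for CVE-2019-9512 and CVE-2019-9514 is included in go1.13rc2` would keep the trail, and a `# BZ#1737471` comment next to the new Patch4 would tie the TLS 1.3 change to its tracking bug.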
@@ -550,6 +550,11 @@ fi %endif %changelog +* Fri Aug 30 2019 Jakub Čajka - 1.13-0.rc2.1 +- Rebase to go1.13rc2 +- Do not enable tls1.3 by default +- Related: BZ#1737471 + * Wed Aug 28 2019 Jakub Čajka - 1.13-0.rc1.2 - Actually fix CVE-2019-9514 and CVE-2019-9512 - Related: BZ#1741816, BZ#1741827 diff --git a/sources b/sources index bc615ef..b06a78c 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (go1.13rc1.src.tar.gz) = 05619b580ed910a7ffbee7c1d90f3f6b71c1bc34decea575aa106786c9f4a0c794d20440bde9a6b2a774ca8a27361b1f550d094211c52325a1ef078c5779089b +SHA512 (go1.13rc2.src.tar.gz) = 3f9b3d93398945b8dd757b574b4647802635ef9bba1cb04229d8e224d04a03a5feca888d3c740f3da9133d55fb3a2c972256c0ae176ca2938ac6ecc47aa44b0b