fix CVE-2017-15041 and CVE-2017-15042

Add race subpackage
bump to 1.7.6
2017-10-10 13:44:43 +02:00 · 2017-06-29 13:31:41 +02:00 · 2017-06-02 14:40:00 +02:00 · 2017-03-16 14:25:34 +01:00 · 2017-03-16 12:39:26 +01:00 · 2017-01-28 08:58:04 +01:00
7 changed files with 519 additions and 37 deletions
--- a/.gitignore
+++ b/.gitignore
@ -37,3 +37,5 @@
 /go1.7.1.src.tar.gz
 /go1.7.3.src.tar.gz
 /go1.7.4.src.tar.gz
+/go1.7.5.src.tar.gz
+/go1.7.6.src.tar.gz
--- a/31bit-OID-asn1.patch
+++ b/31bit-OID-asn1.patch
@ -0,0 +1,83 @@
+From 94aba76639cf4d5e30975d846bb0368db8202269 Mon Sep 17 00:00:00 2001
+From: Monis Khan <mkhan@redhat.com>
+Date: Wed, 12 Apr 2017 16:00:58 -0400
+Subject: [PATCH] encoding/asn1: support 31 bit identifiers with OID
+
+The current implementation uses a max of 28 bits when decoding an
+ObjectIdentifier.  This change makes it so that an int64 is used to
+accumulate up to 35 bits.  If the resulting data would not overflow
+an int32, it is used as an int.  Thus up to 31 bits may be used to
+represent each subidentifier of an ObjectIdentifier.
+
+Fixes #19933
+
+Change-Id: I95d74b64b24cdb1339ff13421055bce61c80243c
+Reviewed-on: https://go-review.googlesource.com/40436
+Reviewed-by: Adam Langley <agl@golang.org>
+Run-TryBot: Adam Langley <agl@golang.org>
+---
+ src/encoding/asn1/asn1.go      | 15 ++++++++++++---
+ src/encoding/asn1/asn1_test.go |  3 +++
+ 2 files changed, 15 insertions(+), 3 deletions(-)
+
+diff --git a/src/encoding/asn1/asn1.go b/src/encoding/asn1/asn1.go
+index c2c0ee420ac..65f018d0148 100644
+--- a/src/encoding/asn1/asn1.go
+++ b/src/encoding/asn1/asn1.go
+@@ -22,6 +22,7 @@ package asn1
+ import (
+ 	"errors"
+ 	"fmt"
+	"math"
+ 	"math/big"
+ 	"reflect"
+ 	"strconv"
+@@ -293,16 +294,24 @@ type Flag bool
+ // given byte slice. It returns the value and the new offset.
+ func parseBase128Int(bytes []byte, initOffset int) (ret, offset int, err error) {
+ 	offset = initOffset
+	var ret64 int64
+ 	for shifted := 0; offset < len(bytes); shifted++ {
+-		if shifted == 4 {
+		// 5 * 7 bits per byte == 35 bits of data
+		// Thus the representation is either non-minimal or too large for an int32
+		if shifted == 5 {
+ 			err = StructuralError{"base 128 integer too large"}
+ 			return
+ 		}
+-		ret <<= 7
+		ret64 <<= 7
+ 		b := bytes[offset]
+-		ret |= int(b & 0x7f)
+		ret64 |= int64(b & 0x7f)
+ 		offset++
+ 		if b&0x80 == 0 {
+			ret = int(ret64)
+			// Ensure that the returned value fits in an int on all platforms
+			if ret64 > math.MaxInt32 {
+				err = StructuralError{"base 128 integer too large"}
+			}
+ 			return
+ 		}
+ 	}
+diff --git a/src/encoding/asn1/asn1_test.go b/src/encoding/asn1/asn1_test.go
+index 9976656df89..2dd799f2362 100644
+--- a/src/encoding/asn1/asn1_test.go
+++ b/src/encoding/asn1/asn1_test.go
+@@ -7,6 +7,7 @@ package asn1
+ import (
+ 	"bytes"
+ 	"fmt"
+	"math"
+ 	"math/big"
+ 	"reflect"
+ 	"strings"
+@@ -386,6 +387,8 @@ var tagAndLengthData = []tagAndLengthTest{
+ 	{[]byte{0xa0, 0x81, 0x7f}, false, tagAndLength{}},
+ 	// Tag numbers which would overflow int32 are rejected. (The value below is 2^31.)
+ 	{[]byte{0x1f, 0x88, 0x80, 0x80, 0x80, 0x00, 0x00}, false, tagAndLength{}},
+	// Tag numbers that fit in an int32 are valid. (The value below is 2^31 - 1.)
+	{[]byte{0x1f, 0x87, 0xFF, 0xFF, 0xFF, 0x7F, 0x00}, true, tagAndLength{tag: math.MaxInt32}},
+ 	// Long tag number form may not be used for tags that fit in short form.
+ 	{[]byte{0x1f, 0x1e, 0x00}, false, tagAndLength{}},
+ }
--- a/CVE-2017-15041.patch
+++ b/CVE-2017-15041.patch
@ -0,0 +1,127 @@
+diff -up go/src/cmd/go/get.go.cve go/src/cmd/go/get.go
+--- go/src/cmd/go/get.go.cve	2017-05-23 20:35:22.000000000 +0200
+++ go/src/cmd/go/get.go	2017-10-10 10:25:24.485047705 +0200
+@@ -401,6 +401,11 @@ func downloadPackage(p *Package) error {
+ 		p.build.PkgRoot = filepath.Join(list[0], "pkg")
+ 	}
+ 	root := filepath.Join(p.build.SrcRoot, filepath.FromSlash(rootPath))
+
+	if err := checkNestedVCS(vcs, root, p.build.SrcRoot); err != nil {
+		return err
+	}
+
+ 	// If we've considered this repository already, don't do it again.
+ 	if downloadRootCache[root] {
+ 		return nil
+diff -up go/src/cmd/go/go_test.go.cve go/src/cmd/go/go_test.go
+--- go/src/cmd/go/go_test.go.cve	2017-05-23 20:35:22.000000000 +0200
+++ go/src/cmd/go/go_test.go	2017-10-10 10:25:24.485047705 +0200
+@@ -1235,6 +1235,25 @@ func TestGetGitDefaultBranch(t *testing.
+ 	tg.grepStdout(`\* another-branch`, "not on correct default branch")
+ }
+ 
+func TestAccidentalGitCheckout(t *testing.T) {
+	testenv.MustHaveExternalNetwork(t)
+	if _, err := exec.LookPath("git"); err != nil {
+		t.Skip("skipping because git binary not found")
+	}
+
+	tg := testgo(t)
+	defer tg.cleanup()
+	tg.parallel()
+	tg.tempDir("src")
+	tg.setenv("GOPATH", tg.path("."))
+
+	tg.runFail("get", "-u", "vcs-test.golang.org/go/test1-svn-git")
+	tg.grepStderr("src[\\\\/]vcs-test.* uses git, but parent .*src[\\\\/]vcs-test.* uses svn", "get did not fail for right reason")
+
+	tg.runFail("get", "-u", "vcs-test.golang.org/go/test2-svn-git/test2main")
+	tg.grepStderr("src[\\\\/]vcs-test.* uses git, but parent .*src[\\\\/]vcs-test.* uses svn", "get did not fail for right reason")
+}
+
+ func TestErrorMessageForSyntaxErrorInTestGoFileSaysFAIL(t *testing.T) {
+ 	tg := testgo(t)
+ 	defer tg.cleanup()
+diff -up go/src/cmd/go/vcs.go.cve go/src/cmd/go/vcs.go
+--- go/src/cmd/go/vcs.go.cve	2017-05-23 20:35:22.000000000 +0200
+++ go/src/cmd/go/vcs.go	2017-10-10 10:30:52.151621206 +0200
+@@ -479,11 +479,29 @@ func vcsFromDir(dir, srcRoot string) (vc
+ 		return nil, "", fmt.Errorf("directory %q is outside source root %q", dir, srcRoot)
+ 	}
+ 
+	var vcsRet *vcsCmd
+	var rootRet string
+
+ 	origDir := dir
+ 	for len(dir) > len(srcRoot) {
+ 		for _, vcs := range vcsList {
+ 			if fi, err := os.Stat(filepath.Join(dir, "."+vcs.cmd)); err == nil && fi.IsDir() {
+-				return vcs, filepath.ToSlash(dir[len(srcRoot)+1:]), nil
+				root := filepath.ToSlash(dir[len(srcRoot)+1:])
+				// Record first VCS we find, but keep looking,
+				// to detect mistakes like one kind of VCS inside another.
+				if vcsRet == nil {
+					vcsRet = vcs
+					rootRet = root
+					continue
+				}
+				// Allow .git inside .git, which can arise due to submodules.
+				if vcsRet == vcs && vcs.cmd == "git" {
+					continue
+				}
+				// Otherwise, we have one VCS inside a different VCS.
+				return nil, "", fmt.Errorf("directory %q uses %s, but parent %q uses %s",
+					filepath.Join(srcRoot, rootRet), vcsRet.cmd, filepath.Join(srcRoot, root), vcs.cmd)
+
+ 			}
+ 		}
+ 
+@@ -496,9 +514,48 @@ func vcsFromDir(dir, srcRoot string) (vc
+ 		dir = ndir
+ 	}
+ 
+	if vcsRet != nil {
+		return vcsRet, rootRet, nil
+	}
+
+ 	return nil, "", fmt.Errorf("directory %q is not using a known version control system", origDir)
+ }
+ 
+// checkNestedVCS checks for an incorrectly-nested VCS-inside-VCS
+// situation for dir, checking parents up until srcRoot.
+func checkNestedVCS(vcs *vcsCmd, dir, srcRoot string) error {
+	if len(dir) <= len(srcRoot) || dir[len(srcRoot)] != filepath.Separator {
+		return fmt.Errorf("directory %q is outside source root %q", dir, srcRoot)
+	}
+
+	otherDir := dir
+	for len(otherDir) > len(srcRoot) {
+		for _, otherVCS := range vcsList {
+			if _, err := os.Stat(filepath.Join(dir, "."+otherVCS.cmd)); err == nil {
+				// Allow expected vcs in original dir.
+				if otherDir == dir && otherVCS == vcs {
+					continue
+				}
+				// Allow .git inside .git, which can arise due to submodules.
+				if otherVCS == vcs && vcs.cmd == "git" {
+					continue
+				}
+				// Otherwise, we have one VCS inside a different VCS.
+				return fmt.Errorf("directory %q uses %s, but parent %q uses %s", dir, vcs.cmd, otherDir, otherVCS.cmd)
+			}
+		}
+		// Move to parent.
+		newDir := filepath.Dir(otherDir)
+		if len(newDir) >= len(otherDir) {
+			// Shouldn't happen, but just in case, stop.
+			break
+		}
+		otherDir = newDir
+	}
+
+	return nil
+}
+
+ // repoRoot represents a version control system, a repo, and a root of
+ // where to put it on disk.
+ type repoRoot struct {
--- a/CVE-2017-15042.patch
+++ b/CVE-2017-15042.patch
@ -0,0 +1,144 @@
+From 4be3fc33ef512532b916aa14258087e89eb47347 Mon Sep 17 00:00:00 2001
+From: Russ Cox <rsc@golang.org>
+Date: Wed, 4 Oct 2017 13:24:49 -0400
+Subject: [PATCH] [release-branch.go1.8] net/smtp: fix PlainAuth to refuse to
+ send passwords to non-TLS servers
+
+PlainAuth originally refused to send passwords to non-TLS servers
+and was documented as such.
+
+In 2013, issue #5184 was filed objecting to the TLS requirement,
+despite the fact that it is spelled out clearly in RFC 4954.
+The only possibly legitimate use case raised was using PLAIN auth
+for connections to localhost, and the suggested fix was to let the
+server decide: if it advertises that PLAIN auth is OK, believe it.
+That approach was adopted in CL 8279043 and released in Go 1.1.
+
+Unfortunately, this is exactly wrong. The whole point of the TLS
+requirement is to make sure not to send the password to the wrong
+server or to a man-in-the-middle. Instead of implementing this rule,
+CL 8279043 blindly trusts the server, so that if a man-in-the-middle
+says "it's OK, you can send me your password," PlainAuth does.
+And the documentation was not updated to reflect any of this.
+
+This CL restores the original TLS check, as required by RFC 4954
+and as promised in the documentation for PlainAuth.
+It then carves out a documented exception for connections made
+to localhost (defined as "localhost", "127.0.0.1", or "::1").
+
+Cherry-pick of CL 68170.
+
+Change-Id: I1d3729bbd33aa2f11a03f4c000e6bb473164957b
+Reviewed-on: https://go-review.googlesource.com/68023
+Run-TryBot: Russ Cox <rsc@golang.org>
+Reviewed-by: Chris Broadfoot <cbro@golang.org>
+---
+ src/net/smtp/auth.go      | 33 ++++++++++++++++++---------------
+ src/net/smtp/smtp_test.go | 32 ++++++++++++++++++++++----------
+ 2 files changed, 40 insertions(+), 25 deletions(-)
+
+diff --git a/src/net/smtp/auth.go b/src/net/smtp/auth.go
+index 3f1339ebc56..fd1a472f930 100644
+--- a/src/net/smtp/auth.go
+++ b/src/net/smtp/auth.go
+@@ -44,26 +44,29 @@ type plainAuth struct {
+ }
+ 
+ // PlainAuth returns an Auth that implements the PLAIN authentication
+-// mechanism as defined in RFC 4616.
+-// The returned Auth uses the given username and password to authenticate
+-// on TLS connections to host and act as identity. Usually identity will be
+-// left blank to act as username.
+// mechanism as defined in RFC 4616. The returned Auth uses the given
+// username and password to authenticate to host and act as identity.
+// Usually identity should be the empty string, to act as username.
+//
+// PlainAuth will only send the credentials if the connection is using TLS
+// or is connected to localhost. Otherwise authentication will fail with an
+// error, without sending the credentials.
+ func PlainAuth(identity, username, password, host string) Auth {
+ 	return &plainAuth{identity, username, password, host}
+ }
+ 
+func isLocalhost(name string) bool {
+	return name == "localhost" || name == "127.0.0.1" || name == "::1"
+}
+
+ func (a *plainAuth) Start(server *ServerInfo) (string, []byte, error) {
+-	if !server.TLS {
+-		advertised := false
+-		for _, mechanism := range server.Auth {
+-			if mechanism == "PLAIN" {
+-				advertised = true
+-				break
+-			}
+-		}
+-		if !advertised {
+-			return "", nil, errors.New("unencrypted connection")
+-		}
+	// Must have TLS, or else localhost server.
+	// Note: If TLS is not true, then we can't trust ANYTHING in ServerInfo.
+	// In particular, it doesn't matter if the server advertises PLAIN auth.
+	// That might just be the attacker saying
+	// "it's ok, you can trust me with your password."
+	if !server.TLS && !isLocalhost(server.Name) {
+		return "", nil, errors.New("unencrypted connection")
+ 	}
+ 	if server.Name != a.host {
+ 		return "", nil, errors.New("wrong host name")
+diff --git a/src/net/smtp/smtp_test.go b/src/net/smtp/smtp_test.go
+index c48fae6d5ac..15eaca524be 100644
+--- a/src/net/smtp/smtp_test.go
+++ b/src/net/smtp/smtp_test.go
+@@ -60,29 +60,41 @@ testLoop:
+ }
+ 
+ func TestAuthPlain(t *testing.T) {
+-	auth := PlainAuth("foo", "bar", "baz", "servername")
+ 
+ 	tests := []struct {
+-		server *ServerInfo
+-		err    string
+		authName string
+		server   *ServerInfo
+		err      string
+ 	}{
+ 		{
+-			server: &ServerInfo{Name: "servername", TLS: true},
+			authName: "servername",
+			server:   &ServerInfo{Name: "servername", TLS: true},
+ 		},
+ 		{
+-			// Okay; explicitly advertised by server.
+-			server: &ServerInfo{Name: "servername", Auth: []string{"PLAIN"}},
+			// OK to use PlainAuth on localhost without TLS
+			authName: "localhost",
+			server:   &ServerInfo{Name: "localhost", TLS: false},
+ 		},
+ 		{
+-			server: &ServerInfo{Name: "servername", Auth: []string{"CRAM-MD5"}},
+-			err:    "unencrypted connection",
+			// NOT OK on non-localhost, even if server says PLAIN is OK.
+			// (We don't know that the server is the real server.)
+			authName: "servername",
+			server:   &ServerInfo{Name: "servername", Auth: []string{"PLAIN"}},
+			err:      "unencrypted connection",
+ 		},
+ 		{
+-			server: &ServerInfo{Name: "attacker", TLS: true},
+-			err:    "wrong host name",
+			authName: "servername",
+			server:   &ServerInfo{Name: "servername", Auth: []string{"CRAM-MD5"}},
+			err:      "unencrypted connection",
+		},
+		{
+			authName: "servername",
+			server:   &ServerInfo{Name: "attacker", TLS: true},
+			err:      "wrong host name",
+ 		},
+ 	}
+ 	for i, tt := range tests {
+		auth := PlainAuth("foo", "bar", "baz", tt.authName)
+ 		_, _, err := auth.Start(tt.server)
+ 		got := ""
+ 		if err != nil {
--- a/golang.spec
+++ b/golang.spec
@ -48,7 +48,7 @@
 %endif

 # Controls what ever we fail on failed tests
-%ifarch %{ix86} x86_64 %{arm} aarch64 %{power64}
+%ifarch %{ix86} x86_64 %{arm} aarch64 ppc64le
 %global fail_on_tests 1
 %else
 %global fail_on_tests 0
@ -61,6 +61,13 @@
 %global shared 0
 %endif

+# Pre build std lib with -race enabled
+%ifarch x86_64
+%global race 1
+%else
+%global race 0
+%endif
+
 # Fedora GOROOT
 %global goroot          /usr/lib/%{name}

@ -87,11 +94,11 @@
 %endif

 %global go_api 1.7
-%global go_version 1.7.4
+%global go_version 1.7.6

 Name:           golang
-Version:        1.7.4
-Release:        2%{?dist}
+Version:        1.7.6
+Release:        3%{?dist}
 Summary:        The Go Programming Language
 # source tree includes several copies of Mark.Twain-Tom.Sawyer.txt under Public Domain
 License:        BSD and Public Domain
@ -134,12 +141,17 @@ Patch215:       ./go1.5-zoneinfo_testing_only.patch
 Patch216: ppc64x-overflow-1.patch
 Patch217: ppc64x-overflow-2.patch

-# Fix for https://github.com/golang/go/issues/17276
-Patch218: tzdata-fix.patch
-
 # Proposed patch by mmunday https://golang.org/cl/35262
 Patch219: s390x-expose-IfInfomsg-X__ifi_pad.patch 

+Patch220: tzdata-fix.patch
+
+# https://github.com/golang/go/commit/94aba76639cf4d5e30975d846bb0368db8202269
+Patch221: 31bit-OID-asn1.patch
+
+Patch222: CVE-2017-15041.patch
+Patch223: CVE-2017-15042.patch
+
 # Having documentation separate was broken
 Obsoletes:      %{name}-docs < 1.1-4

@ -248,6 +260,17 @@ Summary:        Golang shared object libraries
 %{summary}.
 %endif

+%if %{race}
+%package        race
+Summary:        Golang std library with -race enabled
+%{?scl:Requires: %scl_runtime}
+
+Requires:       %{name} = %{version}-%{release}
+
+%description    race
+%{summary}
+%endif
+
 %prep
 %setup -q -n go

@ -265,10 +288,14 @@ Summary:        Golang shared object libraries
 %patch216 -p1
 %patch217 -p1

-%patch218 -p1
-
 %patch219 -p1

+%patch220 -p1
+%patch221 -p1
+
+%patch222 -p1
+%patch223 -p1
+
 %build
 # print out system information
 uname -a
@ -310,6 +337,10 @@ popd
 GOROOT=$(pwd) PATH=$(pwd)/bin:$PATH go install -buildmode=shared std
 %endif

+%if %{race}
+GOROOT=$(pwd) PATH=$(pwd)/bin:$PATH go install -race std
+%endif
+
 %install
 rm -rf $RPM_BUILD_ROOT

@ -332,11 +363,12 @@ cwd=$(pwd)
 src_list=$cwd/go-src.list
 pkg_list=$cwd/go-pkg.list
 shared_list=$cwd/go-shared.list
+race_list=$cwd/go-race.list
 misc_list=$cwd/go-misc.list
 docs_list=$cwd/go-docs.list
 tests_list=$cwd/go-tests.list
-rm -f $src_list $pkg_list $docs_list $misc_list $tests_list $shared_list
-touch $src_list $pkg_list $docs_list $misc_list $tests_list $shared_list
+rm -f $src_list $pkg_list $docs_list $misc_list $tests_list $shared_list $race_list
+touch $src_list $pkg_list $docs_list $misc_list $tests_list $shared_list $race_list
 pushd $RPM_BUILD_ROOT%{goroot}
    find src/ -type d -a \( ! -name testdata -a ! -ipath '*/testdata/*' \) -printf '%%%dir %{goroot}/%p\n' >> $src_list
    find src/ ! -type d -a \( ! -ipath '*/testdata/*' -a ! -name '*_test*.go' \) -printf '%{goroot}/%p\n' >> $src_list
@ -367,6 +399,13 @@ pushd $RPM_BUILD_ROOT%{goroot}
 	find pkg/*_dynlink/ ! -type d -printf '%{goroot}/%p\n' >> $shared_list
 %endif

+%if %{race}
+
+    find pkg/*_race/ -type d -printf '%%%dir %{goroot}/%p\n' >> $race_list
+    find pkg/*_race/ ! -type d -printf '%{goroot}/%p\n' >> $race_list
+
+%endif
+
    find test/ -type d -printf '%%%dir %{goroot}/%p\n' >> $tests_list
    find test/ ! -type d -printf '%{goroot}/%p\n' >> $tests_list
    find src/ -type d -a \( -name testdata -o -ipath '*/testdata/*' \) -printf '%%%dir %{goroot}/%p\n' >> $tests_list
@ -484,7 +523,31 @@ fi
 %files -f go-shared.list shared
 %endif

+%if %{race}
+%files -f go-race.list race
+%endif
+
 %changelog
+* Tue Oct 10 2017 Jakub Čajka <jcajka@redhat.com> - 1.7.6-3
+- fix CVE-2017-15041 and CVE-2017-15042
+
+* Thu Jun 29 2017 Jakub Čajka <jcajka@redhat.com> - 1.7.6-2
+- add race subpackage
+
+* Fri Jun 02 2017 Jakub Čajka <jcajka@redhat.com> - 1.7.6-1
+- bump to 1.7.6
+- fix CVE-2017-8932
+- add support for 31 OID in asn1 
+- Resolves: BZ#1455191
+
+* Thu Mar 16 2017 Jakub Čajka <jcajka@redhat.com> - 1.7.5-2
+- disable failure in tests on ppc64
+- include fix for tzdata-2017a
+
+* Fri Jan 27 2017 Jakub Čajka <jcajka@redhat.com> - 1.7.5-1
+- bump to go1.7.5
+- Resolves: BZ#1417002
+
 * Fri Jan 20 2017 Jakub Čajka <jcajka@redhat.com> - 1.7.4-2
 - Resolves: BZ#1404679
 - expose IfInfomsg.X__ifi_pad on s390x
--- a/2
+++ b/2
@ -1 +1 @@
-49c1076428a5d3b5ad7ac65233fcca2f  go1.7.4.src.tar.gz
+SHA512 (go1.7.6.src.tar.gz) = b01846bfb17bf91a9c493c4d6c43bbe7e17270b9e8a229a2be4032b78ef9395f5512917ea9faab74a120c755bbd53bbd816b033caadcbb7679e91702b37f8c7f
--- a/tzdata-fix.patch
+++ b/tzdata-fix.patch
@ -1,34 +1,97 @@
-From c5434f2973a87acff76bac359236e690d632ce95 Mon Sep 17 00:00:00 2001
+From 8890527476e25747f063377d637b106db0008329 Mon Sep 17 00:00:00 2001
 From: Alberto Donizetti <alb.donizetti@gmail.com>
-Date: Thu, 29 Sep 2016 13:59:10 +0200
-Subject: [PATCH] time: update test for tzdata-2016g
+Date: Thu, 9 Mar 2017 13:20:54 +0100
+Subject: [PATCH] [release-branch.go1.8] time: make the ParseInLocation test
+ more robust

-Fixes #17276
+The tzdata 2017a update (2017-02-28) changed the abbreviation of the
+Asia/Baghdad time zone (used in TestParseInLocation) from 'AST' to the
+numeric '+03'.

-Change-Id: I0188cf9bc5fdb48c71ad929cc54206d03e0b96e4
-Reviewed-on: https://go-review.googlesource.com/29995
-Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
-Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
+Update the test so that it skips the checks if we're using a recent
+tzdata release.
+
+Fixes #19457
+
+Change-Id: I45d705a5520743a611bdd194dc8f8d618679980c
+Reviewed-on: https://go-review.googlesource.com/37964
+Reviewed-by: Ian Lance Taylor <iant@golang.org>
+Run-TryBot: Ian Lance Taylor <iant@golang.org>
 TryBot-Result: Gobot Gobot <gobot@golang.org>
+(cherry picked from commit 91563ced5897faf729a34be7081568efcfedda31)
+Reviewed-on: https://go-review.googlesource.com/37991
+Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
 ---
- src/time/time_test.go | 7 +++++--
- 1 file changed, 5 insertions(+), 2 deletions(-)
+ src/time/format_test.go | 41 +++++++++++++++++++++++++++++++----------
+ 1 file changed, 31 insertions(+), 10 deletions(-)

-diff --git a/src/time/time_test.go b/src/time/time_test.go
-index 68236fd..2e47d08 100644
--- a/src/time/time_test.go
-+++ b/src/time/time_test.go
-@@ -943,8 +943,11 @@ func TestLoadFixed(t *testing.T) {
- 	// but Go and most other systems use "east is positive".
- 	// So GMT+1 corresponds to -3600 in the Go zone, not +3600.
- 	name, offset := Now().In(loc).Zone()
-	if name != "GMT+1" || offset != -1*60*60 {
-		t.Errorf("Now().In(loc).Zone() = %q, %d, want %q, %d", name, offset, "GMT+1", -1*60*60)
-+	// The zone abbreviation is "-01" since tzdata-2016g, and "GMT+1"
-+	// on earlier versions; we accept both. (Issue #17276).
-+	if !(name == "GMT+1" || name == "-01") || offset != -1*60*60 {
-+		t.Errorf("Now().In(loc).Zone() = %q, %d, want %q or %q, %d",
-+			name, offset, "GMT+1", "-01", -1*60*60)
+diff --git a/src/time/format_test.go b/src/time/format_test.go
+index 219c2ca..d0013bc 100644
+--- a/src/time/format_test.go
+++ b/src/time/format_test.go
+@@ -245,27 +245,45 @@ func TestParseDayOutOfRange(t *testing.T) {
 	}
 }
 
+// TestParseInLocation checks that the Parse and ParseInLocation
+// functions do not get confused by the fact that AST (Arabia Standard
+// Time) and AST (Atlantic Standard Time) are different time zones,
+// even though they have the same abbreviation.
+//
+// ICANN has been slowly phasing out invented abbreviation in favor of
+// numeric time zones (for example, the Asia/Baghdad time zone
+// abbreviation got changed from AST to +03 in the 2017a tzdata
+// release); but we still want to make sure that the time package does
+// not get confused on systems with slightly older tzdata packages.
+ func TestParseInLocation(t *testing.T) {
+-	// Check that Parse (and ParseInLocation) understand that
+-	// Feb 01 AST (Arabia Standard Time) and Feb 01 AST (Atlantic Standard Time)
+-	// are in different time zones even though both are called AST
+ 
+ 	baghdad, err := LoadLocation("Asia/Baghdad")
+ 	if err != nil {
+ 		t.Fatal(err)
+ 	}
+ 
+-	t1, err := ParseInLocation("Jan 02 2006 MST", "Feb 01 2013 AST", baghdad)
+	var t1, t2 Time
+
+	t1, err = ParseInLocation("Jan 02 2006 MST", "Feb 01 2013 AST", baghdad)
+ 	if err != nil {
+ 		t.Fatal(err)
+ 	}
+-	t2 := Date(2013, February, 1, 00, 00, 00, 0, baghdad)
+-	if t1 != t2 {
+-		t.Fatalf("ParseInLocation(Feb 01 2013 AST, Baghdad) = %v, want %v", t1, t2)
+-	}
+
+ 	_, offset := t1.Zone()
+-	if offset != 3*60*60 {
+-		t.Fatalf("ParseInLocation(Feb 01 2013 AST, Baghdad).Zone = _, %d, want _, %d", offset, 3*60*60)
+
+	// A zero offset means that ParseInLocation did not recognize the
+	// 'AST' abbreviation as matching the current location (Baghdad,
+	// where we'd expect a +03 hrs offset); likely because we're using
+	// a recent tzdata release (2017a or newer).
+	// If it happens, skip the Baghdad test.
+	if offset != 0 {
+		t2 = Date(2013, February, 1, 00, 00, 00, 0, baghdad)
+		if t1 != t2 {
+			t.Fatalf("ParseInLocation(Feb 01 2013 AST, Baghdad) = %v, want %v", t1, t2)
+		}
+		if offset != 3*60*60 {
+			t.Fatalf("ParseInLocation(Feb 01 2013 AST, Baghdad).Zone = _, %d, want _, %d", offset, 3*60*60)
+		}
+ 	}
+ 
+ 	blancSablon, err := LoadLocation("America/Blanc-Sablon")
+@@ -273,6 +291,9 @@ func TestParseInLocation(t *testing.T) {
+ 		t.Fatal(err)
+ 	}
+ 
+	// In this case 'AST' means 'Atlantic Standard Time', and we
+	// expect the abbreviation to correctly match the american
+	// location.
+ 	t1, err = ParseInLocation("Jan 02 2006 MST", "Feb 01 2013 AST", blancSablon)
+ 	if err != nil {
+ 		t.Fatal(err)
Author	SHA1	Message	Date
Jakub Čajka	4fce154566	fix CVE-2017-15041 and CVE-2017-15042	2017-10-10 13:44:43 +02:00
Jakub Čajka	fbbbf12bd3	Add race subpackage	2017-06-29 13:31:41 +02:00
Jakub Čajka	9285c4304e	bump to 1.7.6 fix CVE-2017-8932 add support for 31 OID in asn1 Resolves: BZ#1455191	2017-06-02 14:40:00 +02:00
Jakub Čajka	6974f956bc	Fix for tzdata 2017a	2017-03-16 14:25:34 +01:00
Jakub Čajka	8a9e12846a	Disable failure in tests on ppc64	2017-03-16 12:39:26 +01:00
Jakub Čajka	ae693342f0	bump to go1.7.5 Resolves: BZ#1417002	2017-01-28 08:58:04 +01:00