aboutsummaryrefslogtreecommitdiffstats
path: root/meta/recipes-devtools/go
diff options
context:
space:
mode:
Diffstat (limited to 'meta/recipes-devtools/go')
-rw-r--r--meta/recipes-devtools/go/go-1.16.8.inc (renamed from meta/recipes-devtools/go/go-1.16.5.inc)10
-rw-r--r--meta/recipes-devtools/go/go-1.16/0001-encoding-xml-handle-leading-trailing-or-double-colon.patch123
-rw-r--r--meta/recipes-devtools/go/go-binary-native_1.16.8.bb (renamed from meta/recipes-devtools/go/go-binary-native_1.16.5.bb)4
-rw-r--r--meta/recipes-devtools/go/go-cross-canadian_1.16.8.bb (renamed from meta/recipes-devtools/go/go-cross-canadian_1.16.5.bb)0
-rw-r--r--meta/recipes-devtools/go/go-cross_1.16.8.bb (renamed from meta/recipes-devtools/go/go-cross_1.16.5.bb)0
-rw-r--r--meta/recipes-devtools/go/go-crosssdk_1.16.8.bb (renamed from meta/recipes-devtools/go/go-crosssdk_1.16.5.bb)0
-rw-r--r--meta/recipes-devtools/go/go-native_1.16.8.bb (renamed from meta/recipes-devtools/go/go-native_1.16.5.bb)0
-rw-r--r--meta/recipes-devtools/go/go-runtime_1.16.8.bb (renamed from meta/recipes-devtools/go/go-runtime_1.16.5.bb)0
-rw-r--r--meta/recipes-devtools/go/go_1.16.8.bb (renamed from meta/recipes-devtools/go/go_1.16.5.bb)0
9 files changed, 133 insertions, 4 deletions
diff --git a/meta/recipes-devtools/go/go-1.16.5.inc b/meta/recipes-devtools/go/go-1.16.8.inc
index bd928e44f8c..acc2300a286 100644
--- a/meta/recipes-devtools/go/go-1.16.5.inc
+++ b/meta/recipes-devtools/go/go-1.16.8.inc
@@ -1,7 +1,7 @@
require go-common.inc
GO_BASEVERSION = "1.16"
-PV = "1.16.5"
+PV = "1.16.8"
FILESEXTRAPATHS_prepend := "${FILE_DIRNAME}/go-${GO_BASEVERSION}:"
LIC_FILES_CHKSUM = "file://LICENSE;md5=5d4950ecb7b26d2c5e4e7b4e0dd74707"
@@ -16,5 +16,11 @@ SRC_URI += "\
file://0007-cmd-go-make-GOROOT-precious-by-default.patch \
file://0008-use-GOBUILDMODE-to-set-buildmode.patch \
file://0009-Revert-cmd-go-make-sure-CC-and-CXX-are-absolute.patch \
+ file://0001-encoding-xml-handle-leading-trailing-or-double-colon.patch \
"
-SRC_URI[main.sha256sum] = "7bfa7e5908c7cc9e75da5ddf3066d7cbcf3fd9fa51945851325eebc17f50ba80"
+SRC_URI[main.sha256sum] = "8f2a8c24b793375b3243df82fdb0c8387486dcc8a892ca1c991aa99ace086b98"
+
+# Upstream don't believe it is a signifiant real world issue and will only
+# fix in 1.17 onwards where we can drop this.
+# https://github.com/golang/go/issues/30999#issuecomment-910470358
+CVE_CHECK_WHITELIST += "CVE-2021-29923"
diff --git a/meta/recipes-devtools/go/go-1.16/0001-encoding-xml-handle-leading-trailing-or-double-colon.patch b/meta/recipes-devtools/go/go-1.16/0001-encoding-xml-handle-leading-trailing-or-double-colon.patch
new file mode 100644
index 00000000000..3c47157d1a1
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.16/0001-encoding-xml-handle-leading-trailing-or-double-colon.patch
@@ -0,0 +1,123 @@
+From 4d014e723165f28b34458edb4aa9136e0fb4c702 Mon Sep 17 00:00:00 2001
+From: Filippo Valsorda <filippo@golang.org>
+Date: Tue, 27 Oct 2020 00:17:15 +0100
+Subject: [PATCH] encoding/xml: handle leading, trailing, or double colons in
+ names
+
+Before this change, <:name> would parse as <name>, which could cause
+issues in applications that rely on the parse-encode cycle to
+round-trip. Similarly, <x name:=""> would parse as expected but then
+have the attribute dropped when serializing because its name was empty.
+Finally, <a:b:c> would parse and get serialized incorrectly. All these
+values are invalid XML, but to minimize the impact of this change, we
+parse them whole into Name.Local.
+
+This issue was reported by Juho Nurminen of Mattermost as it leads to
+round-trip mismatches. See #43168. It's not being fixed in a security
+release because round-trip stability is not a currently supported
+security property of encoding/xml, and we don't believe these fixes
+would be sufficient to reliably guarantee it in the future.
+
+Fixes CVE-2020-29509
+Fixes CVE-2020-29511
+Updates #43168
+
+Change-Id: I68321c4d867305046f664347192948a889af3c7f
+Reviewed-on: https://go-review.googlesource.com/c/go/+/277892
+Run-TryBot: Filippo Valsorda <filippo@golang.org>
+TryBot-Result: Go Bot <gobot@golang.org>
+Trust: Filippo Valsorda <filippo@golang.org>
+Reviewed-by: Katie Hockman <katie@golang.org>
+
+CVE: CVE-2020-29509 CVE-2020-29511
+Upstream-Status: Backport [4d014e723165f28b34458edb4aa9136e0fb4c702]
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ src/encoding/xml/xml.go | 5 ++--
+ src/encoding/xml/xml_test.go | 56 ++++++++++++++++++++++++++++++++++++
+ 2 files changed, 59 insertions(+), 2 deletions(-)
+
+diff --git a/src/encoding/xml/xml.go b/src/encoding/xml/xml.go
+index 384d6ad4b8..c902f1295a 100644
+--- a/src/encoding/xml/xml.go
++++ b/src/encoding/xml/xml.go
+@@ -1156,8 +1156,9 @@ func (d *Decoder) nsname() (name Name, ok bool) {
+ if !ok {
+ return
+ }
+- i := strings.Index(s, ":")
+- if i < 0 {
++ if strings.Count(s, ":") > 1 {
++ name.Local = s
++ } else if i := strings.Index(s, ":"); i < 1 || i > len(s)-2 {
+ name.Local = s
+ } else {
+ name.Space = s[0:i]
+diff --git a/src/encoding/xml/xml_test.go b/src/encoding/xml/xml_test.go
+index 5a10f5309d..47d0c39167 100644
+--- a/src/encoding/xml/xml_test.go
++++ b/src/encoding/xml/xml_test.go
+@@ -1003,3 +1003,59 @@ func TestTokenUnmarshaler(t *testing.T) {
+ d := NewTokenDecoder(tokReader{})
+ d.Decode(&Failure{})
+ }
++
++func testRoundTrip(t *testing.T, input string) {
++ d := NewDecoder(strings.NewReader(input))
++ var tokens []Token
++ var buf bytes.Buffer
++ e := NewEncoder(&buf)
++ for {
++ tok, err := d.Token()
++ if err == io.EOF {
++ break
++ }
++ if err != nil {
++ t.Fatalf("invalid input: %v", err)
++ }
++ if err := e.EncodeToken(tok); err != nil {
++ t.Fatalf("failed to re-encode input: %v", err)
++ }
++ tokens = append(tokens, CopyToken(tok))
++ }
++ if err := e.Flush(); err != nil {
++ t.Fatal(err)
++ }
++
++ d = NewDecoder(&buf)
++ for {
++ tok, err := d.Token()
++ if err == io.EOF {
++ break
++ }
++ if err != nil {
++ t.Fatalf("failed to decode output: %v", err)
++ }
++ if len(tokens) == 0 {
++ t.Fatalf("unexpected token: %#v", tok)
++ }
++ a, b := tokens[0], tok
++ if !reflect.DeepEqual(a, b) {
++ t.Fatalf("token mismatch: %#v vs %#v", a, b)
++ }
++ tokens = tokens[1:]
++ }
++ if len(tokens) > 0 {
++ t.Fatalf("lost tokens: %#v", tokens)
++ }
++}
++
++func TestRoundTrip(t *testing.T) {
++ tests := map[string]string{
++ "leading colon": `<::Test ::foo="bar"><:::Hello></:::Hello><Hello></Hello></::Test>`,
++ "trailing colon": `<foo abc:="x"></foo>`,
++ "double colon": `<x:y:foo></x:y:foo>`,
++ }
++ for name, input := range tests {
++ t.Run(name, func(t *testing.T) { testRoundTrip(t, input) })
++ }
++}
+--
+2.25.1
+
diff --git a/meta/recipes-devtools/go/go-binary-native_1.16.5.bb b/meta/recipes-devtools/go/go-binary-native_1.16.8.bb
index b3e2b6a60ee..926222089d0 100644
--- a/meta/recipes-devtools/go/go-binary-native_1.16.5.bb
+++ b/meta/recipes-devtools/go/go-binary-native_1.16.8.bb
@@ -8,8 +8,8 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=5d4950ecb7b26d2c5e4e7b4e0dd74707"
PROVIDES = "go-native"
SRC_URI = "https://dl.google.com/go/go${PV}.${BUILD_GOOS}-${BUILD_GOARCH}.tar.gz;name=go_${BUILD_GOTUPLE}"
-SRC_URI[go_linux_amd64.sha256sum] = "b12c23023b68de22f74c0524f10b753e7b08b1504cb7e417eccebdd3fae49061"
-SRC_URI[go_linux_arm64.sha256sum] = "d5446b46ef6f36fdffa852f73dfbbe78c1ddf010b99fa4964944b9ae8b4d6799"
+SRC_URI[go_linux_amd64.sha256sum] = "f32501aeb8b7b723bc7215f6c373abb6981bbc7e1c7b44e9f07317e1a300dce2"
+SRC_URI[go_linux_arm64.sha256sum] = "430dbe185417204f6788913197ab3b189b6deae9c9b524f262858e53dab239c2"
UPSTREAM_CHECK_URI = "https://golang.org/dl/"
UPSTREAM_CHECK_REGEX = "go(?P<pver>\d+(\.\d+)+)\.linux"
diff --git a/meta/recipes-devtools/go/go-cross-canadian_1.16.5.bb b/meta/recipes-devtools/go/go-cross-canadian_1.16.8.bb
index 7ac9449e476..7ac9449e476 100644
--- a/meta/recipes-devtools/go/go-cross-canadian_1.16.5.bb
+++ b/meta/recipes-devtools/go/go-cross-canadian_1.16.8.bb
diff --git a/meta/recipes-devtools/go/go-cross_1.16.5.bb b/meta/recipes-devtools/go/go-cross_1.16.8.bb
index 80b5a03f6ca..80b5a03f6ca 100644
--- a/meta/recipes-devtools/go/go-cross_1.16.5.bb
+++ b/meta/recipes-devtools/go/go-cross_1.16.8.bb
diff --git a/meta/recipes-devtools/go/go-crosssdk_1.16.5.bb b/meta/recipes-devtools/go/go-crosssdk_1.16.8.bb
index 1857c8a5772..1857c8a5772 100644
--- a/meta/recipes-devtools/go/go-crosssdk_1.16.5.bb
+++ b/meta/recipes-devtools/go/go-crosssdk_1.16.8.bb
diff --git a/meta/recipes-devtools/go/go-native_1.16.5.bb b/meta/recipes-devtools/go/go-native_1.16.8.bb
index f14892cdb0c..f14892cdb0c 100644
--- a/meta/recipes-devtools/go/go-native_1.16.5.bb
+++ b/meta/recipes-devtools/go/go-native_1.16.8.bb
diff --git a/meta/recipes-devtools/go/go-runtime_1.16.5.bb b/meta/recipes-devtools/go/go-runtime_1.16.8.bb
index 63464a15014..63464a15014 100644
--- a/meta/recipes-devtools/go/go-runtime_1.16.5.bb
+++ b/meta/recipes-devtools/go/go-runtime_1.16.8.bb
diff --git a/meta/recipes-devtools/go/go_1.16.5.bb b/meta/recipes-devtools/go/go_1.16.8.bb
index 4e9e0ebec83..4e9e0ebec83 100644
--- a/meta/recipes-devtools/go/go_1.16.5.bb
+++ b/meta/recipes-devtools/go/go_1.16.8.bb