From 3c269c6de22a6ad5d47fb2ee60671b751f21fbb7 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Aug 25 2021 00:15:46 +0000 Subject: import golang-1.16.7-1.module+el8.5.0+12246+1aac4e3f --- diff --git a/.gitignore b/.gitignore index 3334520..ceb3ab9 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/go-go-1.16.6-3-openssl-fips.tar.gz +SOURCES/go-go-1.16.7-1-openssl-fips.tar.gz diff --git a/.golang.metadata b/.golang.metadata index 771796a..413c971 100644 --- a/.golang.metadata +++ b/.golang.metadata @@ -1 +1 @@ -97a713b08ed6438c1b488c29fb4c1b2d654831c8 SOURCES/go-go-1.16.6-3-openssl-fips.tar.gz +e693273f254789980a55720bd48ac8741d446f21 SOURCES/go-go-1.16.7-1-openssl-fips.tar.gz diff --git a/SOURCES/reject-leading-zeros.patch b/SOURCES/reject-leading-zeros.patch new file mode 100644 index 0000000..24fa6c8 --- /dev/null +++ b/SOURCES/reject-leading-zeros.patch @@ -0,0 +1,109 @@ +diff --git a/doc/go1.16.html b/doc/go1.16.html +index 0beb62d..fc6b668 100644 +--- a/doc/go1.16.html ++++ b/doc/go1.16.html +@@ -891,6 +891,14 @@ func TestFoo(t *testing.T) { + is missing; this is common on musl-based systems and makes + Go programs match the behavior of C programs on those systems. +

++

++ The ParseIP and ParseCIDR ++ functions now reject IPv4 addresses which contain decimal components with leading zeros. ++ These components were always interpreted as decimal, but some operating systems treat them as octal. ++ This mismatch could hypothetically lead to security issues if a Go application was used to validate IP addresses ++ which were then used in their original form with non-Go applications which interpreted components as octal. Generally, ++ it is advisable to always re-encoded values after validation, which avoids this class of parser misalignment issues. ++

+ + + +diff --git a/src/net/hosts_test.go b/src/net/hosts_test.go +index f850e2f..19c4399 100644 +--- a/src/net/hosts_test.go ++++ b/src/net/hosts_test.go +@@ -36,7 +36,7 @@ var lookupStaticHostTests = []struct { + }, + }, + { +- "testdata/ipv4-hosts", // see golang.org/issue/8996 ++ "testdata/ipv4-hosts", + []staticHostEntry{ + {"localhost", []string{"127.0.0.1", "127.0.0.2", "127.0.0.3"}}, + {"localhost.localdomain", []string{"127.0.0.3"}}, +@@ -102,7 +102,7 @@ var lookupStaticAddrTests = []struct { + }, + }, + { +- "testdata/ipv4-hosts", // see golang.org/issue/8996 ++ "testdata/ipv4-hosts", + []staticHostEntry{ + {"127.0.0.1", []string{"localhost"}}, + {"127.0.0.2", []string{"localhost"}}, +diff --git a/src/net/ip.go b/src/net/ip.go +index c00fe8e..007f3f7 100644 +--- a/src/net/ip.go ++++ b/src/net/ip.go +@@ -552,6 +552,10 @@ func parseIPv4(s string) IP { + if !ok || n > 0xFF { + return nil + } ++ if c > 1 && s[0] == '0' { ++ // Reject non-zero components with leading zeroes. ++ return nil ++ } + s = s[c:] + p[i] = byte(n) + } +diff --git a/src/net/ip_test.go b/src/net/ip_test.go +index a5fc5e6..585381d 100644 +--- a/src/net/ip_test.go ++++ b/src/net/ip_test.go +@@ -20,9 +20,7 @@ var parseIPTests = []struct { + }{ + {"127.0.1.2", IPv4(127, 0, 1, 2)}, + {"127.0.0.1", IPv4(127, 0, 0, 1)}, +- {"127.001.002.003", IPv4(127, 1, 2, 3)}, + {"::ffff:127.1.2.3", IPv4(127, 1, 2, 3)}, +- {"::ffff:127.001.002.003", IPv4(127, 1, 2, 3)}, + {"::ffff:7f01:0203", IPv4(127, 1, 2, 3)}, + {"0:0:0:0:0000:ffff:127.1.2.3", IPv4(127, 1, 2, 3)}, + {"0:0:0:0:000000:ffff:127.1.2.3", IPv4(127, 1, 2, 3)}, +@@ -42,6 +40,11 @@ var parseIPTests = []struct { + {"fe80::1%911", nil}, + {"", nil}, + {"a1:a2:a3:a4::b1:b2:b3:b4", nil}, // Issue 6628 ++ {"127.001.002.003", nil}, ++ {"::ffff:127.001.002.003", nil}, ++ {"123.000.000.000", nil}, ++ {"1.2..4", nil}, ++ {"0123.0.0.1", nil}, + } + + func TestParseIP(t *testing.T) { +@@ -357,6 +360,7 @@ var parseCIDRTests = []struct { + {"0.0.-2.0/32", nil, nil, &ParseError{Type: "CIDR address", Text: "0.0.-2.0/32"}}, + {"0.0.0.-3/32", nil, nil, &ParseError{Type: "CIDR address", Text: "0.0.0.-3/32"}}, + {"0.0.0.0/-0", nil, nil, &ParseError{Type: "CIDR address", Text: "0.0.0.0/-0"}}, ++ {"127.000.000.001/32", nil, nil, &ParseError{Type: "CIDR address", Text: "127.000.000.001/32"}}, + {"", nil, nil, &ParseError{Type: "CIDR address", Text: ""}}, + } + +diff --git a/src/net/testdata/ipv4-hosts b/src/net/testdata/ipv4-hosts +index 5208bb4..6b99675 100644 +--- a/src/net/testdata/ipv4-hosts ++++ b/src/net/testdata/ipv4-hosts +@@ -1,12 +1,8 @@ + # See https://tools.ietf.org/html/rfc1123. +-# +-# The literal IPv4 address parser in the net package is a relaxed +-# one. It may accept a literal IPv4 address in dotted-decimal notation +-# with leading zeros such as "001.2.003.4". + + # internet address and host name + 127.0.0.1 localhost # inline comment separated by tab +-127.000.000.002 localhost # inline comment separated by space ++127.0.0.2 localhost # inline comment separated by space + + # internet address, host name and aliases +-127.000.000.003 localhost localhost.localdomain ++127.0.0.3 localhost localhost.localdomain diff --git a/SPECS/golang.spec b/SPECS/golang.spec index e45fb19..d266a66 100644 --- a/SPECS/golang.spec +++ b/SPECS/golang.spec @@ -96,12 +96,12 @@ %endif %global go_api 1.16 -%global go_version 1.16.6 -%global pkg_release 3 +%global go_version 1.16.7 +%global pkg_release 1 Name: golang Version: %{go_version} -Release: 2%{?dist} +Release: 1%{?dist} Summary: The Go Programming Language # source tree includes several copies of Mark.Twain-Tom.Sawyer.txt under Public Domain License: BSD and Public Domain @@ -145,6 +145,11 @@ Patch221: fix_TestScript_list_std.patch # rhbz#1889437 Patch223: golang-1.15-warnCN.patch +# Fix incorrect parsing of extraneous zeros in net/ip +# https://bugzilla.redhat.com/show_bug.cgi?id=1993316 +# https://go-review.googlesource.com/c/go/+/325829 +Patch1993316: reject-leading-zeros.patch + Patch1939923: skip_test_rhbz1939923.patch # Fix FIPS mode memory leaks @@ -247,6 +252,8 @@ Requires: %{name} = %{version}-%{release} %patch1939923 -p1 +%patch1993316 -p1 + %patch1951877 -p1 @@ -516,6 +523,12 @@ cd .. %endif %changelog +* Tue Aug 17 2021 David Benoit - 1.16.7-1 +- Rebase to Go 1.16.7 +- Resolves: rhbz#1994079 +- Add reject leading zeros patch +- Resolves: rhbz#1993314 + * Wed Jul 21 2021 Derek Parker - 1.16.6-2 - Fix TestBoringServerCurves failure when run by itself - Resolves: rhbz#1976168