diff --git a/SPECS/golang/CVE-2024-24790.patch b/SPECS/golang/CVE-2024-24790.patch
new file mode 100644
index 00000000000..2e7468ee444
--- /dev/null
+++ b/SPECS/golang/CVE-2024-24790.patch
@@ -0,0 +1,193 @@
+diff --git a/src/net/netip/inlining_test.go b/src/net/netip/inlining_test.go
+index 107fe1f083..1250c37725 100644
+--- a/src/net/netip/inlining_test.go
++++ b/src/net/netip/inlining_test.go
+@@ -41,8 +41,6 @@ func TestInlining(t *testing.T) {
+ "Addr.Is4",
+ "Addr.Is4In6",
+ "Addr.Is6",
+- "Addr.IsLoopback",
+- "Addr.IsMulticast",
+ "Addr.IsInterfaceLocalMulticast",
+ "Addr.IsValid",
+ "Addr.IsUnspecified",
+diff --git a/src/net/netip/netip.go b/src/net/netip/netip.go
+index f27984ab57..310e4e5bf4 100644
+--- a/src/net/netip/netip.go
++++ b/src/net/netip/netip.go
+@@ -75,6 +75,9 @@ var (
+ // address ff02::1.
+ func IPv6LinkLocalAllNodes() Addr { return AddrFrom16([16]byte{0: 0xff, 1: 0x02, 15: 0x01}) }
+
++// IPv6Loopback returns the IPv6 loopback address ::1.
++func IPv6Loopback() Addr { return AddrFrom16([16]byte{15: 0x01}) }
++
+ // IPv6Unspecified returns the IPv6 unspecified address "::".
+ func IPv6Unspecified() Addr { return Addr{z: z6noz} }
+
+@@ -515,6 +518,9 @@ func (ip Addr) hasZone() bool {
+
+ // IsLinkLocalUnicast reports whether ip is a link-local unicast address.
+ func (ip Addr) IsLinkLocalUnicast() bool {
++ if ip.Is4In6() {
++ ip = ip.Unmap()
++ }
+ // Dynamic Configuration of IPv4 Link-Local Addresses
+ // https://datatracker.ietf.org/doc/html/rfc3927#section-2.1
+ if ip.Is4() {
+@@ -530,6 +536,9 @@ func (ip Addr) IsLinkLocalUnicast() bool {
+
+ // IsLoopback reports whether ip is a loopback address.
+ func (ip Addr) IsLoopback() bool {
++ if ip.Is4In6() {
++ ip = ip.Unmap()
++ }
+ // Requirements for Internet Hosts -- Communication Layers (3.2.1.3 Addressing)
+ // https://datatracker.ietf.org/doc/html/rfc1122#section-3.2.1.3
+ if ip.Is4() {
+@@ -545,6 +554,9 @@ func (ip Addr) IsLoopback() bool {
+
+ // IsMulticast reports whether ip is a multicast address.
+ func (ip Addr) IsMulticast() bool {
++ if ip.Is4In6() {
++ ip = ip.Unmap()
++ }
+ // Host Extensions for IP Multicasting (4. HOST GROUP ADDRESSES)
+ // https://datatracker.ietf.org/doc/html/rfc1112#section-4
+ if ip.Is4() {
+@@ -563,7 +575,7 @@ func (ip Addr) IsMulticast() bool {
+ func (ip Addr) IsInterfaceLocalMulticast() bool {
+ // IPv6 Addressing Architecture (2.7.1. Pre-Defined Multicast Addresses)
+ // https://datatracker.ietf.org/doc/html/rfc4291#section-2.7.1
+- if ip.Is6() {
++ if ip.Is6() && !ip.Is4In6() {
+ return ip.v6u16(0)&0xff0f == 0xff01
+ }
+ return false // zero value
+@@ -571,6 +583,9 @@ func (ip Addr) IsInterfaceLocalMulticast() bool {
+
+ // IsLinkLocalMulticast reports whether ip is a link-local multicast address.
+ func (ip Addr) IsLinkLocalMulticast() bool {
++ if ip.Is4In6() {
++ ip = ip.Unmap()
++ }
+ // IPv4 Multicast Guidelines (4. Local Network Control Block (224.0.0/24))
+ // https://datatracker.ietf.org/doc/html/rfc5771#section-4
+ if ip.Is4() {
+@@ -599,6 +614,9 @@ func (ip Addr) IsGlobalUnicast() bool {
+ return false
+ }
+
++ if ip.Is4In6() {
++ ip = ip.Unmap()
++ }
+ // Match package net's IsGlobalUnicast logic. Notably private IPv4 addresses
+ // and ULA IPv6 addresses are still considered "global unicast".
+ if ip.Is4() && (ip == IPv4Unspecified() || ip == AddrFrom4([4]byte{255, 255, 255, 255})) {
+@@ -616,6 +634,10 @@ func (ip Addr) IsGlobalUnicast() bool {
+ // ip is in 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, or fc00::/7. This is the
+ // same as net.IP.IsPrivate.
+ func (ip Addr) IsPrivate() bool {
++ if ip.Is4In6() {
++ ip = ip.Unmap()
++ }
++
+ // Match the stdlib's IsPrivate logic.
+ if ip.Is4() {
+ // RFC 1918 allocates 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 as
+diff --git a/src/net/netip/netip_test.go b/src/net/netip/netip_test.go
+index d988864827..c7e458af43 100644
+--- a/src/net/netip/netip_test.go
++++ b/src/net/netip/netip_test.go
+@@ -554,10 +554,13 @@ func TestIPProperties(t *testing.T) {
+ ilm6 = mustIP("ff01::1")
+ ilmZone6 = mustIP("ff01::1%eth0")
+
+- private4a = mustIP("10.0.0.1")
+- private4b = mustIP("172.16.0.1")
+- private4c = mustIP("192.168.1.1")
+- private6 = mustIP("fd00::1")
++ private4a = mustIP("10.0.0.1")
++ private4b = mustIP("172.16.0.1")
++ private4c = mustIP("192.168.1.1")
++ private6 = mustIP("fd00::1")
++ private6mapped4a = mustIP("::ffff:10.0.0.1")
++ private6mapped4b = mustIP("::ffff:172.16.0.1")
++ private6mapped4c = mustIP("::ffff:192.168.1.1")
+
+ unspecified4 = AddrFrom4([4]byte{})
+ unspecified6 = IPv6Unspecified()
+@@ -584,6 +587,11 @@ func TestIPProperties(t *testing.T) {
+ ip: unicast4,
+ globalUnicast: true,
+ },
++ {
++ name: "unicast v6 mapped v4Addr",
++ ip: AddrFrom16(unicast4.As16()),
++ globalUnicast: true,
++ },
+ {
+ name: "unicast v6Addr",
+ ip: unicast6,
+@@ -605,6 +613,12 @@ func TestIPProperties(t *testing.T) {
+ linkLocalMulticast: true,
+ multicast: true,
+ },
++ {
++ name: "multicast v6 mapped v4Addr",
++ ip: AddrFrom16(multicast4.As16()),
++ linkLocalMulticast: true,
++ multicast: true,
++ },
+ {
+ name: "multicast v6Addr",
+ ip: multicast6,
+@@ -622,6 +636,11 @@ func TestIPProperties(t *testing.T) {
+ ip: llu4,
+ linkLocalUnicast: true,
+ },
++ {
++ name: "link-local unicast v6 mapped v4Addr",
++ ip: AddrFrom16(llu4.As16()),
++ linkLocalUnicast: true,
++ },
+ {
+ name: "link-local unicast v6Addr",
+ ip: llu6,
+@@ -647,6 +666,11 @@ func TestIPProperties(t *testing.T) {
+ ip: loopback6,
+ loopback: true,
+ },
++ {
++ name: "loopback v6 mapped v4Addr",
++ ip: AddrFrom16(IPv6Loopback().As16()),
++ loopback: true,
++ },
+ {
+ name: "interface-local multicast v6Addr",
+ ip: ilm6,
+@@ -683,6 +707,24 @@ func TestIPProperties(t *testing.T) { + globalUnicast: true, + private: true, + }, ++ { ++ name: "private v6 mapped v4Addr 10/8", ++ ip: private6mapped4a, ++ globalUnicast: true, ++ private: true, ++ }, ++ { ++ name: "private v6 mapped v4Addr 172.16/12", ++ ip: private6mapped4b, ++ globalUnicast: true, ++ private: true, ++ }, ++ { ++ name: "private v6 mapped v4Addr 192.168/16", ++ ip: private6mapped4c, ++ globalUnicast: true, ++ private: true, ++ }, + { + name: "unspecified v4Addr", + ip: unspecified4, diff --git a/SPECS/golang/golang-1.18.spec b/SPECS/golang/golang-1.18.spec index 12339bf6c8d..255ab8f6408 100644 --- a/SPECS/golang/golang-1.18.spec +++ b/SPECS/golang/golang-1.18.spec @@ -13,7 +13,7 @@ Summary: Go Name: golang Version: 1.18.8 -Release: 3%{?dist} +Release: 4%{?dist} License: BSD-3-Clause Vendor: Microsoft Corporation Distribution: Mariner @@ -24,10 +24,13 @@ Source1: https://dl.google.com/go/go1.4-bootstrap-20171003.tar.gz Patch0: go14_bootstrap_aarch64.patch # CVE-2022-41717 is fixed in 1.18.9 Patch1: CVE-2022-41717.patch +# CVE-2024-24790 is fixed in 1.18.8 +Patch2: CVE-2024-24790.patch Obsoletes: %{name} < %{version} Provides: %{name} = %{version} Provides: go = %{version}-%{release} + %description Go is an open source programming language that makes it easy to build simple, reliable, and efficient software. @@ -40,7 +43,7 @@ mv -v go go-bootstrap %setup -q -n go patch -Np1 --ignore-whitespace < %{PATCH1} - +patch -Np1 --ignore-whitespace < %{PATCH2} %build # Build go 1.4 bootstrap pushd %{_topdir}/BUILD/go-bootstrap/src @@ -120,6 +123,9 @@ fi %{_bindir}/* %changelog +* Mon July 29 2024 Bhagyashri Pathak bhapathak@microsoft.com - 1.18.8.4 +- Patch CVE-2024-24790 + * Mon Jan 23 2022 Nicolas Guibourge - 1.18.8-3 - Create spec file for golang 1.18 diff --git a/SPECS/golang/golang.signatures.json b/SPECS/golang/golang.signatures.json index 57bb15e14fa..eaad159e83c 100644 --- a/SPECS/golang/golang.signatures.json 
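Review bot: The table entry named "loopback v6 mapped v4Addr" in the netip_test.go part of the patch never reaches the new `Unmap()` branch in `IsLoopback`: `AddrFrom16(IPv6Loopback().As16())` rebuilds `::1`, which the doc comment added in netip.go describes as the plain IPv6 loopback, so `Is4In6()` is false for it. The mapped-loopback case, one of the classifications this CVE backport is meant to correct, is therefore untested, unlike the multicast, link-local and private entries, which do use mapped inputs. Changing the entry to `ip: mustIP("::ffff:127.0.0.1"),` (constructed sample address) or adding that as an extra entry would cover it; if the patch has to stay identical to upstream, the same check can live in a separate test. TestIPProperties starts and ends outside the inner hunks.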
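Review bot: The comment added above `Patch2` in golang-1.18.spec, `# CVE-2024-24790 is fixed in 1.18.8`, contradicts the rest of the commit: this spec still builds `Version: 1.18.8` and needs the patch, and the golang.spec changelog on this page records the fix arriving with 1.21.11. Anyone auditing the spec for open CVEs would read the comment as saying the base tarball is already fixed. Following the pattern of the `Patch1` comment, it should name the upstream release and say the change is a backport, for example `# CVE-2024-24790 is fixed upstream in 1.21.11; backported to 1.18.8 here`. The same hunk also adds a stray blank line before `%description`.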
+++ b/SPECS/golang/golang.signatures.json @@ -1,7 +1,8 @@ { - "Signatures": { - "go1.19.12.src.tar.gz": "ee5d50e0a7fd74ba1b137cb879609aaaef9880bf72b5d1742100e38ae72bb557", - "go1.4-bootstrap-20171003.tar.gz": "f4ff5b5eb3a3cae1c993723f3eab519c5bae18866b5e5f96fe1102f0cb5c3e52", - "go1.21.11.src.tar.gz": "42aee9bf2b6956c75a7ad6aa3f0a51b5821ffeac57f5a2e733a2d6eae1e6d9d2" - } -} + "Signatures": { + "go1.17.13.src.tar.gz": "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd", + "go1.21.6.src.tar.gz": "124926a62e45f78daabbaedb9c011d97633186a33c238ffc1e25320c02046248", + "go1.22.5.src.tar.gz": "ac9c723f224969aee624bc34fd34c9e13f2a212d75c71c807de644bb46e112f6", + "go1.4-bootstrap-20171003.tar.gz": "f4ff5b5eb3a3cae1c993723f3eab519c5bae18866b5e5f96fe1102f0cb5c3e52" + } +} \ No newline at end of file diff --git a/SPECS/golang/golang.spec b/SPECS/golang/golang.spec index a28dbda0e3d..57842d0b68a 100644 --- a/SPECS/golang/golang.spec +++ b/SPECS/golang/golang.spec @@ -1,4 +1,5 @@ -%global bootstrap_compiler_version 1.19.12 +%global bootstrap_compiler_version_0 1.17.13 +%global bootstrap_compiler_version_1 1.21.6 %global goroot %{_libdir}/golang %global gopath %{_datadir}/gocode %ifarch aarch64 @@ -13,7 +14,7 @@ %define __find_requires %{nil} Summary: Go Name: golang -Version: 1.21.11 +Version: 1.22.5 Release: 1%{?dist} License: BSD-3-Clause Vendor: Microsoft Corporation @@ -22,7 +23,8 @@ Group: System Environment/Security URL: https://golang.org Source0: https://golang.org/dl/go%{version}.src.tar.gz Source1: https://dl.google.com/go/go1.4-bootstrap-20171003.tar.gz -Source2: https://dl.google.com/go/go%{bootstrap_compiler_version}.src.tar.gz +Source2: https://dl.google.com/go/go%{bootstrap_compiler_version_0}.src.tar.gz +Source3: https://dl.google.com/go/go%{bootstrap_compiler_version_1}.src.tar.gz Patch0: go14_bootstrap_aarch64.patch Obsoletes: %{name} < %{version} Provides: %{name} = %{version} 
@@ -41,11 +43,13 @@ mv -v go go-bootstrap %setup -q -n go %build -# (go >= 1.20 bootstraps with go >= 1.17) -# This condition makes go compiler >= 1.20 build a 3 step process: +# Go 1.22 requires the final point release of Go 1.20 or later for bootstrap. +# And Go 1.20 requires the Go 1.17. +# This condition makes go compiler >= 1.22 build a 4 step process: # - Build the bootstrap compiler 1.4 (bootstrap bits in c) -# - Use the 1.4 compiler to build %{bootstrap_compiler_version} -# - Use the %{bootstrap_compiler_version} compiler to build go >= 1.20 compiler +# - Use the 1.4 compiler to build %{bootstrap_compiler_version_0} +# - Use the %{bootstrap_compiler_version_0} compiler to build %{bootstrap_compiler_version_1} +# - Use %{bootstrap_compiler_version_1} to build %{version} # PS: Since go compiles fairly quickly, the extra overhead is arounnd 2-3 minutes # on a reasonable machine. 
@@ -56,21 +60,32 @@ popd mv -v %{_topdir}/BUILD/go-bootstrap %{_libdir}/golang export GOROOT=%{_libdir}/golang -# Use go1.4 bootstrap to compile go%{bootstrap_compiler_version} (bootstrap) +# Use go1.4 bootstrap to compile go%{bootstrap_compiler_version_0} export GOROOT_BOOTSTRAP=%{_libdir}/golang -mkdir -p %{_topdir}/BUILD/go%{bootstrap_compiler_version} -tar xf %{SOURCE2} -C %{_topdir}/BUILD/go%{bootstrap_compiler_version} --strip-components=1 -pushd %{_topdir}/BUILD/go%{bootstrap_compiler_version}/src +mkdir -p %{_topdir}/BUILD/go%{bootstrap_compiler_version_0} +tar xf %{SOURCE2} -C %{_topdir}/BUILD/go%{bootstrap_compiler_version_0} --strip-components=1 +pushd %{_topdir}/BUILD/go%{bootstrap_compiler_version_0}/src CGO_ENABLED=0 ./make.bash popd - -# Nuke the older go1.4 bootstrap +# Nuke the older %{bootstrap_compiler_version_0} rm -rf %{_libdir}/golang +mv -v %{_topdir}/BUILD/go%{bootstrap_compiler_version_0} %{_libdir}/golang +export GOROOT=%{_libdir}/golang -# Make go%{bootstrap_compiler_version} as the new bootstrapper -mv -v %{_topdir}/BUILD/go1.19.12 %{_libdir}/golang -# Build current go version +# Use go%{bootstrap_compiler_version_0} bootstrap to compile go%{bootstrap_compiler_version_1} (bootstrap) +export GOROOT_BOOTSTRAP=%{_libdir}/golang +mkdir -p %{_topdir}/BUILD/go%{bootstrap_compiler_version_1} +tar xf %{SOURCE3} -C %{_topdir}/BUILD/go%{bootstrap_compiler_version_1} --strip-components=1 +pushd %{_topdir}/BUILD/go%{bootstrap_compiler_version_1}/src +CGO_ENABLED=0 ./make.bash +popd +# Nuke the older %{bootstrap_compiler_version_1} +rm -rf %{_libdir}/golang +mv -v %{_topdir}/BUILD/go%{bootstrap_compiler_version_1} %{_libdir}/golang +export GOROOT=%{_libdir}/golang + +# Use %{bootstrap_compiler_version_1} to compile %{version} export GOHOSTOS=linux export GOHOSTARCH=%{gohostarch} export GOROOT_BOOTSTRAP=%{goroot} 
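Review bot: The two new "Nuke the older" comments in %build each name the wrong toolchain. At the first `rm -rf %{_libdir}/golang` the directory still holds the go1.4 bootstrap (moved there in the context lines at the top of the hunk), but the comment reads `# Nuke the older %{bootstrap_compiler_version_0}`; at the second it holds %{bootstrap_compiler_version_0}, but the comment names `_1`. In a four-stage bootstrap chain this makes it harder to tell which compiler is trusted to build which, so I would write `# Replace the go1.4 bootstrap with go%{bootstrap_compiler_version_0}` and `# Replace go%{bootstrap_compiler_version_0} with go%{bootstrap_compiler_version_1}`. The %build section starts and ends outside the hunk.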
@@ -141,6 +156,9 @@ fi %{_bindir}/* %changelog +* Mon Jul 29 2024 Bhagyashri Pathak - 1.22.5 +- Bump version to 1.22.5 + * Fri Jun 07 2024 Muhammad Falak - 1.21.11-1 - Bump version to 1.21.11 to address CVE-2024-24790 diff --git a/cgmanifest.json b/cgmanifest.json index 944690ab6cc..65b1748d742 100644 --- a/cgmanifest.json +++ b/cgmanifest.json @@ -4630,18 +4630,8 @@ "type": "other", "other": { "name": "golang", - "version": "1.19.12", - "downloadUrl": "https://golang.org/dl/go1.19.12.src.tar.gz" - } - } - }, - { - "component": { - "type": "other", - "other": { - "name": "golang", - "version": "1.21.11", - "downloadUrl": "https://golang.org/dl/go1.21.11.src.tar.gz" + "version": "1.22.5", + "downloadUrl": "https://golang.org/dl/go1.22.5.src.tar.gz" } } },
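Review bot: The cgmanifest.json hunk removes the 1.19.12 entry, which was the previous bootstrap tarball, and swaps 1.21.11 for 1.22.5, but adds nothing for the two bootstrap tarballs golang.spec now downloads as `Source2` (go1.17.13) and `Source3` (go1.21.6). Only this hunk of the manifest is visible, so they may be registered elsewhere; if not, the manifest no longer lists every source that takes part in building the shipped compiler, while golang.signatures.json does. Entries shaped like the removed ones, using the URLs from the spec, would restore that.

```json
{
  "component": {
    "type": "other",
    "other": {
      "name": "golang",
      "version": "1.17.13",
      "downloadUrl": "https://dl.google.com/go/go1.17.13.src.tar.gz"
    }
  }
},
{
  "component": {
    "type": "other",
    "other": {
      "name": "golang",
      "version": "1.21.6",
      "downloadUrl": "https://dl.google.com/go/go1.21.6.src.tar.gz"
    }
  }
},
```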