author | Kevin Daudt <kdaudt@alpinelinux.org> | 2020-04-21 19:55:32 +0000 |
---|---|---|
committer | Kevin Daudt <kdaudt@alpinelinux.org> | 2020-04-30 04:41:32 +0000 |
commit | 573b7537c7e1ab2732007a1d026a913613ca2d03 (patch) | |
tree | b0a15bcc8171df65db864b6d4a28d5710b7f2077 | |
parent | 25f0bae76247fa5eb76faae67f179ea8b758f828 (diff) | |
community/go: security upgrade to 1.13.10 (CVE-2020-7919)
Issue: alpine/aports!7067
-rw-r--r-- | community/go/APKBUILD | 26 | ||||
-rw-r--r-- | community/go/fix-rlimit-syscall-aarch64-armv7.patch | 86 |
2 files changed, 101 insertions, 11 deletions
diff --git a/community/go/APKBUILD b/community/go/APKBUILD
index 7424eecb34..01eb08bd76 100644
--- a/community/go/APKBUILD
+++ b/community/go/APKBUILD
@@ -3,8 +3,8 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=go
 # go binaries are statically linked, security updates require rebuilds
-pkgver=1.13.4
-pkgrel=1
+pkgver=1.13.10
+pkgrel=0
 pkgdesc="Go programming language compiler"
 url="https://golang.org/"
 arch="all"
@@ -17,6 +17,7 @@ source="https://golang.org/dl/go${pkgver/_/}.src.tar.gz
 default-buildmode-pie.patch
 set-external-linker.patch
 disable-flaky-sync-test.patch
+ fix-rlimit-syscall-aarch64-armv7.patch
 "
 case "$CARCH" in
@@ -25,18 +26,20 @@ case "$CARCH" in
 esac
 # secfixes:
+# 1.13.7-r0:
+# - CVE-2020-7919
 # 1.13.2-r0:
-# - CVE-2019-17596
+# - CVE-2019-17596
 # 1.13.1-r0:
-# - CVE-2019-16276
+# - CVE-2019-16276
 # 1.12.8-r0:
-# - CVE-2019-9512
-# - CVE-2019-9514
-# - CVE-2019-14809
+# - CVE-2019-9512
+# - CVE-2019-9514
+# - CVE-2019-14809
 # 1.11.5-r0:
-# - CVE-2019-6486
+# - CVE-2019-6486
 # 1.9.4-r0:
-# - CVE-2018-6574
+# - CVE-2018-6574
 # NOTE: building go for x86 with grsec kernel requires:
 # sysctl -w kernel.modify_ldt=1
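Review bot: The new secfixes entry in the `# secfixes:` block records CVE-2020-7919 under `1.13.7-r0`, but this commit moves the package from 1.13.4-r1 straight to 1.13.10-r0, so no 1.13.7-r0 build is visible for this branch. If the block is meant to name the package release that first shipped the fix in this branch, the entry should read `# 1.13.10-r0:` followed by `# - CVE-2020-7919`; tooling that maps CVEs to fixed package versions from this block would otherwise point at a release that apparently cannot be installed from here. The remaining changes in this hunk only re-indent the older CVE lines. Because the comment above `pkgver` states that Go binaries are statically linked, packages built with the old toolchain presumably keep the affected code until they are rebuilt, and the commit does not show such rebuilds.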
@@ -137,7 +140,8 @@ package() {
 -exec rm -rf \{\} \+
 }
-sha512sums="e8155cdceca2ebefd386feef98223bbdc92d9316f7188d4ba701cf43a723b75a9bf67a1eb92ac80987b7a113a2fb6981ef235292bec7dd3964805b7c33abdbb1 go1.13.4.src.tar.gz
+sha512sums="9e020dd89ab6201c4cbb893caecc0b077d5fbb2e10381e1b76a29ddc18c141d8db67a1b0f607ed915b0e9c40c4fb2c65b0319472535892534a31ad962e72fe05 go1.13.10.src.tar.gz
 f0c07d9979fc3165fc78158406de8440624b3f2c6f6542c9889c71efbf3d2f02a7ffee27ccba8c2630489895d331b7b9d3a606162134dcb3e8e0b9fc06b529dc default-buildmode-pie.patch
 faf8de430df185842902322f064254f3e9ecee0884b3075b5550c85da15ff61ea6c2bb8d0fb7cf3887abc0e40974bd73ee8f8c14da7f914dde7e9220177c4e2a set-external-linker.patch
-6ce14ca43fd35520e667530af91cfcad8902d635e6dd8c04d19428299b9e29ba049120f5eebbb00717a895f052d1cc40d3f522c090786625cce726715a8218ec disable-flaky-sync-test.patch"
+6ce14ca43fd35520e667530af91cfcad8902d635e6dd8c04d19428299b9e29ba049120f5eebbb00717a895f052d1cc40d3f522c090786625cce726715a8218ec disable-flaky-sync-test.patch
+91298a7b74cce2405fe9774ebc67c78691fb7ffe5d34c3d22e2632900158efc6f922387f58265bb0587be1f37a91240d604d52e96c9315e7fb83e0210b274715 fix-rlimit-syscall-aarch64-armv7.patch"
diff --git a/community/go/fix-rlimit-syscall-aarch64-armv7.patch b/community/go/fix-rlimit-syscall-aarch64-armv7.patch
new file mode 100644
index 0000000000..bda590afd0
--- /dev/null
+++ b/community/go/fix-rlimit-syscall-aarch64-armv7.patch
@@ -0,0 +1,86 @@
+Upstream: Yes
+Url: https://github.com/golang/go/issues/38604
+
+From a6895a6a52aa5e865b8ee055a8bf85982c91b555 Mon Sep 17 00:00:00 2001
+From: Ian Lance Taylor <iant@golang.org>
+Date: Mon, 27 Apr 2020 17:43:35 -0700
+Subject: [PATCH] syscall: on linux-arm64, prefer prlimit to {g,s}etrlimit
+
+Reportedly some Docker images accept the prlimit64 system call,
+used by syscall.prlimit, but prohibit the getrlimit and setrlimit
+system calls.
+
+Fixes #38604
+
+Change-Id: I91ff9370450b4869098cc8e335bbb7b863060508
+---
+
+diff --git a/src/syscall/syscall_linux_arm64.go b/src/syscall/syscall_linux_arm64.go
+index 6d3b3df..1ad9dd8 100644
+--- a/src/syscall/syscall_linux_arm64.go
++++ b/src/syscall/syscall_linux_arm64.go
+@@ -28,7 +28,7 @@
+ //sysnb Getegid() (egid int)
+ //sysnb Geteuid() (euid int)
+ //sysnb Getgid() (gid int)
+-//sysnb Getrlimit(resource int, rlim *Rlimit) (err error)
++//sysnb getrlimit(resource int, rlim *Rlimit) (err error)
+ //sysnb Getuid() (uid int)
+ //sys Listen(s int, n int) (err error)
+ //sys Pread(fd int, p []byte, offset int64) (n int, err error) = SYS_PREAD64
+@@ -41,7 +41,7 @@
+ //sysnb Setregid(rgid int, egid int) (err error)
+ //sysnb Setresgid(rgid int, egid int, sgid int) (err error)
+ //sysnb Setresuid(ruid int, euid int, suid int) (err error)
+-//sysnb Setrlimit(resource int, rlim *Rlimit) (err error)
++//sysnb setrlimit(resource int, rlim *Rlimit) (err error)
+ //sysnb Setreuid(ruid int, euid int) (err error)
+ //sys Shutdown(fd int, how int) (err error)
+ //sys Splice(rfd int, roff *int64, wfd int, woff *int64, len int, flags int) (n int64, err error)
+@@ -171,6 +171,24 @@
+ return
+ }
+
++// Getrlimit prefers the prlimit64 system call. See issue 38604.
++func Getrlimit(resource int, rlim *Rlimit) error {
++ err := prlimit(0, resource, nil, rlim)
++ if err != ENOSYS {
++ return err
++ }
++ return getrlimit(resource, rlim)
++}
++
++// Setrlimit prefers the prlimit64 system call. See issue 38604.
++func Setrlimit(resource int, rlim *Rlimit) error {
++ err := prlimit(0, resource, rlim, nil)
++ if err != ENOSYS {
++ return err
++ }
++ return setrlimit(resource, rlim)
++}
++
+ func (r *PtraceRegs) PC() uint64 { return r.Pc }
+
+ func (r *PtraceRegs) SetPC(pc uint64) { r.Pc = pc }
+diff --git a/src/syscall/zsyscall_linux_arm64.go b/src/syscall/zsyscall_linux_arm64.go
+index b62383e..f20f05e 100644
+--- a/src/syscall/zsyscall_linux_arm64.go
++++ b/src/syscall/zsyscall_linux_arm64.go
+@@ -1158,7 +1158,7 @@
+
+ // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
+-func Getrlimit(resource int, rlim *Rlimit) (err error) {
++func getrlimit(resource int, rlim *Rlimit) (err error) {
+ _, _, e1 := RawSyscall(SYS_GETRLIMIT, uintptr(resource), uintptr(unsafe.Pointer(rlim)), 0)
+ if e1 != 0 {
+ err = errnoErr(e1)
+@@ -1312,7 +1312,7 @@
+
+ // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
+-func Setrlimit(resource int, rlim *Rlimit) (err error) {
++func setrlimit(resource int, rlim *Rlimit) (err error) {
+ _, _, e1 := RawSyscall(SYS_SETRLIMIT, uintptr(resource), uintptr(unsafe.Pointer(rlim)), 0)
+ if e1 != 0 {
+ err = errnoErr(e1) |
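Review bot: The added `Getrlimit` and `Setrlimit` wrappers fall back to the raw `getrlimit`/`setrlimit` calls only when `prlimit` returns `ENOSYS`, so a sandbox that rejects prlimit64 with a different errno (for example `EPERM` from a syscall filter) gets that error back with no fallback attempted. That may well be intended, but the doc comments only say the call "prefers" prlimit64; I would extend them to something like `// Getrlimit prefers prlimit64 and falls back to getrlimit only on ENOSYS; any other error is returned as is. See issue 38604.` Separately, the file is named fix-rlimit-syscall-aarch64-armv7.patch while the embedded diff touches only `syscall_linux_arm64.go` and `zsyscall_linux_arm64.go`, so the armv7 part of the name is not backed by anything visible here and is worth confirming or dropping. The header says `Upstream: Yes`, yet the embedded message carries only a Change-Id, so recording the merged upstream commit would make the patch easier to retire on the next version bump.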