From 4534257a481691d56d8ecbf6b58336a69ec93ca0 Mon Sep 17 00:00:00 2001
From: bsiegert
Date: Wed, 13 Apr 2016 07:12:00 +0000
Subject: Update Go to 1.6.1.
Two security-related issues were recently reported, and to address these issues we have just released Go 1.6.1 and Go 1.5.4. We recommend that all users update to one of these releases (if you're not sure which, choose Go 1.6.1). The issues addressed by these releases are: On Windows, Go loads system DLLs by name with LoadLibrary, making it vulnerable to DLL preloading attacks. For instance, if a user runs a Go executable from a Downloads folder, malicious DLL files also downloaded to that folder could be loaded into that executable. This is CVE-2016-3958 and was addressed by this change: https://golang.org/cl/21428 Thanks to Taru Karttunen for identifying this issue. Go's crypto libraries passed certain parameters unchecked to the underlying big integer library, possibly leading to extremely long-running computations, which in turn makes Go programs vulnerable to remote denial of service attacks. Programs using HTTPS client certificates or the Go SSH server libraries are both exposed to this vulnerability. This is CVE-2016-3959 and was addressed by this change: https://golang.org/cl/21533 Thanks to David Wong for identifying this issue.
---
 lang/go/Makefile | 3 +--
 lang/go/PLIST | 4 +++-
 lang/go/distinfo | 11 +++++------
 lang/go/patches/patch-src_crypto_dsa_dsa.go | 25 -------------------------
 lang/go/version.mk | 4 ++--
 5 files changed, 11 insertions(+), 36 deletions(-)
 delete mode 100644 lang/go/patches/patch-src_crypto_dsa_dsa.go
(limited to 'lang')
diff --git a/lang/go/Makefile b/lang/go/Makefile
index b6a9da3623e..fdb0bb68691 100644
--- a/lang/go/Makefile
+++ b/lang/go/Makefile
@@ -1,10 +1,9 @@
-# $NetBSD: Makefile,v 1.40 2016/04/08 20:00:02 bsiegert Exp $
+# $NetBSD: Makefile,v 1.41 2016/04/13 07:12:00 bsiegert Exp $
 .include "version.mk"
 DISTNAME= go${GO_VERSION}.src
 PKGNAME= go-${GO_VERSION}
-PKGREVISION= 1
 CATEGORIES= lang
 MASTER_SITES= https://storage.googleapis.com/golang/
diff --git a/lang/go/PLIST b/lang/go/PLIST
index 27df0026126..0e739f90fbf 100644
--- a/lang/go/PLIST
+++ b/lang/go/PLIST
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.22 2016/02/23 20:12:25 bsiegert Exp $
+@comment $NetBSD: PLIST,v 1.23 2016/04/13 07:12:00 bsiegert Exp $
 bin/go
 bin/gofmt
 go/AUTHORS
@@ -815,6 +815,7 @@ go/pkg/${GO_PLATFORM}/index/suffixarray.a
 go/pkg/${GO_PLATFORM}/internal/golang.org/x/net/http2/hpack.a
 go/pkg/${GO_PLATFORM}/internal/race.a
 go/pkg/${GO_PLATFORM}/internal/singleflight.a
+go/pkg/${GO_PLATFORM}/internal/syscall/windows/sysdll.a
 go/pkg/${GO_PLATFORM}/internal/testenv.a
 go/pkg/${GO_PLATFORM}/internal/trace.a
 go/pkg/${GO_PLATFORM}/io.a
@@ -2515,6 +2516,7 @@ go/src/internal/syscall/windows/registry/syscall.go
 go/src/internal/syscall/windows/registry/value.go
 go/src/internal/syscall/windows/registry/zsyscall_windows.go
 go/src/internal/syscall/windows/syscall_windows.go
+go/src/internal/syscall/windows/sysdll/sysdll.go
 go/src/internal/syscall/windows/zsyscall_windows.go
 go/src/internal/testenv/testenv.go
 go/src/internal/trace/goroutines.go
diff --git a/lang/go/distinfo b/lang/go/distinfo
index 78867b5b46f..b1577e4527e 100644
--- a/lang/go/distinfo
+++ b/lang/go/distinfo
@@ -1,12 +1,11 @@
-$NetBSD: distinfo,v 1.34 2016/04/08 20:00:02 bsiegert Exp $
+$NetBSD: distinfo,v 1.35 2016/04/13 07:12:00 bsiegert Exp $
-SHA1 (go1.6.src.tar.gz) = 3282b6cb1e491662f7067544605d8cbf6f016553
-RMD160 (go1.6.src.tar.gz) = 9ed6feb79610d4ef0b9c2113dfddce72ff26ae7a
-SHA512 (go1.6.src.tar.gz) = 59e9d72a80558fd5e3f176e068897a45333b36e35f6c00393647941a70e741168e65941b6059397378020c3b78ec3471a48809682f7efd97cf33eec6325fc3e8
-Size (go1.6.src.tar.gz) = 12613308 bytes
+SHA1 (go1.6.1.src.tar.gz) = aa8f912f2534c8faa5c5b6d278e7cb3a4f4d238c
+RMD160 (go1.6.1.src.tar.gz) = cf261ac91523982d0d6980a297bccb3fdbcd718c
+SHA512 (go1.6.1.src.tar.gz) = 31ea2504f8ab0fd709005275d0c2129b6cdb4e5d34d6e2b435b23480674b135d1bff8de863b1e01201e757523f4dc28b6ebefeb87d7e855f2509a6837e436fab
+Size (go1.6.1.src.tar.gz) = 12615799 bytes
 SHA1 (patch-lib_time_update.bash) = bcf565b97ae7898a9e5cef7686fe42c69bc0bba1
 SHA1 (patch-misc_io_clangwrap.sh) = cd91c47ba0fe7b6eb8009dd261c0c26c7d581c29
 SHA1 (patch-src_cmd_go_pkg.go) = ccc470577951bd00741c39229599c0c06be52d0a
-SHA1 (patch-src_crypto_dsa_dsa.go) = ed2bdfeab0205f8fdddd7a765f150b0ce832d7a7
 SHA1 (patch-src_crypto_x509_root__bsd.go) = 0eca1eafa967268ae9b224be4aeda347ebc91901
 SHA1 (patch-src_syscall_syscall__solaris.go) = 436371947897dcba574a6dfecc6bbcd04f6e25b2
diff --git a/lang/go/patches/patch-src_crypto_dsa_dsa.go b/lang/go/patches/patch-src_crypto_dsa_dsa.go
deleted file mode 100644
index 29123c1a8c9..00000000000
--- a/lang/go/patches/patch-src_crypto_dsa_dsa.go
+++ /dev/null
@@ -1,25 +0,0 @@
-$NetBSD: patch-src_crypto_dsa_dsa.go,v 1.1 2016/04/08 20:00:02 bsiegert Exp $
-
-Fix for CVE-2016-3959:
-
-crypto/dsa: eliminate invalid PublicKey early
-
-For PublicKey.P == 0, Verify will fail. Don't even try.
-
-Change-Id: I1009f2b3dead8d0041626c946633acb10086d8c8
-Reviewed-on: https://go-review.googlesource.com/21533
-Reviewed-by: Brad Fitzpatrick
-
---- src/crypto/dsa/dsa.go.orig 2016-02-17 20:35:21.000000000 +0000
-+++ src/crypto/dsa/dsa.go
-@@ -249,6 +249,10 @@ func Sign(rand io.Reader, priv *PrivateK
- func Verify(pub *PublicKey, hash []byte, r, s *big.Int) bool {
- // FIPS 186-3, section 4.7
-
-+ if pub.P.Sign() == 0 {
-+ return false
-+ }
-+
- if r.Sign() < 1 || r.Cmp(pub.Q) >= 0 {
- return false
- }
diff --git a/lang/go/version.mk b/lang/go/version.mk
index afd07b3c418..25df9be7fa7 100644
--- a/lang/go/version.mk
+++ b/lang/go/version.mk
@@ -1,8 +1,8 @@
-# $NetBSD: version.mk,v 1.12 2016/02/23 20:12:25 bsiegert Exp $
+# $NetBSD: version.mk,v 1.13 2016/04/13 07:12:00 bsiegert Exp $
 .include "../../mk/bsd.prefs.mk"
-GO_VERSION= 1.6
+GO_VERSION= 1.6.1
 GO14_VERSION= 1.4.3
 ONLY_FOR_PLATFORM= *-*-i386 *-*-x86_64 *-*-evbarm
-- cgit v1.2.3