commit bc9c580409b61af6b29f0cbd9d45bec63dbe2ccb
Author: Carlos Amedee
Date: 2020-11-12 09:43:57 -05:00

[release-branch.go1.14-security] go1.14.12

Change-Id: I8ce7093f7e119216d3a5d8941968788b70b6afaf
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/901408
Reviewed-by: Katie Hockman <katiehockman@google.com>

commit f7a1fcf7a55d6b0bc97b02f5b9dd4a15d54aeafa
Author: Katie Hockman
Date: 2020-11-10 15:54:12 -05:00

[release-branch.go1.14-security] math/big: fix shift for recursive division

The previous s value could cause a crash
for certain inputs.

Will check in tests and documentation improvements later.

Thanks to the Go Ethereum team and the OSS-Fuzz project for reporting this.
Thanks to Rémy Oudompheng and Robert Griesemer for their help
developing and validating the fix.

Fixes CVE-2020-28362

Change-Id: Ibbf455c4436bcdb07c84a34fa6551fb3422356d3
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/899974
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Filippo Valsorda <valsorda@google.com>
(cherry picked from commit 28015462c2a83239543dc2bef651e9a5f234b633)
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/901064

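The commit above gives no detail on the inputs that crashed the recursive division step, only that the shift value could be wrong for certain sizes. An added regression-style check (example code written here, not from the Go repository) that a practitioner can run against a patched toolchain: it generates large random operands so that math/big's recursive division path is exercised (the exact word-count threshold at which math/big switches to the recursive algorithm is an implementation detail, and the bit sizes used here are assumed to be above it), and verifies the division invariants q*v + r == u and |r| < |v| for every pair. A crash in the divide path surfaces as a panic; a wrong quotient surfaces as a returned error.

```go
package main

import (
	"fmt"
	"math/big"
	"math/rand"
)

// checkDivisionInvariant divides `rounds` random large operand pairs with
// big.Int.QuoRem and verifies, for each pair, that
//   u == q*v + r, |r| < |v|, and sign(r) == sign(u) unless r == 0
// (truncated division semantics, which is what QuoRem implements).
// Operand sizes vary from round to round so that the block-splitting
// inside the recursive division sees many different size ratios.
// Bit lengths are an assumption: large enough to reach the recursive path.
func checkDivisionInvariant(rounds int, seed int64) error {
	rng := rand.New(rand.NewSource(seed))
	one := big.NewInt(1)
	for i := 0; i < rounds; i++ {
		ubits := 8192 + rng.Intn(8192) // dividend: 8k..16k bits
		vbits := 1024 + rng.Intn(7168) // divisor:  1k..8k bits
		u := new(big.Int).Rand(rng, new(big.Int).Lsh(one, uint(ubits)))
		v := new(big.Int).Rand(rng, new(big.Int).Lsh(one, uint(vbits)))
		if v.Sign() == 0 {
			continue // division by zero is a different (documented) panic
		}
		// Exercise negative dividends and divisors as well; the magnitude
		// division is the same, only the sign handling differs.
		if rng.Intn(2) == 1 {
			u.Neg(u)
		}
		if rng.Intn(2) == 1 {
			v.Neg(v)
		}

		q, r := new(big.Int).QuoRem(u, v, new(big.Int))

		back := new(big.Int).Mul(q, v)
		back.Add(back, r)
		if back.Cmp(u) != 0 {
			return fmt.Errorf("round %d: q*v + r != u (u %d bits, v %d bits)", i, u.BitLen(), v.BitLen())
		}
		absR := new(big.Int).Abs(r)
		absV := new(big.Int).Abs(v)
		if absR.Cmp(absV) >= 0 {
			return fmt.Errorf("round %d: |r| >= |v|", i)
		}
		if r.Sign() != 0 && r.Sign() != u.Sign() {
			return fmt.Errorf("round %d: remainder sign does not follow dividend", i)
		}
	}
	return nil
}

func main() {
	if err := checkDivisionInvariant(200, 1); err != nil {
		fmt.Println("FAIL:", err)
		return
	}
	fmt.Println("division invariants held for all rounds")
}
```

Run it with the Go toolchain under test; a vulnerable math/big that hits the bad shift will panic out of QuoRem rather than return, which is why the harness does not try to recover.
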
commit ff5addb6be2fb3001f0cb026c3e4931090a85664
Author: Ian Lance Taylor
Date: 2020-11-02 21:31:06 -08:00

[release-branch.go1.14-security] cmd/go: in cgoflags, permit -DX1, prohibit -Wp,-D,opt

Restrict -D and -U to ASCII C identifiers, but do permit trailing digits.
When using -Wp, prohibit commas in -D values.

Thanks to Imre Rad (https://www.linkedin.com/in/imre-rad-2358749b) for reporting this.

Fixes CVE-2020-28367

Change-Id: Ibfc4dfdd6e6c258e131448e7682610c44eee9492
Reviewed-on: https://go-review.googlesource.com/c/go/+/267277
Trust: Ian Lance Taylor <iant@golang.org>
Run-TryBot: Ian Lance Taylor <iant@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Bryan C. Mills <bcmills@google.com>
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/899923
Reviewed-by: Filippo Valsorda <valsorda@google.com>

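The two rules in the commit message (macro names must be ASCII C identifiers, trailing digits allowed; no commas in a -D value that travels through -Wp) as a small allowlist validator. This is an added example written for this page, not the regexes from cmd/go's own flag checker; the patterns, the `checkCompilerFlag`/`checkCompilerFlags` names and the sample flags are all constructed here. The comma rule matters because the compiler driver splits `-Wp,a,b` on commas and hands each piece to the preprocessor as a separate option, so a comma inside a value smuggles in an option the allowlist never saw.

```go
package main

import (
	"fmt"
	"regexp"
)

// An ASCII C identifier: letter or underscore, then letters, digits or
// underscores. A trailing digit (-DX1) is fine; a leading digit (-D1X) is not.
const cIdent = `[A-Za-z_][A-Za-z0-9_]*`

// re anchors a pattern so the whole flag must match, not just a prefix.
func re(pat string) *regexp.Regexp { return regexp.MustCompile(`^(?:` + pat + `)$`) }

// validCompilerFlags is this example's allowlist for -D/-U style flags.
// Values may not begin with '-' or '@' so they cannot be read as another
// option or a response file; through -Wp they may not contain commas at all.
var validCompilerFlags = []*regexp.Regexp{
	re(`-D` + cIdent + `(=[^@\-]*)?`),
	re(`-U` + cIdent),
	re(`-Wp,-D` + cIdent + `(=[^@,\-]*)?`),
	re(`-Wp,-U` + cIdent),
}

// checkCompilerFlag reports whether one flag is accepted by the allowlist.
func checkCompilerFlag(flag string) bool {
	for _, r := range validCompilerFlags {
		if r.MatchString(flag) {
			return true
		}
	}
	return false
}

// checkCompilerFlags validates a whole flag list (as from CGO_CFLAGS or a
// #cgo CFLAGS line) and returns the first flag that is not allowed.
func checkCompilerFlags(flags []string) error {
	for _, f := range flags {
		if !checkCompilerFlag(f) {
			return fmt.Errorf("invalid flag in #cgo CFLAGS: %q", f)
		}
	}
	return nil
}

func main() {
	// Constructed inputs, including the two cases named in the commit title.
	cases := []string{
		"-DX1",          // trailing digit in the macro name: allowed
		"-DDEBUG=1",     // identifier with a plain value: allowed
		"-UNDEBUG",      // undefine: allowed
		"-Wp,-DX1=2",    // same rules through -Wp: allowed
		"-D1X",          // leading digit: not a C identifier
		"-D\u00f1",      // non-ASCII identifier
		"-Wp,-D,opt",    // comma where the name should be: rejected
		"-Wp,-DX=a,b",   // comma inside the value: rejected
		"-DX=-fplugin",  // value starting with '-': rejected
	}
	for _, c := range cases {
		fmt.Printf("%-14s accepted=%v\n", c, checkCompilerFlag(c))
	}
	fmt.Println(checkCompilerFlags([]string{"-DX1", "-Wp,-D,opt"}))
}
```

The allowlist stance is the important part: every flag must match a positive pattern, so a new flag shape the patterns never anticipated is rejected rather than passed through.
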
commit 57ffa7b101296229328eaec6219a7c211a4ac49b
Author: Ian Lance Taylor
Date: 2020-11-06 09:38:38 -08:00

[release-branch.go1.14-security] cmd/go, cmd/cgo: don't let bogus symbol set cgo_ldflag

A hand-edited object file can have a symbol name that uses newline and
other normally invalid characters. The cgo tool will generate Go files
containing symbol names, unquoted. That can permit those symbol names
to inject Go code into a cgo-generated file. If that Go code uses the
//go:cgo_ldflag pragma, it can cause the C linker to run arbitrary
code when building a package. If you build an imported package we
permit arbitrary code at run time, but we don't want to permit it at
package build time. This CL prevents this in two ways.

In cgo, reject invalid symbols that contain non-printable or space
characters, or that contain anything that looks like a Go comment.

In the go tool, double check all //go:cgo_ldflag directives in
generated code, to make sure they follow the existing LDFLAG restrictions.

Thanks to Chris Brown and Tempus Ex for reporting this.

Fixes CVE-2020-28366

Change-Id: Ia1ad8f3791ea79612690fa7d26ac451d0f6df7c1
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/895832
Reviewed-by: Than McIntosh <thanm@google.com>
Reviewed-by: Cherry Zhang <cherryyz@google.com>
(cherry picked from commit 6bc814dd2bbfeaafa41d314dd4cc591b575dfbf6)
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/901055
Reviewed-by: Filippo Valsorda <valsorda@google.com>
Reviewed-by: Roland Shoemaker <bracewell@google.com>

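Both layers of the defense described in the commit above, as an added example (code written for this page, not cgo's or cmd/go's own). `validSymbol` applies the first rule to a symbol name read from an object file: no space or non-printable character, and nothing that looks like a Go comment. `checkGeneratedLdflags` applies the second: it scans a cgo-generated Go file for `//go:cgo_ldflag` pragmas and re-checks each flag against a linker-flag allowlist. The hostile symbol, the `emitUnquoted` helper (shaped like cgo's `//go:cgo_import_static` output, but not cgo's template), the allowlist patterns and the flag names are all constructed for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strconv"
	"strings"
	"unicode"
)

// validSymbol rejects a symbol name that contains a space or non-printable
// character, or anything that looks like a Go comment, so that it can never
// be written into generated Go source as something other than an identifier.
func validSymbol(name string) bool {
	for _, r := range name {
		if unicode.IsSpace(r) || !unicode.IsPrint(r) {
			return false
		}
	}
	return !strings.Contains(name, "//") && !strings.Contains(name, "/*")
}

// emitUnquoted writes a symbol into generated Go source the unsafe way:
// verbatim, with no validation and no quoting. With a newline in the name,
// everything after it lands on its own line and becomes a live directive.
func emitUnquoted(sym string) string {
	return fmt.Sprintf("//go:cgo_import_static %s\n", sym)
}

func re(pat string) *regexp.Regexp { return regexp.MustCompile(`^(?:` + pat + `)$`) }

// validLinkerFlags is this example's allowlist for flags that may reach the
// C linker at package build time. Values may not start with '-' or '@'.
var validLinkerFlags = []*regexp.Regexp{
	re(`-L[^@\-]+`),
	re(`-l[^@\-]+`),
	re(`-Wl,-rpath,[^@,\-][^,]*`),
}

func validLinkerFlag(flag string) bool {
	for _, r := range validLinkerFlags {
		if r.MatchString(flag) {
			return true
		}
	}
	return false
}

// checkGeneratedLdflags double-checks every //go:cgo_ldflag directive in a
// cgo-generated file. cgo writes the flag as a Go-quoted string; an injected
// line may be unquoted, so a failed Unquote falls back to the raw text and
// the flag is still subjected to the allowlist.
func checkGeneratedLdflags(src string) error {
	sc := bufio.NewScanner(strings.NewReader(src))
	for n := 1; sc.Scan(); n++ {
		line := sc.Text()
		if !strings.HasPrefix(line, "//go:cgo_ldflag ") {
			continue
		}
		raw := strings.TrimSpace(strings.TrimPrefix(line, "//go:cgo_ldflag "))
		flag, err := strconv.Unquote(raw)
		if err != nil {
			flag = raw
		}
		if !validLinkerFlag(flag) {
			return fmt.Errorf("line %d: linker flag %q not permitted", n, flag)
		}
	}
	return sc.Err()
}

func main() {
	// Constructed symbol of the kind the commit describes: a newline followed
	// by a pragma that would run at build time if it reached the go tool.
	hostile := "legit_sym\n//go:cgo_ldflag \"-Wl,--unexpected-option\""
	fmt.Println("validSymbol(hostile):", validSymbol(hostile))

	gen := emitUnquoted(hostile) // what an unpatched cgo would have written
	fmt.Print(gen)
	fmt.Println("generated-file check:", checkGeneratedLdflags(gen))

	benign := "//go:cgo_ldflag \"-L/usr/local/lib\"\n//go:cgo_ldflag \"-lcrypto\"\n"
	fmt.Println("benign-file check:", checkGeneratedLdflags(benign))
}
```

Either layer alone stops this particular input; keeping both means a future change to how cgo writes symbols does not silently reopen the build-time code path.
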
commit e82710b825958f30b924fc6dba1fd0a63b517199
Author: Alexander Rakoczy
Date: 2020-11-05 13:12:54 -05:00

[release-branch.go1.14] go1.14.11

Change-Id: I1b4231179d0825113f2cbb6e84e92b3453e2ee45
Reviewed-on: https://go-review.googlesource.com/c/go/+/267878
Run-TryBot: Alexander Rakoczy <alex@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
Trust: Alexander Rakoczy <alex@golang.org>
