commit ccb4f250bd7e382e50824c36ec5a3e1a57dcf11a
Author: Dmitri Shuralyov
Date: 2021-01-19 13:37:47 -05:00

[release-branch.go1.14-security] go1.14.14

Change-Id: Id4260bbb5aa55b7e93c0c4686f174ea7916c14db
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/957919
Reviewed-by: Roland Shoemaker <bracewell@google.com>

commit 05822ab49228c3351af1973a7d6345e5cd01083a
Author: Roland Shoemaker
Date: 2021-01-19 09:59:24 -08:00

[release-branch.go1.14-security] cmd/go: overwrite program name with full path

If the program path is resolved, replace the first argument of the
exec.Cmd, which is the bare program name, with the resolved path.

Change-Id: I92cf5e6f4bb7c8fef9b59f5eab963f4e75b90d07
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/957908
Reviewed-by: Katie Hockman <katiehockman@google.com>
Reviewed-by: Russ Cox <rsc@google.com>
Reviewed-by: Jay Conrod <jayconrod@google.com>
(cherry picked from commit a863cb56b33a24aad88f23f1d48629dc4b4b9539)
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/958253
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>

commit 94200a92cf4d6dfdab5291f9e29785cad566faa0
Author: Roland Shoemaker
Date: 2021-01-15 12:14:06 -08:00

[release-branch.go1.14-security] all: introduce and use internal/execabs

Introduces a wrapper around os/exec, internal/execabs, for use in
all commands. This wrapper prevents exec.LookPath and exec.Command from
running executables in the current directory.

All imports of os/exec in non-test files in cmd/ are replaced with
imports of internal/execabs.

This issue was reported by RyotaK.

Fixes CVE-2021-3115

Change-Id: I0423451a6e27ec1e1d6f3fe929ab1ef69145c08f
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/955304
Reviewed-by: Russ Cox <rsc@google.com>
Reviewed-by: Katie Hockman <katiehockman@google.com>
(cherry picked from commit 44f09a6990ccf4db601cbf8208c89ac4e888f884)
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/955309
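
The lookup restriction described in the commit message above, combined with the resolved-path overwrite from the cmd/go commit listed before it, as an added example. This is not the internal/execabs source; SafeLookPath, SafeCommand and ErrRelativeLookup are hypothetical names chosen for the illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"path/filepath"
)

// ErrRelativeLookup is a hypothetical sentinel defined for this example.
var ErrRelativeLookup = errors.New("program resolved relative to current directory")

// SafeLookPath resolves file via PATH but refuses a bare name that resolves
// to a non-absolute path (a PATH entry such as "." or "").
func SafeLookPath(file string) (string, error) {
	path, err := exec.LookPath(file)
	// Check the path before err: newer Go releases return the relative
	// path together with an error, older ones return it with err == nil.
	if path != "" && filepath.Base(file) == file && !filepath.IsAbs(path) {
		return "", fmt.Errorf("%s resolved to %s: %w", file, path, ErrRelativeLookup)
	}
	if err != nil {
		return "", err
	}
	return path, nil
}

// SafeCommand builds an exec.Cmd whose Path and Args[0] are both the
// resolved path, so the bare name is never looked up a second time.
func SafeCommand(name string, args ...string) (*exec.Cmd, error) {
	path, err := SafeLookPath(name)
	if err != nil {
		return nil, err
	}
	return exec.Command(path, args...), nil
}

func main() {
	cmd, err := SafeCommand("go", "version")
	if err != nil {
		fmt.Println("refused or not found:", err)
		return
	}
	fmt.Println("would run:", cmd.Path, cmd.Args)
}
```

A name that already contains a path separator, such as ./tool, is passed through unchanged, because the caller asked for that location explicitly.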

commit bd04382057fcfadd78ccc80684ab4c942d1adf9a
Author: Russ Cox
Date: 2021-01-11 09:43:08 -05:00

[release-branch.go1.14-security] cmd/go: add test case for cgo CC setting

Change-Id: Ied986053a64447c5eac6369f6c9b69ed3d3f94d9
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/949415
Reviewed-by: Ian Lance Taylor <iant@google.com>
(cherry picked from commit e97d4ed8dcc1fed64fe44b56dfdfb0f929aabb65)
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/955298
Reviewed-by: Katie Hockman <katiehockman@google.com>

commit 4bf9990a6bc8d7c44650f7f061639a2507104366
Author: Russ Cox
Date: 2021-01-11 10:01:24 -05:00

[release-branch.go1.14-security] cmd/cgo: report exec errors a bit more clearly

Change-Id: I0e6bebf0e2e6efdef4be880e0c6c7451b938924b
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/949417
Reviewed-by: Katie Hockman <katiehockman@google.com>
Reviewed-by: Jay Conrod <jayconrod@google.com>
Reviewed-by: Ian Lance Taylor <iant@google.com>
(cherry picked from commit 4c2e5f85dda6ad5cc1d5be863ae62f2050f12be9)
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/955296
