commit c53315d6cf1b4bfea6ff356b4a1524778c683bb9
Author: Carlos Amedee
Date: 2020-11-12 09:43:55 -05:00
[release-branch.go1.15-security] go1.15.5
Change-Id: Id3b116c0f54c2131111bc8afacb8d81d06f96461
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/901407
Reviewed-by: Katie Hockman <katiehockman@google.com>
commit 84150d0af193a7ccd733b3c7fa5787f43125cd2d
Author: Katie Hockman
Date: 2020-11-10 15:54:12 -05:00
[release-branch.go1.15-security] math/big: fix shift for recursive division
The previous s value could cause a crash
for certain inputs.
Will check in tests and documentation improvements later.
Thanks to the Go Ethereum team and the OSS-Fuzz project for reporting this.
Thanks to Rémy Oudompheng and Robert Griesemer for their help
developing and validating the fix.
Fixes CVE-2020-28362
Change-Id: Ibbf455c4436bcdb07c84a34fa6551fb3422356d3
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/899974
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Filippo Valsorda <valsorda@google.com>
(cherry picked from commit 28015462c2a83239543dc2bef651e9a5f234b633)
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/901065
commit ec06b6d6be568ce1591d91a0ea4f14c190d06605
Author: Ian Lance Taylor
Date: 2020-11-02 21:31:06 -08:00
[release-branch.go1.15-security] cmd/go: in cgoflags, permit -DX1, prohibit -Wp,-D,opt
Restrict -D and -U to ASCII C identifiers, but do permit trailing digits.
When using -Wp, prohibit commas in -D values.
Thanks to Imre Rad (https://www.linkedin.com/in/imre-rad-2358749b) for reporting this.
Fixes CVE-2020-28367
Change-Id: Ibfc4dfdd6e6c258e131448e7682610c44eee9492
Reviewed-on: https://go-review.googlesource.com/c/go/+/267277
Trust: Ian Lance Taylor <iant@golang.org>
Run-TryBot: Ian Lance Taylor <iant@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Bryan C. Mills <bcmills@google.com>
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/899924
Reviewed-by: Filippo Valsorda <valsorda@google.com>
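The rule described in the commit above (macro names restricted to ASCII C identifiers, trailing digits such as -DX1 allowed, commas refused when a -D arrives through -Wp,) can be written down as a small validator. The code below is an added illustration, not the go tool's own flag-checking code; the function name checkDefine and the sample flags are constructed for this example, and the value after "=" is deliberately left unchecked beyond the comma rule so the example shows only the restriction the commit names.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// identRE matches an ASCII C identifier: a letter or underscore followed by
// letters, digits or underscores. A name like X1 (trailing digit) is fine;
// 1X or a non-ASCII name is not.
var identRE = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*$`)

// checkDefine validates one -D or -U flag as it might appear in CGO_CFLAGS
// or a #cgo directive. Illustrative rules, following the commit description:
//   - the macro name must be an ASCII C identifier;
//   - -D may carry "=value", -U may not;
//   - a flag passed via -Wp,... may not contain a comma, because the
//     preprocessor would split the value into further arguments (-Wp,-D,opt).
func checkDefine(flag string) error {
	viaWp := false
	if strings.HasPrefix(flag, "-Wp,") {
		viaWp = true
		flag = strings.TrimPrefix(flag, "-Wp,")
	}
	if len(flag) < 3 || flag[0] != '-' || (flag[1] != 'D' && flag[1] != 'U') {
		return fmt.Errorf("not a -D/-U flag: %q", flag)
	}
	body := flag[2:]
	if viaWp && strings.Contains(body, ",") {
		return fmt.Errorf("comma not allowed in -Wp,-%c value: %q", flag[1], body)
	}
	name := body
	hasValue := false
	if i := strings.IndexByte(body, '='); i >= 0 {
		name, hasValue = body[:i], true
	}
	if !identRE.MatchString(name) {
		return fmt.Errorf("macro name is not an ASCII C identifier: %q", name)
	}
	if hasValue && flag[1] == 'U' {
		return errors.New("-U does not take a value")
	}
	return nil
}

func main() {
	// Constructed sample flags: the first three are accepted, the rest rejected.
	for _, f := range []string{
		"-DX1", "-DFOO=bar", "-Wp,-UFOO",
		"-D1X", "-Wp,-D,opt", "-Wp,-DFOO=a,b", "-UFOO=1", "-Dfoo bar",
	} {
		if err := checkDefine(f); err != nil {
			fmt.Printf("reject %-16q %v\n", f, err)
		} else {
			fmt.Printf("accept %-16q\n", f)
		}
	}
}
```

The check is deliberately conservative: anything that is not plainly a -D or -U with an identifier-shaped name is refused, and when -Wp, is involved the whole remainder is refused if it contains a comma at all, which is what closes the -Wp,-D,opt path from the commit title.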
commit 32159824698a82a174b60a6845e8494ae3243102
Author: Ian Lance Taylor
Date: 2020-11-06 09:38:38 -08:00
[release-branch.go1.15-security] cmd/go, cmd/cgo: don't let bogus symbol set cgo_ldflag
A hand-edited object file can have a symbol name that uses newline and
other normally invalid characters. The cgo tool will generate Go files
containing symbol names, unquoted. That can permit those symbol names
to inject Go code into a cgo-generated file. If that Go code uses the
//go:cgo_ldflag pragma, it can cause the C linker to run arbitrary
code when building a package. If you build an imported package we
permit arbitrary code at run time, but we don't want to permit it at
package build time. This CL prevents this in two ways.
In cgo, reject invalid symbols that contain non-printable or space
characters, or that contain anything that looks like a Go comment.
In the go tool, double check all //go:cgo_ldflag directives in
generated code, to make sure they follow the existing LDFLAG restrictions.
Thanks to Chris Brown and Tempus Ex for reporting this.
Fixes CVE-2020-28366
Change-Id: Ia1ad8f3791ea79612690fa7d26ac451d0f6df7c1
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/895832
Reviewed-by: Than McIntosh <thanm@google.com>
Reviewed-by: Cherry Zhang <cherryyz@google.com>
(cherry picked from commit 6bc814dd2bbfeaafa41d314dd4cc591b575dfbf6)
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/901056
Reviewed-by: Filippo Valsorda <valsorda@google.com>
Reviewed-by: Roland Shoemaker <bracewell@google.com>
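The two layers the commit above describes, rejecting symbol names that cannot be written safely into generated Go source and re-screening every //go:cgo_ldflag directive that does reach a generated file, can be sketched as two independent checks. This is an added example, not the code of cgo or the go tool; the function names, the regular expression for the directive and the tiny linker-flag allowlist (only -l<name> and -L<dir>) are constructed for illustration, and the allowlist is far narrower than whatever the real build system permits.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"regexp"
	"strings"
	"unicode"
	"unicode/utf8"
)

// checkSymbolName rejects names that must never be copied verbatim into
// generated Go source: a newline or other non-printable byte would terminate
// the line the name sits on, whitespace would split it, and a "//" or "/*"
// inside the name would open a Go comment in the generated file.
func checkSymbolName(name string) error {
	if name == "" {
		return errors.New("empty symbol name")
	}
	if !utf8.ValidString(name) {
		return fmt.Errorf("symbol %q: invalid UTF-8", name)
	}
	for i, r := range name {
		if unicode.IsSpace(r) || !unicode.IsPrint(r) {
			return fmt.Errorf("symbol %q: invalid character at byte %d", name, i)
		}
	}
	if strings.Contains(name, "//") || strings.Contains(name, "/*") {
		return fmt.Errorf("symbol %q: contains a Go comment marker", name)
	}
	return nil
}

// ldflagRE matches a //go:cgo_ldflag directive and captures its quoted argument.
var ldflagRE = regexp.MustCompile(`^//go:cgo_ldflag\s+"([^"]*)"\s*$`)

// allowedLDFlags is an illustrative allowlist (not the go tool's real one):
// a library name or a search directory with a conservative character set.
var allowedLDFlags = []*regexp.Regexp{
	regexp.MustCompile(`^-l[A-Za-z0-9_+.-]+$`),
	regexp.MustCompile(`^-L[A-Za-z0-9_/+.-]+$`),
}

// checkGeneratedLDFlags scans generated Go source line by line and returns
// the accepted linker flags, stopping with an error at the first
// //go:cgo_ldflag whose argument is not on the allowlist. This is the second
// layer: even if a bad name slipped into the file, the flag it tries to hand
// to the linker is still screened before the build proceeds.
func checkGeneratedLDFlags(src string) ([]string, error) {
	var flags []string
	sc := bufio.NewScanner(strings.NewReader(src))
	line := 0
	for sc.Scan() {
		line++
		m := ldflagRE.FindStringSubmatch(sc.Text())
		if m == nil {
			continue
		}
		allowed := false
		for _, re := range allowedLDFlags {
			if re.MatchString(m[1]) {
				allowed = true
				break
			}
		}
		if !allowed {
			return flags, fmt.Errorf("line %d: disallowed cgo_ldflag %q", line, m[1])
		}
		flags = append(flags, m[1])
	}
	return flags, sc.Err()
}

func main() {
	// Constructed symbol names: the first is fine, the others are rejected.
	for _, s := range []string{"puts", "bad\nname", "a b", "x/*y*/"} {
		fmt.Printf("%-12q -> %v\n", s, checkSymbolName(s))
	}
	// Constructed generated-source fragment with one acceptable and one
	// unacceptable directive.
	src := "//go:cgo_ldflag \"-lm\"\n//go:cgo_ldflag \"-Wl,-rpath,/tmp\"\n"
	flags, err := checkGeneratedLDFlags(src)
	fmt.Println("accepted:", flags, "error:", err)
}
```

Running the two checks separately matters: the symbol check stops malformed input at the point where text is turned into Go source, while the directive scan assumes nothing about how the source was produced and re-validates the only thing that can reach the linker.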
commit 0e953add9656c32a788e06438cd7b533e968b7f8
Author: Alexander Rakoczy
Date: 2020-11-05 13:12:55 -05:00
[release-branch.go1.15] go1.15.4
Change-Id: Ibcd61e2c7ef7cc6f8509dadea6c3952c5dd7016e
Reviewed-on: https://go-review.googlesource.com/c/go/+/267879
Run-TryBot: Alexander Rakoczy <alex@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
Trust: Alexander Rakoczy <alex@golang.org>