commit 2117ea9737bc9cb2e30cb087b76a283f68768819
Author: Dmitri Shuralyov
Date: 2021-01-19 13:59:33 -05:00
[release-branch.go1.15-security] go1.15.7
Change-Id: Ieec3576afa00cadf91166bf4df39037702635b86
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/957920
Reviewed-by: Roland Shoemaker <bracewell@google.com>

commit 14936d407aba84b76ec77b14f4697b31f0ac05aa
Author: Roland Shoemaker
Date: 2021-01-19 09:59:24 -08:00
[release-branch.go1.15-security] cmd/go: overwrite program name with full path
If the program path is resolved, replace the first argument of the
exec.Cmd, which is the bare program name, with the resolved path.
Change-Id: I92cf5e6f4bb7c8fef9b59f5eab963f4e75b90d07
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/957908
Reviewed-by: Katie Hockman <katiehockman@google.com>
Reviewed-by: Russ Cox <rsc@google.com>
Reviewed-by: Jay Conrod <jayconrod@google.com>
(cherry picked from commit a863cb56b33a24aad88f23f1d48629dc4b4b9539)
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/958254
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>

commit 07e3195293ec510171d7d43ec8ac2bcb9cf00df4
Author: Roland Shoemaker
Date: 2021-01-15 12:14:06 -08:00
[release-branch.go1.15-security] all: introduce and use internal/execabs
Introduces a wrapper around os/exec, internal/execabs, for use in
all commands. This wrapper prevents exec.LookPath and exec.Command from
running executables in the current directory.
All imports of os/exec in non-test files in cmd/ are replaced with
imports of internal/execabs.
This issue was reported by RyotaK.
Fixes CVE-2021-3115
Change-Id: I0423451a6e27ec1e1d6f3fe929ab1ef69145c08f
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/955304
Reviewed-by: Russ Cox <rsc@google.com>
Reviewed-by: Katie Hockman <katiehockman@google.com>
(cherry picked from commit 44f09a6990ccf4db601cbf8208c89ac4e888f884)
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/955308
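
The following sketch illustrates the check described in the internal/execabs commit message above, together with the "overwrite program name with full path" change listed before it. It is an added example, not the Go project's code. The names checkResolved, safeLookPath and safeCommand are hypothetical, and the lookup of "go" in main is constructed input.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
)

// checkResolved rejects a bare program name that resolved to a non-absolute
// path (found via the current directory). Names with a directory pass through.
func checkResolved(file, resolved string) error {
	if filepath.Base(file) == file && !filepath.IsAbs(resolved) {
		return fmt.Errorf("%s resolves to executable relative to current directory (%s)", file, resolved)
	}
	return nil
}

// safeLookPath (hypothetical name) is exec.LookPath plus the check above.
func safeLookPath(file string) (string, error) {
	resolved, err := exec.LookPath(file)
	if err != nil {
		return "", err // Go 1.19+ reports the current-directory case here as exec.ErrDot
	}
	if err := checkResolved(file, resolved); err != nil {
		return "", err
	}
	return resolved, nil
}

// safeCommand (hypothetical name) resolves the program first and builds the
// exec.Cmd from the resolved path, so Path and Args[0] name the same binary.
func safeCommand(name string, arg ...string) (*exec.Cmd, error) {
	resolved, err := safeLookPath(name)
	if err != nil {
		return nil, err
	}
	return exec.Command(resolved, arg...), nil
}

func main() {
	// Constructed input: look up "go" the way a build tool would.
	cmd, err := safeCommand("go", "version")
	if err != nil {
		fmt.Fprintln(os.Stderr, "refusing to run:", err)
		return
	}
	fmt.Println("would run", cmd.Path, cmd.Args)
}
```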

commit b21052258ef27a7b267df21411dd4e8ddbdee5fe
Author: Russ Cox
Date: 2021-01-11 09:43:08 -05:00
[release-branch.go1.15-security] cmd/go: add test case for cgo CC setting
Change-Id: Ied986053a64447c5eac6369f6c9b69ed3d3f94d9
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/949415
Reviewed-by: Ian Lance Taylor <iant@google.com>
(cherry picked from commit e97d4ed8dcc1fed64fe44b56dfdfb0f929aabb65)
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/955297
Reviewed-by: Katie Hockman <katiehockman@google.com>

commit 6632c5b8a812125784c105263551a94bd5817eda
Author: Russ Cox
Date: 2021-01-11 10:01:24 -05:00
[release-branch.go1.15-security] cmd/cgo: report exec errors a bit more clearly
Change-Id: I0e6bebf0e2e6efdef4be880e0c6c7451b938924b
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/949417
Reviewed-by: Katie Hockman <katiehockman@google.com>
Reviewed-by: Jay Conrod <jayconrod@google.com>
Reviewed-by: Ian Lance Taylor <iant@google.com>
(cherry picked from commit 4c2e5f85dda6ad5cc1d5be863ae62f2050f12be9)
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/955295