From d57e23e7bd6a8f80ace3f1d668a387cf1bc989f7 Mon Sep 17 00:00:00 2001
From: hanchao
Date: Wed, 23 Mar 2022 20:51:31 +0800
Subject: [PATCH 2/2] fix patch cmd-go-internal-modfetch-do-not-short-circuit-canoni.patch
reason:the above patch is to fix CVE-2022-23773, but it does not work with golang1.15, so this patch is used to fix the above issue.
Conflict:NA
Reference:https://go-review.googlesource.com/c/go/+/378400/
Signed-off-by: hanchao
---
 src/cmd/go/internal/modfetch/coderepo.go | 24 +++++------------------
 1 file changed, 5 insertions(+), 19 deletions(-)
diff --git a/src/cmd/go/internal/modfetch/coderepo.go b/src/cmd/go/internal/modfetch/coderepo.go
index c654b36..def62d7 100644
--- a/src/cmd/go/internal/modfetch/coderepo.go
+++ b/src/cmd/go/internal/modfetch/coderepo.go
@@ -456,11 +456,6 @@ func (r *codeRepo) convert(info *codehost.RevInfo, statVers string) (*RevInfo, e
 tagPrefix = r.codeDir + "/"
 }
- isRetracted, err := r.retractedVersions()
- if err != nil {
- isRetracted = func(string) bool { return false }
- }
-
 // tagToVersion returns the version obtained by trimming tagPrefix from tag.
 // If the tag is invalid, retracted, or a pseudo-version, tagToVersion returns
 // an empty version.
@@ -523,7 +518,7 @@ func (r *codeRepo) convert(info *codehost.RevInfo, statVers string) (*RevInfo, e
 }
 // Save the highest non-retracted canonical tag for the revision.
 // If we don't find a better match, we'll use it as the canonical version.
- if tagIsCanonical && semver.Compare(highestCanonical, v) < 0 && !isRetracted(v) {
+ if tagIsCanonical && semver.Compare(highestCanonical, v) < 0 {
 if module.MatchPathMajor(v, r.pathMajor) || canUseIncompatible(v) {
 highestCanonical = v
 }
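Review bot: The context comment above tagToVersion still lists "retracted" as a reason for an empty version, and the comment in the following hunk still says "highest non-retracted canonical tag", although this patch removes every isRetracted check visible in convert. Rewording them to `// If the tag is invalid or a pseudo-version, tagToVersion returns` and `// Save the highest canonical tag for the revision.` would keep a later reader of this CVE-2022-23773 backport from assuming retraction filtering still happens on golang1.15. The body of tagToVersion lies outside the hunk, so it cannot be confirmed from here that it no longer references isRetracted; if it does, the build breaks once the declaration is removed.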
@@ -536,27 +531,18 @@ func (r *codeRepo) convert(info *codehost.RevInfo, statVers string) (*RevInfo, e
 return checkCanonical(highestCanonical)
 }
- // Find the highest tagged version in the revision's history, subject to
- // major version and +incompatible constraints. Use that version as the
- // pseudo-version base so that the pseudo-version sorts higher. Ignore
- // retracted versions.
- allowedMajor := func(major string) func(v string) bool {
- return func(v string) bool {
- return ((major == "" && canUseIncompatible(v)) || semver.Major(v) == major) && !isRetracted(v)
- }
- }
 if pseudoBase == "" {
 var tag string
 if r.pseudoMajor != "" || canUseIncompatible("") {
- tag, _ = r.code.RecentTag(info.Name, tagPrefix, allowedMajor(r.pseudoMajor))
+ tag, _ = r.code.RecentTag(info.Name, tagPrefix, r.pseudoMajor)
 } else {
 // Allow either v1 or v0, but not incompatible higher versions.
- tag, _ = r.code.RecentTag(info.Name, tagPrefix, allowedMajor("v1"))
+ tag, _ = r.code.RecentTag(info.Name, tagPrefix, "v1")
 if tag == "" {
- tag, _ = r.code.RecentTag(info.Name, tagPrefix, allowedMajor("v0"))
+ tag, _ = r.code.RecentTag(info.Name, tagPrefix, "v0")
 }
 }
- pseudoBase, _ = tagToVersion(tag)
+ pseudoBase, _ = tagToVersion(tag) // empty if the tag is invalid
 }
 return checkCanonical(PseudoVersion(r.pseudoMajor, pseudoBase, info.Time, info.Short))
--
2.30.0
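Review bot: The three `tag, _ = r.code.RecentTag(...)` calls discard the returned error, so a failed tag lookup looks the same as "no tag" and silently produces an empty pseudoBase. A comment such as `// best effort: on error fall back to an empty pseudo-version base` would record that this is intentional. With allowedMajor removed, the per-tag `canUseIncompatible(v)` test for an empty major no longer runs in convert, and filtering depends entirely on how RecentTag treats its string argument; that is not visible here and should be confirmed against the golang1.15 tree. The diffstat shows only coderepo.go changed, so unless patch 1/2 carries a regression test for CVE-2022-23773, one is worth adding. convert begins outside this hunk.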