golang/0021-golang-fix-CVE-2020-28367.patch
jingrui d2049ce1ac golang: sync cve fix
Signed-off-by: jingrui <jingrui@huawei.com>
2021-01-18 17:40:01 +08:00


From ac9a264a575bbbc9de2374a65a6c8fd50c32000d Mon Sep 17 00:00:00 2001
From: liuzekun <liuzekun@huawei.com>
Date: Mon, 30 Nov 2020 22:18:43 -0500
Subject: [PATCH] golang: fix CVE-2020-28367
Upstream: https://github.com/golang/go/commit/da7aa86917811a571e6634b45a457f918b8e6561
cmd/go: in cgoflags, permit -DX1, prohibit -Wp,-D,opt
Restrict -D and -U to ASCII C identifiers, but do permit trailing digits.
When using -Wp, prohibit commas in -D values.
Change-Id: Ibfc4dfdd6e6c258e131448e7682610c44eee9492
Reviewed-on: https://go-review.googlesource.com/c/go/+/267277
Trust: Ian Lance Taylor <iant@golang.org>
Run-TryBot: Ian Lance Taylor <iant@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Bryan C. Mills <bcmills@google.com>
---
src/cmd/go/internal/work/security.go | 4 ++--
src/cmd/go/internal/work/security_test.go | 2 ++
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/cmd/go/internal/work/security.go b/src/cmd/go/internal/work/security.go
index 0d8da21..b00c21e 100644
--- a/src/cmd/go/internal/work/security.go
+++ b/src/cmd/go/internal/work/security.go
@@ -42,7 +42,7 @@ import (
var re = lazyregexp.New
var validCompilerFlags = []*lazyregexp.Regexp{
- re(`-D([A-Za-z_].*)`),
+ re(`-D([A-Za-z_][A-Za-z0-9_]*)(=[^@\-]*)?`),
re(`-F([^@\-].*)`),
re(`-I([^@\-].*)`),
re(`-O`),
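Review bot: The tightened `-D` pattern here, and the `-Wp,-D` pattern in the next hunk, carry no comment saying what the character classes are meant to keep out, unlike the neighbouring `-W([^@,]+)` entry. I would add `// -DNAME or -DNAME=value; value may not contain '@' or '-'.` above this line, and on the `-Wp,-D` line note that ',' is excluded as well so no further preprocessor option can be appended. The value class rejects every `-`, so a definition such as `-DN=-1` (constructed example) that the old pattern accepted now fails validation; that looks intentional but is worth stating for packagers. Both patterns are unanchored, so the restriction only holds if the matcher outside this hunk requires the whole argument to match, which should be confirmed in this tree.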
@@ -50,7 +50,7 @@ var validCompilerFlags = []*lazyregexp.Regexp{
re(`-W`),
re(`-W([^@,]+)`), // -Wall but not -Wa,-foo.
re(`-Wa,-mbig-obj`),
- re(`-Wp,-D([A-Za-z_].*)`),
+ re(`-Wp,-D([A-Za-z_][A-Za-z0-9_]*)(=[^@,\-]*)?`),
re(`-ansi`),
re(`-f(no-)?asynchronous-unwind-tables`),
re(`-f(no-)?blocks`),
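Review bot: The patch description says `-D` and `-U` are restricted, but neither hunk in security.go touches a `-U` or `-Wp,-U` pattern. In the visible context `-D` is followed directly by `-F` and `-Wp,-D` by `-ansi`, so this tree presumably has no `-U` entries, though the full list is outside the hunks. A line in the patch header such as `Backport note: this branch has no -U/-Wp,-U patterns, so only -D is changed.` would stop the backport being read as incomplete against the upstream commit.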
diff --git a/src/cmd/go/internal/work/security_test.go b/src/cmd/go/internal/work/security_test.go
index fd8caea..eac029d 100644
--- a/src/cmd/go/internal/work/security_test.go
+++ b/src/cmd/go/internal/work/security_test.go
@@ -21,6 +21,7 @@ var goodCompilerFlags = [][]string{
{"-Osmall"},
{"-W"},
{"-Wall"},
+ {"-Wp,-Dfoo1"},
{"-fobjc-arc"},
{"-fno-objc-arc"},
{"-fomit-frame-pointer"},
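Review bot: The only positive case added is the `-Wp,` form, while the subject line names plain `-DX1`, and nothing new exercises the `=value` branch of either pattern. Unless they already exist outside this hunk, I would add `{"-Dfoo1"},` and `{"-Wp,-Dfoo=1"},` (constructed examples) so a later over-tightening of the identifier or value class is caught. The list continues outside the hunk.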
@@ -70,6 +71,7 @@ var badCompilerFlags = [][]string{
{"-I-dir"},
{"-O@1"},
{"-Wa,-foo"},
+ {"-Wp,-DX,-D@X"},
{"-W@foo"},
{"-g@gdb"},
{"-g-gdb"},
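Review bot: The new negative case `-Wp,-DX,-D@X` is rejected because the identifier class stops at the comma, so the `[^@,\-]` value class added by this patch is never exercised by a failing test. I would add cases that go through `=`, for example `{"-Wp,-DX=1,-DY"},` and `{"-DX=@y"},` (constructed examples), so the comma and `@` exclusions inside the value are pinned. The list continues outside the hunk, so check that equivalent entries are not already present.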
--
2.19.1