Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package go1.18 for openSUSE:Factory checked in at 2023-03-19 16:16:15 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/go1.18 (Old) and /work/SRC/openSUSE:Factory/.go1.18.new.31432 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "go1.18" Sun Mar 19 16:16:15 2023 rev:20 rq:1072629 version:1.18.10 Changes: -------- --- /work/SRC/openSUSE:Factory/go1.18/go1.18.changes 2023-01-11 17:14:27.635619547 +0100 +++ /work/SRC/openSUSE:Factory/.go1.18.new.31432/go1.18.changes 2023-03-19 16:16:35.979328293 +0100 @@ -1,0 +2,8 @@ +Wed Mar 1 17:04:37 UTC 2023 - Jaroslav Jindrak <jjind...@suse.com> + +- Fix for SG#65262, bsc#1208491: + * go#57855 boo#1208270 security: fix CVE-2022-41723 bsc1208491.patch + * go#58001 boo#1208271 security: fix CVE-2022-41724 bsc1208491-41724.patch + * go#58006 boo#1208272 security: fix CVE-2022-41725 bsc1208491-41725.patch + +------------------------------------------------------------------- New: ---- bsc1208491-41724.patch bsc1208491-41725.patch bsc1208491.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ go1.18.spec ++++++ --- /var/tmp/diff_new_pack.la7ITr/_old 2023-03-19 16:16:36.639331501 +0100 +++ /var/tmp/diff_new_pack.la7ITr/_new 2023-03-19 16:16:36.643331521 +0100 @@ -150,6 +150,9 @@ Patch7: dont-force-gold-on-arm64.patch # PATCH-FIX-UPSTREAM marguer...@opensuse.org - find /usr/bin/go-8 when bootstrapping with gcc8-go Patch8: gcc-go.patch +Patch9: bsc1208491.patch +Patch10: bsc1208491-41724.patch +Patch11: bsc1208491-41725.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build # boostrap %if %{with gccgo} @@ -226,6 +229,9 @@ sed -i "s/\$gcc_go_version/%{gcc_go_version}/" $RPM_SOURCE_DIR/gcc-go.patch %patch8 -p1 %endif +%patch9 -p1 +%patch10 -p1 +%patch11 -p1 cp %{SOURCE4} . ++++++ bsc1208491-41724.patch ++++++ ++++ 2393 lines (skipped) ++++++ bsc1208491-41725.patch ++++++ ++++ 642 lines (skipped) ++++++ bsc1208491.patch ++++++ >From 5c3e11bd0b5c0a86e5beffcd4339b86a902b21c3 Mon Sep 17 00:00:00 2001 From: Roland Shoemaker <bracew...@google.com> Date: Mon, 6 Feb 2023 10:03:44 -0800 Subject: [PATCH] [release-branch.go1.19] net/http: update bundled golang.org/x/net/http2 Disable cmd/internal/moddeps test, since this update includes PRIVATE track fixes. Fixes CVE-2022-41723 Fixes #58355 Updates #57855 Change-Id: Ie870562a6f6e44e4e8f57db6a0dde1a41a2b090c Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1728939 Reviewed-by: Damien Neil <dn...@google.com> Reviewed-by: Julie Qiu <julie...@google.com> Reviewed-by: Tatiana Bradley <tatianabrad...@google.com> Run-TryBot: Roland Shoemaker <bracew...@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/468118 TryBot-Result: Gopher Robot <go...@golang.org> Run-TryBot: Michael Pratt <mpr...@google.com> Auto-Submit: Michael Pratt <mpr...@google.com> Reviewed-by: Than McIntosh <th...@google.com> --- src/cmd/internal/moddeps/moddeps_test.go | 2 +- .../golang.org/x/net/http2/hpack/hpack.go | 79 ++++++++++++------- 2 files changed, 50 insertions(+), 31 deletions(-) Index: go/src/cmd/internal/moddeps/moddeps_test.go =================================================================== --- go.orig/src/cmd/internal/moddeps/moddeps_test.go +++ go/src/cmd/internal/moddeps/moddeps_test.go @@ -34,7 +34,7 @@ import ( // See issues 36852, 41409, and 43687. // (Also see golang.org/issue/27348.) func TestAllDependencies(t *testing.T) { - t.Skip("TODO(#57008): 1.18.9 contains unreleased changes from vendored modules") + t.Skip("TODO(#58355): 1.18.9 contains unreleased changes from vendored modules") goBin := testenv.GoToolPath(t) Index: go/src/vendor/golang.org/x/net/http2/hpack/hpack.go =================================================================== --- go.orig/src/vendor/golang.org/x/net/http2/hpack/hpack.go +++ go/src/vendor/golang.org/x/net/http2/hpack/hpack.go @@ -359,6 +359,7 @@ func (d *Decoder) parseFieldLiteral(n ui var hf HeaderField wantStr := d.emitEnabled || it.indexed() + var undecodedName undecodedString if nameIdx > 0 { ihf, ok := d.at(nameIdx) if !ok { @@ -366,15 +367,27 @@ func (d *Decoder) parseFieldLiteral(n ui } hf.Name = ihf.Name } else { - hf.Name, buf, err = d.readString(buf, wantStr) + undecodedName, buf, err = d.readString(buf) if err != nil { return err } } - hf.Value, buf, err = d.readString(buf, wantStr) + undecodedValue, buf, err := d.readString(buf) if err != nil { return err } + if wantStr { + if nameIdx <= 0 { + hf.Name, err = d.decodeString(undecodedName) + if err != nil { + return err + } + } + hf.Value, err = d.decodeString(undecodedValue) + if err != nil { + return err + } + } d.buf = buf if it.indexed() { d.dynTab.add(hf) @@ -459,46 +472,52 @@ func readVarInt(n byte, p []byte) (i uin return 0, origP, errNeedMore } -// readString decodes an hpack string from p. +// readString reads an hpack string from p. // -// wantStr is whether s will be used. If false, decompression and -// []byte->string garbage are skipped if s will be ignored -// anyway. This does mean that huffman decoding errors for non-indexed -// strings past the MAX_HEADER_LIST_SIZE are ignored, but the server -// is returning an error anyway, and because they're not indexed, the error -// won't affect the decoding state. -func (d *Decoder) readString(p []byte, wantStr bool) (s string, remain []byte, err error) { +// It returns a reference to the encoded string data to permit deferring decode costs +// until after the caller verifies all data is present. +func (d *Decoder) readString(p []byte) (u undecodedString, remain []byte, err error) { if len(p) == 0 { - return "", p, errNeedMore + return u, p, errNeedMore } isHuff := p[0]&128 != 0 strLen, p, err := readVarInt(7, p) if err != nil { - return "", p, err + return u, p, err } if d.maxStrLen != 0 && strLen > uint64(d.maxStrLen) { - return "", nil, ErrStringLength + // Returning an error here means Huffman decoding errors + // for non-indexed strings past the maximum string length + // are ignored, but the server is returning an error anyway + // and because the string is not indexed the error will not + // affect the decoding state. + return u, nil, ErrStringLength } if uint64(len(p)) < strLen { - return "", p, errNeedMore - } - if !isHuff { - if wantStr { - s = string(p[:strLen]) - } - return s, p[strLen:], nil + return u, p, errNeedMore } + u.isHuff = isHuff + u.b = p[:strLen] + return u, p[strLen:], nil +} - if wantStr { - buf := bufPool.Get().(*bytes.Buffer) - buf.Reset() // don't trust others - defer bufPool.Put(buf) - if err := huffmanDecode(buf, d.maxStrLen, p[:strLen]); err != nil { - buf.Reset() - return "", nil, err - } +type undecodedString struct { + isHuff bool + b []byte +} + +func (d *Decoder) decodeString(u undecodedString) (string, error) { + if !u.isHuff { + return string(u.b), nil + } + buf := bufPool.Get().(*bytes.Buffer) + buf.Reset() // don't trust others + var s string + err := huffmanDecode(buf, d.maxStrLen, u.b) + if err == nil { s = buf.String() - buf.Reset() // be nice to GC } - return s, p[strLen:], nil + buf.Reset() // be nice to GC + bufPool.Put(buf) + return s, err }