Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package go1.18 for openSUSE:Factory checked
in at 2023-03-19 16:16:15
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/go1.18 (Old)
and /work/SRC/openSUSE:Factory/.go1.18.new.31432 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "go1.18"
Sun Mar 19 16:16:15 2023 rev:20 rq:1072629 version:1.18.10
Changes:
--------
--- /work/SRC/openSUSE:Factory/go1.18/go1.18.changes 2023-01-11
17:14:27.635619547 +0100
+++ /work/SRC/openSUSE:Factory/.go1.18.new.31432/go1.18.changes 2023-03-19
16:16:35.979328293 +0100
@@ -1,0 +2,8 @@
+Wed Mar 1 17:04:37 UTC 2023 - Jaroslav Jindrak <jjind...@suse.com>
+
+- Fix for SG#65262, bsc#1208491:
+ * go#57855 boo#1208270 security: fix CVE-2022-41723 bsc1208491.patch
+ * go#58001 boo#1208271 security: fix CVE-2022-41724 bsc1208491-41724.patch
+ * go#58006 boo#1208272 security: fix CVE-2022-41725 bsc1208491-41725.patch
+
+-------------------------------------------------------------------
New:
----
bsc1208491-41724.patch
bsc1208491-41725.patch
bsc1208491.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ go1.18.spec ++++++
--- /var/tmp/diff_new_pack.la7ITr/_old 2023-03-19 16:16:36.639331501 +0100
+++ /var/tmp/diff_new_pack.la7ITr/_new 2023-03-19 16:16:36.643331521 +0100
@@ -150,6 +150,9 @@
Patch7: dont-force-gold-on-arm64.patch
# PATCH-FIX-UPSTREAM marguer...@opensuse.org - find /usr/bin/go-8 when
bootstrapping with gcc8-go
Patch8: gcc-go.patch
+Patch9: bsc1208491.patch
+Patch10: bsc1208491-41724.patch
+Patch11: bsc1208491-41725.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
# boostrap
%if %{with gccgo}
@@ -226,6 +229,9 @@
sed -i "s/\$gcc_go_version/%{gcc_go_version}/" $RPM_SOURCE_DIR/gcc-go.patch
%patch8 -p1
%endif
+%patch9 -p1
+%patch10 -p1
+%patch11 -p1
cp %{SOURCE4} .
++++++ bsc1208491-41724.patch ++++++
++++ 2393 lines (skipped)
++++++ bsc1208491-41725.patch ++++++
++++ 642 lines (skipped)
++++++ bsc1208491.patch ++++++
>From 5c3e11bd0b5c0a86e5beffcd4339b86a902b21c3 Mon Sep 17 00:00:00 2001
From: Roland Shoemaker <bracew...@google.com>
Date: Mon, 6 Feb 2023 10:03:44 -0800
Subject: [PATCH] [release-branch.go1.19] net/http: update bundled
golang.org/x/net/http2
Disable cmd/internal/moddeps test, since this update includes PRIVATE
track fixes.
Fixes CVE-2022-41723
Fixes #58355
Updates #57855
Change-Id: Ie870562a6f6e44e4e8f57db6a0dde1a41a2b090c
Reviewed-on:
https://team-review.git.corp.google.com/c/golang/go-private/+/1728939
Reviewed-by: Damien Neil <dn...@google.com>
Reviewed-by: Julie Qiu <julie...@google.com>
Reviewed-by: Tatiana Bradley <tatianabrad...@google.com>
Run-TryBot: Roland Shoemaker <bracew...@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/468118
TryBot-Result: Gopher Robot <go...@golang.org>
Run-TryBot: Michael Pratt <mpr...@google.com>
Auto-Submit: Michael Pratt <mpr...@google.com>
Reviewed-by: Than McIntosh <th...@google.com>
---
src/cmd/internal/moddeps/moddeps_test.go | 2 +-
.../golang.org/x/net/http2/hpack/hpack.go | 79 ++++++++++++-------
2 files changed, 50 insertions(+), 31 deletions(-)
Index: go/src/cmd/internal/moddeps/moddeps_test.go
===================================================================
--- go.orig/src/cmd/internal/moddeps/moddeps_test.go
+++ go/src/cmd/internal/moddeps/moddeps_test.go
@@ -34,7 +34,7 @@ import (
// See issues 36852, 41409, and 43687.
// (Also see golang.org/issue/27348.)
func TestAllDependencies(t *testing.T) {
- t.Skip("TODO(#57008): 1.18.9 contains unreleased changes from vendored
modules")
+ t.Skip("TODO(#58355): 1.18.9 contains unreleased changes from vendored
modules")
goBin := testenv.GoToolPath(t)
Index: go/src/vendor/golang.org/x/net/http2/hpack/hpack.go
===================================================================
--- go.orig/src/vendor/golang.org/x/net/http2/hpack/hpack.go
+++ go/src/vendor/golang.org/x/net/http2/hpack/hpack.go
@@ -359,6 +359,7 @@ func (d *Decoder) parseFieldLiteral(n ui
var hf HeaderField
wantStr := d.emitEnabled || it.indexed()
+ var undecodedName undecodedString
if nameIdx > 0 {
ihf, ok := d.at(nameIdx)
if !ok {
@@ -366,15 +367,27 @@ func (d *Decoder) parseFieldLiteral(n ui
}
hf.Name = ihf.Name
} else {
- hf.Name, buf, err = d.readString(buf, wantStr)
+ undecodedName, buf, err = d.readString(buf)
if err != nil {
return err
}
}
- hf.Value, buf, err = d.readString(buf, wantStr)
+ undecodedValue, buf, err := d.readString(buf)
if err != nil {
return err
}
+ if wantStr {
+ if nameIdx <= 0 {
+ hf.Name, err = d.decodeString(undecodedName)
+ if err != nil {
+ return err
+ }
+ }
+ hf.Value, err = d.decodeString(undecodedValue)
+ if err != nil {
+ return err
+ }
+ }
d.buf = buf
if it.indexed() {
d.dynTab.add(hf)
@@ -459,46 +472,52 @@ func readVarInt(n byte, p []byte) (i uin
return 0, origP, errNeedMore
}
-// readString decodes an hpack string from p.
+// readString reads an hpack string from p.
//
-// wantStr is whether s will be used. If false, decompression and
-// []byte->string garbage are skipped if s will be ignored
-// anyway. This does mean that huffman decoding errors for non-indexed
-// strings past the MAX_HEADER_LIST_SIZE are ignored, but the server
-// is returning an error anyway, and because they're not indexed, the error
-// won't affect the decoding state.
-func (d *Decoder) readString(p []byte, wantStr bool) (s string, remain []byte,
err error) {
+// It returns a reference to the encoded string data to permit deferring
decode costs
+// until after the caller verifies all data is present.
+func (d *Decoder) readString(p []byte) (u undecodedString, remain []byte, err
error) {
if len(p) == 0 {
- return "", p, errNeedMore
+ return u, p, errNeedMore
}
isHuff := p[0]&128 != 0
strLen, p, err := readVarInt(7, p)
if err != nil {
- return "", p, err
+ return u, p, err
}
if d.maxStrLen != 0 && strLen > uint64(d.maxStrLen) {
- return "", nil, ErrStringLength
+ // Returning an error here means Huffman decoding errors
+ // for non-indexed strings past the maximum string length
+ // are ignored, but the server is returning an error anyway
+ // and because the string is not indexed the error will not
+ // affect the decoding state.
+ return u, nil, ErrStringLength
}
if uint64(len(p)) < strLen {
- return "", p, errNeedMore
- }
- if !isHuff {
- if wantStr {
- s = string(p[:strLen])
- }
- return s, p[strLen:], nil
+ return u, p, errNeedMore
}
+ u.isHuff = isHuff
+ u.b = p[:strLen]
+ return u, p[strLen:], nil
+}
- if wantStr {
- buf := bufPool.Get().(*bytes.Buffer)
- buf.Reset() // don't trust others
- defer bufPool.Put(buf)
- if err := huffmanDecode(buf, d.maxStrLen, p[:strLen]); err !=
nil {
- buf.Reset()
- return "", nil, err
- }
+type undecodedString struct {
+ isHuff bool
+ b []byte
+}
+
+func (d *Decoder) decodeString(u undecodedString) (string, error) {
+ if !u.isHuff {
+ return string(u.b), nil
+ }
+ buf := bufPool.Get().(*bytes.Buffer)
+ buf.Reset() // don't trust others
+ var s string
+ err := huffmanDecode(buf, d.maxStrLen, u.b)
+ if err == nil {
s = buf.String()
- buf.Reset() // be nice to GC
}
- return s, p[strLen:], nil
+ buf.Reset() // be nice to GC
+ bufPool.Put(buf)
+ return s, err
}
