commit: 85c73eab3c0c7c0975128301dfe1ef2427f78533 Author: Arthur Zamarin <arthurzam <AT> gentoo <DOT> org> AuthorDate: Fri Oct 17 16:54:44 2025 +0000 Commit: William Hubbs <williamh <AT> gentoo <DOT> org> CommitDate: Fri Oct 17 16:57:43 2025 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=85c73eab
dev-lang/go: add 1.25.3 with ipv6 validation fix Bug: https://bugs.gentoo.org/963930 Signed-off-by: William Hubbs <williamh <AT> gentoo.org> dev-lang/go/Manifest | 1 + dev-lang/go/files/go-1.25.3-ipv6-validation.patch | 86 ++++++++++++++ dev-lang/go/go-1.25.3.ebuild | 131 ++++++++++++++++++++++ 3 files changed, 218 insertions(+) diff --git a/dev-lang/go/Manifest b/dev-lang/go/Manifest index d5cd040803c9..2f9bb8f67f6b 100644 --- a/dev-lang/go/Manifest +++ b/dev-lang/go/Manifest @@ -1,3 +1,4 @@ DIST go1.24.7.src.tar.gz 30794506 BLAKE2B 850ffc97c83843c83d4dfb672dbe18c16b6feda5b76b70213241d583b5ef6c2c8d0bf532e15fa58cb4fceaaf1f66b52166d3badfc294ebecd1076ddd9c7a572e SHA512 656bb879244ba888af18b6e609fb2c4bc067b919827b9026c3ee44b3e2d0c7bffde262945de989880066196846b669c215da2e8c5d9adfb8491bb5d52af0d49a DIST go1.24.9.src.tar.gz 30800154 BLAKE2B 30e5ea7dac441a94bd023e152075651583b697c555da73e1581b6eef3dfdee0f7c30a774b8e9704940af60c43e97c8e8ba89b9e84d672a4805b5c969a4140ee8 SHA512 f553a6bdafa9e59d33756c99f6180dcb7e51762733f300488cdab1d42b918e0fff87fa42d714a6b667e039dd22e1ea14ef5f6e3eb1c9c215ff620d559a5c091a DIST go1.25.1.src.tar.gz 31974863 BLAKE2B a9f0d27a292b8197ed2307bcfe90af0adccaa1e0e8de0d59df5b65f57ac7dd2cbaee1905401f81af994934fa83070e42c24ff6090affe56461198e89457842c7 SHA512 e77ae799a0dcd4ded40a196c3645da5b7e808e417831d2c5441387b0fd0ed5f946b678305294c52fda0a258889225c24c6073bb0973c3531ba4aa107b6afe849 +DIST go1.25.3.src.tar.gz 31980799 BLAKE2B 4119c93544545b3e30b93ce4e1e9420447f7c9f8c68f9ef9debc8359028225e875e976aad91e390e3f0c7e5747d68d1e070280bd8376a56bd83c1894d68e6427 SHA512 91d32bbff864c06b5ee7b914d3d95c59462352a4c395adba85eaab72704a8aa4d19ac2a361ed64774dce3c8e01a8d4feadf1a788814f6d7b4072a3bdfefbb3b4 diff --git a/dev-lang/go/files/go-1.25.3-ipv6-validation.patch b/dev-lang/go/files/go-1.25.3-ipv6-validation.patch new file mode 100644 index 000000000000..4f162b2b09a9 --- /dev/null +++ b/dev-lang/go/files/go-1.25.3-ipv6-validation.patch @@ -0,0 +1,86 @@ +From 83449b7e2f261c94ea46842012c0992a3a714ce5 Mon Sep 17 00:00:00 2001 +From: Roland Shoemaker <[email protected]> +Date: Wed, 08 Oct 2025 17:13:12 -0700 +Subject: [PATCH] [release-branch.go1.25] net/url: allow IP-literals with IPv4-mapped IPv6 addresses + +The security fix we applied in CL709857 was overly broad. It applied +rules from RFC 2732, which disallowed IPv4-mapped IPv6 addresses, but +these were later allowed in RFC 3986, which is the canonical URI syntax +RFC. + +Revert the portion of CL709857 which restricted IPv4-mapped addresses, +and update the related tests. + +Updates #75815 +Fixes #75832 + +Change-Id: I3192f2275ad5c386f5c15006a6716bdb5282919d +Reviewed-on: https://go-review.googlesource.com/c/go/+/710375 +LUCI-TryBot-Result: Go LUCI <[email protected]> +Reviewed-by: Ethan Lee <[email protected]> +Auto-Submit: Roland Shoemaker <[email protected]> +(cherry picked from commit 9db7e30bb42eed9912f5e7e9e3959f3b38879d5b) +--- + +diff --git a/src/net/url/url.go b/src/net/url/url.go +index 40faa7c..1c50e06 100644 +--- a/src/net/url/url.go ++++ b/src/net/url/url.go +@@ -673,13 +673,13 @@ + + // Per RFC 3986, only a host identified by a valid + // IPv6 address can be enclosed by square brackets. +- // This excludes any IPv4 or IPv4-mapped addresses. ++ // This excludes any IPv4, but notably not IPv4-mapped addresses. + addr, err := netip.ParseAddr(unescapedHostname) + if err != nil { + return "", fmt.Errorf("invalid host: %w", err) + } +- if addr.Is4() || addr.Is4In6() { +- return "", errors.New("invalid IPv6 host") ++ if addr.Is4() { ++ return "", errors.New("invalid IP-literal") + } + return "[" + unescapedHostname + "]" + unescapedColonPort, nil + } else if i := strings.LastIndex(host, ":"); i != -1 { +diff --git a/src/net/url/url_test.go b/src/net/url/url_test.go +index 3206558..6084fac 100644 +--- a/src/net/url/url_test.go ++++ b/src/net/url/url_test.go +@@ -726,7 +726,7 @@ + {"https://[2001:db8::1]/path";, true}, // compressed IPv6 address with path + {"https://[fe80::1%25eth0]/path?query=1";, true}, // link-local with zone, path, and query + +- {"https://[::ffff:192.0.2.1]";, false}, ++ {"https://[::ffff:192.0.2.1]";, true}, + {"https://[:1] ", false}, + {"https://[1:2:3:4:5:6:7:8:9]";, false}, + {"https://[1::1::1]";, false}, +@@ -1672,16 +1672,17 @@ + {"cache_object:foo/bar", true}, + {"cache_object/:foo/bar", false}, + +- {"http://[192.168.0.1]/";, true}, // IPv4 in brackets +- {"http://[192.168.0.1]:8080/";, true}, // IPv4 in brackets with port +- {"http://[::ffff:192.168.0.1]/";, true}, // IPv4-mapped IPv6 in brackets +- {"http://[::ffff:192.168.0.1]:8080/";, true}, // IPv4-mapped IPv6 in brackets with port +- {"http://[::ffff:c0a8:1]/";, true}, // IPv4-mapped IPv6 in brackets (hex) +- {"http://[not-an-ip]/";, true}, // invalid IP string in brackets +- {"http://[fe80::1%foo]/";, true}, // invalid zone format in brackets +- {"http://[fe80::1";, true}, // missing closing bracket +- {"http://fe80::1]/";, true}, // missing opening bracket +- {"http://[test.com]/";, true}, // domain name in brackets ++ {"http://[192.168.0.1]/";, true}, // IPv4 in brackets ++ {"http://[192.168.0.1]:8080/";, true}, // IPv4 in brackets with port ++ {"http://[::ffff:192.168.0.1]/";, false}, // IPv4-mapped IPv6 in brackets ++ {"http://[::ffff:192.168.0.1000]/";, true}, // Out of range IPv4-mapped IPv6 in brackets ++ {"http://[::ffff:192.168.0.1]:8080/";, false}, // IPv4-mapped IPv6 in brackets with port ++ {"http://[::ffff:c0a8:1]/";, false}, // IPv4-mapped IPv6 in brackets (hex) ++ {"http://[not-an-ip]/";, true}, // invalid IP string in brackets ++ {"http://[fe80::1%foo]/";, true}, // invalid zone format in brackets ++ {"http://[fe80::1";, true}, // missing closing bracket ++ {"http://fe80::1]/";, true}, // missing opening bracket ++ {"http://[test.com]/";, true}, // domain name in brackets + } + for _, tt := range tests { + u, err := Parse(tt.in) diff --git a/dev-lang/go/go-1.25.3.ebuild b/dev-lang/go/go-1.25.3.ebuild new file mode 100644 index 000000000000..a87421adb53a --- /dev/null +++ b/dev-lang/go/go-1.25.3.ebuild @@ -0,0 +1,131 @@ +# Copyright 1999-2025 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +export CBUILD=${CBUILD:-${CHOST}} +export CTARGET=${CTARGET:-${CHOST}} + +# See "Bootstrap" in release notes +GO_BOOTSTRAP_MIN=1.22.12 +MY_PV=${PV/_/} + +inherit go-env toolchain-funcs + +case ${PV} in +*9999*) + EGIT_REPO_URI="https://github.com/golang/go.git"; + inherit git-r3 + ;; +*) + SRC_URI="https://storage.googleapis.com/golang/go${MY_PV}.src.tar.gz " + S="${WORKDIR}"/go + KEYWORDS="-* ~amd64 ~arm ~arm64 ~loong ~mips ~ppc64 ~riscv ~s390 ~x86 ~amd64-linux ~x86-linux ~x64-macos ~x64-solaris" + ;; +esac + +DESCRIPTION="A concurrent garbage collected and typesafe programming language" +HOMEPAGE="https://go.dev"; + +LICENSE="BSD" +SLOT="0/${PV}" +IUSE="cpu_flags_x86_sse2" + +BDEPEND="|| ( + >=dev-lang/go-${GO_BOOTSTRAP_MIN} + >=dev-lang/go-bootstrap-${GO_BOOTSTRAP_MIN} )" + +# the *.syso files have writable/executable stacks +QA_EXECSTACK='*.syso' + +# Do not complain about CFLAGS, etc, since Go doesn't use them. +QA_FLAGS_IGNORED='.*' + +# The tools in /usr/lib/go should not cause the multilib-strict check to fail. +QA_MULTILIB_PATHS="usr/lib/go/pkg/tool/.*/.*" + +# This package triggers "unrecognized elf file(s)" notices on riscv. +# https://bugs.gentoo.org/794046 +QA_PREBUILT="*" +QA_PRESTRIPPED="*.syso" + +DOCS=( + CONTRIBUTING.md + PATENTS + README.md + SECURITY.md +) + +go_tuple() { + echo "$(go-env_goos $@)_$(go-env_goarch $@)" +} + +go_cross_compile() { + [[ $(go_tuple ${CBUILD}) != $(go_tuple) ]] +} + +PATCHES=( + "${FILESDIR}"/go-1.24-skip-gdb-tests.patch + "${FILESDIR}"/go-1.24-dont-force-gold-arm.patch + "${FILESDIR}"/go-1.25-no-dwarf5.patch + "${FILESDIR}"/go-1.25.3-ipv6-validation.patch # https://go-review.googlesource.com/c/go/+/712240 + "${FILESDIR}"/go-never-download-newer-toolchains.patch +) + +src_compile() { + if has_version -b ">=dev-lang/go-${GO_BOOTSTRAP_MIN}"; then + export GOROOT_BOOTSTRAP="${BROOT}/usr/lib/go" + elif has_version -b ">=dev-lang/go-bootstrap-${GO_BOOTSTRAP_MIN}"; then + export GOROOT_BOOTSTRAP="${BROOT}/usr/lib/go-bootstrap" + else + eerror "Go cannot be built without go or go-bootstrap installed" + die "Should not be here, please report a bug" + fi + + # Go's build script does not use BUILD/HOST/TARGET consistently. :( + export GOHOSTARCH=$(go-env_goarch ${CBUILD}) + export GOHOSTOS=$(go-env_goos ${CBUILD}) + export CC=$(tc-getBUILD_CC) + + export GOARCH=$(go-env_goarch) + export GOOS=$(go-env_goos) + export CC_FOR_TARGET=$(tc-getCC) + export CXX_FOR_TARGET=$(tc-getCXX) + use arm && export GOARM=$(go-env_goarm) + use x86 && export GO386=$(go-env_go386) + + cd src + bash -x ./make.bash || die "build failed" +} + +src_test() { + go_cross_compile && return 0 + cd src + PATH="${GOBIN}:${PATH}" \ + ./run.bash -no-rebuild -k || die "tests failed" +} + +src_install() { + dodir /usr/lib/go + # The use of cp is deliberate in order to retain permissions + cp -R . "${ED}"/usr/lib/go + einstalldocs + + # testdata directories are not needed on the installed system + # The other files we remove are installed by einstalldocs + rm -r $(find "${ED}"/usr/lib/go -iname testdata -type d -print) || die + rm "${ED}"/usr/lib/go/{CONTRIBUTING.md,PATENTS,README.md} || die + rm "${ED}"/usr/lib/go/{SECURITY.md,codereview.cfg,LICENSE} || die + + local bin_path + if go_cross_compile; then + bin_path="bin/$(go_tuple)" + else + bin_path=bin + fi + local f x + for x in ${bin_path}/*; do + f=${x##*/} + dosym ../lib/go/${bin_path}/${f} /usr/bin/${f} + done +}
