commit go1.4 for openSUSE:Factory
Hello community,
here is the log from the commit of package go1.4 for openSUSE:Factory checked
in at 2020-06-11 14:46:14
Comparing /work/SRC/openSUSE:Factory/go1.4 (Old)
and /work/SRC/openSUSE:Factory/.go1.4.new.3606 (New)
Package is "go1.4"
Thu Jun 11 14:46:14 2020 rev:11 rq:812964 version:1.4.3
Changes:
--- /work/SRC/openSUSE:Factory/go1.4/go1.4.changes 2020-01-30
09:32:47.181213500 +0100
+++ /work/SRC/openSUSE:Factory/.go1.4.new.3606/go1.4.changes2020-06-11
14:46:58.129778722 +0200
@@ -1,0 +2,5 @@
+Mon Jun 8 08:22:07 UTC 2020 - Guillaume GARDET
+
+- Ensure ARM arch is set properly - boo#1169832
+
+---
Other differences:
--
++ go1.4.spec ++
--- /var/tmp/diff_new_pack.SoKoUF/_old 2020-06-11 14:46:59.461782603 +0200
+++ /var/tmp/diff_new_pack.SoKoUF/_new 2020-06-11 14:46:59.461782603 +0200
@@ -193,6 +193,15 @@
%endif
# Now, compile Go.
+# Ensure ARM arch is set properly - boo#1169832
+%ifarch armv6l armv6hl
+export GOARCH=arm
+export GOARM=6
+%endif
+%ifarch armv7l armv7hl
+export GOARCH=arm
+export GOARM=7
+%endif
export GOROOT="`pwd`"
export GOROOT_FINAL=%{_libdir}/%{name}
export GOBIN="$GOROOT/bin"
commit go1.4 for openSUSE:Factory
Hello community,
here is the log from the commit of package go1.4 for openSUSE:Factory checked
in at 2020-01-30 09:32:27
Comparing /work/SRC/openSUSE:Factory/go1.4 (Old)
and /work/SRC/openSUSE:Factory/.go1.4.new.26092 (New)
Package is "go1.4"
Thu Jan 30 09:32:27 2020 rev:10 rq:766964 version:1.4.3
Changes:
--- /work/SRC/openSUSE:Factory/go1.4/go1.4.changes 2019-03-27
16:12:28.311651193 +0100
+++ /work/SRC/openSUSE:Factory/.go1.4.new.26092/go1.4.changes 2020-01-30
09:32:47.181213500 +0100
@@ -1,0 +2,6 @@
+Fri Jan 24 13:43:31 UTC 2020 - Dominique Leuenberger
+
+- BuildREquire pkgconfig(systemd) instead of systemd: allow OBS to
+ shortcut through the -mini flavor.
+
+---
Other differences:
--
++ go1.4.spec ++
--- /var/tmp/diff_new_pack.ob6Ovb/_old 2020-01-30 09:32:48.573214246 +0100
+++ /var/tmp/diff_new_pack.ob6Ovb/_new 2020-01-30 09:32:48.577214247 +0100
@@ -1,7 +1,7 @@
#
# spec file for package go1.4
#
-# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2020 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -39,7 +39,7 @@
Summary:A compiled, garbage-collected, concurrent programming language
License:BSD-3-Clause
Group: Development/Languages/Go
-Url:http://golang.org
+URL:http://golang.org
Source0:http://golang.org/dl/go%{version}.src.tar.gz
Source1:go-rpmlintrc
Source3:macros.go
@@ -95,7 +95,7 @@
BuildRoot: %{_tmppath}/%{name}-%{version}-build
ExclusiveArch: %ix86 x86_64 %arm
%if 0%{?suse_version} >= 1210
-BuildRequires: systemd
+BuildRequires: pkgconfig(systemd)
%endif
%if 0%{?suse_version} >= 1100
BuildRequires: fdupes
@@ -128,7 +128,7 @@
Summary:Go runtime race detector
License:NCSA OR MIT
Group: Development/Languages/Other
-Url:https://compiler-rt.llvm.org/
+URL:https://compiler-rt.llvm.org/
Requires: %{name} = %{version}
Supplements:%{name} = %{version}
ExclusiveArch: %{tsan_arch}
commit go1.4 for openSUSE:Factory
Hello community,
here is the log from the commit of package go1.4 for openSUSE:Factory checked
in at 2019-03-27 16:12:23
Comparing /work/SRC/openSUSE:Factory/go1.4 (Old)
and /work/SRC/openSUSE:Factory/.go1.4.new.25356 (New)
Package is "go1.4"
Wed Mar 27 16:12:23 2019 rev:9 rq:686159 version:1.4.3
Changes:
--- /work/SRC/openSUSE:Factory/go1.4/go1.4.changes 2018-12-18
15:00:01.770103266 +0100
+++ /work/SRC/openSUSE:Factory/.go1.4.new.25356/go1.4.changes 2019-03-27
16:12:28.311651193 +0100
@@ -1,0 +2,5 @@
+Mon Mar 11 12:53:10 UTC 2019 - Martin Liška
+
+- Add gcc9-rsp-clobber.patch in order to fix bsc#1121397.
+
+---
New:
gcc9-rsp-clobber.patch
Other differences:
--
++ go1.4.spec ++
--- /var/tmp/diff_new_pack.pLAJQ1/_old 2019-03-27 16:12:29.323650934 +0100
+++ /var/tmp/diff_new_pack.pLAJQ1/_new 2019-03-27 16:12:29.323650934 +0100
@@ -1,7 +1,7 @@
#
# spec file for package go1.4
#
-# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -74,6 +74,7 @@
Patch12:cmd-go-reject-update-of-VCS-inside-VCS.patch
# PATCH-FIX-UPSTREAM (compiler-rt): Fix sanitizer build against latest glibc
Patch100: fix-sanitizer-build-against-latest-glibc.patch
+Patch101: gcc9-rsp-clobber.patch
BuildRequires: rpm
# for go1.4.gdbinit, directory ownership
BuildRequires: gdb
@@ -142,6 +143,7 @@
# compiler-rt
%setup -q -T -b 100 -n compiler-rt-r%{tsan_commit}
%patch100 -p1
+%patch101 -p1
%endif
# go
%setup -q -n go
++ gcc9-rsp-clobber.patch ++
--- a/lib/sanitizer_common/sanitizer_linux.cc 2018-01-11 23:53:30.0
+0100
+++ b/lib/sanitizer_common/sanitizer_linux.cc.new 2019-03-10
21:23:23.824919781 +0100
@@ -830,7 +830,7 @@
"d"(parent_tidptr),
"r"(r8),
"r"(r10)
- : "rsp", "memory", "r11", "rcx");
+ : "memory", "r11", "rcx");
return res;
}
#endif // defined(__x86_64__) && SANITIZER_LINUX
commit go1.4 for openSUSE:Factory
Hello community,
here is the log from the commit of package go1.4 for openSUSE:Factory checked
in at 2018-12-18 14:58:31
Comparing /work/SRC/openSUSE:Factory/go1.4 (Old)
and /work/SRC/openSUSE:Factory/.go1.4.new.28833 (New)
Package is "go1.4"
Tue Dec 18 14:58:31 2018 rev:8 rq:658802 version:1.4.3
Changes:
--- /work/SRC/openSUSE:Factory/go1.4/go1.4.changes 2018-03-26
16:03:35.913248796 +0200
+++ /work/SRC/openSUSE:Factory/.go1.4.new.28833/go1.4.changes 2018-12-18
15:00:01.770103266 +0100
@@ -1,0 +2,7 @@
+Sat Dec 15 12:45:31 UTC 2018 - Aleksa Sarai
+
+- Make our profile.d/go.sh no longer set GOROOT=, in order to make switching
+ between versions no longer break. This ends up removing the need for go.sh
+ entirely (because GOPATH is also set automatically). boo#1119634
+
+---
Old:
go.sh
Other differences:
--
++ go1.4.spec ++
--- /var/tmp/diff_new_pack.hN60D6/_old 2018-12-18 15:00:03.106101258 +0100
+++ /var/tmp/diff_new_pack.hN60D6/_new 2018-12-18 15:00:03.110101252 +0100
@@ -12,7 +12,7 @@
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
-# Please submit bugfixes or comments via http://bugs.opensuse.org/
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
# nodebuginfo
@@ -42,7 +42,6 @@
Url:http://golang.org
Source0:http://golang.org/dl/go%{version}.src.tar.gz
Source1:go-rpmlintrc
-Source2:go.sh
Source3:macros.go
Source5:README.SUSE
Source6:go1.4.gdbinit
@@ -216,7 +215,6 @@
%install
export GOROOT="%{buildroot}%{_libdir}/%{name}"
-install -Dm644 %{SOURCE2} $GOROOT/bin/profile.d/go.sh
# locations for third party libraries, see README.SUSE for info about
locations.
install -d %{buildroot}%{_datadir}/%{name}/contrib
@@ -250,11 +248,9 @@
# update-alternatives
mkdir -p %{buildroot}%{_sysconfdir}/alternatives
mkdir -p %{buildroot}%{_bindir}
-mkdir -p %{buildroot}%{_sysconfdir}/profile.d
-touch %{buildroot}%{_sysconfdir}/alternatives/{go,gofmt,go.sh}
+touch %{buildroot}%{_sysconfdir}/alternatives/{go,gofmt}
ln -sf %{_sysconfdir}/alternatives/go %{buildroot}%{_bindir}/go
ln -sf %{_sysconfdir}/alternatives/gofmt %{buildroot}%{_bindir}/gofmt
-ln -sf %{_sysconfdir}/alternatives/go.sh
%{buildroot}%{_sysconfdir}/profile.d/go.sh
# documentation and examples
# fix documetation permissions (rpmlint warning)
@@ -284,8 +280,7 @@
%post
update-alternatives \
--install %{_bindir}/go go %{_libdir}/%{name}/bin/go 60 \
- --slave %{_bindir}/gofmt gofmt %{_libdir}/%{name}/bin/gofmt \
- --slave %{_sysconfdir}/profile.d/go.sh go.sh
%{_libdir}/%{name}/bin/profile.d/go.sh
+ --slave %{_bindir}/gofmt gofmt %{_libdir}/%{name}/bin/gofmt
%postun
if [ $1 -eq 0 ] ; then
@@ -309,8 +304,6 @@
%{_datadir}/%{name}/
%ghost %{_sysconfdir}/alternatives/go
%ghost %{_sysconfdir}/alternatives/gofmt
-%ghost %{_sysconfdir}/alternatives/go.sh
-%config %{_sysconfdir}/profile.d/go.sh
%config %{_sysconfdir}/gdbinit.d/%{name}.gdb
%config %{_sysconfdir}/rpm/macros.%{name}
%dir %{_docdir}/%{name}/
commit go1.4 for openSUSE:Factory
Hello community,
here is the log from the commit of package go1.4 for openSUSE:Factory checked
in at 2018-03-26 16:03:28
Comparing /work/SRC/openSUSE:Factory/go1.4 (Old)
and /work/SRC/openSUSE:Factory/.go1.4.new (New)
Package is "go1.4"
Mon Mar 26 16:03:28 2018 rev:7 rq:590977 version:1.4.3
Changes:
--- /work/SRC/openSUSE:Factory/go1.4/go1.4.changes 2018-02-27
17:00:51.665748117 +0100
+++ /work/SRC/openSUSE:Factory/.go1.4.new/go1.4.changes 2018-03-26
16:03:35.913248796 +0200
@@ -1,0 +2,6 @@
+Sun Mar 25 10:31:29 UTC 2018 - kasim...@outlook.de
+
+- Fix patch for armv6l build
+ * armv6l.patch
+
+---
Other differences:
--
++ armv6l.patch ++
--- /var/tmp/diff_new_pack.GXGJc7/_old 2018-03-26 16:03:37.961175393 +0200
+++ /var/tmp/diff_new_pack.GXGJc7/_new 2018-03-26 16:03:37.961175393 +0200
@@ -1,11 +1,11 @@
a/src/pkg/runtime/os_linux.h 2014-08-13 05:49:43.0 +0200
-+++ b/src/pkg/runtime/os_linux.h 2014-10-17 04:02:55.791948419 +0200
-@@ -16,7 +16,7 @@
- void runtime·setitimer(int32, Itimerval*, Itimerval*);
+--- a/src/runtime/os_linux.h 2015-09-23 06:37:38.0 +0200
b/src/runtime/os_linux.h 2018-03-25 12:07:58.098617526 +0200
+@@ -16,7 +16,7 @@ void runtime·setitimer(int32, Itimerval
-
--#define NSIG65
-+#define NSIG64
- #define SI_USER 0
-
- // It's hard to tease out exactly how big a Sigset is, but
+ enum {
+ SS_DISABLE = 2,
+- NSIG = 65,
++ NSIG = 64,
+ SI_USER = 0,
+ SIG_SETMASK = 2,
+ RLIMIT_AS = 9,
commit go1.4 for openSUSE:Factory
Hello community,
here is the log from the commit of package go1.4 for openSUSE:Factory checked
in at 2018-02-27 17:00:22
Comparing /work/SRC/openSUSE:Factory/go1.4 (Old)
and /work/SRC/openSUSE:Factory/.go1.4.new (New)
Package is "go1.4"
Tue Feb 27 17:00:22 2018 rev:6 rq:580586 version:1.4.3
Changes:
--- /work/SRC/openSUSE:Factory/go1.4/go1.4.changes 2018-01-19
11:53:19.603317205 +0100
+++ /work/SRC/openSUSE:Factory/.go1.4.new/go1.4.changes 2018-02-27
17:00:51.665748117 +0100
@@ -1,0 +2,5 @@
+Sat Feb 24 18:54:32 UTC 2018 - jmassaguer...@suse.com
+
+- fix bsc#1082409: Review dependencies (requires, recommends and supports)
+
+---
Other differences:
--
++ go1.4.spec ++
--- /var/tmp/diff_new_pack.yZiTPU/_old 2018-02-27 17:00:53.425684528 +0100
+++ /var/tmp/diff_new_pack.yZiTPU/_new 2018-02-27 17:00:53.429684383 +0100
@@ -99,7 +99,7 @@
%endif
%if 0%{?suse_version} >= 1100
BuildRequires: fdupes
-Recommends: %{name}-doc
+Recommends: %{name}-doc = %{version}
#BNC#818502 debug edit tool of rpm fails on i586 builds
%if 0%{?suse_version} > 1230
BuildRequires: rpm >= 4.11.1
@@ -126,11 +126,11 @@
# boo#1052528
%package race
Summary:Go runtime race detector
-License:NCSA or MIT
+License:NCSA OR MIT
Group: Development/Languages/Other
Url:https://compiler-rt.llvm.org/
-Requires: go = %{version}
-Supplements:go
+Requires: %{name} = %{version}
+Supplements:%{name} = %{version}
ExclusiveArch: %{tsan_arch}
%description race
commit go1.4 for openSUSE:Factory
Hello community,
here is the log from the commit of package go1.4 for openSUSE:Factory checked
in at 2018-01-19 11:53:07
Comparing /work/SRC/openSUSE:Factory/go1.4 (Old)
and /work/SRC/openSUSE:Factory/.go1.4.new (New)
Package is "go1.4"
Fri Jan 19 11:53:07 2018 rev:5 rq:566415 version:1.4.3
Changes:
--- /work/SRC/openSUSE:Factory/go1.4/go1.4.changes 2017-10-23
16:53:41.207575694 +0200
+++ /work/SRC/openSUSE:Factory/.go1.4.new/go1.4.changes 2018-01-19
11:53:19.603317205 +0100
@@ -34,0 +35,16 @@
+Thu Aug 31 18:46:47 UTC 2017 - th...@suse.de
+
+- add fix-sanitizer-build-against-latest-glibc.patch which fixes
+ the sanitizer built against certain glibc versions
+
+---
+Wed Aug 9 07:45:47 UTC 2017 - asa...@suse.com
+
+- go-race: add compiler-rt TSAN binary, necessary for the race detector builds
+ to work. This requires building compiler-rt from source (becuase upstream Go
+ stores precompiled binaries in the tree, and we cannot use them). In
+ addition, a %check was added purely to ensure that we don't install the wrong
+ version of compiler-rt. boo#1052528
+- go-rpmlintrc: add some entries to address the .syso additions.
+
+---
New:
_service
compiler-rt-r215000.tar.xz
fix-sanitizer-build-against-latest-glibc.patch
Other differences:
--
++ go1.4.spec ++
--- /var/tmp/diff_new_pack.6MMYah/_old 2018-01-19 11:53:20.547272717 +0100
+++ /var/tmp/diff_new_pack.6MMYah/_new 2018-01-19 11:53:20.555272340 +0100
@@ -1,7 +1,7 @@
#
# spec file for package go1.4
#
-# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -14,6 +14,7 @@
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
+# nodebuginfo
%define with_gccgo 1
@@ -22,6 +23,16 @@
%define with_gccgo 0
%endif
+# By default we don't include tsan. It's only supported on amd64.
+%define tsan_arch x86_64
+
+# Go has precompiled versions of LLVM's compiler-rt inside their source code.
+# We cannot ship pre-compiled binaries so we have to recompile said source,
+# however they vendor specific commits from upstream. This value comes from
+# src/runtime/race/README (and we verify that it matches in check).
+# See boo#1052528 for more details.
+%define tsan_commit 215000
+
Name: go1.4
Version:1.4.3
Release:0
@@ -35,6 +46,8 @@
Source3:macros.go
Source5:README.SUSE
Source6:go1.4.gdbinit
+# We have to compile TSAN ourselves. boo#1052528
+Source100: compiler-rt-r%{tsan_commit}.tar.xz
# PATCH-FIX-OPENSUSE add -s flag to 'go install' (don't rebuild/install std
libs)
Patch1: go-build-dont-reinstall-stdlibs.patch
# PATCH-FIX-OPENSUSE re-enable build binary only packages (we are binary
distro)
@@ -60,12 +73,18 @@
Patch11:
net-smtp-fix-PlainAuth-to-refuse-to-send-passwords-to-non-TLS-servers.patch
# PATCH-FIX-UPSTREAM cmd/go: reject update of VCS inside VCS
Patch12:cmd-go-reject-update-of-VCS-inside-VCS.patch
+# PATCH-FIX-UPSTREAM (compiler-rt): Fix sanitizer build against latest glibc
+Patch100: fix-sanitizer-build-against-latest-glibc.patch
BuildRequires: rpm
# for go1.4.gdbinit, directory ownership
BuildRequires: gdb
%if %{with_gccgo}
Requires: gcc
%endif
+%ifarch %{tsan_arch}
+# Needed to compile compiler-rt/TSAN.
+BuildRequires: gcc-c++
+%endif
Requires(post): update-alternatives
Requires(postun): update-alternatives
Provides: go = %{version}
@@ -96,13 +115,36 @@
%package doc
Summary:Go documentation
+License:BSD-3-Clause
Group: Documentation/Other
Requires: %{name} = %{version}
%description doc
Go examples and documentation.
+%ifarch %{tsan_arch}
+# boo#1052528
+%package race
+Summary:Go runtime race detector
+License:NCSA or MIT
+Group: Development/Languages/Other
+Url:https://compiler-rt.llvm.org/
+Requires: go = %{version}
+Supplements:go
+ExclusiveArch: %{tsan_arch}
+
+%description race
+Go runtime race detector libraries. Install this package if you wish to use the
+-race option, in order to detect race conditions present in your Go programs.
+%endif
+
%prep
+%ifarch %{tsan_arch}
+# compiler-rt
+%setup -q -T -b 100 -n compiler-rt-r%{tsan_commit}
+%patch100 -p1
+%endif
+# go
%setup -q -n go
%patch1 -p1
%patch2 -p1
@@ -136,6 +178,20 @@
%endif
%build
+# Remove the pre-included .sysos, to avoid shipping
commit go1.4 for openSUSE:Factory
Hello community,
here is the log from the commit of package go1.4 for openSUSE:Factory checked
in at 2017-10-23 16:53:18
Comparing /work/SRC/openSUSE:Factory/go1.4 (Old)
and /work/SRC/openSUSE:Factory/.go1.4.new (New)
Package is "go1.4"
Mon Oct 23 16:53:18 2017 rev:4 rq:535894 version:1.4.3
Changes:
--- /work/SRC/openSUSE:Factory/go1.4/go1.4.changes 2017-10-17
01:53:51.546665597 +0200
+++ /work/SRC/openSUSE:Factory/.go1.4.new/go1.4.changes 2017-10-23
16:53:41.207575694 +0200
@@ -1,0 +2,6 @@
+Sat Oct 21 11:44:02 UTC 2017 - asa...@suse.com
+
+- Install $GOROOT/lib packages, to include upstream files such as the timezone
+ database. bsc#1064522
+
+---
Other differences:
--
++ go1.4.spec ++
--- /var/tmp/diff_new_pack.FFMiBy/_old 2017-10-23 16:53:42.219528335 +0200
+++ /var/tmp/diff_new_pack.FFMiBy/_new 2017-10-23 16:53:42.227527960 +0200
@@ -175,10 +175,12 @@
for i in $(ls %{buildroot}%{_datadir}/%{name}/src);do
ln -s %{_datadir}/%{name}/src/$i $GOROOT/src/$i
done
+# add lib files that are needed (such as the timezone database).
+install -d $GOROOT/lib
+find lib -type f -exec install -D -m644 {} $GOROOT/{} \;
# copy document templates, packages, obj libs and command utilities
mkdir -p $GOROOT/bin
-mkdir -p $GOROOT/lib
mv pkg $GOROOT
mv bin/* $GOROOT/bin
rm -f $GOROOT/bin/{hgpatch,quietgcc}
commit go1.4 for openSUSE:Factory
Hello community,
here is the log from the commit of package go1.4 for openSUSE:Factory checked
in at 2017-10-17 01:53:45
Comparing /work/SRC/openSUSE:Factory/go1.4 (Old)
and /work/SRC/openSUSE:Factory/.go1.4.new (New)
Package is "go1.4"
Tue Oct 17 01:53:45 2017 rev:3 rq:534198 version:1.4.3
Changes:
--- /work/SRC/openSUSE:Factory/go1.4/go1.4.changes 2017-10-09
19:48:53.389820584 +0200
+++ /work/SRC/openSUSE:Factory/.go1.4.new/go1.4.changes 2017-10-17
01:53:51.546665597 +0200
@@ -1,0 +2,8 @@
+Tue Oct 10 13:22:35 UTC 2017 - th...@suse.de
+
+- Add patch to fix arbitrary code execution during “go get” or “go get -d”
+ (CVE-2017-15041).
+ bsc#1062085
+ + cmd-go-reject-update-of-VCS-inside-VCS.patch
+
+---
New:
cmd-go-reject-update-of-VCS-inside-VCS.patch
Other differences:
--
++ go1.4.spec ++
--- /var/tmp/diff_new_pack.Op6axW/_old 2017-10-17 01:53:52.710611082 +0200
+++ /var/tmp/diff_new_pack.Op6axW/_new 2017-10-17 01:53:52.718610708 +0200
@@ -58,6 +58,8 @@
Patch10:CVE-2016-5386.patch
# PATCH-FIX-UPSTREAM net/smtp: fix PlainAuth to refuse to send passwords to
non-TLS servers
Patch11:
net-smtp-fix-PlainAuth-to-refuse-to-send-passwords-to-non-TLS-servers.patch
+# PATCH-FIX-UPSTREAM cmd/go: reject update of VCS inside VCS
+Patch12:cmd-go-reject-update-of-VCS-inside-VCS.patch
BuildRequires: rpm
# for go1.4.gdbinit, directory ownership
BuildRequires: gdb
@@ -115,6 +117,7 @@
%patch9 -p1
%patch10 -p1
%patch11 -p1
+%patch12 -p1
cp %{SOURCE5} .
# setup go_arch (BSD-like scheme)
++ cmd-go-reject-update-of-VCS-inside-VCS.patch ++
>From a4544a0f8af001d1fb6df0e70750f570ec49ccf9 Mon Sep 17 00:00:00 2001
From: Russ Cox
Date: Fri, 22 Sep 2017 12:17:21 -0400
Subject: [PATCH] [release-branch.go1.8] cmd/go: reject update of VCS inside
VCS
Cherry-pick of CL 68110.
Change-Id: Iae84c6404ab5eeb6950faa2364f97a017c67c506
Reviewed-on: https://go-review.googlesource.com/68190
Run-TryBot: Russ Cox
Reviewed-by: Chris Broadfoot
---
src/cmd/go/get.go | 5 +
src/cmd/go/go_test.go | 19 +
src/cmd/go/vcs.go | 58 ++-
3 files changed, 81 insertions(+), 1 deletion(-)
Index: go/src/cmd/go/get.go
===
--- go.orig/src/cmd/go/get.go
+++ go/src/cmd/go/get.go
@@ -319,6 +319,11 @@ func downloadPackage(p *Package) error {
p.build.PkgRoot = filepath.Join(list[0], "pkg")
}
root := filepath.Join(p.build.SrcRoot, rootPath)
+
+ if err := checkNestedVCS(vcs, root, p.build.SrcRoot); err != nil {
+ return err
+ }
+
// If we've considered this repository already, don't do it again.
if downloadRootCache[root] {
return nil
Index: go/src/cmd/go/vcs.go
===
--- go.orig/src/cmd/go/vcs.go
+++ go/src/cmd/go/vcs.go
@@ -432,11 +432,28 @@ func vcsForDir(p *Package) (vcs *vcsCmd,
return nil, "", fmt.Errorf("directory %q is outside source root
%q", dir, srcRoot)
}
+ var vcsRet *vcsCmd
+ var rootRet string
+
origDir := dir
for len(dir) > len(srcRoot) {
for _, vcs := range vcsList {
if fi, err := os.Stat(filepath.Join(dir, "."+vcs.cmd));
err == nil && fi.IsDir() {
- return vcs, dir[len(srcRoot)+1:], nil
+ root := filepath.ToSlash(dir[len(srcRoot)+1:])
+ // Record first VCS we find, but keep looking,
+ // to detect mistakes like one kind of VCS
inside another.
+ if vcsRet == nil {
+ vcsRet = vcs
+ rootRet = root
+ continue
+ }
+ // Allow .git inside .git, which can arise due
to submodules.
+ if vcsRet == vcs && vcs.cmd == "git" {
+ continue
+ }
+ // Otherwise, we have one VCS inside a
different VCS.
+ return nil, "", fmt.Errorf("directory %q uses
%s, but parent %q uses %s",
+ filepath.Join(srcRoot, rootRet),
vcsRet.cmd, filepath.Join(srcRoot, root), vcs.cmd)
}
}
@@ -449,9 +466,48 @@ func vcsForDir(p *Package) (vcs *vcsCmd,
dir
commit go1.4 for openSUSE:Factory
Hello community,
here is the log from the commit of package go1.4 for openSUSE:Factory checked
in at 2017-10-09 19:47:36
Comparing /work/SRC/openSUSE:Factory/go1.4 (Old)
and /work/SRC/openSUSE:Factory/.go1.4.new (New)
Package is "go1.4"
Mon Oct 9 19:47:36 2017 rev:2 rq:532732 version:1.4.3
Changes:
--- /work/SRC/openSUSE:Factory/go1.4/go1.4.changes 2017-09-15
21:03:33.512960639 +0200
+++ /work/SRC/openSUSE:Factory/.go1.4.new/go1.4.changes 2017-10-09
19:48:53.389820584 +0200
@@ -1,0 +2,8 @@
+Mon Oct 9 08:44:02 UTC 2017 - th...@suse.de
+
+- Add patch to fix PlainAuth to refuse to send passwords to non-TLS servers
+ (CVE-2017-15042).
+ bsc#1062087
+ + net-smtp-fix-PlainAuth-to-refuse-to-send-passwords-to-non-TLS-servers.patch
+
+---
New:
net-smtp-fix-PlainAuth-to-refuse-to-send-passwords-to-non-TLS-servers.patch
Other differences:
--
++ go1.4.spec ++
--- /var/tmp/diff_new_pack.e6kS7W/_old 2017-10-09 19:48:54.261782261 +0200
+++ /var/tmp/diff_new_pack.e6kS7W/_new 2017-10-09 19:48:54.265782085 +0200
@@ -1,7 +1,7 @@
#
# spec file for package go1.4
#
-# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -15,6 +15,7 @@
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
+
%define with_gccgo 1
%if 0%{?suse_version} > 1320
@@ -55,6 +56,8 @@
# PATCH-FIX-UPSTREAM binutils support for new 386/amd64 relocations. add
support for them in go linker.
Patch9: go-1.4.3-support-new-386_amd64-relocations.patch
Patch10:CVE-2016-5386.patch
+# PATCH-FIX-UPSTREAM net/smtp: fix PlainAuth to refuse to send passwords to
non-TLS servers
+Patch11:
net-smtp-fix-PlainAuth-to-refuse-to-send-passwords-to-non-TLS-servers.patch
BuildRequires: rpm
# for go1.4.gdbinit, directory ownership
BuildRequires: gdb
@@ -111,6 +114,7 @@
%patch8 -p1
%patch9 -p1
%patch10 -p1
+%patch11 -p1
cp %{SOURCE5} .
# setup go_arch (BSD-like scheme)
++
net-smtp-fix-PlainAuth-to-refuse-to-send-passwords-to-non-TLS-servers.patch
++
>From 4be3fc33ef512532b916aa14258087e89eb47347 Mon Sep 17 00:00:00 2001
From: Russ Cox
Date: Wed, 4 Oct 2017 13:24:49 -0400
Subject: [PATCH] [release-branch.go1.8] net/smtp: fix PlainAuth to refuse to
send passwords to non-TLS servers
PlainAuth originally refused to send passwords to non-TLS servers
and was documented as such.
In 2013, issue #5184 was filed objecting to the TLS requirement,
despite the fact that it is spelled out clearly in RFC 4954.
The only possibly legitimate use case raised was using PLAIN auth
for connections to localhost, and the suggested fix was to let the
server decide: if it advertises that PLAIN auth is OK, believe it.
That approach was adopted in CL 8279043 and released in Go 1.1.
Unfortunately, this is exactly wrong. The whole point of the TLS
requirement is to make sure not to send the password to the wrong
server or to a man-in-the-middle. Instead of implementing this rule,
CL 8279043 blindly trusts the server, so that if a man-in-the-middle
says "it's OK, you can send me your password," PlainAuth does.
And the documentation was not updated to reflect any of this.
This CL restores the original TLS check, as required by RFC 4954
and as promised in the documentation for PlainAuth.
It then carves out a documented exception for connections made
to localhost (defined as "localhost", "127.0.0.1", or "::1").
Cherry-pick of CL 68170.
Change-Id: I1d3729bbd33aa2f11a03f4c000e6bb473164957b
Reviewed-on: https://go-review.googlesource.com/68023
Run-TryBot: Russ Cox
Reviewed-by: Chris Broadfoot
---
src/net/smtp/auth.go | 33 ++---
src/net/smtp/smtp_test.go | 32 ++--
2 files changed, 40 insertions(+), 25 deletions(-)
diff --git a/src/net/smtp/auth.go b/src/net/smtp/auth.go
index 3f1339ebc56..fd1a472f930 100644
--- a/src/net/smtp/auth.go
+++ b/src/net/smtp/auth.go
@@ -44,26 +44,29 @@ type plainAuth struct {
}
// PlainAuth returns an Auth that implements the PLAIN authentication
-// mechanism as defined in RFC 4616.
-// The returned Auth uses the given username and password to authenticate
-// on TLS connections to host and act as identity. Usually identity will be
-// left blank to act as username.
+// mechanism as defined in RFC 4616. The returned Auth uses the given
+// username and password to authenticate to host and act as identity.
+// Usually identity should be the empty string, to act as username.
+//
+//
