!377 fix CVE-2023-45285
From: @euleroswander Reviewed-by: @hcnbxx Signed-off-by: @hcnbxx
This commit is contained in:
openeuler-ci-bot
Gitee
commit
936ed05c85
@ -0,0 +1,108 @@
|
||||
From 558cbc498c70278bea8297272f2d4fc50d67893b Mon Sep 17 00:00:00 2001
|
||||
From: "Bryan C. Mills" <bcmills@google.com>
|
||||
Date: Thu, 2 Nov 2023 15:06:35 -0400
|
||||
Subject: [PATCH] [Backport] cmd/go/internal/vcs: error out if the requested
|
||||
repo does not support a secure protocol
|
||||
|
||||
CVE: CVE-2023-45285
|
||||
Reference: https://go-review.googlesource.com/c/go/+/540335
|
||||
|
||||
Updates #63845.
|
||||
Fixes #63972.
|
||||
|
||||
Change-Id: If86d6b13d3b55877b35c087112bd76388c9404b8
|
||||
Reviewed-on: https://go-review.googlesource.com/c/go/+/539321
|
||||
Reviewed-by: Michael Matloob <matloob@golang.org>
|
||||
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
|
||||
Reviewed-by: Roland Shoemaker <roland@golang.org>
|
||||
Auto-Submit: Bryan Mills <bcmills@google.com>
|
||||
(cherry picked from commit be26ae18caf7ddffca4073333f80d0d9e76483c3)
|
||||
Reviewed-on: https://go-review.googlesource.com/c/go/+/540335
|
||||
Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
|
||||
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
|
||||
Signed-off-by: wangbingyao 00557526 <wangbingyao5@huawei.com>
|
||||
---
|
||||
src/cmd/go/internal/vcs/vcs.go | 25 +++++++++++++----
|
||||
.../script/mod_insecure_issue63845.txt | 28 +++++++++++++++++++
|
||||
2 files changed, 47 insertions(+), 6 deletions(-)
|
||||
create mode 100644 src/cmd/go/testdata/script/mod_insecure_issue63845.txt
|
||||
|
||||
diff --git a/src/cmd/go/internal/vcs/vcs.go b/src/cmd/go/internal/vcs/vcs.go
|
||||
index c65dd0f624..dbf16d1de7 100644
|
||||
--- a/src/cmd/go/internal/vcs/vcs.go
|
||||
+++ b/src/cmd/go/internal/vcs/vcs.go
|
||||
@@ -1204,18 +1204,31 @@ func repoRootFromVCSPaths(importPath string, security web.SecurityMode, vcsPaths
|
||||
var ok bool
|
||||
repoURL, ok = interceptVCSTest(repo, vcs, security)
|
||||
if !ok {
|
||||
- scheme := vcs.Scheme[0] // default to first scheme
|
||||
- if vcs.PingCmd != "" {
|
||||
- // If we know how to test schemes, scan to find one.
|
||||
+ scheme, err := func() (string, error) {
|
||||
for _, s := range vcs.Scheme {
|
||||
if security == web.SecureOnly && !vcs.isSecureScheme(s) {
|
||||
continue
|
||||
}
|
||||
- if vcs.Ping(s, repo) == nil {
|
||||
- scheme = s
|
||||
- break
|
||||
+
|
||||
+ // If we know how to ping URL schemes for this VCS,
|
||||
+ // check that this repo works.
|
||||
+ // Otherwise, default to the first scheme
|
||||
+ // that meets the requested security level.
|
||||
+ if vcs.PingCmd == "" {
|
||||
+ return s, nil
|
||||
+ }
|
||||
+ if err := vcs.Ping(s, repo); err == nil {
|
||||
+ return s, nil
|
||||
}
|
||||
}
|
||||
+ securityFrag := ""
|
||||
+ if security == web.SecureOnly {
|
||||
+ securityFrag = "secure "
|
||||
+ }
|
||||
+ return "", fmt.Errorf("no %sprotocol found for repository", securityFrag)
|
||||
+ }()
|
||||
+ if err != nil {
|
||||
+ return nil, err
|
||||
}
|
||||
repoURL = scheme + "://" + repo
|
||||
}
|
||||
diff --git a/src/cmd/go/testdata/script/mod_insecure_issue63845.txt b/src/cmd/go/testdata/script/mod_insecure_issue63845.txt
|
||||
new file mode 100644
|
||||
index 0000000000..5fa6a4f12b
|
||||
--- /dev/null
|
||||
+++ b/src/cmd/go/testdata/script/mod_insecure_issue63845.txt
|
||||
@@ -0,0 +1,28 @@
|
||||
+# Regression test for https://go.dev/issue/63845:
|
||||
+# If 'git ls-remote' fails for all secure protocols,
|
||||
+# we should fail instead of falling back to an arbitrary protocol.
|
||||
+#
|
||||
+# Note that this test does not use the local vcweb test server
|
||||
+# (vcs-test.golang.org), because the hook for redirecting to that
|
||||
+# server bypasses the "ping to determine protocol" logic
|
||||
+# in cmd/go/internal/vcs.
|
||||
+
|
||||
+[!net] skip
|
||||
+[!git] skip
|
||||
+[short] skip 'tries to access a nonexistent external Git repo'
|
||||
+
|
||||
+env GOPRIVATE=golang.org
|
||||
+env CURLOPT_TIMEOUT_MS=100
|
||||
+env GIT_SSH_COMMAND=false
|
||||
+
|
||||
+! go get -x golang.org/nonexist.git@latest
|
||||
+stderr '^git ls-remote https://golang.org/nonexist$'
|
||||
+stderr '^git ls-remote git\+ssh://golang.org/nonexist'
|
||||
+stderr '^git ls-remote ssh://golang.org/nonexist$'
|
||||
+! stderr 'git://'
|
||||
+stderr '^go: golang.org/nonexist.git@latest: no secure protocol found for repository$'
|
||||
+
|
||||
+-- go.mod --
|
||||
+module example
|
||||
+
|
||||
+go 1.19
|
||||
--
|
||||
2.33.0
|
||||
|
||||
@ -66,7 +66,7 @@
|
||||
|
||||
Name: golang
|
||||
Version: 1.21.4
|
||||
Release: 11
|
||||
Release: 12
|
||||
Summary: The Go Programming Language
|
||||
License: BSD and Public Domain
|
||||
URL: https://golang.org/
|
||||
@ -129,6 +129,7 @@ Patch6006: backport-0006-Backport-net-http-update-bundled-golang.org-x-net-ht.pa
|
||||
Patch6007: backport-0007-Backport-cmd-go-disallow-lto_library-in-LDFLAGS.patch
|
||||
|
||||
Patch6008: backport-0008-release-branch.go1.21-net-netip-check-if-address-is-v6.patch
|
||||
Patch6009: backport-0009-Backport-cmd-go-internal-vcs-error-out-if-the-reques.patch
|
||||
|
||||
ExclusiveArch: %{golang_arches}
|
||||
|
||||
@ -367,7 +368,10 @@ fi
|
||||
%files devel -f go-tests.list -f go-misc.list -f go-src.list
|
||||
|
||||
%changelog
|
||||
* Thu May 23 2024 <314264452@qq.com> - 1.21.4-11
|
||||
* Fri Jun 21 2024 EulerOSWander <314264452@qq.com> - 1.21.4-12
|
||||
- fix CVE-2023-45285
|
||||
|
||||
* Thu May 23 2024 EulerOSWander <314264452@qq.com> - 1.21.4-11
|
||||
- fix CVE-2024-24787
|
||||
|
||||
* Thu Jun 13 2024 Zhao Mengmeng <zhaomengmeng@kylinos.cn> - 1.21.4-10
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user