[BACK]Return to distinfo CVS log [TXT][DIR] Up to [cvs.NetBSD.org] / pkgsrc / lang / go115

File: [cvs.NetBSD.org] / pkgsrc / lang / go115 / distinfo (download)

Revision 1.5, Fri Nov 13 18:45:50 2020 UTC (2 months, 1 week ago) by bsiegert
Branch: MAIN
CVS Tags: pkgsrc-2020Q4-base, pkgsrc-2020Q4, HEAD
Changes since 1.4: +5 -5 lines

Update go115 to 1.15.5 (security fix).

   - math/big: panic during recursive division of very large numbers

A number of math/big.Int <https://pkg.go.dev/math/big#Int> methods (Div,
Exp, DivMod, Quo, Rem, QuoRem, Mod, ModInverse, ModSqrt, Jacobi, and GCD)
can panic when provided crafted large inputs. For the panic to happen, the
divisor or modulo argument must be larger than 3168 bits (on 32-bit
architectures) or 6336 bits (on 64-bit architectures). Multiple math/big.Rat
<https://pkg.go.dev/math/big#Rat> methods are similarly affected.

crypto/rsa.VerifyPSS <https://pkg.go.dev/crypto/rsa#VerifyPSS>,
crypto/rsa.VerifyPKCS1v15 <https://pkg.go.dev/crypto/rsa#VerifyPKCS1v15>,
and crypto/dsa.Verify <https://pkg.go.dev/crypto/dsa#Verify> may panic when
provided crafted public keys and signatures. crypto/ecdsa and
crypto/elliptic operations may only be affected if custom CurveParams
<https://pkg.go.dev/crypto/elliptic#CurveParams> with unusually large field
sizes (several times larger than the largest supported curve, P-521) are in
use. Using crypto/x509.Verify on a crafted X.509 certificate chain can lead
to a panic, even if the certificates don chain to a trusted root. The
chain can be delivered via a crypto/tls connection to a client, or to a
server that accepts and verifies client certificates. net/http clients can
be made to crash by an HTTPS server, while net/http servers that accept
client certificates will recover the panic and are unaffected.

Moreover, an application might crash invoking
crypto/x509.(*CertificateRequest).CheckSignature on an X.509 certificate
request or during a golang.org/x/crypto/otr conversation. Parsing a
golang.org/x/crypto/openpgp Entity or verifying a signature may crash.
Finally, a golang.org/x/crypto/ssh client can panic due to a malformed host
key, while a server could panic if either PublicKeyCallback accepts a
malformed public key, or if IsUserAuthority accepts a certificate with a
malformed public key.

This issue is CVE-2020-28362 and Go issue golang.org/issue/42552.


   - cmd/go: arbitrary code execution at build time through cgo

The go command may execute arbitrary code at build time when cgo is in use.
This may occur when running go get on a malicious package, or any other
command that builds untrusted code.

This can be caused by malicious gcc flags specified via a #cgo directive,
or by a malicious symbol name in a linked object file.

These issues are CVE-2020-28367 and CVE-2020-28366, and Go issues
golang.org/issue/42556 and golang.org/issue/42559 respectively.

$NetBSD: distinfo,v 1.5 2020/11/13 18:45:50 bsiegert Exp $

SHA1 (go1.15.5.src.tar.gz) = 696fee3f3efa184c5d9ad28b048bbd36d7c84ef3
RMD160 (go1.15.5.src.tar.gz) = c5c60ae185efd5b399d222e2430380da7d3bf5e0
SHA512 (go1.15.5.src.tar.gz) = 8e1d71f628d364b949b1e124af8950a563bbe9d9ae73b94c66af6ce029f67c26e2654556c0c118d0bc8566af52a7e9ed736b4667bbef7ccdab2bd338c43e6eb4
Size (go1.15.5.src.tar.gz) = 23019303 bytes
SHA1 (patch-misc_io_clangwrap.sh) = df5911c430ff6251abab12e5cc233e32fc3cd953
SHA1 (patch-src_cmd_dist_util.go) = 24e6f1b6ded842a8ce322a40e8766f7d344bc47e
SHA1 (patch-src_cmd_link_internal_ld_elf.go) = 3dfcb5c824d4201fadda0cfb6b48e5938899baf0
SHA1 (patch-src_crypto_x509_root__bsd.go) = 93a2de7c685a0919fe93f5bc99f156e105dace4d
SHA1 (patch-src_runtime_cgo_gcc__netbsd__arm64.c) = d2fc1cebc104ad2e35f488e5edebcecd6f0323be
SHA1 (patch-src_runtime_os__netbsd.go) = 9b80de94667e3f8d8d1ae3648ab1fe43dd55d577
SHA1 (patch-src_runtime_sys__netbsd__arm64.s) = c8d3dfddd7930794a6ff9b2919c42632aa9358cd
SHA1 (patch-src_syscall_zsysnum__solaris__amd64.go) = ec28a0fa37ba9599ec1651c8e9337a2efc48a26b