1.16.1 included fixes for:
* CVE-2021-27918 - encoding/xml: infinite loop when using
xml.NewTokenDecoder with a custom TokenReader
* CVE-2021-27919 - archive/zip: can panic when calling Reader.Open
1.16.4 included fixes for:
* CVE-2021-31525 - net/http: ReadRequest can stack overflow due to
recursion with very large headers
1.16.5 includes fixes for:
* CVE-2021-33195 - net: Lookup functions may return invalid host names
* CVE-2021-33196 - archive/zip: malformed archive may cause panic or
memory exhaustion
* CVE-2021-33197 - net/http/httputil: ReverseProxy forwards Connection
headers if first one is empty
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
This includes fixes for:
* CVE-2021-3114: crypto/elliptic: incorrect operations on the P-224
curve
* CVE-2021-3115: cmd/go: packages using cgo can cause arbitrary code
execution on Windows
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
This includes security fixes for:
* CVE-2020-28362: panic during recursive division of very large numbers
* CVE-2020-28366: arbitrary code can be injected into cgo generated
files
* CVE-2020-28367: improper validation of cgo flags can lead to remote
code execution at build time
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
This changes the default build cache directory from $(TOPDIR)/.go-build
to $(TMP_DIR)/go-build, so that the cache directory is ignored by git
and is removed by "make dirclean".
This does not move/remove a build cache directory in the previous
location; it will need to be removed manually.
Fixes https://github.com/openwrt/packages/issues/13675.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
In Go 1.15, the linker now defaults to internal linking mode for
-buildmode=pie on amd64 and arm64[1], however this results in go tool
binaries with the wrong dynamic linker/interpreter.
External linking is still used when PIE is enabled for other platforms,
whereas internal linking is used when PIE is not enabled.
This changes target Go to always use external linking, to fix PIE
binaries for amd64/arm64 and for consistency.
[1]: https://golang.org/doc/go1.15#linker
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
* Reuse GO_PKG_ENABLE_PIE from golang-package.mk
* Replace $(if ...) with $(or ...) to get default values
* Refactor vars common to each compile stage into variable
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
This also adds a config option GOLANG_BUILD_CACHE_DIR to customize the
location of the build cache directory.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
This also adds a config option GOLANG_MOD_CACHE_WORLD_READABLE; if
enabled, chmod is run after a Go package build to make all
files/directories in the module cache world-readable.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
1.15.1 includes a fix for CVE-2020-24553:
net/http/cgi,net/http/fcgi: Cross-Site Scripting (XSS) when Content-Type
is not specified
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
This includes a fix for CVE-2020-16845 (encoding/binary: ReadUvarint and
ReadVarint can read an unlimited number of bytes from invalid inputs).
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
Because the first stage for building target Go is actually a host build,
the default platform options (GO386, GOARM, etc.) are detected from the
host. These values are written to a source file and kept when building
the second stage.
This modifies this source file to set the appropriate values for the
target platform, and reset values for other platforms to their
cross-compiling / most compatible defaults.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
The variable is a list of shell variables; the new name is more in-line
with other parts the build system (CONFIGURE_VARS, MAKE_VARS, etc.).
GoPackage/Environment is kept (for now) in case other feeds are using
it.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
The default bootstrap Go (Go 1.4) can only be compiled on a limited
number of platforms compared to newer versions of Go.
This adds a config option to use an external bootstrap Go, e.g.
installed through the build system's package manager or downloaded from
golang.org.
See: https://github.com/openwrt/packages/issues/11731
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
* Move more environment variables into GoPackage/Environment
* Split GoPackage/Environment into target and build sections
* Do not set GOROOT_FINAL for Go packages (setting it should only affect
the Go compiler and not Go packages)
* Set CGO_LDFLAGS to $(TARGET_LDFLAGS)
* Move GO_TARGET_* variables from golang-values.mk, and GO_VERSION_*
variables from golang-version.mk, into golang/Makefile
This also updates runc, containerd, and docker-ce to reflect the changes
in GoPackage/Environment.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
* Set GOENV=off when building Go compiler and packages, to ignore user's
environment configuration file
* Set GOCACHE when building host Go
* Unset GOTMPDIR, to use the buildroot temp directory instead of temp
directories in build_dir
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
The ASLR PIE option was changed to a tristate option
(openwrt/openwrt@19cbac7d26). This updates
the Go compiler package and golang-package.mk to account for this
change.
This also adds warning messages for when the user has selected PIE but
Go does not have PIE support for the chosen target.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
This adds support to compile host and target Go as position-independent
executables.
Host Go will have PIE enabled if Go supports PIE on the host platform.
Target Go will have PIE enabled if Go supports PIE on the target
platform and CONFIG_PKG_ASLR_PIE is selected.
Go 1.13 supports PIE for x86 and arm targets; mips support is in
progress[1].
[1]: https://github.com/golang/go/issues/21222#issuecomment-542064462
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
