Fix CVE-2018-7187
Resolves: BZ#1546386, BZ#1546388
This commit is contained in:
parent
e8abe4385f
commit
2389428bde
124
CVE-2018-7187.patch
Normal file
124
CVE-2018-7187.patch
Normal file
@ -0,0 +1,124 @@
|
|||||||
|
From c941e27e70c3e06e1011d2dd71d72a7a06a9bcbc Mon Sep 17 00:00:00 2001
|
||||||
|
From: Ian Lance Taylor <iant@golang.org>
|
||||||
|
Date: Thu, 15 Feb 2018 15:57:13 -0800
|
||||||
|
Subject: [PATCH] cmd/go: restrict meta imports to valid schemes
|
||||||
|
|
||||||
|
Before this change, when using -insecure, we permitted any meta import
|
||||||
|
repo root as long as it contained "://". When not using -insecure, we
|
||||||
|
restrict meta import repo roots to be valid URLs. People may depend on
|
||||||
|
that somehow, so permit meta import repo roots to be invalid URLs, but
|
||||||
|
require them to have valid schemes per RFC 3986.
|
||||||
|
|
||||||
|
Fixes #23867
|
||||||
|
|
||||||
|
Change-Id: Iac666dfc75ac321bf8639dda5b0dba7c8840922d
|
||||||
|
Reviewed-on: https://go-review.googlesource.com/94603
|
||||||
|
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
|
||||||
|
---
|
||||||
|
src/cmd/go/internal/get/vcs.go | 34 +++++++++++++++++++++++++++--
|
||||||
|
src/cmd/go/internal/get/vcs_test.go | 43 +++++++++++++++++++++++++++++++++++++
|
||||||
|
2 files changed, 75 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/cmd/go/internal/get/vcs.go b/src/cmd/go/internal/get/vcs.go
|
||||||
|
index ee6b16a1369..dced0ed8db5 100644
|
||||||
|
--- a/src/cmd/go/internal/get/vcs.go
|
||||||
|
+++ b/src/cmd/go/internal/get/vcs.go
|
||||||
|
@@ -809,8 +809,8 @@ func repoRootForImportDynamic(importPath string, security web.SecurityMode) (*re
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
- if !strings.Contains(mmi.RepoRoot, "://") {
|
||||||
|
- return nil, fmt.Errorf("%s: invalid repo root %q; no scheme", urlStr, mmi.RepoRoot)
|
||||||
|
+ if err := validateRepoRootScheme(mmi.RepoRoot); err != nil {
|
||||||
|
+ return nil, fmt.Errorf("%s: invalid repo root %q: %v", urlStr, mmi.RepoRoot, err)
|
||||||
|
}
|
||||||
|
rr := &repoRoot{
|
||||||
|
vcs: vcsByCmd(mmi.VCS),
|
||||||
|
@@ -824,6 +824,36 @@ func repoRootForImportDynamic(importPath string, security web.SecurityMode) (*re
|
||||||
|
return rr, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
+// validateRepoRootScheme returns an error if repoRoot does not seem
|
||||||
|
+// to have a valid URL scheme. At this point we permit things that
|
||||||
|
+// aren't valid URLs, although later, if not using -insecure, we will
|
||||||
|
+// restrict repoRoots to be valid URLs. This is only because we've
|
||||||
|
+// historically permitted them, and people may depend on that.
|
||||||
|
+func validateRepoRootScheme(repoRoot string) error {
|
||||||
|
+ end := strings.Index(repoRoot, "://")
|
||||||
|
+ if end <= 0 {
|
||||||
|
+ return errors.New("no scheme")
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ // RFC 3986 section 3.1.
|
||||||
|
+ for i := 0; i < end; i++ {
|
||||||
|
+ c := repoRoot[i]
|
||||||
|
+ switch {
|
||||||
|
+ case 'a' <= c && c <= 'z' || 'A' <= c && c <= 'Z':
|
||||||
|
+ // OK.
|
||||||
|
+ case '0' <= c && c <= '9' || c == '+' || c == '-' || c == '.':
|
||||||
|
+ // OK except at start.
|
||||||
|
+ if i == 0 {
|
||||||
|
+ return errors.New("invalid scheme")
|
||||||
|
+ }
|
||||||
|
+ default:
|
||||||
|
+ return errors.New("invalid scheme")
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ return nil
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
var fetchGroup singleflight.Group
|
||||||
|
var (
|
||||||
|
fetchCacheMu sync.Mutex
|
||||||
|
diff --git a/src/cmd/go/internal/get/vcs_test.go b/src/cmd/go/internal/get/vcs_test.go
|
||||||
|
index 2cb611fabd8..ece78b563ce 100644
|
||||||
|
--- a/src/cmd/go/internal/get/vcs_test.go
|
||||||
|
+++ b/src/cmd/go/internal/get/vcs_test.go
|
||||||
|
@@ -416,3 +416,46 @@ func TestMatchGoImport(t *testing.T) {
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+func TestValidateRepoRootScheme(t *testing.T) {
|
||||||
|
+ tests := []struct {
|
||||||
|
+ root string
|
||||||
|
+ err string
|
||||||
|
+ }{
|
||||||
|
+ {
|
||||||
|
+ root: "",
|
||||||
|
+ err: "no scheme",
|
||||||
|
+ },
|
||||||
|
+ {
|
||||||
|
+ root: "http://",
|
||||||
|
+ err: "",
|
||||||
|
+ },
|
||||||
|
+ {
|
||||||
|
+ root: "a://",
|
||||||
|
+ err: "",
|
||||||
|
+ },
|
||||||
|
+ {
|
||||||
|
+ root: "a#://",
|
||||||
|
+ err: "invalid scheme",
|
||||||
|
+ },
|
||||||
|
+ {
|
||||||
|
+ root: "-config://",
|
||||||
|
+ err: "invalid scheme",
|
||||||
|
+ },
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ for _, test := range tests {
|
||||||
|
+ err := validateRepoRootScheme(test.root)
|
||||||
|
+ if err == nil {
|
||||||
|
+ if test.err != "" {
|
||||||
|
+ t.Errorf("validateRepoRootScheme(%q) = nil, want %q", test.root, test.err)
|
||||||
|
+ }
|
||||||
|
+ } else if test.err == "" {
|
||||||
|
+ if err != nil {
|
||||||
|
+ t.Errorf("validateRepoRootScheme(%q) = %q, want nil", test.root, test.err)
|
||||||
|
+ }
|
||||||
|
+ } else if err.Error() != test.err {
|
||||||
|
+ t.Errorf("validateRepoRootScheme(%q) = %q, want %q", test.root, err, test.err)
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+}
|
10
golang.spec
10
golang.spec
@ -106,7 +106,7 @@
|
|||||||
|
|
||||||
Name: golang
|
Name: golang
|
||||||
Version: 1.10
|
Version: 1.10
|
||||||
Release: 1%{?dist}
|
Release: 2%{?dist}
|
||||||
Summary: The Go Programming Language
|
Summary: The Go Programming Language
|
||||||
# source tree includes several copies of Mark.Twain-Tom.Sawyer.txt under Public Domain
|
# source tree includes several copies of Mark.Twain-Tom.Sawyer.txt under Public Domain
|
||||||
License: BSD and Public Domain
|
License: BSD and Public Domain
|
||||||
@ -185,6 +185,8 @@ Patch219: s390x-expose-IfInfomsg-X__ifi_pad.patch
|
|||||||
# Proposed patch by jcajka https://golang.org/cl/86541
|
# Proposed patch by jcajka https://golang.org/cl/86541
|
||||||
Patch221: golang-1.10-pkgconfig-fix.patch
|
Patch221: golang-1.10-pkgconfig-fix.patch
|
||||||
|
|
||||||
|
Patch222: CVE-2018-7187.patch
|
||||||
|
|
||||||
# Having documentation separate was broken
|
# Having documentation separate was broken
|
||||||
Obsoletes: %{name}-docs < 1.1-4
|
Obsoletes: %{name}-docs < 1.1-4
|
||||||
|
|
||||||
@ -313,6 +315,8 @@ Requires: %{name} = %{version}-%{release}
|
|||||||
|
|
||||||
%patch221 -p1
|
%patch221 -p1
|
||||||
|
|
||||||
|
%patch222 -p1
|
||||||
|
|
||||||
cp %{SOURCE1} ./src/runtime/
|
cp %{SOURCE1} ./src/runtime/
|
||||||
|
|
||||||
%build
|
%build
|
||||||
@ -548,6 +552,10 @@ fi
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Sat Mar 03 2018 Jakub Čajka <jcajka@redhat.com> - 1.10-2
|
||||||
|
- Fix CVE-2018-7187
|
||||||
|
- Resolves: BZ#1546386, BZ#1546388
|
||||||
|
|
||||||
* Wed Feb 21 2018 Jakub Čajka <jcajka@redhat.com> - 1.10-1
|
* Wed Feb 21 2018 Jakub Čajka <jcajka@redhat.com> - 1.10-1
|
||||||
- Rebase to 1.10
|
- Rebase to 1.10
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user