Buildroot Archive on lore.kernel.org
* [Buildroot] [PATCH v1 1/1] package/go: security bump to version go1.22.7
@ 2024-09-11 21:18 Christian Stewart via buildroot
  2024-09-14  9:00 ` Thomas Petazzoni via buildroot
  0 siblings, 1 reply; 6+ messages in thread
From: Christian Stewart via buildroot @ 2024-09-11 21:18 UTC (permalink / raw)
  To: buildroot; +Cc: Christian Stewart, Yann E . MORIN, Thomas Petazzoni

Fixes the following CVEs:

CVE-2024-34155: go/parser: stack exhaustion in all Parse* functions
CVE-2024-34156: encoding/gob: stack exhaustion in Decoder.Decode
CVE-2024-34158: go/build/constraint: stack exhaustion in Parse

https://go.dev/doc/devel/release#go1.22.7

Signed-off-by: Christian Stewart <christian@aperture.us>
---
 package/go/go-src/go-src.hash | 2 +-
 package/go/go.mk              | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/package/go/go-src/go-src.hash b/package/go/go-src/go-src.hash
index d300f6e2c9..f5727390f7 100644
--- a/package/go/go-src/go-src.hash
+++ b/package/go/go-src/go-src.hash
@@ -1,3 +1,3 @@
 # From https://go.dev/dl
-sha256  ac9c723f224969aee624bc34fd34c9e13f2a212d75c71c807de644bb46e112f6
 go1.22.5.src.tar.gz
+sha256  66432d87d85e0cfac3edffe637d5930fc4ddf5793313fe11e4a0f333023c879f
 go1.22.7.src.tar.gz
 sha256  2d36597f7117c38b006835ae7f537487207d8ec407aa9d9980794b2030cbc067
 LICENSE
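Review bot: The hash entries in this hunk are each split over two lines: the removed go1.22.5.src.tar.gz entry, the added go1.22.7.src.tar.gz entry and the LICENSE context entry all have the file name on a line of its own. The hunk therefore will not match go-src.hash, where every entry is a single "sha256  <hash>  <file>" line, so please resend it unwrapped. Since the header comment names https://go.dev/dl as the source, also confirm the new sha256 against the checksum published there for go1.22.7.src.tar.gz rather than one computed from a local download.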
diff --git a/package/go/go.mk b/package/go/go.mk
index 4c56660651..8b9651d7a1 100644
--- a/package/go/go.mk
+++ b/package/go/go.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################

-GO_VERSION = 1.22.5
+GO_VERSION = 1.22.7

 HOST_GO_GOPATH = $(HOST_DIR)/share/go-path
 HOST_GO_HOST_CACHE = $(HOST_DIR)/share/host-go-cache
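Review bot: GO_VERSION goes from 1.22.5 straight to 1.22.7, but the commit message only accounts for the three CVEs fixed in go1.22.7. Please say in the commit message that the bump also pulls in the intermediate go1.22.6 release, so that whoever backports this to the stable branches knows the update spans two upstream point releases and can check both sets of release notes.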
-- 
2.39.2
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot


* Re: [Buildroot] [PATCH v1 1/1] package/go: security bump to version go1.22.7
  2024-09-11 21:18 [Buildroot] [PATCH v1 1/1] package/go: security bump to version go1.22.7 Christian Stewart via buildroot
@ 2024-09-14  9:00 ` Thomas Petazzoni via buildroot
  2024-09-15  3:07   ` Christian Stewart via buildroot
  2024-09-19 19:56   ` Peter Korsgaard
  0 siblings, 2 replies; 6+ messages in thread
From: Thomas Petazzoni via buildroot @ 2024-09-14  9:00 UTC (permalink / raw)
  To: Christian Stewart via buildroot; +Cc: Yann E . MORIN, Christian Stewart

Hello Christian,

On Wed, 11 Sep 2024 21:18:58 +0000
Christian Stewart via buildroot <buildroot@buildroot.org> wrote:

> Fixes the following CVEs:
> 
> CVE-2024-34155: go/parser: stack exhaustion in all Parse* functions
> CVE-2024-34156: encoding/gob: stack exhaustion in Decoder.Decode
> CVE-2024-34158: go/build/constraint: stack exhaustion in Parse
> 
> https://go.dev/doc/devel/release#go1.22.7
> 
> Signed-off-by: Christian Stewart <christian@aperture.us>
> ---
>  package/go/go-src/go-src.hash | 2 +-
>  package/go/go.mk              | 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)

I've applied, but your patch was badly line-wrapped. Could you make
sure to use "git send-email", or adjust your tooling?

Thanks a lot!

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

* Re: [Buildroot] [PATCH v1 1/1] package/go: security bump to version go1.22.7
  2024-09-14  9:00 ` Thomas Petazzoni via buildroot
@ 2024-09-15  3:07   ` Christian Stewart via buildroot
  2024-09-15  7:31     ` Thomas Petazzoni via buildroot
  2024-09-19 19:56   ` Peter Korsgaard
  1 sibling, 1 reply; 6+ messages in thread
From: Christian Stewart via buildroot @ 2024-09-15  3:07 UTC (permalink / raw)
  To: Thomas Petazzoni; +Cc: Yann E . MORIN, Christian Stewart via buildroot

Hi Thomas,

On Sat, Sep 14, 2024 at 2:00 AM Thomas Petazzoni
<thomas.petazzoni@bootlin.com> wrote:
> I've applied, but your patch was badly line-wrapped. Could you make
> sure to use "git send-email", or adjust your tooling?

Gmail just destroys the line length, it seems. It's hard to send
patches or plaintext emails via Gmail as it wraps at 78 chars.

Will try to find a solution.

Thanks,
Christian

* Re: [Buildroot] [PATCH v1 1/1] package/go: security bump to version go1.22.7
  2024-09-15  3:07   ` Christian Stewart via buildroot
@ 2024-09-15  7:31     ` Thomas Petazzoni via buildroot
  2024-09-15 14:22       ` Christian Stewart via buildroot
  0 siblings, 1 reply; 6+ messages in thread
From: Thomas Petazzoni via buildroot @ 2024-09-15  7:31 UTC (permalink / raw)
  To: Christian Stewart; +Cc: Yann E . MORIN, Christian Stewart via buildroot

On Sat, 14 Sep 2024 20:07:37 -0700
Christian Stewart <christian@aperture.us> wrote:

> Gmail just destroys the line length, it seems. It's hard to send
> patches or plaintext emails via Gmail as it wraps at 78 chars.

A number of other people use Gmail and git send-email and don't have
this issue, so I'm not sure what's going on in your case?

Thomas
-- 
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com

* Re: [Buildroot] [PATCH v1 1/1] package/go: security bump to version go1.22.7
  2024-09-15  7:31     ` Thomas Petazzoni via buildroot
@ 2024-09-15 14:22       ` Christian Stewart via buildroot
  0 siblings, 0 replies; 6+ messages in thread
From: Christian Stewart via buildroot @ 2024-09-15 14:22 UTC (permalink / raw)
  To: Thomas Petazzoni; +Cc: Yann E . MORIN, Christian Stewart via buildroot


Hi Thomas,

On Sun, Sep 15, 2024, 12:31 AM Thomas Petazzoni <
thomas.petazzoni@bootlin.com> wrote:

> On Sat, 14 Sep 2024 20:07:37 -0700
> Christian Stewart <christian@aperture.us> wrote:
>
> > Gmail just destroys the line length, it seems. It's hard to send
> > patches or plaintext emails via Gmail as it wraps at 78 chars.
>
> A number of other people use Gmail and git send-email and don't have
> this issue, so I'm not sure what's going on in your case?
>

They are probably using the insecure app password method. This method
requires setting an "app password" in the Google settings, a plaintext
password which bypasses 2FA and other security options.

This is not good for security as the app password has no access limits and
anyone who can read your home dir and read the password from .gitconfig
can then log into and access the Google account without limits.

Best regards,
Christian
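
A check for the exposure described in the message above, added here as an example (it is not part of the original thread and is not Buildroot's or git's own code): it reports whether a git config file sets a plaintext sendemail.smtpPass and whether group or others can read that file. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag a plaintext sendemail.smtpPass in a git config file.
# Function names and the sample file are constructed for illustration.

# Print "plaintext" if a [sendemail] or [sendemail "<identity>"] section
# sets a non-empty smtpPass (key names are case-insensitive), else "none".
find_smtp_pass() {
    awk '
        /^[ \t]*\[/ {
            in_se = (tolower($0) ~ /^[ \t]*\[sendemail([ \t]+"[^"]*")?[ \t]*\]/)
            next
        }
        in_se && index($0, "=") {
            key = $0; sub(/[=].*/, "", key); gsub(/[ \t]/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val)
            if (tolower(key) == "smtppass" && val != "") found = 1
        }
        END { print (found ? "plaintext" : "none") }
    ' "$1"
}

# Print "exposed" if group or others have read permission, else "private".
file_exposure() {
    if [ -n "$(find "$1" \( -perm -040 -o -perm -004 \))" ]; then
        echo exposed
    else
        echo private
    fi
}

audit_sendemail_secret() {
    case "$(find_smtp_pass "$1")/$(file_exposure "$1")" in
        plaintext/exposed) echo "FAIL: plaintext smtpPass, file readable by other users" ;;
        plaintext/private) echo "WARN: plaintext smtpPass, prefer a credential helper" ;;
        *)                 echo "OK: no plaintext smtpPass" ;;
    esac
}

# Constructed sample config; the password is a placeholder, not a credential.
sample=$(mktemp)
printf '[user]\n\tname = Example Dev\n[sendemail]\n\tsmtpUser = dev@example.com\n\tsmtpPass = PLACEHOLDER\n' > "$sample"
chmod 644 "$sample"; audit_sendemail_secret "$sample"
chmod 600 "$sample"; audit_sendemail_secret "$sample"
rm -f "$sample"
```

When smtpPass is not set, git send-email obtains the password through git-credential, so a credential helper can hold it instead of the config file.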


* Re: [Buildroot] [PATCH v1 1/1] package/go: security bump to version go1.22.7
  2024-09-14  9:00 ` Thomas Petazzoni via buildroot
  2024-09-15  3:07   ` Christian Stewart via buildroot
@ 2024-09-19 19:56   ` Peter Korsgaard
  1 sibling, 0 replies; 6+ messages in thread
From: Peter Korsgaard @ 2024-09-19 19:56 UTC (permalink / raw)
  To: Thomas Petazzoni via buildroot
  Cc: Christian Stewart, Yann E . MORIN, Thomas Petazzoni

>>>>> "Thomas" == Thomas Petazzoni via buildroot <buildroot@buildroot.org> writes:

 > Hello Christian,
 > On Wed, 11 Sep 2024 21:18:58 +0000
 > Christian Stewart via buildroot <buildroot@buildroot.org> wrote:

 >> Fixes the following CVEs:
 >> 
 >> CVE-2024-34155: go/parser: stack exhaustion in all Parse* functions
 >> CVE-2024-34156: encoding/gob: stack exhaustion in Decoder.Decode
 >> CVE-2024-34158: go/build/constraint: stack exhaustion in Parse
 >> 
 >> https://go.dev/doc/devel/release#go1.22.7
 >> 
 >> Signed-off-by: Christian Stewart <christian@aperture.us>
 >> ---
 >> package/go/go-src/go-src.hash | 2 +-
 >> package/go/go.mk              | 2 +-
 >> 2 files changed, 2 insertions(+), 2 deletions(-)

 > I've applied, but your patch was badly line-wrapped. Could you make
 > sure to use "git send-email", or adjust your tooling?

Committed to 2024.02.x and 2024.08.x, thanks.

-- 
Bye, Peter Korsgaard