go_1_23: 1.23.0 -> 1.23.1 #339878

Merged
zowoq merged 1 commit into NixOS:master from techknowlogick:bump-go-05-09-24
Sep 6, 2024
Conversation

@techknowlogick
Member

@techknowlogick techknowlogick commented Sep 5, 2024

Description of changes

go/parser: stack exhaustion in all Parse* functions

Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.
This is CVE-2024-34155 and Go issue https://go.dev/issue/69138.

encoding/gob: stack exhaustion in Decoder.Decode

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion.
This is a follow-up to CVE-2022-30635.
Thanks to Md Sakib Anwar of The Ohio State University ([email protected]) for reporting this issue.
This is CVE-2024-34156 and Go issue https://go.dev/issue/69139.

go/build/constraint: stack exhaustion in Parse

Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.
This is CVE-2024-34158 and Go issue https://go.dev/issue/69141.

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
    • sandbox = relaxed
    • sandbox = true
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 24.11 Release Notes (or backporting 23.11 and 24.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.
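
The stack-exhaustion class the three CVEs above share, shown from the defender's side as an added example (not code from this PR, from nixpkgs, or from the Go fix): a bounded-depth pre-check in front of go/parser for services that parse untrusted source and are not yet on a patched toolchain. MaxDepth, BracketDepth and SafeParseExpr are assumed names and values, not anything the page states.

```go
package main

import (
	"errors"
	"fmt"
	"go/ast"
	"go/parser"
	"strings"
)

// MaxDepth is an assumed, conservative bound; it is not the limit Go's own fix uses.
const MaxDepth = 200
// ErrTooDeep is returned when input nests brackets beyond MaxDepth.
var ErrTooDeep = errors.New("input exceeds maximum nesting depth")

// BracketDepth returns the deepest nesting of (), [] and {} in src. The scan is
// non-recursive and ignores string/comment context, so it can only over-count.
func BracketDepth(src []byte) int {
	depth, deepest := 0, 0
	for _, b := range src {
		switch b {
		case '(', '[', '{':
			depth++
			if depth > deepest {
				deepest = depth
			}
		case ')', ']', '}':
			if depth > 0 {
				depth--
			}
		}
	}
	return deepest
}

// SafeParseExpr refuses over-nested input before it reaches go/parser, so
// untrusted source cannot drive the recursive-descent parser into stack exhaustion.
func SafeParseExpr(src string) (ast.Expr, error) {
	if d := BracketDepth([]byte(src)); d > MaxDepth {
		return nil, fmt.Errorf("%w: depth %d > %d", ErrTooDeep, d, MaxDepth)
	}
	return parser.ParseExpr(src)
}

func main() {
	// Constructed pathological input: 500 nested parentheses around a literal.
	deep := strings.Repeat("(", 500) + "1" + strings.Repeat(")", 500)
	_, err := SafeParseExpr(deep)
	fmt.Println("deep input rejected:", errors.Is(err, ErrTooDeep))
}
```

Moving to 1.23.1 is the real fix; the guard only limits exposure for callers that cannot upgrade immediately.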


@github-actions github-actions bot added the 6.topic: golang Go is a high-level general purpose programming language that is statically typed and compiled. label Sep 5, 2024
@techknowlogick techknowlogick added the 1.severity: security Issues which raise a security issue, or PRs that fix one label Sep 5, 2024
@ofborg ofborg bot requested review from mfrw and qbit September 5, 2024 20:09
@ofborg ofborg bot added 10.rebuild-darwin: 501+ This PR causes many rebuilds on Darwin and should normally target the staging branches. 10.rebuild-darwin: 2501-5000 This PR causes many rebuilds on Darwin and should target the staging branches. 10.rebuild-linux: 501+ This PR causes many rebuilds on Linux and should normally target the staging branches. 10.rebuild-linux: 2501-5000 This PR causes many rebuilds on Linux and should target the staging branches. labels Sep 5, 2024
@zowoq
Contributor

zowoq commented Sep 6, 2024

The go_1_22 bump is a mass rebuild that can't go to master but sending it to staging-next should be fine as it is a security fix. cc @vcunat

@techknowlogick techknowlogick mentioned this pull request Sep 6, 2024
13 tasks
@techknowlogick techknowlogick changed the title go_1_23: 1.23.0 -> 1.23.1, go_1_22: 1.22.6 -> 1.22.7 go_1_23: 1.23.0 -> 1.23.1 Sep 6, 2024
@techknowlogick
Member Author

Thanks @zowoq. I've changed this one to solely 1.23.1, and created a new PR #339946 for 1.22.7&1.23.1 to go to staging-next.

@zowoq
Contributor

zowoq commented Sep 6, 2024

created a new PR ... for 1.22.7&1.23.1 to go to staging-next.

Only needs to be 1.22 as master is merged into staging-next automatically every few hours.

@techknowlogick
Member Author

@zowoq sounds good. thanks for that info :) I've changed the other PR to be 1.22.7 only

@ofborg ofborg bot added 10.rebuild-darwin: 1-10 This PR causes between 1 and 10 packages to rebuild on Darwin. 10.rebuild-linux: 1-10 This PR causes between 1 and 10 packages to rebuild on Linux. and removed 10.rebuild-darwin: 501+ This PR causes many rebuilds on Darwin and should normally target the staging branches. 10.rebuild-darwin: 2501-5000 This PR causes many rebuilds on Darwin and should target the staging branches. 10.rebuild-linux: 501+ This PR causes many rebuilds on Linux and should normally target the staging branches. 10.rebuild-linux: 2501-5000 This PR causes many rebuilds on Linux and should target the staging branches. labels Sep 6, 2024
@zowoq zowoq merged commit 0e0665d into NixOS:master Sep 6, 2024
@techknowlogick techknowlogick deleted the bump-go-05-09-24 branch September 6, 2024 03:34