!360 [sync] PR-355: backport: fix CVE-2024-24787

From: @openeuler-sync-bot 
Reviewed-by: @hcnbxx 
Signed-off-by: @hcnbxx

0065-Backport-cmd-go-disallow-lto_library-in-LDFLAGS.patch

@@ -0,0 +1,113 @@
+From 2d5d295d8fb84ec472e6131ca00c4a5a9dcd3ad8 Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <bracewell@google.com>
+Date: Fri, 26 Apr 2024 04:09:54 +0800
+Subject: [PATCH] [Backport] cmd/go: disallow -lto_library in LDFLAGS
+CVE: CVE-2024-24787
+Reference: https://go-review.googlesource.com/c/go/+/583795
+
+The darwin linker allows setting the LTO library with the -lto_library
+flag. This wasn't caught by our "safe linker flags" check because it
+was covered by the -lx flag used for linking libraries. This change
+adds a specific check for excluded flags which otherwise satisfy our
+existing checks.
+
+Loading a mallicious LTO library would allow an attacker to cause the
+linker to execute abritrary code when "go build" was called.
+
+Thanks to Juho Forsén of Mattermost for reporting this issue.
+
+Fixes #67119
+Fixes #67121
+Fixes CVE-2024-24787
+
+Change-Id: I77ac8585efbdbdfd5f39c39ed623b9408a0f9eaf
+Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1380
+Reviewed-by: Russ Cox <rsc@google.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+(cherry picked from commit 9a79141fbbca1105e5c786f15e38741ca7843290)
+Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1401
+Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/583795
+Reviewed-by: David Chase <drchase@google.com>
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+Signed-off-by: Ma Chang Wang machangwang@huawei.com
+---
+ src/cmd/go/internal/work/security.go            | 17 ++++++++++++++---
+ .../script/darwin_lto_library_ldflag.txt        | 17 +++++++++++++++++
+ 2 files changed, 31 insertions(+), 3 deletions(-)
+ create mode 100644 src/cmd/go/testdata/script/darwin_lto_library_ldflag.txt
+
+diff --git a/src/cmd/go/internal/work/security.go b/src/cmd/go/internal/work/security.go
+index 91e6e4c86b..5dddff9fbc 100644
+--- a/src/cmd/go/internal/work/security.go
++++ b/src/cmd/go/internal/work/security.go
+@@ -140,6 +140,12 @@ var validCompilerFlagsWithNextArg = []string{
+ 	"-x",
+ }
+ 
++var invalidLinkerFlags = []*lazyregexp.Regexp{
++	// On macOS this means the linker loads and executes the next argument.
++	// Have to exclude separately because -lfoo is allowed in general.
++	re(`-lto_library`),
++}
++
+ var validLinkerFlags = []*lazyregexp.Regexp{
+ 	re(`-F([^@\-].*)`),
+ 	re(`-l([^@\-].*)`),
+@@ -229,14 +235,14 @@ var validLinkerFlagsWithNextArg = []string{
+ }
+ 
+ func checkCompilerFlags(name, source string, list []string) error {
+-	return checkFlags(name, source, list, validCompilerFlags, validCompilerFlagsWithNextArg)
++	return checkFlags(name, source, list, nil, validCompilerFlags, validCompilerFlagsWithNextArg)
+ }
+ 
+ func checkLinkerFlags(name, source string, list []string) error {
+-	return checkFlags(name, source, list, validLinkerFlags, validLinkerFlagsWithNextArg)
++	return checkFlags(name, source, list, invalidLinkerFlags, validLinkerFlags, validLinkerFlagsWithNextArg)
+ }
+ 
+-func checkFlags(name, source string, list []string, valid []*lazyregexp.Regexp, validNext []string) error {
++func checkFlags(name, source string, list []string, invalid, valid []*lazyregexp.Regexp, validNext []string) error {
+ 	// Let users override rules with $CGO_CFLAGS_ALLOW, $CGO_CFLAGS_DISALLOW, etc.
+ 	var (
+ 		allow    *regexp.Regexp
+@@ -266,6 +272,11 @@ Args:
+ 		if allow != nil && allow.FindString(arg) == arg {
+ 			continue Args
+ 		}
++		for _, re := range invalid {
++			if re.FindString(arg) == arg { // must be complete match
++				goto Bad
++			}
++		}
+ 		for _, re := range valid {
+ 			if re.FindString(arg) == arg { // must be complete match
+ 				continue Args
+diff --git a/src/cmd/go/testdata/script/darwin_lto_library_ldflag.txt b/src/cmd/go/testdata/script/darwin_lto_library_ldflag.txt
+new file mode 100644
+index 0000000000..a079784b34
+--- /dev/null
++++ b/src/cmd/go/testdata/script/darwin_lto_library_ldflag.txt
+@@ -0,0 +1,17 @@
++[!darwin] skip
++[!cgo] skip
++
++! go build
++stderr 'invalid flag in #cgo LDFLAGS: -lto_library'
++
++-- go.mod --
++module ldflag
++
++-- main.go --
++package main
++
++// #cgo CFLAGS: -flto
++// #cgo LDFLAGS: -lto_library bad.dylib
++import "C"
++
++func main() {}
+\ No newline at end of file
+-- 
+2.33.0
+

golang.spec

@@ -63,7 +63,7 @@
 
 Name:           golang
 Version:        1.17.3
-Release:        32
+Release:        33
 Summary:        The Go Programming Language
 License:        BSD and Public Domain
 URL:            https://golang.org/
@@ -214,6 +214,7 @@ Patch6061:	0061-Backport-net-mail-properly-handle-special-characters.patch
 Patch6062:	0062-1.17-backport-runtime-decrement-netpollWaiters-in-ne.patch
 Patch6063:	0063-1.17-backport-runtime-adjust-netpollWaiters-after-go.patch
 Patch6064:	0064-Backport-net-http-update-bundled-golang.org-x-net-ht.patch
+Patch6065:	0065-Backport-cmd-go-disallow-lto_library-in-LDFLAGS.patch
 
 ExclusiveArch:  %{golang_arches}
 
@@ -452,6 +453,12 @@ fi
 %files devel -f go-tests.list -f go-misc.list -f go-src.list
 
 %changelog
+* Mon May 27 2024 lujingxiao <lujingxiao@huawei.com> - 1.17.3-33
+- Type:CVE
+- CVE:CVE-2024-24787
+- SUG:NA
+- DESC:fix CVE-2024-24787
+
 * Tue Apr 16 2024 hanchao <hanchao63@huawei.com> - 1.17.3-32
 - Type:CVE
 - CVE:CVE-2023-45288