Fork of Go programming language with my patches. http://git.kilabit.info/go/atom?h=go1.12.17 2020-02-12T19:55:29Z 2020-02-12T19:55:29Z Alexander Rakoczy alex@golang.org 2020-02-12T17:56:44Z urn:sha1:46cb016190389b7e37b21f04e5343a628ca1f662 Change-Id: I9d398ed495011487544b1e5d0a469ae73c6f5927 Reviewed-on: https://go-review.googlesource.com/c/go/+/219218 Run-TryBot: Alexander Rakoczy <alex@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Carlos Amedee <carlos@golang.org> 2020-02-12T17:52:48Z Alexander Rakoczy alex@golang.org 2020-02-12T16:32:58Z urn:sha1:b293f01b4ae5d480c199d8126a26b88e6f997236 Change-Id: I95f81f269e742ac058cb3e6404cc43beb2428926 Reviewed-on: https://go-review.googlesource.com/c/go/+/219200 Run-TryBot: Alexander Rakoczy <alex@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Carlos Amedee <carlos@golang.org> 2020-01-31T00:14:28Z Dmitri Shuralyov dmitshur@golang.org 2020-01-31T00:14:03Z urn:sha1:249c282caf075fda88658ef6e11fb90067f238b0 Change-Id: Ic8ed07ad2c77042a67d7e1d4e9c0d5953610cf07 2020-01-27T22:27:19Z Dmitri Shuralyov dmitshur@golang.org 2020-01-27T21:36:40Z urn:sha1:deac3221fc4cd365fb40d269dd56551e9d354356 Change-Id: Iea658e285670a897a45eca3756004f050763c64d Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/649301 Reviewed-by: Katie Hockman <katiehockman@google.com> 2020-01-27T21:15:08Z Katie Hockman katie@golang.org 2020-01-27T19:11:04Z urn:sha1:e60fc07b54375c9dcc5d6e28c9376926c450fd57 Change-Id: Ib8ac9bf5020d9ab126a8069378978d7dce3509dc Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/648870 Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> 2020-01-27T20:31:21Z Katie Hockman katie@golang.org 2020-01-24T20:29:12Z urn:sha1:44bb3b4b5341f5bb373acb0b8130795f888c9ace cryptobyte: fix panic due to malformed ASN.1 inputs on 32-bit archs When int is 32 bits wide (on 32-bit architectures like 386 and arm), an overflow could occur, causing a panic, due to malformed ASN.1 being passed to any of the ASN1 methods of String. Tested on linux/386 and darwin/amd64. This fixes CVE-2020-7919 and was found thanks to the Project Wycheproof test vectors. Change-Id: I8c9696a8bfad1b40ec877cd740dba3467d66ab54 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/645211 Reviewed-by: Katie Hockman <katiehockman@google.com> Reviewed-by: Adam Langley <agl@google.com> x/crypto/cryptobyte is used in crypto/x509 for parsing certificates. Malformed certificates might cause a panic during parsing on 32-bit architectures (like arm and 386). Change-Id: I3c619af508bacff84023be4d5a7c4992c2f20a56 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/647483 Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> 2020-01-24T19:25:49Z Filippo Valsorda filippo@golang.org 2020-01-21T19:45:15Z urn:sha1:a8b372fb365f4b69f0b06aa9c3e642e6aa022840 An attacker can trick the Windows system verifier to use a poisoned set of elliptic curve parameters for a trusted root, allowing it to generate spoofed signatures. When this happens, the returned chain will present the unmodified original root, so the actual signatures won't verify (as they are invalid for the correct parameters). Simply double check them as a safety measure and mitigation. Windows users should still install the system security patch ASAP. This is the same mitigation adopted by Chromium: https://chromium-review.googlesource.com/c/chromium/src/+/1994434 Change-Id: I2c734f6fb2cb51d906c7fd77034318ffeeb3e146 Reviewed-on: https://go-review.googlesource.com/c/go/+/215905 Run-TryBot: Filippo Valsorda <filippo@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Ryan Sleevi <sleevi@google.com> Reviewed-by: Katie Hockman <katie@golang.org> Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/647124 Reviewed-by: Filippo Valsorda <valsorda@google.com> 2020-01-16T19:05:18Z Ian Lance Taylor iant@golang.org 2020-01-15T14:38:16Z urn:sha1:4af1337d1e9eb9e7b766c9deb787c78413bb25c4 Updates #36557 Fixes #36574 Change-Id: Ia8125f382d5e14e5612da811268a58971cc9ac08 Reviewed-on: https://go-review.googlesource.com/c/go/+/214917 Run-TryBot: Ian Lance Taylor <iant@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Reviewed-by: Jason A. Donenfeld <Jason@zx2c4.com> Reviewed-by: Austin Clements <austin@google.com> (cherry picked from commit d2de9bd59c068c1bfcb4293de4286196dacf2e43) Reviewed-on: https://go-review.googlesource.com/c/go/+/215017 2020-01-10T21:56:50Z Bryan C. Mills bcmills@google.com 2020-01-10T14:25:51Z urn:sha1:9720aff0bcf876647cf064a4e92eeab43598bfc5 Commit e0cf3de987e6 of the vcs-test.golang.org/git/querytest repo includes a go.mod file specifying path vcs-test.golang.org/git/querytest.git, as does the latest commit. Since the repository also lacks v3 tags, a query for "latest" with a v3 path should fail. Due to a bug, that query does not fail as expected with Go 1.12. However, we do not need to continue to test for buggy behavior that was fixed in a subsequent release. Updates #36489 Change-Id: I766390c962fc75ba98fad02831310d90abf3055f Reviewed-on: https://go-review.googlesource.com/c/go/+/214281 Run-TryBot: Bryan C. Mills <bcmills@google.com> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org> 2020-01-09T19:00:28Z Carlos Amedee carlos@golang.org 2020-01-09T16:24:31Z urn:sha1:694e20f4e08af7e7669c9652424d0df9b0b83f00 Change-Id: I6e47da51c3687ae9590554d003d803270f50911e Reviewed-on: https://go-review.googlesource.com/c/go/+/214082 Run-TryBot: Carlos Amedee <carlos@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Alexander Rakoczy <alex@golang.org>