go, branch go1.14.12

[release-branch.go1.14-security] go1.14.12

2020-11-12T16:47:42Z

Change-Id: I8ce7093f7e119216d3a5d8941968788b70b6afaf Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/901408 Reviewed-by: Katie Hockman

[release-branch.go1.14-security] math/big: fix shift for recursive division

2020-11-12T14:40:27Z

The previous s value could cause a crash for certain inputs. Will check in tests and documentation improvements later. Thanks to the Go Ethereum team and the OSS-Fuzz project for reporting this. Thanks to Rémy Oudompheng and Robert Griesemer for their help developing and validating the fix. Fixes CVE-2020-28362 Change-Id: Ibbf455c4436bcdb07c84a34fa6551fb3422356d3 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/899974 Reviewed-by: Roland Shoemaker Reviewed-by: Filippo Valsorda (cherry picked from commit 28015462c2a83239543dc2bef651e9a5f234b633) Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/901064

[release-branch.go1.14-security] cmd/go: in cgoflags, permit -DX1, prohibit -Wp,-D,opt

2020-11-12T14:40:27Z

Restrict -D and -U to ASCII C identifiers, but do permit trailing digits. When using -Wp, prohibit commas in -D values. Thanks to Imre Rad (https://www.linkedin.com/in/imre-rad-2358749b) for reporting this. Fixes CVE-2020-28367 Change-Id: Ibfc4dfdd6e6c258e131448e7682610c44eee9492 Reviewed-on: https://go-review.googlesource.com/c/go/+/267277 Trust: Ian Lance Taylor Run-TryBot: Ian Lance Taylor TryBot-Result: Go Bot Reviewed-by: Bryan C. Mills Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/899923 Reviewed-by: Filippo Valsorda

[release-branch.go1.14-security] cmd/go, cmd/cgo: don't let bogus symbol set cgo_ldflag

2020-11-12T14:40:16Z

A hand-edited object file can have a symbol name that uses newline and other normally invalid characters. The cgo tool will generate Go files containing symbol names, unquoted. That can permit those symbol names to inject Go code into a cgo-generated file. If that Go code uses the //go:cgo_ldflag pragma, it can cause the C linker to run arbitrary code when building a package. If you build an imported package we permit arbitrary code at run time, but we don't want to permit it at package build time. This CL prevents this in two ways. In cgo, reject invalid symbols that contain non-printable or space characters, or that contain anything that looks like a Go comment. In the go tool, double check all //go:cgo_ldflag directives in generated code, to make sure they follow the existing LDFLAG restrictions. Thanks to Chris Brown and Tempus Ex for reporting this. Fixes CVE-2020-28366 Change-Id: Ia1ad8f3791ea79612690fa7d26ac451d0f6df7c1 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/895832 Reviewed-by: Than McIntosh Reviewed-by: Cherry Zhang (cherry picked from commit 6bc814dd2bbfeaafa41d314dd4cc591b575dfbf6) Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/901055 Reviewed-by: Filippo Valsorda Reviewed-by: Roland Shoemaker

[release-branch.go1.14] go1.14.11

2020-11-05T21:21:19Z

Change-Id: I1b4231179d0825113f2cbb6e84e92b3453e2ee45 Reviewed-on: https://go-review.googlesource.com/c/go/+/267878 Run-TryBot: Alexander Rakoczy TryBot-Result: Go Bot Reviewed-by: Dmitri Shuralyov Trust: Alexander Rakoczy

[release-branch.go1.14] net/http: update bundled x/net/http2

2020-10-30T15:54:58Z

Bring in the change in CL 266157 with: go get -d golang.org/x/net@release-branch.go1.14 go mod tidy go mod vendor go generate -run=bundle std Updates #39337. Fixes #42112. Change-Id: Iefd0012369c7f0c58201256e29d21210cb9f2f7a Reviewed-on: https://go-review.googlesource.com/c/go/+/266374 Run-TryBot: Dmitri Shuralyov Reviewed-by: Emmanuel Odeke TryBot-Result: Go Bot Trust: Dmitri Shuralyov

[release-branch.go1.14] cmd/go/internal/modfetch: drop gopkg.in/russross/blackfriday.v2 from TestCodeRepoVersions

2020-10-30T00:17:28Z

Follow-up for CL 265819. Given the -pre tag added recently, a new stable version is likely tagged soon. This would break TestCodeRepoVersions on the longtest builders again. Since the other test cases in codeRepoVersionsTests already provide enough coverage, drop gopkg.in/russross/blackfriday.v2 to avoid breaking TestCodeRepoVersions once the release happens. Updates #28856 Change-Id: If86a637b5e47f59faf9048fc1cbbae6e8f1dcc53 Reviewed-on: https://go-review.googlesource.com/c/go/+/265917 Trust: Tobias Klauser Run-TryBot: Tobias Klauser Reviewed-by: Bryan C. Mills Reviewed-by: Jay Conrod TryBot-Result: Go Bot (cherry picked from commit 421d4e72de802ed65cb38317660654771cfb13e9) Reviewed-on: https://go-review.googlesource.com/c/go/+/266178 Trust: Dmitri Shuralyov Trust: Jay Conrod Run-TryBot: Dmitri Shuralyov Reviewed-by: Tobias Klauser (cherry picked from commit 8687f6d924ee3a311e08db855c6dc1024c1f9349) Reviewed-on: https://go-review.googlesource.com/c/go/+/266302 Trust: Ian Lance Taylor Run-TryBot: Ian Lance Taylor Reviewed-by: Dmitri Shuralyov

[release-branch.go1.14] time: fix LoadLocationFromTZData with slim tzdata

2020-10-29T23:29:37Z

The extend information of a time zone file with last transition < now could result in a wrong cached zone because it used the zone of the last transition. This could lead to wrong zones in systems with slim zoneinfo. Fixes #42155 Change-Id: I7c57c35b5cfa58482ac7925b5d86618c52f5444d Reviewed-on: https://go-review.googlesource.com/c/go/+/264939 Trust: Tobias Klauser Run-TryBot: Tobias Klauser TryBot-Result: Go Bot Reviewed-by: Ian Lance Taylor (cherry picked from commit 70e022e4a83dc996ac4f108e811fbc399ad5565b) Reviewed-on: https://go-review.googlesource.com/c/go/+/266303 Trust: Ian Lance Taylor Run-TryBot: Ian Lance Taylor Reviewed-by: Tobias Klauser

[release-branch.go1.14] time: support slim tzdata format

2020-10-29T22:30:04Z

Backport of part of https://golang.org/cl/261877 to support the slim tzdata format. As of tzdata 2020b, the default is to use the slim format. We need to support that format so that Go installations continue to work when tzdata is updated. Relevant part of the CL description: The reason for the failed tests was that when caching location data, the extended time format past the end of zone transitions was not considered. The respective change was introduced in (*Location).lookup by CL 215539. For #42155 Change-Id: I37f52a0917b2c6e3957e6b4612c8ef104c736e65 Reviewed-on: https://go-review.googlesource.com/c/go/+/264301 Trust: Ian Lance Taylor Reviewed-by: Tobias Klauser (cherry picked from commit 414668cfbc41fd8cadf74e981849d1e05cc23b2e) Reviewed-on: https://go-review.googlesource.com/c/go/+/266298 Run-TryBot: Ian Lance Taylor

[release-branch.go1.14] time: use extended time format past end of zone transitions

2020-10-29T19:00:01Z

This gives us better expected information for daylight savings time transitions in year 2038 and beyond. For #36654 For #42155 Change-Id: I5a39aed3c40b184e1d7bb7d6ce3aff5307c4c146 Reviewed-on: https://go-review.googlesource.com/c/go/+/215539 Run-TryBot: Ian Lance Taylor TryBot-Result: Gobot Gobot Reviewed-by: Brad Fitzpatrick (cherry picked from commit b71eafbcece175db33acfb205e9090ca99a8f984) Reviewed-on: https://go-review.googlesource.com/c/go/+/264302 Trust: Ian Lance Taylor TryBot-Result: Go Bot Reviewed-by: Tobias Klauser