go, branch go1.15.5

[release-branch.go1.15-security] go1.15.5

2020-11-12T16:39:58Z

Change-Id: Id3b116c0f54c2131111bc8afacb8d81d06f96461 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/901407 Reviewed-by: Katie Hockman

[release-branch.go1.15-security] math/big: fix shift for recursive division

2020-11-11T23:35:42Z

The previous s value could cause a crash for certain inputs. Will check in tests and documentation improvements later. Thanks to the Go Ethereum team and the OSS-Fuzz project for reporting this. Thanks to Rémy Oudompheng and Robert Griesemer for their help developing and validating the fix. Fixes CVE-2020-28362 Change-Id: Ibbf455c4436bcdb07c84a34fa6551fb3422356d3 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/899974 Reviewed-by: Roland Shoemaker Reviewed-by: Filippo Valsorda (cherry picked from commit 28015462c2a83239543dc2bef651e9a5f234b633) Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/901065

[release-branch.go1.15-security] cmd/go: in cgoflags, permit -DX1, prohibit -Wp,-D,opt

2020-11-11T23:35:26Z

Restrict -D and -U to ASCII C identifiers, but do permit trailing digits. When using -Wp, prohibit commas in -D values. Thanks to Imre Rad (https://www.linkedin.com/in/imre-rad-2358749b) for reporting this. Fixes CVE-2020-28367 Change-Id: Ibfc4dfdd6e6c258e131448e7682610c44eee9492 Reviewed-on: https://go-review.googlesource.com/c/go/+/267277 Trust: Ian Lance Taylor Run-TryBot: Ian Lance Taylor TryBot-Result: Go Bot Reviewed-by: Bryan C. Mills Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/899924 Reviewed-by: Filippo Valsorda

[release-branch.go1.15-security] cmd/go, cmd/cgo: don't let bogus symbol set cgo_ldflag

2020-11-11T23:35:14Z

A hand-edited object file can have a symbol name that uses newline and other normally invalid characters. The cgo tool will generate Go files containing symbol names, unquoted. That can permit those symbol names to inject Go code into a cgo-generated file. If that Go code uses the //go:cgo_ldflag pragma, it can cause the C linker to run arbitrary code when building a package. If you build an imported package we permit arbitrary code at run time, but we don't want to permit it at package build time. This CL prevents this in two ways. In cgo, reject invalid symbols that contain non-printable or space characters, or that contain anything that looks like a Go comment. In the go tool, double check all //go:cgo_ldflag directives in generated code, to make sure they follow the existing LDFLAG restrictions. Thanks to Chris Brown and Tempus Ex for reporting this. Fixes CVE-2020-28366 Change-Id: Ia1ad8f3791ea79612690fa7d26ac451d0f6df7c1 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/895832 Reviewed-by: Than McIntosh Reviewed-by: Cherry Zhang (cherry picked from commit 6bc814dd2bbfeaafa41d314dd4cc591b575dfbf6) Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/901056 Reviewed-by: Filippo Valsorda Reviewed-by: Roland Shoemaker

[release-branch.go1.15] go1.15.4

2020-11-05T21:21:32Z

Change-Id: Ibcd61e2c7ef7cc6f8509dadea6c3952c5dd7016e Reviewed-on: https://go-review.googlesource.com/c/go/+/267879 Run-TryBot: Alexander Rakoczy TryBot-Result: Go Bot Reviewed-by: Dmitri Shuralyov Trust: Alexander Rakoczy

[release-branch.go1.15] net/http: update bundled x/net/http2

2020-10-30T15:57:43Z

Bring in the change in CL 266158 with: go mod edit -replace=golang.org/x/net=golang.org/x/net@release-branch.go1.15-bundle GOFLAGS='-mod=mod' go generate -run=bundle std go mod edit -dropreplace=golang.org/x/net go get -d golang.org/x/net@release-branch.go1.15 go mod tidy go mod vendor Updates #39337. Fixes #42113. Change-Id: I3ebef4b90c11ad271b7a3031aafd80c423c2c241 Reviewed-on: https://go-review.googlesource.com/c/go/+/266375 Trust: Dmitri Shuralyov Run-TryBot: Dmitri Shuralyov TryBot-Result: Go Bot Reviewed-by: Emmanuel Odeke

[release-branch.go1.15] time: fix LoadLocationFromTZData with slim tzdata

2020-10-29T22:30:25Z

The extend information of a time zone file with last transition < now could result in a wrong cached zone because it used the zone of the last transition. This could lead to wrong zones in systems with slim zoneinfo. For #42216 Fixes #42138 Change-Id: I7c57c35b5cfa58482ac7925b5d86618c52f5444d Reviewed-on: https://go-review.googlesource.com/c/go/+/264939 Trust: Tobias Klauser Run-TryBot: Tobias Klauser TryBot-Result: Go Bot Reviewed-by: Ian Lance Taylor (cherry picked from commit 70e022e4a83dc996ac4f108e811fbc399ad5565b) Reviewed-on: https://go-review.googlesource.com/c/go/+/266299 Trust: Ian Lance Taylor Run-TryBot: Ian Lance Taylor Reviewed-by: Tobias Klauser

[release-branch.go1.15] time: support slim tzdata format

2020-10-29T19:02:27Z

Backport of part of https://golang.org/cl/261877 to support the slim tzdata format. As of tzdata 2020b, the default is to use the slim format. We need to support that format so that Go installations continue to work when tzdata is updated. Relevant part of the CL description: The reason for the failed tests was that when caching location data, the extended time format past the end of zone transitions was not considered. The respective change was introduced in (*Location).lookup by CL 215539. For #42138 Change-Id: I37f52a0917b2c6e3957e6b4612c8ef104c736e65 Reviewed-on: https://go-review.googlesource.com/c/go/+/264301 Trust: Ian Lance Taylor Reviewed-by: Tobias Klauser

[release-branch.go1.15] compress/flate: fix corrupted output

2020-10-29T18:54:36Z

The fastest compression mode can pick up a false match for every 2GB of input data resulting in incorrectly decompressed data. Since matches are allowed to be up to and including at maxMatchOffset we must offset the buffer by an additional element to prevent the first 4 bytes to match after an out-of-reach value after shiftOffsets has been called. We offset by `maxMatchOffset + 1` so offset 0 in the table will now fail the `if offset > maxMatchOffset` in all cases. Updates #41420. Fixes #41463. Change-Id: If1fbe01728e132b8a207e3f3f439edd832dcc710 GitHub-Last-Rev: 50fabab0da874c37543b139459a810e12e83cee2 GitHub-Pull-Request: golang/go#41477 Reviewed-on: https://go-review.googlesource.com/c/go/+/255879 Reviewed-by: Matthew Dempsky Run-TryBot: Matthew Dempsky TryBot-Result: Go Bot Trust: Joe Tsai Trust: Matthew Dempsky (cherry picked from commit ab541a0560408999ac65d12bec2a3057994eda38) Reviewed-on: https://go-review.googlesource.com/c/go/+/266177 Run-TryBot: Dmitri Shuralyov Trust: Dmitri Shuralyov Reviewed-by: Joe Tsai

[release-branch.go1.15] cmd/go/internal/modfetch: drop gopkg.in/russross/blackfriday.v2 from TestCodeRepoVersions

2020-10-29T18:53:25Z

Follow-up for CL 265819. Given the -pre tag added recently, a new stable version is likely tagged soon. This would break TestCodeRepoVersions on the longtest builders again. Since the other test cases in codeRepoVersionsTests already provide enough coverage, drop gopkg.in/russross/blackfriday.v2 to avoid breaking TestCodeRepoVersions once the release happens. Updates #28856 Change-Id: If86a637b5e47f59faf9048fc1cbbae6e8f1dcc53 Reviewed-on: https://go-review.googlesource.com/c/go/+/265917 Trust: Tobias Klauser Run-TryBot: Tobias Klauser Reviewed-by: Bryan C. Mills Reviewed-by: Jay Conrod TryBot-Result: Go Bot (cherry picked from commit 421d4e72de802ed65cb38317660654771cfb13e9) Reviewed-on: https://go-review.googlesource.com/c/go/+/266178 Trust: Dmitri Shuralyov Trust: Jay Conrod Run-TryBot: Dmitri Shuralyov Reviewed-by: Tobias Klauser