go, branch go1.18.1

[release-branch.go1.18] go1.18.1

2022-04-12T15:40:19Z

Change-Id: If2b91acf7fb4a55cded985d6f2a2ab058c1b7bd3 Reviewed-on: https://go-review.googlesource.com/c/go/+/399818 Run-TryBot: Dmitri Shuralyov Reviewed-by: Cherry Mui TryBot-Result: Gopher Robot Reviewed-by: Dmitri Shuralyov

[release-branch.go1.18] encoding/pem: fix stack overflow in Decode

2022-04-12T14:45:32Z

Previously, Decode called decodeError, a recursive function that was prone to stack overflows when given a large PEM file containing errors. Credit to Juho Nurminen of Mattermost who reported the error. Fixes CVE-2022-24675 Updates #51853 Fixes #52037 Change-Id: Iffe768be53c8ddc0036fea0671d290f8f797692c Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1391157 Reviewed-by: Damien Neil Reviewed-by: Filippo Valsorda (cherry picked from commit 794ea5e828010e8b68493b2fc6d2963263195a02) Reviewed-on: https://go-review.googlesource.com/c/go/+/399817 Run-TryBot: Dmitri Shuralyov Reviewed-by: Dmitri Shuralyov Reviewed-by: Cherry Mui TryBot-Result: Gopher Robot

[release-branch.go1.18] go/types: don't report errors for untyped int shifts on Go < 1.13

2022-04-06T17:10:45Z

CL 337529 introduced upfront type-checking of constant shift operands, to avoid converting their type to uint (per the spec). However, it had an oversight in that the checks intended for non-constant operands still ran after the explicit checking of constant operands. As a result, there are at least two bugs: - When GoVersion is < 1.13, we report spurious errors for untyped constant shift operands. - When the operand is an untyped float constant, we still convert to uint (this was a known bug reported in #47410). Looking at this now, it seems clear that we can avoid both of these bugs by simply not running the additional checks in the case of a constant operand. However, this should be considered with some care, as shifts are notoriously tricky. While cherry-picking, the new test file is updated to use the go1_12 package name, following our convention for specifying language version in the release branch. Fixes #52032 Change-Id: Ia489cc5470b92a8187d3de0423d05b309daf47bb Reviewed-on: https://go-review.googlesource.com/c/go/+/396775 Reviewed-by: Robert Griesemer Trust: Robert Findley Run-TryBot: Robert Findley TryBot-Result: Gopher Robot (cherry picked from commit 8a816d5efcc842ae92f0193aa9c1d433bd66ef31) Reviewed-on: https://go-review.googlesource.com/c/go/+/397680

[release-branch.go1.18] go/types, types2: fix overlap test for union termlist

2022-04-06T16:37:43Z

Per the spec, "the type sets of all non-interface terms must be pairwise disjoint (the pairwise intersection of the type sets must be empty)" in a union. For the overlap test, the existing implementation casually mixed syntactic union terms (which may have interface type) with type set terms (which are normalized/expanded and must not have interface type). As a consequence, in some cases the overlap test failed. This change skips terms with interface types in the overlap test. For this cherry-pick, also rename the files ending in issue51607.go to issue51607.go2 because the 1.18 branch requires tests containing generic features to end in .go2. Fixes #52119. Change-Id: I8ae9953db31f0a0428389c6a45a6696aa2450219 Reviewed-on: https://go-review.googlesource.com/c/go/+/397695 Trust: Robert Griesemer Run-TryBot: Robert Griesemer TryBot-Result: Gopher Robot Reviewed-by: Ian Lance Taylor Reviewed-by: Robert Findley Reviewed-on: https://go-review.googlesource.com/c/go/+/398154

[release-branch.go1.18] crypto/elliptic: tolerate zero-padded scalars in generic P-256

2022-04-06T16:36:36Z

Updates #52075 Fixes #52077 Fixes CVE-2022-28327 Change-Id: I595a7514c9a0aa1b9c76aedfc2307e1124271f27 Reviewed-on: https://go-review.googlesource.com/c/go/+/397137 Trust: Filippo Valsorda Reviewed-by: Julie Qiu

[release-branch.go1.18] cmd/go: prevent panic in go work use

2022-04-05T15:18:32Z

Check if paths passed as arguments are existing directories. Fixes #52140 Updates #51841 Change-Id: Icfd148627e6f2c4651d6f923a37d413e68c67f6c GitHub-Last-Rev: 77fffa7635052f11dc93488ee23fd1c895284b4d GitHub-Pull-Request: golang/go#51845 Reviewed-on: https://go-review.googlesource.com/c/go/+/394154 Trust: Bryan Mills Reviewed-by: Bryan Mills Trust: Emmanuel Odeke Run-TryBot: Emmanuel Odeke TryBot-Result: Gopher Robot Reviewed-on: https://go-review.googlesource.com/c/go/+/397995 Run-TryBot: Bryan Mills Reviewed-by: Cherry Mui

[release-branch.go1.18] crypto/x509: only disable SHA-1 verification for certificates

2022-04-05T15:01:00Z

Disable SHA-1 signature verification in Certificate.CheckSignatureFrom, but not in Certificate.CheckSignature. This allows verification of OCSP responses and CRLs, which still use SHA-1 signatures, but not on certificates. Updates #41682 Fixes #51852 Change-Id: Ia705eb5052e6fc2724fed59248b1c4ef8af6c3fe Reviewed-on: https://go-review.googlesource.com/c/go/+/394294 Trust: Roland Shoemaker Run-TryBot: Roland Shoemaker Auto-Submit: Roland Shoemaker Reviewed-by: Jordan Liggitt Reviewed-by: Filippo Valsorda TryBot-Result: Gopher Robot (cherry picked from commit 35998c010947d3a5a26409fffcb4ed16c3595850) Reviewed-on: https://go-review.googlesource.com/c/go/+/398074 Reviewed-by: Cherry Mui

[release-branch.go1.18] cmd/go: prevent go work use panic when given a file

2022-04-05T14:17:24Z

The current implementation fails to identify that an argument to go work use is a file when expecting a directory, and panics when attempting to access it as a directory. This change checks arguments are directories and generates an error otherwise. Fixes #51764 Updates #51749 Change-Id: If8f69d233409e93fcf391a8774bace74c031c986 Reviewed-on: https://go-review.googlesource.com/c/go/+/393615 Reviewed-by: Bryan Mills Trust: Bryan Mills Run-TryBot: Bryan Mills TryBot-Result: Gopher Robot Trust: Ian Lance Taylor (cherry picked from commit a84ef500213ef6c2a0e4bfd82253e9fcd28f1f62) Reviewed-on: https://go-review.googlesource.com/c/go/+/397994 Reviewed-by: Cherry Mui

[release-branch.go1.18] crypto/x509: fix Certificate.Verify crash

2022-04-04T21:16:23Z

(Primarily from Josh) Updates #51759 Fixes #51763 Fixes CVE-2022-27536 Co-authored-by: Josh Bleecher Snyder Change-Id: I0a6f2623b57750abd13d5e194b5c6ffa3be6bf72 Reviewed-on: https://go-review.googlesource.com/c/go/+/393655 Trust: Brad Fitzpatrick Run-TryBot: Brad Fitzpatrick Reviewed-by: Roland Shoemaker TryBot-Result: Gopher Robot (cherry picked from commit 0fca8a8f25cf4636fd980e72ba0bded4230922de) Reviewed-on: https://go-review.googlesource.com/c/go/+/394655 Trust: Roland Shoemaker Reviewed-by: Brad Fitzpatrick Reviewed-by: Filippo Valsorda

[release-branch.go1.18] go/types, types2: preserve parent scope when substituting receivers

2022-04-04T20:28:11Z

For #51920 Fixes #52007 Change-Id: I29e44a52dabee5c09e1761f9ec8fb2e8795f8901 Reviewed-on: https://go-review.googlesource.com/c/go/+/395538 Trust: Robert Findley Run-TryBot: Robert Findley Reviewed-by: Robert Griesemer TryBot-Result: Gopher Robot (cherry picked from commit 9b90838712856cad86504a526e566f963f86c04e) Reviewed-on: https://go-review.googlesource.com/c/go/+/395680