msft-golang: upgrade 1.22.2 -> 1.22.3 to address CVE-2024-24787 & CVE-2024-24788 (#9108)

Changelog: https://go.dev/doc/devel/release#go1.22.0
Signed-off-by: Muhammad Falak R Wani <falakreyaz@gmail.com>

Author: mfrw

SPECS/msft-golang/msft-golang.signatures.json

@@ -1,8 +1,8 @@
 {
  "Signatures": {
   "go.20230802.5.src.tar.gz": "56b9e0e0c3c13ca95d5efa6de4e7d49a9d190eca77919beff99d33cd3fa74e95",
-  "go.20240321.6.src.tar.gz": "6be4a8eee684f502d1311ed18acd8bf0cadbf824db666340a60b4f99e74de5a3",
-  "go1.22.2-20240403.7.src.tar.gz": "b1aff61fcc226c910919f89ccde7d30f1bfe8c59c6bfa09c4e5c857b716fda3b",
+  "go.20240206.2.src.tar.gz": "7982e0011aa9ab95fd0530404060410af4ba57326d26818690f334fdcb6451cd",
+  "go1.22.3-20240507.3.src.tar.gz": "43d600d563ac00c2e9ca485691c26114b29496ec6f811431469c85f495df23c8",
   "go1.4-bootstrap-20171003.tar.gz": "f4ff5b5eb3a3cae1c993723f3eab519c5bae18866b5e5f96fe1102f0cb5c3e52"
  }
 }

SPECS/msft-golang/msft-golang.spec

@@ -1,7 +1,7 @@
-%global bootstrap_pre_1_20_compiler_version 20230802.5
-%global bootstrap_post_1_20_compiler_version 20240321.6
 %global goroot          %{_libdir}/golang
 %global gopath          %{_datadir}/gocode
+%global ms_go_filename  go1.22.3-20240507.3.src.tar.gz
+%global ms_go_revision  1
 %ifarch aarch64
 %global gohostarch      arm64
 %else
@@ -14,17 +14,20 @@
 %define __find_requires %{nil}
 Summary:        Go
 Name:           msft-golang
-Version:        1.22.2
+Version:        1.22.3
 Release:        1%{?dist}
 License:        BSD
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
 Group:          System Environment/Security
 URL:            https://github.com/microsoft/go
-Source0:        https://github.com/microsoft/go/releases/download/v1.22.2-1/go1.22.2-20240403.7.src.tar.gz
-Source1:        https://dl.google.com/go/go1.4-bootstrap-20171003.tar.gz
-Source2:        https://github.com/microsoft/go/releases/download/v1.19.12-1/go.%{bootstrap_pre_1_20_compiler_version}.src.tar.gz
-Source3:        https://github.com/microsoft/go/releases/download/v1.21.8-3/go.%{bootstrap_post_1_20_compiler_version}.src.tar.gz
+Source0:        https://github.com/microsoft/go/releases/download/v%{version}-%{ms_go_revision}/%{ms_go_filename}
+# bootstrap 00, same content as https://dl.google.com/go/go1.4-bootstrap-20171003.tar.gz
+Source1:        https://github.com/microsoft/go/releases/download/v1.4.0-1/go1.4-bootstrap-20171003.tar.gz
+# bootstrap 01
+Source2:        https://github.com/microsoft/go/releases/download/v1.19.12-1/go.20230802.5.src.tar.gz
+# bootstrap 02
+Source3:        https://github.com/microsoft/go/releases/download/v1.20.14-1/go.20240206.2.src.tar.gz
 Patch0:         go14_bootstrap_aarch64.patch
 Conflicts:      go
 Conflicts:      golang
@@ -36,51 +39,47 @@ Go is an open source programming language that makes it easy to build simple, re
 # Setup go 1.4 bootstrap source
 tar xf %{SOURCE1} --no-same-owner
 patch -Np1 --ignore-whitespace < %{PATCH0}
-mv -v go go-bootstrap
+mv -v go go-bootstrap-00
+
+tar xf %{SOURCE2} --no-same-owner
+mv -v go go-bootstrap-01
+
+tar xf %{SOURCE3} --no-same-owner
+mv -v go go-bootstrap-02
 
 %setup -q -n go
 
 %build
-# Go >= 1.20, < 1.22 bootstraps with go >= 1.17 and
-# go >= 1.22 bootstraps with go >= 1.20.6.
-# This condition makes go compiler >= 1.20 build a 4 step process:
-# - Build the bootstrap compiler 1.4 (bootstrap bits in c)
-# - Use the 1.4 compiler to build the %%{bootstrap_pre_1_20_compiler_version} compiler.
-# - Use the %%{bootstrap_pre_1_20_compiler_version} compiler to build go %%{bootstrap_post_1_20_compiler_version} compiler.
-# - Use the go %%{bootstrap_post_1_20_compiler_version} compiler to build the final go compiler.
-
-# Build go 1.4 bootstrap
-pushd %{_topdir}/BUILD/go-bootstrap/src
-CGO_ENABLED=0 ./make.bash
-popd
-mv -v %{_topdir}/BUILD/go-bootstrap %{_libdir}/golang
-export GOROOT=%{_libdir}/golang
-
-# Use go1.4 bootstrap to compile go.%%{bootstrap_pre_1_20_compiler_version} (C bootstrap)
-export GOROOT_BOOTSTRAP=%{_libdir}/golang
-mkdir -p %{_topdir}/BUILD/go.%{bootstrap_pre_1_20_compiler_version}
-tar xf %{SOURCE2} -C %{_topdir}/BUILD/go.%{bootstrap_pre_1_20_compiler_version} --strip-components=1
-pushd %{_topdir}/BUILD/go.%{bootstrap_pre_1_20_compiler_version}/src
-CGO_ENABLED=0 ./make.bash
-popd
-
-# Nuke the older go 1.4 bootstrap
-rm -rf %{_libdir}/golang
-
-# Make go.%%{bootstrap_pre_1_20_compiler_version} as the new bootstrapper (Go boostrap)
-mv -v %{_topdir}/BUILD/go.%{bootstrap_pre_1_20_compiler_version} %{_libdir}/golang
-
-# Build go %%{bootstrap_post_1_20_compiler_version}
-export GOROOT_BOOTSTRAP=%{_libdir}/golang
-mkdir -p %{_topdir}/BUILD/go.%{bootstrap_pre_1_20_compiler_version}
-tar xf %{SOURCE3} -C %{_topdir}/BUILD/go.%{bootstrap_pre_1_20_compiler_version} --strip-components=1
-pushd %{_topdir}/BUILD/go.%{bootstrap_pre_1_20_compiler_version}/src
-CGO_ENABLED=0 ./make.bash
-popd
-# Remove %%{bootstrap_pre_1_20_compiler_version} bootstrapper
-rm -rf %{_libdir}/golang
-# Make %%{bootstrap_post_1_20_compiler_version} as the new bootstrapper
-mv -v %{_topdir}/BUILD/go.%{bootstrap_pre_1_20_compiler_version} %{_libdir}/golang
+# go 1.4 bootstraps with C.
+# go 1.20 bootstraps with go >= 1.17.13
+# go >= 1.22 bootstraps with go >= 1.20.14
+#
+# These conditions make building the current go compiler from C a multistep
+# process. Approximately once a year, the bootstrap requirement is moved
+# forward, adding another step.
+#
+# PS: Since go compiles fairly quickly, the extra overhead is around 2-3 minutes
+#     on a reasonable machine.
+
+# Use prev bootstrap to compile next bootstrap.
+function go_bootstrap() {
+  local bootstrap=$1
+  local new_root=%{_topdir}/BUILD/go-bootstrap-${bootstrap}
+  (
+    cd ${new_root}/src
+    CGO_ENABLED=0 ./make.bash
+  )
+  # Nuke the older bootstrapper
+  rm -rf %{_libdir}/golang
+  # Install the new bootstrapper
+  mv -v $new_root %{_libdir}/golang
+  export GOROOT=%{_libdir}/golang
+  export GOROOT_BOOTSTRAP=%{_libdir}/golang
+}
+
+go_bootstrap 00
+go_bootstrap 01
+go_bootstrap 02
 
 # Build current go version
 export GOHOSTOS=linux
@@ -91,9 +90,10 @@ export GOROOT="`pwd`"
 export GOPATH=%{gopath}
 export GOROOT_FINAL=%{_bindir}/go
 rm -f  %{gopath}/src/runtime/*.c
-pushd src
-./make.bash --no-clean
-popd
+(
+  cd src
+  ./make.bash --no-clean
+)
 
 %install
 
@@ -153,6 +153,10 @@ fi
 %{_bindir}/*
 
 %changelog
+* Wed May 15 2024 Muhammad Falak <mwani@microsoft.com> - 1.22.3-1
+- Introduce function in spec to simplify bootstrapping
+- Bump version to 1.22.3
+
 * Mon Apr 15 2024 Muhammad Falak <mwani@microsoft.com> - 1.22.2-1
 - Bump version to 1.22.2
 
@@ -171,7 +175,7 @@ fi
 
 * Wed Aug 16 2023 Brian Fjeldstad <bfjelds@microsoft.com> - 1.19.12-1
 - Upgrade to 1.19.12 to fix CVE-2023-39533
-
+1.22.2
 * Tue Jun 06 2023 Bala <balakumaran.kannan@microsoft.com> - 1.19.10-1
 - Upgrade to 1.19.10 to fix CVE-2023-29404
 

cgmanifest.json

@@ -13653,8 +13653,8 @@
         "type": "other",
         "other": {
           "name": "msft-golang",
-          "version": "1.22.2",
-          "downloadUrl": "https://github.com/microsoft/go/releases/download/v1.22.2-1/go1.22.2-20240403.7.src.tar.gz"
+          "version": "1.22.3",
+          "downloadUrl": "https://github.com/microsoft/go/releases/download/v1.22.3-1/go1.22.3-20240507.3.src.tar.gz"
         }
       }
     },