[AUTO-CHERRYPICK] Upgrade default golang to 1.22.5 and backport the fix for 1.18 - branch main (#9968)

Co-authored-by: bhagyapathak <bhagyapathak@users.noreply.github.com>

Author: CBL-Mariner-Bot

SPECS/golang/CVE-2024-24790.patch

@@ -0,0 +1,193 @@
+diff --git a/src/net/netip/inlining_test.go b/src/net/netip/inlining_test.go
+index 107fe1f083..1250c37725 100644
+--- a/src/net/netip/inlining_test.go
++++ b/src/net/netip/inlining_test.go
+@@ -41,8 +41,6 @@ func TestInlining(t *testing.T) {
+ 		"Addr.Is4",
+ 		"Addr.Is4In6",
+ 		"Addr.Is6",
+-		"Addr.IsLoopback",
+-		"Addr.IsMulticast",
+ 		"Addr.IsInterfaceLocalMulticast",
+ 		"Addr.IsValid",
+ 		"Addr.IsUnspecified",
+diff --git a/src/net/netip/netip.go b/src/net/netip/netip.go
+index f27984ab57..310e4e5bf4 100644
+--- a/src/net/netip/netip.go
++++ b/src/net/netip/netip.go
+@@ -75,6 +75,9 @@ var (
+ // address ff02::1.
+ func IPv6LinkLocalAllNodes() Addr { return AddrFrom16([16]byte{0: 0xff, 1: 0x02, 15: 0x01}) }
+ 
++// IPv6Loopback returns the IPv6 loopback address ::1.
++func IPv6Loopback() Addr { return AddrFrom16([16]byte{15: 0x01}) }
++
+ // IPv6Unspecified returns the IPv6 unspecified address "::".
+ func IPv6Unspecified() Addr { return Addr{z: z6noz} }
+ 
+@@ -515,6 +518,9 @@ func (ip Addr) hasZone() bool {
+ 
+ // IsLinkLocalUnicast reports whether ip is a link-local unicast address.
+ func (ip Addr) IsLinkLocalUnicast() bool {
++	if ip.Is4In6() {
++		ip = ip.Unmap()
++	}
+ 	// Dynamic Configuration of IPv4 Link-Local Addresses
+ 	// https://datatracker.ietf.org/doc/html/rfc3927#section-2.1
+ 	if ip.Is4() {
+@@ -530,6 +536,9 @@ func (ip Addr) IsLinkLocalUnicast() bool {
+ 
+ // IsLoopback reports whether ip is a loopback address.
+ func (ip Addr) IsLoopback() bool {
++	if ip.Is4In6() {
++		ip = ip.Unmap()
++	}
+ 	// Requirements for Internet Hosts -- Communication Layers (3.2.1.3 Addressing)
+ 	// https://datatracker.ietf.org/doc/html/rfc1122#section-3.2.1.3
+ 	if ip.Is4() {
+@@ -545,6 +554,9 @@ func (ip Addr) IsLoopback() bool {
+ 
+ // IsMulticast reports whether ip is a multicast address.
+ func (ip Addr) IsMulticast() bool {
++	if ip.Is4In6() {
++		ip = ip.Unmap()
++	}
+ 	// Host Extensions for IP Multicasting (4. HOST GROUP ADDRESSES)
+ 	// https://datatracker.ietf.org/doc/html/rfc1112#section-4
+ 	if ip.Is4() {
+@@ -563,7 +575,7 @@ func (ip Addr) IsMulticast() bool {
+ func (ip Addr) IsInterfaceLocalMulticast() bool {
+ 	// IPv6 Addressing Architecture (2.7.1. Pre-Defined Multicast Addresses)
+ 	// https://datatracker.ietf.org/doc/html/rfc4291#section-2.7.1
+-	if ip.Is6() {
++	if ip.Is6() && !ip.Is4In6() {
+ 		return ip.v6u16(0)&0xff0f == 0xff01
+ 	}
+ 	return false // zero value
+@@ -571,6 +583,9 @@ func (ip Addr) IsInterfaceLocalMulticast() bool {
+ 
+ // IsLinkLocalMulticast reports whether ip is a link-local multicast address.
+ func (ip Addr) IsLinkLocalMulticast() bool {
++	if ip.Is4In6() {
++		ip = ip.Unmap()
++	}
+ 	// IPv4 Multicast Guidelines (4. Local Network Control Block (224.0.0/24))
+ 	// https://datatracker.ietf.org/doc/html/rfc5771#section-4
+ 	if ip.Is4() {
+@@ -599,6 +614,9 @@ func (ip Addr) IsGlobalUnicast() bool {
+ 		return false
+ 	}
+ 
++	if ip.Is4In6() {
++		ip = ip.Unmap()
++	}
+ 	// Match package net's IsGlobalUnicast logic. Notably private IPv4 addresses
+ 	// and ULA IPv6 addresses are still considered "global unicast".
+ 	if ip.Is4() && (ip == IPv4Unspecified() || ip == AddrFrom4([4]byte{255, 255, 255, 255})) {
+@@ -616,6 +634,10 @@ func (ip Addr) IsGlobalUnicast() bool {
+ // ip is in 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, or fc00::/7. This is the
+ // same as net.IP.IsPrivate.
+ func (ip Addr) IsPrivate() bool {
++	if ip.Is4In6() {
++		ip = ip.Unmap()
++	}
++
+ 	// Match the stdlib's IsPrivate logic.
+ 	if ip.Is4() {
+ 		// RFC 1918 allocates 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 as
+diff --git a/src/net/netip/netip_test.go b/src/net/netip/netip_test.go
+index d988864827..c7e458af43 100644
+--- a/src/net/netip/netip_test.go
++++ b/src/net/netip/netip_test.go
+@@ -554,10 +554,13 @@ func TestIPProperties(t *testing.T) {
+ 		ilm6     = mustIP("ff01::1")
+ 		ilmZone6 = mustIP("ff01::1%eth0")
+ 
+-		private4a = mustIP("10.0.0.1")
+-		private4b = mustIP("172.16.0.1")
+-		private4c = mustIP("192.168.1.1")
+-		private6  = mustIP("fd00::1")
++		private4a        = mustIP("10.0.0.1")
++		private4b        = mustIP("172.16.0.1")
++		private4c        = mustIP("192.168.1.1")
++		private6         = mustIP("fd00::1")
++		private6mapped4a = mustIP("::ffff:10.0.0.1")
++		private6mapped4b = mustIP("::ffff:172.16.0.1")
++		private6mapped4c = mustIP("::ffff:192.168.1.1")
+ 
+ 		unspecified4 = AddrFrom4([4]byte{})
+ 		unspecified6 = IPv6Unspecified()
+@@ -584,6 +587,11 @@ func TestIPProperties(t *testing.T) {
+ 			ip:            unicast4,
+ 			globalUnicast: true,
+ 		},
++		{
++			name:          "unicast v6 mapped v4Addr",
++			ip:            AddrFrom16(unicast4.As16()),
++			globalUnicast: true,
++		},
+ 		{
+ 			name:          "unicast v6Addr",
+ 			ip:            unicast6,
+@@ -605,6 +613,12 @@ func TestIPProperties(t *testing.T) {
+ 			linkLocalMulticast: true,
+ 			multicast:          true,
+ 		},
++		{
++			name:               "multicast v6 mapped v4Addr",
++			ip:                 AddrFrom16(multicast4.As16()),
++			linkLocalMulticast: true,
++			multicast:          true,
++		},
+ 		{
+ 			name:               "multicast v6Addr",
+ 			ip:                 multicast6,
+@@ -622,6 +636,11 @@ func TestIPProperties(t *testing.T) {
+ 			ip:               llu4,
+ 			linkLocalUnicast: true,
+ 		},
++		{
++			name:             "link-local unicast v6 mapped v4Addr",
++			ip:               AddrFrom16(llu4.As16()),
++			linkLocalUnicast: true,
++		},
+ 		{
+ 			name:             "link-local unicast v6Addr",
+ 			ip:               llu6,
+@@ -647,6 +666,11 @@ func TestIPProperties(t *testing.T) {
+ 			ip:       loopback6,
+ 			loopback: true,
+ 		},
++		{
++			name:     "loopback v6 mapped v4Addr",
++			ip:       AddrFrom16(IPv6Loopback().As16()),
++			loopback: true,
++		},
+ 		{
+ 			name:                    "interface-local multicast v6Addr",
+ 			ip:                      ilm6,
+@@ -683,6 +707,24 @@ func TestIPProperties(t *testing.T) {
+ 			globalUnicast: true,
+ 			private:       true,
+ 		},
++		{
++			name:          "private v6 mapped v4Addr 10/8",
++			ip:            private6mapped4a,
++			globalUnicast: true,
++			private:       true,
++		},
++		{
++			name:          "private v6 mapped v4Addr 172.16/12",
++			ip:            private6mapped4b,
++			globalUnicast: true,
++			private:       true,
++		},
++		{
++			name:          "private v6 mapped v4Addr 192.168/16",
++			ip:            private6mapped4c,
++			globalUnicast: true,
++			private:       true,
++		},
+ 		{
+ 			name:        "unspecified v4Addr",
+ 			ip:          unspecified4,

SPECS/golang/golang-1.18.spec

@@ -13,7 +13,7 @@
 Summary:        Go
 Name:           golang
 Version:        1.18.8
-Release:        3%{?dist}
+Release:        4%{?dist}
 License:        BSD-3-Clause
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -24,10 +24,13 @@ Source1:        https://dl.google.com/go/go1.4-bootstrap-20171003.tar.gz
 Patch0:         go14_bootstrap_aarch64.patch
 # CVE-2022-41717 is fixed in 1.18.9
 Patch1:         CVE-2022-41717.patch
+# CVE-2024-24790 is fixed in 1.18.8
+Patch2:		CVE-2024-24790.patch
 Obsoletes:      %{name} < %{version}
 Provides:       %{name} = %{version}
 Provides:       go = %{version}-%{release}
 
+
 %description
 Go is an open source programming language that makes it easy to build simple, reliable, and efficient software.
 
@@ -40,7 +43,7 @@ mv -v go go-bootstrap
 
 %setup -q -n go
 patch -Np1 --ignore-whitespace < %{PATCH1}
-
+patch -Np1 --ignore-whitespace < %{PATCH2}
 %build
 # Build go 1.4 bootstrap
 pushd %{_topdir}/BUILD/go-bootstrap/src
@@ -120,6 +123,9 @@ fi
 %{_bindir}/*
 
 %changelog
+* Mon July 29 2024 Bhagyashri Pathak bhapathak@microsoft.com - 1.18.8.4
+- Patch CVE-2024-24790
+
 * Mon Jan 23 2022 Nicolas Guibourge <nicolasg@microsoft.com> - 1.18.8-3
 - Create spec file for golang 1.18
 

SPECS/golang/golang.signatures.json

@@ -1,7 +1,8 @@
 {
-  "Signatures": {
-    "go1.19.12.src.tar.gz": "ee5d50e0a7fd74ba1b137cb879609aaaef9880bf72b5d1742100e38ae72bb557",
-    "go1.4-bootstrap-20171003.tar.gz": "f4ff5b5eb3a3cae1c993723f3eab519c5bae18866b5e5f96fe1102f0cb5c3e52",
-    "go1.21.11.src.tar.gz": "42aee9bf2b6956c75a7ad6aa3f0a51b5821ffeac57f5a2e733a2d6eae1e6d9d2"
-  }
-}
+ "Signatures": {
+  "go1.17.13.src.tar.gz": "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd",
+  "go1.21.6.src.tar.gz": "124926a62e45f78daabbaedb9c011d97633186a33c238ffc1e25320c02046248",
+  "go1.22.5.src.tar.gz": "ac9c723f224969aee624bc34fd34c9e13f2a212d75c71c807de644bb46e112f6",
+  "go1.4-bootstrap-20171003.tar.gz": "f4ff5b5eb3a3cae1c993723f3eab519c5bae18866b5e5f96fe1102f0cb5c3e52"
+ }
+}

SPECS/golang/golang.spec

@@ -1,4 +1,5 @@
-%global bootstrap_compiler_version 1.19.12
+%global bootstrap_compiler_version_0 1.17.13
+%global bootstrap_compiler_version_1 1.21.6
 %global goroot          %{_libdir}/golang
 %global gopath          %{_datadir}/gocode
 %ifarch aarch64
@@ -13,7 +14,7 @@
 %define __find_requires %{nil}
 Summary:        Go
 Name:           golang
-Version:        1.21.11
+Version:        1.22.5
 Release:        1%{?dist}
 License:        BSD-3-Clause
 Vendor:         Microsoft Corporation
@@ -22,7 +23,8 @@ Group:          System Environment/Security
 URL:            https://golang.org
 Source0:        https://golang.org/dl/go%{version}.src.tar.gz
 Source1:        https://dl.google.com/go/go1.4-bootstrap-20171003.tar.gz
-Source2:        https://dl.google.com/go/go%{bootstrap_compiler_version}.src.tar.gz
+Source2:        https://dl.google.com/go/go%{bootstrap_compiler_version_0}.src.tar.gz
+Source3:        https://dl.google.com/go/go%{bootstrap_compiler_version_1}.src.tar.gz
 Patch0:         go14_bootstrap_aarch64.patch
 Obsoletes:      %{name} < %{version}
 Provides:       %{name} = %{version}
@@ -41,11 +43,13 @@ mv -v go go-bootstrap
 %setup -q -n go
 
 %build
-# (go >= 1.20 bootstraps with go >= 1.17)
-# This condition makes go compiler >= 1.20 build a 3 step process:
+# Go 1.22 requires the final point release of Go 1.20 or later for bootstrap.
+# And Go 1.20 requires the Go 1.17.
+# This condition makes go compiler >= 1.22 build a 4 step process:
 # - Build the bootstrap compiler 1.4 (bootstrap bits in c)
-# - Use the 1.4 compiler to build %{bootstrap_compiler_version}
-# - Use the %{bootstrap_compiler_version} compiler to build go >= 1.20 compiler
+# - Use the 1.4 compiler to build %{bootstrap_compiler_version_0}
+# - Use the %{bootstrap_compiler_version_0} compiler to build %{bootstrap_compiler_version_1}
+# - Use %{bootstrap_compiler_version_1} to build %{version}
 # PS: Since go compiles fairly quickly, the extra overhead is arounnd 2-3 minutes
 #     on a reasonable machine.
 
@@ -56,21 +60,32 @@ popd
 mv -v %{_topdir}/BUILD/go-bootstrap %{_libdir}/golang
 export GOROOT=%{_libdir}/golang
 
-# Use go1.4 bootstrap to compile go%{bootstrap_compiler_version} (bootstrap)
+# Use go1.4 bootstrap to compile go%{bootstrap_compiler_version_0}
 export GOROOT_BOOTSTRAP=%{_libdir}/golang
-mkdir -p %{_topdir}/BUILD/go%{bootstrap_compiler_version}
-tar xf %{SOURCE2} -C %{_topdir}/BUILD/go%{bootstrap_compiler_version} --strip-components=1
-pushd %{_topdir}/BUILD/go%{bootstrap_compiler_version}/src
+mkdir -p %{_topdir}/BUILD/go%{bootstrap_compiler_version_0}
+tar xf %{SOURCE2} -C %{_topdir}/BUILD/go%{bootstrap_compiler_version_0} --strip-components=1
+pushd %{_topdir}/BUILD/go%{bootstrap_compiler_version_0}/src
 CGO_ENABLED=0 ./make.bash
 popd
-
-# Nuke the older go1.4 bootstrap
+# Nuke the older %{bootstrap_compiler_version_0}
 rm -rf %{_libdir}/golang
+mv -v %{_topdir}/BUILD/go%{bootstrap_compiler_version_0} %{_libdir}/golang
+export GOROOT=%{_libdir}/golang
 
-# Make go%{bootstrap_compiler_version} as the new bootstrapper
-mv -v %{_topdir}/BUILD/go1.19.12 %{_libdir}/golang
 
-# Build current go version
+# Use go%{bootstrap_compiler_version_0} bootstrap to compile go%{bootstrap_compiler_version_1} (bootstrap)
+export GOROOT_BOOTSTRAP=%{_libdir}/golang
+mkdir -p %{_topdir}/BUILD/go%{bootstrap_compiler_version_1}
+tar xf %{SOURCE3} -C %{_topdir}/BUILD/go%{bootstrap_compiler_version_1} --strip-components=1
+pushd %{_topdir}/BUILD/go%{bootstrap_compiler_version_1}/src
+CGO_ENABLED=0 ./make.bash
+popd
+# Nuke the older %{bootstrap_compiler_version_1}
+rm -rf %{_libdir}/golang
+mv -v %{_topdir}/BUILD/go%{bootstrap_compiler_version_1} %{_libdir}/golang
+export GOROOT=%{_libdir}/golang
+
+# Use %{bootstrap_compiler_version_1} to compile %{version}
 export GOHOSTOS=linux
 export GOHOSTARCH=%{gohostarch}
 export GOROOT_BOOTSTRAP=%{goroot}
@@ -141,6 +156,9 @@ fi
 %{_bindir}/*
 
 %changelog
+* Mon Jul 29 2024 Bhagyashri Pathak <bhapathak@microsoft.com> - 1.22.5
+- Bump version to 1.22.5
+
 * Fri Jun 07 2024 Muhammad Falak <mwani@microsoft.com> - 1.21.11-1
 - Bump version to 1.21.11 to address CVE-2024-24790
 

cgmanifest.json

@@ -4620,18 +4620,8 @@
         "type": "other",
         "other": {
           "name": "golang",
-          "version": "1.19.12",
-          "downloadUrl": "https://golang.org/dl/go1.19.12.src.tar.gz"
-        }
-      }
-    },
-    {
-      "component": {
-        "type": "other",
-        "other": {
-          "name": "golang",
-          "version": "1.21.11",
-          "downloadUrl": "https://golang.org/dl/go1.21.11.src.tar.gz"
+          "version": "1.22.5",
+          "downloadUrl": "https://golang.org/dl/go1.22.5.src.tar.gz"
         }
       }
     },