kumquat-buildroot/package/go/go.mk
Peter Korsgaard 9104583124 package/go: security bump to version 1.21.3
Fixes CVE-2023-39325: rapid stream resets can cause excessive work

A malicious HTTP/2 client which rapidly creates requests and immediately
resets them can cause excessive server resource consumption.  While the
total number of requests is bounded to the http2.Server.MaxConcurrentStreams
setting, resetting an in-progress request allows the attacker to create a
new request while the existing one is still executing.

go1.21.3 (released 2023-10-10) includes a security fix to the net/http
package.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Reviewed-by: Christian Stewart <christian@aperture.us>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-10-12 16:38:28 +02:00

169 lines
4.7 KiB
Makefile

################################################################################
#
# go
#
################################################################################
GO_VERSION = 1.21.3
GO_SITE = https://storage.googleapis.com/golang
GO_SOURCE = go$(GO_VERSION).src.tar.gz
GO_LICENSE = BSD-3-Clause
GO_LICENSE_FILES = LICENSE
GO_CPE_ID_VENDOR = golang
HOST_GO_DEPENDENCIES = host-go-bootstrap-stage2
HOST_GO_GOPATH = $(HOST_DIR)/share/go-path
HOST_GO_HOST_CACHE = $(HOST_DIR)/share/host-go-cache
HOST_GO_ROOT = $(HOST_DIR)/lib/go
HOST_GO_TARGET_CACHE = $(HOST_DIR)/share/go-cache
# We pass an empty GOBIN, otherwise "go install: cannot install
# cross-compiled binaries when GOBIN is set"
HOST_GO_COMMON_ENV = \
GO111MODULE=on \
GOFLAGS=-mod=vendor \
GOROOT="$(HOST_GO_ROOT)" \
GOPATH="$(HOST_GO_GOPATH)" \
GOCACHE="$(HOST_GO_TARGET_CACHE)" \
GOMODCACHE="$(HOST_GO_GOPATH)/pkg/mod" \
GOPROXY=off \
GOTOOLCHAIN=local \
PATH=$(BR_PATH) \
GOBIN= \
CGO_ENABLED=$(HOST_GO_CGO_ENABLED)
ifeq ($(BR2_PACKAGE_HOST_GO_TARGET_ARCH_SUPPORTS),y)
ifeq ($(BR2_arm),y)
GO_GOARCH = arm
ifeq ($(BR2_ARM_CPU_ARMV5),y)
GO_GOARM = 5
else ifeq ($(BR2_ARM_CPU_ARMV6),y)
GO_GOARM = 6
else ifeq ($(BR2_ARM_CPU_ARMV7A),y)
GO_GOARM = 7
else ifeq ($(BR2_ARM_CPU_ARMV8A),y)
# Go doesn't support 32-bit GOARM=8 (https://github.com/golang/go/issues/29373)
# but can still benefit from armv7 optimisations
GO_GOARM = 7
endif
else ifeq ($(BR2_aarch64),y)
GO_GOARCH = arm64
else ifeq ($(BR2_i386),y)
GO_GOARCH = 386
# i386: use softfloat if no SSE2: https://golang.org/doc/go1.16#386
ifneq ($(BR2_X86_CPU_HAS_SSE2),y)
GO_GO386 = softfloat
endif
else ifeq ($(BR2_x86_64),y)
GO_GOARCH = amd64
else ifeq ($(BR2_powerpc64),y)
GO_GOARCH = ppc64
else ifeq ($(BR2_powerpc64le),y)
GO_GOARCH = ppc64le
else ifeq ($(BR2_mips64),y)
GO_GOARCH = mips64
else ifeq ($(BR2_mips64el),y)
GO_GOARCH = mips64le
else ifeq ($(BR2_riscv),y)
GO_GOARCH = riscv64
else ifeq ($(BR2_s390x),y)
GO_GOARCH = s390x
endif
# For the convienience of target packages.
HOST_GO_TOOLDIR = $(HOST_GO_ROOT)/pkg/tool/linux_$(GO_GOARCH)
HOST_GO_TARGET_ENV = \
$(HOST_GO_COMMON_ENV) \
GOOS="linux" \
GOARCH=$(GO_GOARCH) \
CC="$(TARGET_CC)" \
CXX="$(TARGET_CXX)" \
CGO_CFLAGS="$(TARGET_CFLAGS)" \
CGO_CXXFLAGS="$(TARGET_CXXFLAGS)" \
CGO_LDFLAGS="$(TARGET_LDFLAGS)" \
GOTOOLDIR="$(HOST_GO_TOOLDIR)"
# The go compiler's cgo support uses threads. If BR2_TOOLCHAIN_HAS_THREADS is
# set, build in cgo support for any go programs that may need it. Note that
# any target package needing cgo support must include
# 'depends on BR2_TOOLCHAIN_HAS_THREADS' in its config file.
ifeq ($(BR2_TOOLCHAIN_HAS_THREADS),y)
HOST_GO_DEPENDENCIES += toolchain
HOST_GO_CGO_ENABLED = 1
else
HOST_GO_CGO_ENABLED = 0
endif
HOST_GO_CROSS_ENV = \
CC_FOR_TARGET="$(TARGET_CC)" \
CXX_FOR_TARGET="$(TARGET_CXX)" \
GOOS="linux" \
GOARCH=$(GO_GOARCH) \
$(if $(GO_GO386),GO386=$(GO_GO386)) \
$(if $(GO_GOARM),GOARM=$(GO_GOARM)) \
GO_ASSUME_CROSSCOMPILING=1
else # !BR2_PACKAGE_HOST_GO_TARGET_ARCH_SUPPORTS
# host-go can still be used to build packages for the host. No need to set all
# the arch stuff since we will not be cross-compiling.
HOST_GO_CGO_ENABLED = 1
endif # BR2_PACKAGE_HOST_GO_TARGET_ARCH_SUPPORTS
# For the convenience of host golang packages
HOST_GO_HOST_ENV = \
$(HOST_GO_COMMON_ENV) \
GOOS="" \
GOARCH="" \
GOCACHE="$(HOST_GO_HOST_CACHE)" \
CC="$(HOSTCC_NOCCACHE)" \
CXX="$(HOSTCXX_NOCCACHE)" \
CGO_CFLAGS="$(HOST_CFLAGS)" \
CGO_CXXFLAGS="$(HOST_CXXFLAGS)" \
CGO_LDFLAGS="$(HOST_LDFLAGS)"
# The go build system is not compatible with ccache, so use
# HOSTCC_NOCCACHE. See https://github.com/golang/go/issues/11685.
HOST_GO_MAKE_ENV = \
GO111MODULE=off \
GOCACHE=$(HOST_GO_HOST_CACHE) \
GOROOT_BOOTSTRAP=$(HOST_GO_BOOTSTRAP_STAGE2_ROOT) \
GOROOT_FINAL=$(HOST_GO_ROOT) \
GOROOT="$(@D)" \
GOBIN="$(@D)/bin" \
GOOS=linux \
CC=$(HOSTCC_NOCCACHE) \
CXX=$(HOSTCXX_NOCCACHE) \
CGO_ENABLED=$(HOST_GO_CGO_ENABLED) \
$(HOST_GO_CROSS_ENV)
define HOST_GO_BUILD_CMDS
cd $(@D)/src && \
$(HOST_GO_MAKE_ENV) ./make.bash $(if $(VERBOSE),-v)
endef
define HOST_GO_INSTALL_CMDS
$(INSTALL) -D -m 0755 $(@D)/bin/go $(HOST_GO_ROOT)/bin/go
$(INSTALL) -D -m 0755 $(@D)/bin/gofmt $(HOST_GO_ROOT)/bin/gofmt
mkdir -p $(HOST_DIR)/bin
ln -sf ../lib/go/bin/go $(HOST_DIR)/bin/
ln -sf ../lib/go/bin/gofmt $(HOST_DIR)/bin/
cp -a $(@D)/lib $(HOST_GO_ROOT)/
mkdir -p $(HOST_GO_ROOT)/pkg
cp -a $(@D)/pkg/include $(HOST_GO_ROOT)/pkg/
cp -a $(@D)/pkg/tool $(HOST_GO_ROOT)/pkg/
# The Go sources must be installed to the host/ tree for the Go stdlib.
cp -a $(@D)/src $(HOST_GO_ROOT)/
# Set file timestamps to prevent the Go compiler from rebuilding the stdlib
# when compiling other programs.
find $(HOST_GO_ROOT) -type f -exec touch -r $(@D)/bin/go {} \;
endef
$(eval $(host-generic-package))