Sync from SUSE:ALP:Source:Standard:1.0 go1.24 revision 45450b5b7fa34e845d04da93cfa80007

2025-04-04 17:12:00 +02:00
parent 125ab73a36
commit fb1746426c
5 changed files with 136 additions and 8 deletions
--- a/go-fixseccomp.patch
+++ b/go-fixseccomp.patch
@@ -0,0 +1,76 @@
+commit 29ebdb37c7095e258303f1c6a05e3af74c440b98
+Author: Marcus Meissner <>
+Date:   Sat May 3 12:02:40 2025 -0700
+
+    Add defines for seccomp and getrandom missing in older kernel headers
+    
+    go1.24 requires kernel headers supplied by glibc new enough to define seccomp and getrandom
+    
+    Building the go1.24 toolchain with older kernel headers fails during the bootstrap phase with the nonspecific error:
+    
+    go tool dist: FAILED: go/pkg/tool/linux_amd64/go_bootstrap install -v std: exit status 1
+
+diff --git a/src/crypto/internal/sysrand/internal/seccomp/seccomp_linux.go b/src/crypto/internal/sysrand/internal/seccomp/seccomp_linux.go
+index 32ef52a..0654fcb 100644
+--- a/src/crypto/internal/sysrand/internal/seccomp/seccomp_linux.go
+++ b/src/crypto/internal/sysrand/internal/seccomp/seccomp_linux.go
+@@ -49,6 +49,59 @@ struct seccomp_data {
+ #define SECCOMP_RET_ALLOW 0x7fff0000U
+ #define SECCOMP_SET_MODE_FILTER 1
+ 
+#ifndef SYS_seccomp
+# if defined(__i386__)
+#  define SYS_seccomp 354
+# elif defined(__x86_64__)
+#  define SYS_seccomp 317
+# elif defined(__arm__)
+#  define SYS_seccomp 383
+# elif defined(__aarch64__)
+#  define SYS_seccomp 277
+# elif defined(__riscv)
+#  define SYS_seccomp 277
+# elif defined(__csky__)
+#  define SYS_seccomp 277
+# elif defined(__loongarch__)
+#  define SYS_seccomp 277
+# elif defined(__hppa__)
+#  define SYS_seccomp 338
+# elif defined(__powerpc__)
+#  define SYS_seccomp 358
+# elif defined(__s390__)
+#  define SYS_seccomp 348
+# elif defined(__xtensa__)
+#  define SYS_seccomp 337
+# elif defined(__sh__)
+#  define SYS_seccomp 372
+# elif defined(__mc68000__)
+#  define SYS_seccomp 380
+# else
+#  warning "seccomp syscall number unknown for this architecture"
+#  define SYS_seccomp 0xffff
+# endif
+#endif
+
+
+#ifndef SYS_getrandom
+# if defined(__i386__)
+#  define SYS_getrandom 355
+# elif defined(__x86_64__)
+#  define SYS_getrandom 318
+# elif defined(__arm__)
+#  define SYS_getrandom 384
+# elif defined(__aarch64__)
+#  define SYS_getrandom 278
+# elif defined(__powerpc__)
+#  define SYS_getrandom 359
+# elif defined(__s390__)
+#  define SYS_getrandom 349
+# else
+#  warning "getrandom syscall number unknown for this architecture"
+#  define SYS_getrandom 0xffff
+# endif
+#endif
+
+ int disable_getrandom() {
+     if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
+         return 1;
--- a/go1.24.1.src.tar.gz
+++ b/go1.24.1.src.tar.gz
--- a/go1.24.2.src.tar.gz
+++ b/go1.24.2.src.tar.gz
--- a/go1.24.changes
+++ b/go1.24.changes
@@ -1,10 +1,52 @@
+-------------------------------------------------------------------
+Wed Apr  2 16:21:00 UTC 2025 - Jeff Kowalczyk <jkowalczyk@suse.com>
+
+- Packaging improvements:
+  * SLE-12 only: Fix conditional for go-fixsecomp.patch to work
+    correctly when suse_version is undefined.
+    Refs boo#1239182
+  * Fix RPM warning by removing valid macro syntax in comment
+    describing naming format of llvm-tsan_commit.tar.xz
+
+-------------------------------------------------------------------
+Tue Apr  1 16:11:46 UTC 2025 - Jeff Kowalczyk <jkowalczyk@suse.com>
+
+- go1.24.2 (released 2025-04-01) includes security fixes to the
+  net/http package, as well as bug fixes to the compiler, the
+  runtime, the go command, and the crypto/tls, go/types, net/http,
+  and testing packages.
+  Refs boo#1236217 go1.24 release tracking
+  CVE-2025-22871
+  * go#72011 go#71988 boo#1240550 security: fix CVE-2025-22871 net/http: reject bare LF in chunked encoding
+  * go#72067 cmd/compile: out of memory
+  * go#72103 net/http: go1.24 breaks compatibility by modifying in-place the tls.Config{NextProtos}
+  * go#72115 runtime: process hangs for mips hardware
+  * go#72796 runtime: add an example for AddCleanup
+  * go#72822 cmd/compile: OOM with mutually-recursive iter.Seq
+  * go#72823 crypto/tls: FIPS 140-3 modes reject ECDSA w/ curve P-521/SHA-512 in TLS
+  * go#72826 go/types, types2: CheckExpr / Eval may mutate type checked objects (=> data race)
+  * go#72872 runtime: cgo callback on extra M treated as external code after nested cgo callback returns
+  * go#72934 testing: b.StopTimer breaks b.Loop
+  * go#72938 internal/godebugs: winsymlink and winreadlinkvolume have incorrect defaults for Go 1.22
+  * go#72974 testing: b.Loop gives bogus results in some situations
+
+-------------------------------------------------------------------
+Tue Mar  5 14:32:16 UTC 2025 - Jeff Kowalczyk <jkowalczyk@suse.com>
+
+- Packaging improvements:
+  * SLE-12 only: Add declarations to Cgo seccomp_linux.go
+    for new syscalls seccomp and getrandom which are not present
+    in the kernel headers supplied by glibc version in SLE-12.
+    (Marcus Meissner)
+    Refs boo#1239182
+  * Add patch go-fixseccomp.patch
+
 -------------------------------------------------------------------
 Tue Mar  4 19:27:08 UTC 2025 - Jeff Kowalczyk <jkowalczyk@suse.com>

 - go1.24.1 (released 2025-03-04) includes security fixes to the
-  net/http, x/net/proxy, and x/net/http/httpproxy packages, as well
-  as bug fixes to the compiler, the runtime, the go command and the
-  crypto, debug, os and reflect packages.
+  net/http package, as well as bug fixes to cgo, the compiler, the
+  go command, and the reflect, runtime, and syscall packages.
  Refs boo#1236217 go1.24 release tracking
  CVE-2025-22870
  * go#71986 go#71984 boo#1238572 security: fix CVE-2025-22870 net/http, x/net/proxy, x/net/http/httpproxy: proxy bypass using IPv6 zone IDs
--- a/go1.24.spec
+++ b/go1.24.spec
@@ -122,7 +122,7 @@
 %endif

 Name:           go1.24
-Version:        1.24.1
+Version:        1.24.2
 Release:        0
 Summary:        A compiled, garbage-collected, concurrent programming language
 License:        BSD-3-Clause
@@ -134,12 +134,13 @@ Source4:        README.SUSE
 Source6:        go.gdbinit
 # We have to compile TSAN ourselves. boo#1052528
 # Preferred form when all arches share llvm race version
-# Source100:      llvm-%{tsan_commit}.tar.xz
+# Source100:      llvm-tsan_commit.tar.xz
 Source100:      llvm-51bfeff0e4b0757ff773da6882f4d538996c9b04.tar.xz
 # PATCH-FIX-OPENSUSE: https://go-review.googlesource.com/c/go/+/391115
 Patch7:         dont-force-gold-on-arm64.patch
 # PATCH-FIX-UPSTREAM marguerite@opensuse.org - find /usr/bin/go-8 when bootstrapping with gcc8-go
 Patch8:         gcc-go.patch
+Patch9:         go-fixseccomp.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 # boostrap
 %if %{with gccgo}
@@ -225,6 +226,15 @@ Go standard library compiled to a dynamically loadable shared object libstd.so
 # go
 %setup -q -n go
 %patch -P 7 -p1
+
+# SLE-12 only: Add declarations to Cgo seccomp_linux.go
+# for new syscalls seccomp and getrandom which are not present
+# in the kernel headers supplied by glibc version in SLE-12.
+# Refs boo#1239182
+%if 0%{?suse_version} && 0%{?suse_version} < 1500
+%patch -P 9 -p1
+%endif
+
 %if %{with gccgo}
 # Currently gcc-go does not manage an update-alternatives entry and will
 # never be symlinked as "go", even if gcc-go is the only installed go toolchain.