new file mode 100644

@@ -0,0 +1,124 @@

+From c941e27e70c3e06e1011d2dd71d72a7a06a9bcbc Mon Sep 17 00:00:00 2001

+From: Ian Lance Taylor <iant@golang.org>

+Date: Thu, 15 Feb 2018 15:57:13 -0800

+Subject: [PATCH] cmd/go: restrict meta imports to valid schemes

+

+Before this change, when using -insecure, we permitted any meta import

+repo root as long as it contained "://". When not using -insecure, we

+restrict meta import repo roots to be valid URLs. People may depend on

+that somehow, so permit meta import repo roots to be invalid URLs, but

+require them to have valid schemes per RFC 3986.

+

+Fixes #23867

+

+Change-Id: Iac666dfc75ac321bf8639dda5b0dba7c8840922d

+Reviewed-on: https://go-review.googlesource.com/94603

+Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>

+---

+ src/cmd/go/internal/get/vcs.go      | 34 +++++++++++++++++++++++++++--

+ src/cmd/go/internal/get/vcs_test.go | 43 +++++++++++++++++++++++++++++++++++++

+ 2 files changed, 75 insertions(+), 2 deletions(-)

+

+diff --git a/src/cmd/go/internal/get/vcs.go b/src/cmd/go/internal/get/vcs.go

+index ee6b16a1369..dced0ed8db5 100644

+--- a/src/cmd/go/internal/get/vcs.go

+@@ -809,8 +809,8 @@ func repoRootForImportDynamic(importPath string, security web.SecurityMode) (*re

+ 		}

+ 	}

+ 

+-	if !strings.Contains(mmi.RepoRoot, "://") {

+-		return nil, fmt.Errorf("%s: invalid repo root %q; no scheme", urlStr, mmi.RepoRoot)

++	if err := validateRepoRootScheme(mmi.RepoRoot); err != nil {

++		return nil, fmt.Errorf("%s: invalid repo root %q: %v", urlStr, mmi.RepoRoot, err)

+ 	}

+ 	rr := &repoRoot{

+ 		vcs:      vcsByCmd(mmi.VCS),

+@@ -824,6 +824,36 @@ func repoRootForImportDynamic(importPath string, security web.SecurityMode) (*re

+ 	return rr, nil

+ }

+ 

++// validateRepoRootScheme returns an error if repoRoot does not seem

++// to have a valid URL scheme. At this point we permit things that

++// aren't valid URLs, although later, if not using -insecure, we will

++// restrict repoRoots to be valid URLs. This is only because we've

++// historically permitted them, and people may depend on that.

++func validateRepoRootScheme(repoRoot string) error {

++	end := strings.Index(repoRoot, "://")

++	if end <= 0 {

++		return errors.New("no scheme")

++	}

++

++	// RFC 3986 section 3.1.

++	for i := 0; i < end; i++ {

++		c := repoRoot[i]

++		switch {

++		case 'a' <= c && c <= 'z' || 'A' <= c && c <= 'Z':

++			// OK.

++		case '0' <= c && c <= '9' || c == '+' || c == '-' || c == '.':

++			// OK except at start.

++			if i == 0 {

++				return errors.New("invalid scheme")

++			}

++		default:

++			return errors.New("invalid scheme")

++		}

++	}

++

++	return nil

++}

++

+ var fetchGroup singleflight.Group

+ var (

+ 	fetchCacheMu sync.Mutex

+diff --git a/src/cmd/go/internal/get/vcs_test.go b/src/cmd/go/internal/get/vcs_test.go

+index 2cb611fabd8..ece78b563ce 100644

+--- a/src/cmd/go/internal/get/vcs_test.go

+@@ -416,3 +416,46 @@ func TestMatchGoImport(t *testing.T) {

+ 		}

+ 	}

+ }

++

++func TestValidateRepoRootScheme(t *testing.T) {

++	tests := []struct {

++		root string

++		err  string

++	}{

++		{

++			root: "",

++			err:  "no scheme",

++		},

++		{

++			root: "http://",

++			err:  "",

++		},

++		{

++			root: "a://",

++			err:  "",

++		},

++		{

++			root: "a#://",

++			err:  "invalid scheme",

++		},

++		{

++			root: "-config://",

++			err:  "invalid scheme",

++		},

++	}

++

++	for _, test := range tests {

++		err := validateRepoRootScheme(test.root)

++		if err == nil {

++			if test.err != "" {

++				t.Errorf("validateRepoRootScheme(%q) = nil, want %q", test.root, test.err)

++			}

++		} else if test.err == "" {

++			if err != nil {

++				t.Errorf("validateRepoRootScheme(%q) = %q, want nil", test.root, test.err)

++			}

++		} else if err.Error() != test.err {

++			t.Errorf("validateRepoRootScheme(%q) = %q, want %q", test.root, err, test.err)

++		}

++	}

++}

@@ -10,7 +10,7 @@

 Summary:        Go 

 Name:           go

 Version:        1.9.4

-Release:        1%{?dist}

+Release:        2%{?dist}

 License:        BSD

 URL:            https://golang.org

 Group:          System Environment/Security

@@ -19,6 +19,7 @@ Distribution:   Photon

 Source0:        https://dl.google.com/go/%{name}%{version}.src.tar.gz

 %define sha1    go=12b0ecee83525cd594f4fbf30380d4832e06f189

 Patch0:         go_imports_fix.patch

+Patch1:         CVE-2018-7187.patch 

 BuildRequires:  mercurial

 Requires:       mercurial

 Requires:       glibc

@@ -29,6 +30,7 @@ Go is an open source programming language that makes it easy to build simple, re

 %prep

 %setup -qn %{name}

 %patch0 -p1

+%patch1 -p1

 %build

 export GOHOSTOS=linux

@@ -115,6 +117,8 @@ rm -rf %{buildroot}/*

 %{_bindir}/*

 %changelog

+*   Mon Apr 02 2018 Dheeraj Shetty <dheerajs@vmware.com> 1.9.4-2

+-   Fix for CVE-2018-7187

 *   Thu Mar 15 2018 Xiaolin Li <xiaolinl@vmware.com> 1.9.4-1

 -   Update to golang release v1.9.4

 *   Mon Oct 23 2017 Vinay Kulkarni <kulkarniv@vmware.com> 1.9.1-1