gnu: Go: Update to 1.11.5 [fixes CVE-2019-6486].

* gnu/packages/golang.scm (go-1.11): Update to 1.11.5. [arguments]: Add a 'tarbomb-workaround' phase and adapt the 'chdir' phase for the tarbomb.
3 years ago · c6bc0fc3a5
1 changed files with 14 additions and 2 deletions
--- a/gnu/packages/golang.scm
+++ b/gnu/packages/golang.scm
@ -406,7 +406,7 @@ in the style of communicating sequential processes (@dfn{CSP}).")
  (package
    (inherit go-1.9)
    (name "go")
-    (version "1.11.4")
+    (version "1.11.5")
    (source
     (origin
       (method url-fetch)
@ -414,11 +414,23 @@ in the style of communicating sequential processes (@dfn{CSP}).")
                           name version ".src.tar.gz"))
       (sha256
        (base32
-         "05fvp8dq0yffsrvdyii4wgl756dn0xkgm5a80al7j7kb19r45zac"))))
+         "0gllmbjvp12iszwils8id78mvjxwviwf98lh2gdkb236n4mz07mw"))))
    (arguments
     (substitute-keyword-arguments (package-arguments go-1.9)
       ((#:phases phases)
        `(modify-phases ,phases
+           ;; XXX Work around the Go 1.11.5 tarbomb.
+           ;; <https://github.com/golang/go/issues/29906>
+           (add-after 'unpack 'tarbomb-workaround
+             (lambda _
+               (chdir "..")
+               (delete-file-recursively "gocache")
+               (delete-file-recursively "tmp")
+               #t))
+           (replace 'chdir
+             (lambda _
+               (chdir "go/src")
+               #t))
           (replace 'prebuild
             (lambda* (#:key inputs outputs #:allow-other-keys)
               (let* ((gcclib (string-append (assoc-ref inputs "gcc:lib") "/lib"))