From c6bc0fc3a5b20b1548b550211382acf06308b5dd Mon Sep 17 00:00:00 2001
From: Leo Famulari <leo@famulari.name>
Date: Fri, 25 Jan 2019 15:17:26 -0500
Subject: gnu: Go: Update to 1.11.5 [fixes CVE-2019-6486].

* gnu/packages/golang.scm (go-1.11): Update to 1.11.5.
[arguments]: Add a 'tarbomb-workaround' phase and adapt the 'chdir' phase for
the tarbomb.
---
 gnu/packages/golang.scm | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

(limited to 'gnu/packages/golang.scm')

diff --git a/gnu/packages/golang.scm b/gnu/packages/golang.scm
index a571477ef2..e6269f526f 100644
--- a/gnu/packages/golang.scm
+++ b/gnu/packages/golang.scm
@@ -406,7 +406,7 @@ in the style of communicating sequential processes (@dfn{CSP}).")
   (package
     (inherit go-1.9)
     (name "go")
-    (version "1.11.4")
+    (version "1.11.5")
     (source
      (origin
        (method url-fetch)
@@ -414,11 +414,23 @@ in the style of communicating sequential processes (@dfn{CSP}).")
                            name version ".src.tar.gz"))
        (sha256
         (base32
-         "05fvp8dq0yffsrvdyii4wgl756dn0xkgm5a80al7j7kb19r45zac"))))
+         "0gllmbjvp12iszwils8id78mvjxwviwf98lh2gdkb236n4mz07mw"))))
     (arguments
      (substitute-keyword-arguments (package-arguments go-1.9)
        ((#:phases phases)
         `(modify-phases ,phases
+           ;; XXX Work around the Go 1.11.5 tarbomb.
+           ;; <https://github.com/golang/go/issues/29906>
+           (add-after 'unpack 'tarbomb-workaround
+             (lambda _
+               (chdir "..")
+               (delete-file-recursively "gocache")
+               (delete-file-recursively "tmp")
+               #t))
+           (replace 'chdir
+             (lambda _
+               (chdir "go/src")
+               #t))
            (replace 'prebuild
              (lambda* (#:key inputs outputs #:allow-other-keys)
                (let* ((gcclib (string-append (assoc-ref inputs "gcc:lib") "/lib"))
-- 
cgit v1.2.3