Hi Soumya,

I've already sent a patch for the Kirkstone branch.

https://lists.openembedded.org/g/openembedded-core/message/198495

Thanks & Regards,
Vijay


On Fri, Apr 19, 2024 at 6:52 PM Soumya via lists.openembedded.org
<[email protected]> wrote:

> From: Soumya Sambu <[email protected]>
>
> An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of
> header data by sending an excessive number of CONTINUATION frames.
> Maintaining HPACK state requires parsing and processing all HEADERS
> and CONTINUATION frames on a connection. When a request's headers
> exceed MaxHeaderBytes, no memory is allocated to store the excess
> headers, but they are still parsed. This permits an attacker to cause
> an HTTP/2 endpoint to read arbitrary amounts of header data, all
> associated with a request which is going to be rejected. These headers
> can include Huffman-encoded data which is significantly more expensive
> for the receiver to decode than for an attacker to send. The fix sets
> a limit on the amount of excess header frames we will process before
> closing a connection.
>
> References:
> https://nvd.nist.gov/vuln/detail/CVE-2023-45288
>
> Signed-off-by: Soumya Sambu <[email protected]>
> ---
>  meta/recipes-devtools/go/go-1.17.13.inc       |  3 +-
>  .../go/go-1.22/CVE-2023-45288.patch           | 96 +++++++++++++++++++
>  2 files changed, 98 insertions(+), 1 deletion(-)
>  create mode 100644 meta/recipes-devtools/go/go-1.22/CVE-2023-45288.patch
>
> diff --git a/meta/recipes-devtools/go/go-1.17.13.inc
> b/meta/recipes-devtools/go/go-1.17.13.inc
> index 768961de2c..b5566db1fe 100644
> --- a/meta/recipes-devtools/go/go-1.17.13.inc
> +++ b/meta/recipes-devtools/go/go-1.17.13.inc
> @@ -1,6 +1,6 @@
>  require go-common.inc
>
> -FILESEXTRAPATHS:prepend :=
> "${FILE_DIRNAME}/go-1.21:${FILE_DIRNAME}/go-1.20:${FILE_DIRNAME}/go-1.19:${FILE_DIRNAME}/go-1.18:"
> +FILESEXTRAPATHS:prepend :=
> "${FILE_DIRNAME}/go-1.22:${FILE_DIRNAME}/go-1.21:${FILE_DIRNAME}/go-1.20:${FILE_DIRNAME}/go-1.19:${FILE_DIRNAME}/go-1.18:"
>
>  LIC_FILES_CHKSUM = "file://LICENSE;md5=5d4950ecb7b26d2c5e4e7b4e0dd74707"
>
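Review bot: the `FILESEXTRAPATHS:prepend :=` assignment has been wrapped onto a second line by the mail client (the `"${FILE_DIRNAME}/go-1.22:...` value sits on its own line), so this hunk as pasted will not apply with `git am`; please resend with `git send-email` or confirm the committed file keeps the assignment on one line. Putting go-1.22 first in the search order also means any file of the same name under go-1.22/ now shadows the go-1.21 ... go-1.18 copies, so keep that directory for files backported from the go1.22 branch only.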
> @@ -55,6 +55,7 @@ SRC_URI += "\
>      file://CVE-2023-45290.patch \
>      file://CVE-2024-24784.patch \
>      file://CVE-2024-24785.patch \
> +    file://CVE-2023-45288.patch \
>  "
>  SRC_URI[main.sha256sum] =
> "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd"
>
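Review bot: nit: the new `file://CVE-2023-45288.patch` entry is appended after the CVE-2024-24784/24785 entries; the visible list is in ascending CVE order (CVE-2023-45290, CVE-2024-24784, CVE-2024-24785), so it belongs before `file://CVE-2023-45290.patch`. The `SRC_URI[main.sha256sum] =` context line is also mail-wrapped onto two lines here, which is the same apply problem as the first hunk.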
> diff --git a/meta/recipes-devtools/go/go-1.22/CVE-2023-45288.patch
> b/meta/recipes-devtools/go/go-1.22/CVE-2023-45288.patch
> new file mode 100644
> index 0000000000..ad84fb84d9
> --- /dev/null
> +++ b/meta/recipes-devtools/go/go-1.22/CVE-2023-45288.patch
> @@ -0,0 +1,96 @@
> +From e55d7cf8435ba4e58d4a5694e63b391821d4ee9b Mon Sep 17 00:00:00 2001
> +From: Damien Neil <[email protected]>
> +Date: Thu, 28 Mar 2024 16:57:51 -0700
> +Subject: [PATCH] [release-branch.go1.22] net/http: update bundled
> + golang.org/x/net/http2
> +
> +Disable cmd/internal/moddeps test, since this update includes PRIVATE
> +track fixes.
> +
> +Fixes CVE-2023-45288
> +For #65051
> +Fixes #66298
> +
> +Change-Id: I5bbf774ebe7651e4bb7e55139d3794bd2b8e8fa8
> +Reviewed-on:
> https://team-review.git.corp.google.com/c/golang/go-private/+/2197227
> +Reviewed-by
> <https://team-review.git.corp.google.com/c/golang/go-private/+/2197227+Reviewed-by>:
> Tatiana Bradley <[email protected]>
> +Run-TryBot: Damien Neil <[email protected]>
> +Reviewed-by: Dmitri Shuralyov <[email protected]>
> +Reviewed-on: https://go-review.googlesource.com/c/go/+/576076
> +Auto-Submit: Dmitri Shuralyov <[email protected]>
> +TryBot-Bypass: Dmitri Shuralyov <[email protected]>
> +Reviewed-by: Than McIntosh <[email protected]>
> +
> +CVE: CVE-2023-45288
> +
> +Upstream-Status: Backport [
> https://github.com/golang/go/commit/e55d7cf8435ba4e58d4a5694e63b391821d4ee9b
> ]
> +
> +Signed-off-by: Soumya Sambu <[email protected]>
> +---
> + src/cmd/internal/moddeps/moddeps_test.go |  1 +
> + src/net/http/h2_bundle.go                | 31 ++++++++++++++++++++++++
> + 2 files changed, 32 insertions(+)
> +
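Review bot: the backported patch header is mail-mangled: the `Reviewed-by` trailer for Tatiana Bradley has been turned into an autolink (`Reviewed-by <https://team-review.git.corp.google.com/.../2197227+Reviewed-by>:`), and `Upstream-Status: Backport [ ... ]` is wrapped across three lines. Please check the committed meta/recipes-devtools/go/go-1.22/CVE-2023-45288.patch carries the plain `Reviewed-by: Tatiana Bradley <...>` trailer and a single-line Upstream-Status, since Upstream-Status is what the patch-status checkers parse.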
> +diff --git a/src/cmd/internal/moddeps/moddeps_test.go
> b/src/cmd/internal/moddeps/moddeps_test.go
> +index d48d43f..ee6d455 100644
> +--- a/src/cmd/internal/moddeps/moddeps_test.go
> ++++ b/src/cmd/internal/moddeps/moddeps_test.go
> +@@ -36,6 +36,7 @@ import (
> + func TestAllDependencies(t *testing.T) {
> +       t.Skip("TODO(#57009): 1.19.4 contains unreleased changes from
> vendored modules")
> +       t.Skip("TODO(#53977): 1.18.5 contains unreleased changes from
> vendored modules")
> ++      t.Skip("TODO(#65051): 1.22.2 contains unreleased changes from
> vendored modules")
> +
> +       goBin := testenv.GoToolPath(t)
> +
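Review bot: the added `t.Skip("TODO(#65051): 1.22.2 contains unreleased changes from vendored modules")` is unreachable, because the two existing `t.Skip` calls directly above it already stop TestAllDependencies before this line runs, and its wording refers to the 1.22.2 release rather than the go-1.17.13 tree this recipe builds. The moddeps_test.go change is independent of the h2_bundle.go fix, so this hunk can be dropped from the backport without affecting CVE-2023-45288.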
> +diff --git a/src/net/http/h2_bundle.go b/src/net/http/h2_bundle.go
> +index 9d6abd8..10ff193 100644
> +--- a/src/net/http/h2_bundle.go
> ++++ b/src/net/http/h2_bundle.go
> +@@ -2842,6 +2842,7 @@ func (fr *http2Framer) readMetaFrame(hf
> *http2HeadersFrame) (*http2MetaHeadersFr
> +               if size > remainSize {
> +                       hdec.SetEmitEnabled(false)
> +                       mh.Truncated = true
> ++                      remainSize = 0
> +                       return
> +               }
> +               remainSize -= size
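Review bot: the single added line `remainSize = 0` is what makes the later fragment-size check effective: once the header list has been truncated, the `len(frag) > 2*remainSize` test in the next hunk rejects every further non-empty CONTINUATION fragment instead of feeding it to the HPACK decoder. A zero-length fragment still passes that `>` test, but it also costs nothing to decode, so the behaviour is consistent with the stated intent. Please confirm `remainSize` in go-1.17.13's h2_bundle.go is the same function-scoped variable that the surrounding `remainSize -= size` context updates, so the assignment inside the emit callback is visible to the loop below.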
> +@@ -2854,6 +2855,36 @@ func (fr *http2Framer) readMetaFrame(hf
> *http2HeadersFrame) (*http2MetaHeadersFr
> +       var hc http2headersOrContinuation = hf
> +       for {
> +               frag := hc.HeaderBlockFragment()
> ++
> ++              // Avoid parsing large amounts of headers that we will
> then discard.
> ++              // If the sender exceeds the max header list size by too
> much,
> ++              // skip parsing the fragment and close the connection.
> ++              //
> ++              // "Too much" is either any CONTINUATION frame after we've
> already
> ++              // exceeded the max header list size (in which case
> remainSize is 0),
> ++              // or a frame whose encoded size is more than twice the
> remaining
> ++              // header list bytes we're willing to accept.
> ++              if int64(len(frag)) > int64(2*remainSize) {
> ++                      if http2VerboseLogs {
> ++                              log.Printf("http2: header list too large")
> ++                      }
> ++                      // It would be nice to send a RST_STREAM before
> sending the GOAWAY,
> ++                      // but the struture of the server's frame writer
> makes this difficult.
> ++                      return nil,
> http2ConnectionError(http2ErrCodeProtocol)
> ++              }
> ++
> ++              // Also close the connection after any CONTINUATION frame
> following an
> ++              // invalid header, since we stop tracking the size of the
> headers after
> ++              // an invalid one.
> ++              if invalid != nil {
> ++                      if http2VerboseLogs {
> ++                              log.Printf("http2: invalid header: %v",
> invalid)
> ++                      }
> ++                      // It would be nice to send a RST_STREAM before
> sending the GOAWAY,
> ++                      // but the struture of the server's frame writer
> makes this difficult.
> ++                      return nil,
> http2ConnectionError(http2ErrCodeProtocol)
> ++              }
> ++
> +               if _, err := hdec.Write(frag); err != nil {
> +                       return nil,
> http2ConnectionError(http2ErrCodeCompression)
> +               }
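Review bot: the second new check references `invalid`, which is neither declared nor set anywhere in this hunk or its context; upstream's readMetaFrame already has an `invalid` error variable filled in by the emit callback, but go-1.17.13's bundled copy may not, in which case this backport fails to compile. Please state in the commit message that the patched go-1.17.13 builds (and, ideally, that the new check fires, e.g. by running net/http's tests). Minor: "struture" in the two comments is an upstream typo; keeping it is fine for a verbatim backport, but fix it if you touch the comment anyway.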
> +--
> +2.40.0
> --
> 2.40.0
>
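The CONTINUATION-flood mechanism described in Soumya's commit message, modelled as an added Go example; this is not code from the Go project or from the patch above. `fragment`, the `hardened` switch on `readMetaFrame`, the "decoding cost = fragment bytes" model and the `continuationFlood` input are constructed assumptions standing in for real HPACK decoding. The rule applied in hardened mode is the one the h2_bundle.go hunks add (remainSize forced to 0 on truncation, any fragment longer than 2*remainSize closes the connection); the invalid-header check from the second hunk is left out.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

// errProtocol stands in for http2ConnectionError(http2ErrCodeProtocol): the
// hardened reader tears down the whole connection, not just the stream.
var errProtocol = errors.New("http2: connection error PROTOCOL_ERROR: header list too large")

// headerField is one decoded name/value pair.
type headerField struct{ Name, Value string }

// fragment is a constructed stand-in for one HEADERS/CONTINUATION header block
// fragment. Real HPACK is Huffman/table coded; here "decoding" a fragment costs
// len(encoded) units of work and yields fields.
type fragment struct {
	encoded []byte
	fields  []headerField
}

// result records what the receiver did while reading one header block.
type result struct {
	accepted     []headerField // fields kept within the size budget
	truncated    bool          // budget exceeded: the request will be rejected
	bytesDecoded int           // fragment bytes handed to the (fake) HPACK decoder
	framesRead   int
	err          error
}

// fieldSize is the HTTP/2 header list size rule: 32 + len(name) + len(value).
func fieldSize(f headerField) int { return 32 + len(f.Name) + len(f.Value) }

// readMetaFrame models the readMetaFrame loop in net/http's bundled http2.
// maxHeaderListSize is the budget (MaxHeaderBytes). hardened=false behaves like
// the vulnerable code: once the budget is blown, emission is disabled but every
// further CONTINUATION fragment is still decoded. hardened=true applies the
// CVE-2023-45288 rule: remainSize drops to 0 on truncation, and a fragment
// longer than twice the remaining budget closes the connection before decoding.
func readMetaFrame(frags []fragment, maxHeaderListSize int, hardened bool) result {
	var r result
	remainSize := maxHeaderListSize
	emitEnabled := true
	for _, frag := range frags {
		r.framesRead++
		if hardened && len(frag.encoded) > 2*remainSize {
			r.err = errProtocol
			return r
		}
		// hdec.Write(frag): work proportional to the fragment size, done even
		// when nothing decoded will be kept.
		r.bytesDecoded += len(frag.encoded)
		for _, f := range frag.fields {
			if !emitEnabled {
				continue
			}
			size := fieldSize(f)
			if size > remainSize {
				emitEnabled = false // hdec.SetEmitEnabled(false)
				r.truncated = true  // mh.Truncated = true
				if hardened {
					remainSize = 0 // the first h2_bundle.go hunk
				}
				continue
			}
			remainSize -= size
			r.accepted = append(r.accepted, f)
		}
	}
	return r
}

// continuationFlood is a constructed attack: a small legitimate HEADERS
// fragment followed by n CONTINUATION fragments, each carrying one junk field
// of junkLen bytes. The receiver rejects the request either way; the question
// is how much decoding it does first.
func continuationFlood(n, junkLen int) []fragment {
	frags := []fragment{{
		encoded: []byte(":method GET :path / :scheme https :authority example.test"),
		fields: []headerField{
			{":method", "GET"}, {":path", "/"}, {":scheme", "https"}, {":authority", "example.test"},
		},
	}}
	junk := bytes.Repeat([]byte("a"), junkLen)
	for i := 0; i < n; i++ {
		frags = append(frags, fragment{encoded: junk, fields: []headerField{{"x-junk", string(junk)}}})
	}
	return frags
}

func main() {
	const budget = 4096 // constructed MaxHeaderBytes
	flood := continuationFlood(10000, 1024)
	for _, hardened := range []bool{false, true} {
		r := readMetaFrame(flood, budget, hardened)
		fmt.Printf("hardened=%-5v frames=%5d decoded=%8d bytes truncated=%v accepted=%d err=%v\n",
			hardened, r.framesRead, r.bytesDecoded, r.truncated, len(r.accepted), r.err)
	}
}
```

With a 4 KiB budget and 10 000 junk CONTINUATION frames, the vulnerable path reads every frame and pushes about 10 MB through the decoder for a request it then rejects, while the hardened path truncates at the fifth frame, sets remainSize to 0, and closes the connection on the sixth without decoding it. A single fragment larger than 2*remainSize is refused before any decoding at all.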
-=-=-=-=-=-=-=-=-=-=-=-
View/Reply Online (#198554): https://lists.openembedded.org/g/openembedded-core/message/198554
-=-=-=-=-=-=-=-=-=-=-=-