[OE-core] [dunfell][PATCH] golang: Fix security issue in go
Source: https://github.com/golang/go
MR: 120622, 120625
Type: Security Fix
Disposition: Backport from
https://github.com/golang/go/commit/76f8b7304d1f7c25834e2a0cc9e88c55276c47df &&
https://github.com/golang/go/commit/2678d0c957193dceef336c969a9da74dd716a827
ChangeID: aabb29a6dd6a89842f451c95af228aaf66e58bb5
Description:
Fixed CVE:
1. CVE-2022-30632
2. CVE-2022-30633
Signed-off-by: Hitendra Prajapati
---
meta/recipes-devtools/go/go-1.14.inc | 2 +
.../go/go-1.14/CVE-2022-30632.patch | 71 ++
.../go/go-1.14/CVE-2022-30633.patch | 131 ++
3 files changed, 204 insertions(+)
create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2022-30632.patch
create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2022-30633.patch
diff --git a/meta/recipes-devtools/go/go-1.14.inc
b/meta/recipes-devtools/go/go-1.14.inc
index 6089fd501d..84babc38cb 100644
--- a/meta/recipes-devtools/go/go-1.14.inc
+++ b/meta/recipes-devtools/go/go-1.14.inc
@@ -27,6 +27,8 @@ SRC_URI += "\
file://CVE-2021-31525.patch \
file://CVE-2022-30629.patch \
file://CVE-2022-30631.patch \
+file://CVE-2022-30632.patch \
+file://CVE-2022-30633.patch \
"
SRC_URI_append_libc-musl = "
file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-30632.patch
b/meta/recipes-devtools/go/go-1.14/CVE-2022-30632.patch
new file mode 100644
index 00..c54ef56a0e
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-30632.patch
@@ -0,0 +1,71 @@
+From 35d1dfe9746029aea9027b405c7d41ffd2f8 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati
+Date: Thu, 25 Aug 2022 13:12:40 +0530
+Subject: [PATCH] CVE-2022-30632
+
+Upstream-Status: Backport
[https://github.com/golang/go/commit/76f8b7304d1f7c25834e2a0cc9e88c55276c47df]
+CVE: CVE-2022-30632
+Signed-off-by: Hitendra Prajapati
+---
+ src/path/filepath/match.go | 16 +++-
+ src/path/filepath/match_test.go | 10 ++
+ 2 files changed, 25 insertions(+), 1 deletion(-)
+
+diff --git a/src/path/filepath/match.go b/src/path/filepath/match.go
+index 46badb5..ba68daa 100644
+--- a/src/path/filepath/match.go
b/src/path/filepath/match.go
+@@ -232,6 +232,20 @@ func getEsc(chunk string) (r rune, nchunk string, err
error) {
+ // The only possible returned error is ErrBadPattern, when pattern
+ // is malformed.
+ func Glob(pattern string) (matches []string, err error) {
++ return globWithLimit(pattern, 0)
++}
++
++func globWithLimit(pattern string, depth int) (matches []string, err error) {
++ // This limit is used prevent stack exhaustion issues. See
CVE-2022-30632.
++ const pathSeparatorsLimit = 1
++ if depth == pathSeparatorsLimit {
++ return nil, ErrBadPattern
++ }
++
++ // Check pattern is well-formed.
++ if _, err := Match(pattern, ""); err != nil {
++ return nil, err
++ }
+ if !hasMeta(pattern) {
+ if _, err = os.Lstat(pattern); err != nil {
+ return nil, nil
+@@ -257,7 +271,7 @@ func Glob(pattern string) (matches []string, err error) {
+ }
+
+ var m []string
+- m, err = Glob(dir)
++ m, err = globWithLimit(dir, depth+1)
+ if err != nil {
+ return
+ }
+diff --git a/src/path/filepath/match_test.go b/src/path/filepath/match_test.go
+index b865762..c37c812 100644
+--- a/src/path/filepath/match_test.go
b/src/path/filepath/match_test.go
+@@ -154,6 +154,16 @@ func TestGlob(t *testing.T) {
+ }
+ }
+
++func TestCVE202230632(t *testing.T) {
++ // Prior to CVE-2022-30632, this would cause a stack exhaustion given a
++ // large number of separators (more than 4,000,000). There is now a
limit
++ // of 10,000.
++ _, err := Glob("/*" + strings.Repeat("/", 10001))
++ if err != ErrBadPattern {
++ t.Fatalf("Glob returned err=%v, want ErrBadPattern", err)
++ }
++}
++
+ func TestGlobError(t *testing.T) {
+ _, err := Glob("[]")
+ if err == nil {
+--
+2.25.1
+
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-30633.patch
b/meta/recipes-devtools/go/go-1.14/CVE-2022-30633.patch
new file mode 100644
index 00..c16cb5f50c
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-30633.patch
@@ -0,0 +1,131 @@
+From ab6e2ffdcab0501bcc2de4b196c1c18ae2301d4b Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati
+Date: Thu, 25 Aug 2022 13:29:55 +0530
+Subject: [PATCH] CVE-2022-30633
+
+Upstream-Status: Backport
[https://github.com/golang/go/commit/2678d0c957193dceef336c969a9da74dd716a827]
+CVE: CVE-2022-30633
+Signed-off-by: Hitendra Prajapati
+---
+ src/encoding/xml/read.go | 27 +++
+ src/encoding/xml/read_test.go | 14 ++
+ 2 files changed, 33 insertions(+), 8 deletions(-)
+
+diff --git a/src/encoding/xml/read.go b/src/encoding/xml/read.go
+index 10a60ee..4ffed80 100644
[OE-core] [dunfell][PATCH] golang: Fix security issue
Source: https://github.com/golang/go
MR: 120613, 120613
Type: Security Fix
Disposition: Backport from
https://github.com/golang/go/commit/c15a8e2dbb5ac376a6ed890735341b812d6b965c &&
https://github.com/golang/go/commit/0117dee7dccbbd7803d88f65a2ce8bd686219ad3
ChangeID: 366db775dec045d7b312b8da0436af36ab322046
Description:
Fixed CVE:
1. CVE-2022-30629
2. CVE-2022-30631
Signed-off-by: Hitendra Prajapati
---
meta/recipes-devtools/go/go-1.14.inc | 2 +
.../go/go-1.14/CVE-2022-30629.patch | 47 +++
.../go/go-1.14/CVE-2022-30631.patch | 116 ++
3 files changed, 165 insertions(+)
create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2022-30629.patch
create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2022-30631.patch
diff --git a/meta/recipes-devtools/go/go-1.14.inc
b/meta/recipes-devtools/go/go-1.14.inc
index b160222f76..6089fd501d 100644
--- a/meta/recipes-devtools/go/go-1.14.inc
+++ b/meta/recipes-devtools/go/go-1.14.inc
@@ -25,6 +25,8 @@ SRC_URI += "\
file://CVE-2021-44717.patch \
file://CVE-2022-24675.patch \
file://CVE-2021-31525.patch \
+file://CVE-2022-30629.patch \
+file://CVE-2022-30631.patch \
"
SRC_URI_append_libc-musl = "
file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-30629.patch
b/meta/recipes-devtools/go/go-1.14/CVE-2022-30629.patch
new file mode 100644
index 00..47313a547f
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-30629.patch
@@ -0,0 +1,47 @@
+From 8d0bbb5a6280c2cf951241ec7f6579c90d38df57 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati
+Date: Thu, 25 Aug 2022 10:55:08 +0530
+Subject: [PATCH] CVE-2022-30629
+
+Upstream-Status: Backport
[https://github.com/golang/go/commit/c15a8e2dbb5ac376a6ed890735341b812d6b965c]
+CVE: CVE-2022-30629
+Signed-off-by: Hitendra Prajapati
+---
+ src/crypto/tls/handshake_server_tls13.go | 14 ++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/src/crypto/tls/handshake_server_tls13.go
b/src/crypto/tls/handshake_server_tls13.go
+index 5432145..d91797e 100644
+--- a/src/crypto/tls/handshake_server_tls13.go
b/src/crypto/tls/handshake_server_tls13.go
+@@ -9,6 +9,7 @@ import (
+ "crypto"
+ "crypto/hmac"
+ "crypto/rsa"
++ "encoding/binary"
+ "errors"
+ "hash"
+ "io"
+@@ -742,6 +743,19 @@ func (hs *serverHandshakeStateTLS13) sendSessionTickets()
error {
+ }
+ m.lifetime = uint32(maxSessionTicketLifetime / time.Second)
+
++ // ticket_age_add is a random 32-bit value. See RFC 8446, section 4.6.1
++ // The value is not stored anywhere; we never need to check the ticket
age
++ // because 0-RTT is not supported.
++ ageAdd := make([]byte, 4)
++ _, err = hs.c.config.rand().Read(ageAdd)
++ if err != nil {
++ return err
++ }
++ m.ageAdd = binary.LittleEndian.Uint32(ageAdd)
++
++ // ticket_nonce, which must be unique per connection, is always left at
++ // zero because we only ever send one ticket per connection.
++
+ if _, err := c.writeRecord(recordTypeHandshake, m.marshal()); err !=
nil {
+ return err
+ }
+--
+2.25.1
+
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-30631.patch
b/meta/recipes-devtools/go/go-1.14/CVE-2022-30631.patch
new file mode 100644
index 00..5dcfd27f16
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-30631.patch
@@ -0,0 +1,116 @@
+From d10fc3a84e3344f2421c1dd3046faa50709ab4d5 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati
+Date: Thu, 25 Aug 2022 11:01:21 +0530
+Subject: [PATCH] CVE-2022-30631
+
+Upstream-Status: Backport
[https://github.com/golang/go/commit/0117dee7dccbbd7803d88f65a2ce8bd686219ad3]
+CVE: CVE-2022-30631
+Signed-off-by: Hitendra Prajapati
+---
+ src/compress/gzip/gunzip.go | 60 +++-
+ src/compress/gzip/gunzip_test.go | 16 +
+ 2 files changed, 45 insertions(+), 31 deletions(-)
+
+diff --git a/src/compress/gzip/gunzip.go b/src/compress/gzip/gunzip.go
+index 924bce1..237b2b9 100644
+--- a/src/compress/gzip/gunzip.go
b/src/compress/gzip/gunzip.go
+@@ -248,42 +248,40 @@ func (z *Reader) Read(p []byte) (n int, err error) {
+ return 0, z.err
+ }
+
+- n, z.err = z.decompressor.Read(p)
+- z.digest = crc32.Update(z.digest, crc32.IEEETable, p[:n])
+- z.size += uint32(n)
+- if z.err != io.EOF {
+- // In the normal case we return here.
+- return n, z.err
+- }
++ for n == 0 {
++ n, z.err = z.decompressor.Read(p)
++ z.digest = crc32.Update(z.digest, crc32.IEEETable, p[:n])
++ z.size += uint32(n)
++ if z.err != io.EOF {
++ // In the normal case we return here.
++ return n, z.err
++ }
+
+- // Finished file; check checksum
