[OE-core] [dunfell][PATCH] golang: Fix security issue in go
Source: https://github.com/golang/go MR: 120622, 120625 Type: Security Fix Disposition: Backport from https://github.com/golang/go/commit/76f8b7304d1f7c25834e2a0cc9e88c55276c47df && https://github.com/golang/go/commit/2678d0c957193dceef336c969a9da74dd716a827 ChangeID: aabb29a6dd6a89842f451c95af228aaf66e58bb5 Description: Fixed CVE: 1. CVE-2022-30632 2. CVE-2022-30633 Signed-off-by: Hitendra Prajapati --- meta/recipes-devtools/go/go-1.14.inc | 2 + .../go/go-1.14/CVE-2022-30632.patch | 71 ++ .../go/go-1.14/CVE-2022-30633.patch | 131 ++ 3 files changed, 204 insertions(+) create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2022-30632.patch create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2022-30633.patch diff --git a/meta/recipes-devtools/go/go-1.14.inc b/meta/recipes-devtools/go/go-1.14.inc index 6089fd501d..84babc38cb 100644 --- a/meta/recipes-devtools/go/go-1.14.inc +++ b/meta/recipes-devtools/go/go-1.14.inc @@ -27,6 +27,8 @@ SRC_URI += "\ file://CVE-2021-31525.patch \ file://CVE-2022-30629.patch \ file://CVE-2022-30631.patch \ +file://CVE-2022-30632.patch \ +file://CVE-2022-30633.patch \ " SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch" diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-30632.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-30632.patch new file mode 100644 index 00..c54ef56a0e --- /dev/null +++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-30632.patch @@ -0,0 +1,71 @@ +From 35d1dfe9746029aea9027b405c7d41ffd2f8 Mon Sep 17 00:00:00 2001 +From: Hitendra Prajapati +Date: Thu, 25 Aug 2022 13:12:40 +0530 +Subject: [PATCH] CVE-2022-30632 + +Upstream-Status: Backport [https://github.com/golang/go/commit/76f8b7304d1f7c25834e2a0cc9e88c55276c47df] +CVE: CVE-2022-30632 +Signed-off-by: Hitendra Prajapati +--- + src/path/filepath/match.go | 16 +++- + src/path/filepath/match_test.go | 10 ++ + 2 files changed, 25 insertions(+), 1 deletion(-) + +diff --git a/src/path/filepath/match.go b/src/path/filepath/match.go +index 46badb5..ba68daa 100644 +--- a/src/path/filepath/match.go b/src/path/filepath/match.go +@@ -232,6 +232,20 @@ func getEsc(chunk string) (r rune, nchunk string, err error) { + // The only possible returned error is ErrBadPattern, when pattern + // is malformed. + func Glob(pattern string) (matches []string, err error) { ++ return globWithLimit(pattern, 0) ++} ++ ++func globWithLimit(pattern string, depth int) (matches []string, err error) { ++ // This limit is used prevent stack exhaustion issues. See CVE-2022-30632. ++ const pathSeparatorsLimit = 1 ++ if depth == pathSeparatorsLimit { ++ return nil, ErrBadPattern ++ } ++ ++ // Check pattern is well-formed. ++ if _, err := Match(pattern, ""); err != nil { ++ return nil, err ++ } + if !hasMeta(pattern) { + if _, err = os.Lstat(pattern); err != nil { + return nil, nil +@@ -257,7 +271,7 @@ func Glob(pattern string) (matches []string, err error) { + } + + var m []string +- m, err = Glob(dir) ++ m, err = globWithLimit(dir, depth+1) + if err != nil { + return + } +diff --git a/src/path/filepath/match_test.go b/src/path/filepath/match_test.go +index b865762..c37c812 100644 +--- a/src/path/filepath/match_test.go b/src/path/filepath/match_test.go +@@ -154,6 +154,16 @@ func TestGlob(t *testing.T) { + } + } + ++func TestCVE202230632(t *testing.T) { ++ // Prior to CVE-2022-30632, this would cause a stack exhaustion given a ++ // large number of separators (more than 4,000,000). There is now a limit ++ // of 10,000. ++ _, err := Glob("/*" + strings.Repeat("/", 10001)) ++ if err != ErrBadPattern { ++ t.Fatalf("Glob returned err=%v, want ErrBadPattern", err) ++ } ++} ++ + func TestGlobError(t *testing.T) { + _, err := Glob("[]") + if err == nil { +-- +2.25.1 + diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-30633.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-30633.patch new file mode 100644 index 00..c16cb5f50c --- /dev/null +++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-30633.patch @@ -0,0 +1,131 @@ +From ab6e2ffdcab0501bcc2de4b196c1c18ae2301d4b Mon Sep 17 00:00:00 2001 +From: Hitendra Prajapati +Date: Thu, 25 Aug 2022 13:29:55 +0530 +Subject: [PATCH] CVE-2022-30633 + +Upstream-Status: Backport [https://github.com/golang/go/commit/2678d0c957193dceef336c969a9da74dd716a827] +CVE: CVE-2022-30633 +Signed-off-by: Hitendra Prajapati +--- + src/encoding/xml/read.go | 27 +++ + src/encoding/xml/read_test.go | 14 ++ + 2 files changed, 33 insertions(+), 8 deletions(-) + +diff --git a/src/encoding/xml/read.go b/src/encoding/xml/read.go +index 10a60ee..4ffed80 100644
[OE-core] [dunfell][PATCH] golang: Fix security issue
Source: https://github.com/golang/go MR: 120613, 120613 Type: Security Fix Disposition: Backport from https://github.com/golang/go/commit/c15a8e2dbb5ac376a6ed890735341b812d6b965c && https://github.com/golang/go/commit/0117dee7dccbbd7803d88f65a2ce8bd686219ad3 ChangeID: 366db775dec045d7b312b8da0436af36ab322046 Description: Fixed CVE: 1. CVE-2022-30629 2. CVE-2022-30631 Signed-off-by: Hitendra Prajapati --- meta/recipes-devtools/go/go-1.14.inc | 2 + .../go/go-1.14/CVE-2022-30629.patch | 47 +++ .../go/go-1.14/CVE-2022-30631.patch | 116 ++ 3 files changed, 165 insertions(+) create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2022-30629.patch create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2022-30631.patch diff --git a/meta/recipes-devtools/go/go-1.14.inc b/meta/recipes-devtools/go/go-1.14.inc index b160222f76..6089fd501d 100644 --- a/meta/recipes-devtools/go/go-1.14.inc +++ b/meta/recipes-devtools/go/go-1.14.inc @@ -25,6 +25,8 @@ SRC_URI += "\ file://CVE-2021-44717.patch \ file://CVE-2022-24675.patch \ file://CVE-2021-31525.patch \ +file://CVE-2022-30629.patch \ +file://CVE-2022-30631.patch \ " SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch" diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-30629.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-30629.patch new file mode 100644 index 00..47313a547f --- /dev/null +++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-30629.patch @@ -0,0 +1,47 @@ +From 8d0bbb5a6280c2cf951241ec7f6579c90d38df57 Mon Sep 17 00:00:00 2001 +From: Hitendra Prajapati +Date: Thu, 25 Aug 2022 10:55:08 +0530 +Subject: [PATCH] CVE-2022-30629 + +Upstream-Status: Backport [https://github.com/golang/go/commit/c15a8e2dbb5ac376a6ed890735341b812d6b965c] +CVE: CVE-2022-30629 +Signed-off-by: Hitendra Prajapati +--- + src/crypto/tls/handshake_server_tls13.go | 14 ++ + 1 file changed, 14 insertions(+) + +diff --git a/src/crypto/tls/handshake_server_tls13.go b/src/crypto/tls/handshake_server_tls13.go +index 5432145..d91797e 100644 +--- a/src/crypto/tls/handshake_server_tls13.go b/src/crypto/tls/handshake_server_tls13.go +@@ -9,6 +9,7 @@ import ( + "crypto" + "crypto/hmac" + "crypto/rsa" ++ "encoding/binary" + "errors" + "hash" + "io" +@@ -742,6 +743,19 @@ func (hs *serverHandshakeStateTLS13) sendSessionTickets() error { + } + m.lifetime = uint32(maxSessionTicketLifetime / time.Second) + ++ // ticket_age_add is a random 32-bit value. See RFC 8446, section 4.6.1 ++ // The value is not stored anywhere; we never need to check the ticket age ++ // because 0-RTT is not supported. ++ ageAdd := make([]byte, 4) ++ _, err = hs.c.config.rand().Read(ageAdd) ++ if err != nil { ++ return err ++ } ++ m.ageAdd = binary.LittleEndian.Uint32(ageAdd) ++ ++ // ticket_nonce, which must be unique per connection, is always left at ++ // zero because we only ever send one ticket per connection. ++ + if _, err := c.writeRecord(recordTypeHandshake, m.marshal()); err != nil { + return err + } +-- +2.25.1 + diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-30631.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-30631.patch new file mode 100644 index 00..5dcfd27f16 --- /dev/null +++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-30631.patch @@ -0,0 +1,116 @@ +From d10fc3a84e3344f2421c1dd3046faa50709ab4d5 Mon Sep 17 00:00:00 2001 +From: Hitendra Prajapati +Date: Thu, 25 Aug 2022 11:01:21 +0530 +Subject: [PATCH] CVE-2022-30631 + +Upstream-Status: Backport [https://github.com/golang/go/commit/0117dee7dccbbd7803d88f65a2ce8bd686219ad3] +CVE: CVE-2022-30631 +Signed-off-by: Hitendra Prajapati +--- + src/compress/gzip/gunzip.go | 60 +++- + src/compress/gzip/gunzip_test.go | 16 + + 2 files changed, 45 insertions(+), 31 deletions(-) + +diff --git a/src/compress/gzip/gunzip.go b/src/compress/gzip/gunzip.go +index 924bce1..237b2b9 100644 +--- a/src/compress/gzip/gunzip.go b/src/compress/gzip/gunzip.go +@@ -248,42 +248,40 @@ func (z *Reader) Read(p []byte) (n int, err error) { + return 0, z.err + } + +- n, z.err = z.decompressor.Read(p) +- z.digest = crc32.Update(z.digest, crc32.IEEETable, p[:n]) +- z.size += uint32(n) +- if z.err != io.EOF { +- // In the normal case we return here. +- return n, z.err +- } ++ for n == 0 { ++ n, z.err = z.decompressor.Read(p) ++ z.digest = crc32.Update(z.digest, crc32.IEEETable, p[:n]) ++ z.size += uint32(n) ++ if z.err != io.EOF { ++ // In the normal case we return here. ++ return n, z.err ++ } + +- // Finished file; check checksum