Re: [OE-core][dunfell][PATCH] go: Fix for CVE-2023-45289 CVE-2023-45290 & CVE-2024-24785

2024-03-26 Thread Anuj Mittal
On Tue, 2024-03-26 at 13:09 +0530, Vijay Anusuri via
lists.openembedded.org wrote:
> +++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-45289.patch
> @@ -0,0 +1,121 @@
> +From 20586c0dbe03d144f914155f879fa5ee287591a1 Mon Sep 17 00:00:00
> 2001
> +From: Damien Neil 
> +Date: Thu, 11 Jan 2024 11:31:57 -0800
> +Subject: [PATCH] [release-branch.go1.21] net/http,
> net/http/cookiejar: avoid
> + subdomain matches on IPv6 zones
> +
> +When deciding whether to forward cookies or sensitive headers
> +across a redirect, do not attempt to interpret an IPv6 address
> +as a domain name.
> +
> +Avoids a case where a maliciously-crafted redirect to an
> +IPv6 address with a scoped addressing zone could be
> +misinterpreted as a within-domain redirect. For example,
> +we could interpret "::1%.www.example.com" as a subdomain
> +of "www.example.com".
> +
> +Thanks to Juho Nurminen of Mattermost for reporting this issue.
> +
> +Fixes CVE-2023-45289
> +Fixes #65385
> +For #65065
> +
> +Change-Id: I8f463f59f0e700c8a18733d2b264a8bcb3a19599
> +Reviewed-on:
> https://team-review.git.corp.google.com/c/golang/go-private/+/2131938
> +Reviewed-by: Tatiana Bradley 
> +Reviewed-by: Roland Shoemaker 
> +Reviewed-on:
> https://team-review.git.corp.google.com/c/golang/go-private/+/2173775
> +Reviewed-by: Carlos Amedee 
> +Reviewed-on: https://go-review.googlesource.com/c/go/+/569239
> +Reviewed-by: Carlos Amedee 
> +Auto-Submit: Michael Knyszek 
> +TryBot-Bypass: Michael Knyszek 
> +
> +Upstream-Status: Backport
> [https://github.com/golang/go/commit/20586c0dbe03d144f914155f879fa5ee
> 287591a1]
> +CVE: CVE-45289

Incorrect CVE number here ...

Thanks,

Anuj




[OE-core][dunfell][PATCH] go: Fix for CVE-2023-45289 CVE-2023-45290 & CVE-2024-24785

2024-03-26 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri 

Upstream-Status: Backport
[https://github.com/golang/go/commit/20586c0dbe03d144f914155f879fa5ee287591a1
&
https://github.com/golang/go/commit/bf80213b121074f4ad9b449410a4d13bae5e9be0
&
https://github.com/golang/go/commit/3643147a29352ca2894fd5d0d2069bc4b4335a7e]

Signed-off-by: Vijay Anusuri 
---
 meta/recipes-devtools/go/go-1.14.inc  |   3 +
 .../go/go-1.14/CVE-2023-45289.patch   | 121 
 .../go/go-1.14/CVE-2023-45290.patch   | 271 ++
 .../go/go-1.14/CVE-2024-24785.patch   | 197 +
 4 files changed, 592 insertions(+)
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-45289.patch
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-45290.patch
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2024-24785.patch

diff --git a/meta/recipes-devtools/go/go-1.14.inc 
b/meta/recipes-devtools/go/go-1.14.inc
index 4fbf9d7590..69b65f3eb2 100644
--- a/meta/recipes-devtools/go/go-1.14.inc
+++ b/meta/recipes-devtools/go/go-1.14.inc
@@ -88,6 +88,9 @@ SRC_URI += "\
 file://CVE-2023-45287-pre2.patch \
 file://CVE-2023-45287-pre3.patch \
 file://CVE-2023-45287.patch \
+file://CVE-2023-45289.patch \
+file://CVE-2023-45290.patch \
+file://CVE-2024-24785.patch \
 "
 
 SRC_URI_append_libc-musl = " 
file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-45289.patch 
b/meta/recipes-devtools/go/go-1.14/CVE-2023-45289.patch
new file mode 100644
index 00..3bec62ab83
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-45289.patch
@@ -0,0 +1,121 @@
+From 20586c0dbe03d144f914155f879fa5ee287591a1 Mon Sep 17 00:00:00 2001
+From: Damien Neil 
+Date: Thu, 11 Jan 2024 11:31:57 -0800
+Subject: [PATCH] [release-branch.go1.21] net/http, net/http/cookiejar: avoid
+ subdomain matches on IPv6 zones
+
+When deciding whether to forward cookies or sensitive headers
+across a redirect, do not attempt to interpret an IPv6 address
+as a domain name.
+
+Avoids a case where a maliciously-crafted redirect to an
+IPv6 address with a scoped addressing zone could be
+misinterpreted as a within-domain redirect. For example,
+we could interpret "::1%.www.example.com" as a subdomain
+of "www.example.com".
+
+Thanks to Juho Nurminen of Mattermost for reporting this issue.
+
+Fixes CVE-2023-45289
+Fixes #65385
+For #65065
+
+Change-Id: I8f463f59f0e700c8a18733d2b264a8bcb3a19599
+Reviewed-on: 
https://team-review.git.corp.google.com/c/golang/go-private/+/2131938
+Reviewed-by: Tatiana Bradley 
+Reviewed-by: Roland Shoemaker 
+Reviewed-on: 
https://team-review.git.corp.google.com/c/golang/go-private/+/2173775
+Reviewed-by: Carlos Amedee 
+Reviewed-on: https://go-review.googlesource.com/c/go/+/569239
+Reviewed-by: Carlos Amedee 
+Auto-Submit: Michael Knyszek 
+TryBot-Bypass: Michael Knyszek 
+
+Upstream-Status: Backport 
[https://github.com/golang/go/commit/20586c0dbe03d144f914155f879fa5ee287591a1]
+CVE: CVE-45289
+Signed-off-by: Vijay Anusuri 
+---
+ src/net/http/client.go |  6 ++
+ src/net/http/client_test.go|  1 +
+ src/net/http/cookiejar/jar.go  |  7 +++
+ src/net/http/cookiejar/jar_test.go | 10 ++
+ 4 files changed, 24 insertions(+)
+
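Review bot: The `CVE:` tag in the patch header reads `CVE: CVE-45289`, which drops the year. The file name `CVE-2023-45289.patch` and the upstream message line "Fixes CVE-2023-45289" both carry the full identifier, so the tag should read `CVE: CVE-2023-45289` to keep the header consistent with them.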
+diff --git a/src/net/http/client.go b/src/net/http/client.go
+index a496f1c..2031834 100644
+--- a/src/net/http/client.go
 b/src/net/http/client.go
+@@ -973,6 +973,12 @@ func isDomainOrSubdomain(sub, parent string) bool {
+   if sub == parent {
+   return true
+   }
++  // If sub contains a :, it's probably an IPv6 address (and is 
definitely not a hostname).
++  // Don't check the suffix in this case, to avoid matching the contents 
of a IPv6 zone.
++  // For example, "::1%.www.example.com" is not a subdomain of 
"www.example.com".
++  if strings.ContainsAny(sub, ":%") {
++  return false
++  }
+   // If sub is "foo.example.com" and parent is "example.com",
+   // that means sub must end in "."+parent.
+   // Do it without allocating.
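Review bot: In the `isDomainOrSubdomain` hunk the added comment says "If sub contains a :", but the condition is `strings.ContainsAny(sub, ":%")`, so a `sub` containing only `%` also returns false. The comment should name both characters so it matches the check. A smaller wording point in the same comment: "a IPv6 zone" should be "an IPv6 zone".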
+diff --git a/src/net/http/client_test.go b/src/net/http/client_test.go
+index 2b4f53f..442fe35 100644
+--- a/src/net/http/client_test.go
 b/src/net/http/client_test.go
+@@ -1703,6 +1703,7 @@ func TestShouldCopyHeaderOnRedirect(t *testing.T) {
+   {"cookie2", "http://foo.com/;, "http://bar.com/;, false},
+   {"authorization", "http://foo.com/;, "http://bar.com/;, false},
+   {"www-authenticate", "http://foo.com/;, "http://bar.com/;, 
false},
++  {"authorization", "http://foo.com/;, 
"http://[::1%25.foo.com]/;, false},
+ 
+   // But subdomains should work:
+   {"www-authenticate", "http://foo.com/;, "http://foo.com/;, 
true},
+diff --git a/src/net/http/cookiejar/jar.go b/src/net/http/cookiejar/jar.go
+index 9f19917..18cbfc2 100644
+--- a/src/net/http/cookiejar/jar.go
 b/src/net/http/cookiejar/jar.go
+@@