[dunfell,12/21] golang: fix CVE-2022-28327

Message ID	7333de25c554375a5ea9ba21a6bdc79036e7bb6d.1668879817.git.steve@sakoman.com
State	Accepted, archived
Commit	aab2a343be4b0b21dcaf22a7fbf77007d48c08d6
Headers	show Return-Path: <steve@sakoman.com> ip: 209.85.216.43, mailfrom: steve@sakoman.com) From: Steve Sakoman <steve@sakoman.com> To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 12/21] golang: fix CVE-2022-28327 Date: Sat, 19 Nov 2022 07:47:40 -1000 Message-Id: <7333de25c554375a5ea9ba21a6bdc79036e7bb6d.1668879817.git.steve@sakoman.com> In-Reply-To: <cover.1668879817.git.steve@sakoman.com> References: <cover.1668879817.git.steve@sakoman.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[dunfell,01/21] sudo: CVE-2022-43995 heap-based overflow with very small passwords \| expand [dunfell,01/21] sudo: CVE-2022-43995 heap-based overflow with very small passwords [dunfell,02/21] systemd: Fix CVE-2022-3821 issue [dunfell,03/21] python3: Fix CVE-2022-45061 [dunfell,04/21] libtasn1: fix CVE-2021-46848 off-by-one in asn1_encode_simple_der [dunfell,05/21] libxml2: Fix CVE-2022-40303 [dunfell,06/21] libxml2: Fix CVE-2022-40304 [dunfell,07/21] golang: fix CVE-2021-33195 [dunfell,08/21] golang: fix CVE-2021-33198 [dunfell,09/21] golang: fix CVE-2021-44716 [dunfell,10/21] golang: fix CVE-2022-24291 [dunfell,11/21] golang: fix CVE-2022-28131 [dunfell,12/21] golang: fix CVE-2022-28327 [dunfell,13/21] golang: ignore CVE-2022-29804 [dunfell,14/21] golang: ignore CVE-2021-33194 [dunfell,15/21] golang: ignore CVE-2021-41772 [dunfell,16/21] golang: ignore CVE-2022-30580 [dunfell,17/21] golang: ignore CVE-2022-30630 [dunfell,18/21] gcc : upgrade to v9.5 [dunfell,19/21] maintainers: update gcc version to 9.5 [dunfell,20/21] vim: upgrade 9.0.0614 -> 9.0.0820 [dunfell,21/21] sstate: Account for reserved characters when shortening sstate filenames

Message ID

7333de25c554375a5ea9ba21a6bdc79036e7bb6d.1668879817.git.steve@sakoman.com

State

Accepted, archived

Commit

aab2a343be4b0b21dcaf22a7fbf77007d48c08d6

Headers

From: Steve Sakoman <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][dunfell 12/21] golang: fix CVE-2022-28327
Date: Sat, 19 Nov 2022 07:47:40 -1000
Message-Id: 
 <7333de25c554375a5ea9ba21a6bdc79036e7bb6d.1668879817.git.steve@sakoman.com>
In-Reply-To: <cover.1668879817.git.steve@sakoman.com>
References: <cover.1668879817.git.steve@sakoman.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

[dunfell,01/21] sudo: CVE-2022-43995 heap-based overflow with very small passwords | expand

Commit Message

Steve Sakoman Nov. 19, 2022, 5:47 p.m. UTC

From: Ralph Siemsen <ralph.siemsen@linaro.org>

Upstream-Status: Backport [https://github.com/golang/go/commit/7139e8b024604ab168b51b99c6e8168257a5bf58]
CVE: CVE-2022-28327
Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-devtools/go/go-1.14.inc          |  1 +
 .../go/go-1.14/CVE-2022-28327.patch           | 36 +++++++++++++++++++
 2 files changed, 37 insertions(+)
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2022-28327.patch

diff --git a/meta/recipes-devtools/go/go-1.14.inc b/meta/recipes-devtools/go/go-1.14.inc
index 525a3e77c5..6e596f4141 100644
--- a/meta/recipes-devtools/go/go-1.14.inc
+++ b/meta/recipes-devtools/go/go-1.14.inc
@@ -48,6 +48,7 @@  SRC_URI += "\
     file://CVE-2021-44716.patch \
     file://CVE-2022-24921.patch \
     file://CVE-2022-28131.patch \
+    file://CVE-2022-28327.patch \
 "
 
 SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-28327.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-28327.patch
new file mode 100644
index 0000000000..6361deec7d
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-28327.patch
@@ -0,0 +1,36 @@ 
+From 34d9ab78568d63d8097911237897b188bdaba9c2 Mon Sep 17 00:00:00 2001
+From: Filippo Valsorda <filippo@golang.org>
+Date: Thu, 31 Mar 2022 12:31:58 -0400
+Subject: [PATCH] crypto/elliptic: tolerate zero-padded scalars in generic
+ P-256
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/7139e8b024604ab168b51b99c6e8168257a5bf58]
+CVE: CVE-2022-28327
+Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
+
+
+Updates #52075
+Fixes #52076
+Fixes CVE-2022-28327
+
+Change-Id: I595a7514c9a0aa1b9c76aedfc2307e1124271f27
+Reviewed-on: https://go-review.googlesource.com/c/go/+/397136
+Trust: Filippo Valsorda <filippo@golang.org>
+Reviewed-by: Julie Qiu <julie@golang.org>
+---
+ src/crypto/elliptic/p256.go | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/crypto/elliptic/p256.go b/src/crypto/elliptic/p256.go
+index c23e414..787e3e7 100644
+--- a/src/crypto/elliptic/p256.go
++++ b/src/crypto/elliptic/p256.go
+@@ -51,7 +51,7 @@ func p256GetScalar(out *[32]byte, in []byte) {
+ 	n := new(big.Int).SetBytes(in)
+ 	var scalarBytes []byte
+ 
+-	if n.Cmp(p256Params.N) >= 0 {
++	if n.Cmp(p256Params.N) >= 0 || len(in) > len(out) {
+ 		n.Mod(n, p256Params.N)
+ 		scalarBytes = n.Bytes()
+ 	} else {

[dunfell,12/21] golang: fix CVE-2022-28327

Commit Message

Patch