From patchwork Thu Nov 17 16:54:46 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ralph Siemsen X-Patchwork-Id: 15561 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 17BD8C43217 for ; Thu, 17 Nov 2022 16:55:13 +0000 (UTC) Received: from mail-qk1-f170.google.com (mail-qk1-f170.google.com [209.85.222.170]) by mx.groups.io with SMTP id smtpd.web11.1161.1668704106716799349 for ; Thu, 17 Nov 2022 08:55:06 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@linaro.org header.s=google header.b=J4VhWBqt; spf=pass (domain: linaro.org, ip: 209.85.222.170, mailfrom: ralph.siemsen@linaro.org) Received: by mail-qk1-f170.google.com with SMTP id s20so1598716qkg.5 for ; Thu, 17 Nov 2022 08:55:06 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=aMqv4a9EqXtsHBnO42k95DmkRZN87uPBxAeHlCNhBvU=; b=J4VhWBqtrdx9IS/X1K631sk59ZpMNCCU5TvMGRLuBpoidVoGXKBACVXEZdRxZNZgIE CsYZgVnB6ax8RKE8WeS+Y+woZzGVjPDn3xqUQF5Iklp+63h+MiUnC+KX77JnEUNH0mch pxtRJSP9tA8aMruGyCFuK7WQmTIY44vCDN27dPFLRSLTaYHfW7H77jqxgwNnTrCMGyTV 0xs3fT0kiPWWDWLmmZYt9ZO894rJb2ObUpoSgqdIebMhYZu+FaZRpyzApPBK9LrOx5To xihmwAbFs/+jYFoGVgXOVdTSHEdKGWZXraJ5HYdU6kHwewfDAPFYjahHEpT6DdQ+tfj3 oqog== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=aMqv4a9EqXtsHBnO42k95DmkRZN87uPBxAeHlCNhBvU=; b=pv8f5NO3vh7qtD2xBw2zYg8Cuvm/T3vEv+MRb6O0ZkGk8pI563wd/Ltjyrn+voDdNC TGK8D4PWqrfp7u5aFCwx3jBAl6cZWTT6Bd9n/186baRl0K1Bme3RA9HkNIYcPKWoNypa oztnUqo3rYwwWsWQoVuCLYv77ufWuJh5TSXqafp5Y6TmzeAKSYehqVf7SwaJS8wUAfG1 hMOwoIrKvOV1j7g6gq4aEM52qOo8VD1m3ztsxpp4Vlo1lzXGeKwDqQR2xij4NM9zIZLi Yg/9D1bBAcxNnd8Itkd6qRrfJbvdGsx/5adv/jwWeVJVz2bMXCt4MgsBA0dbSc4DMUV5 9YNw== X-Gm-Message-State: ANoB5pnSs9b0yp36zy3CNgRkiCRiZLWym+vsveBhDdsWPIo2H2+KbfU1 FiXJtwSVAbz2DhrjY8p9Jqk7QJ+BFHhzZw== X-Google-Smtp-Source: AA0mqf5WDFT2Zy97/Ljmg13iajuyTI+VRNkTTFFqrojNi0P0ejS/0Z3bJE1EbkUnqUJtUP0fLVvrcA== X-Received: by 2002:a37:503:0:b0:6fb:c3b3:a937 with SMTP id 3-20020a370503000000b006fbc3b3a937mr2000370qkf.34.1668704105337; Thu, 17 Nov 2022 08:55:05 -0800 (PST) Received: from maple.netwinder.org (rfs.netwinder.org. [206.248.184.2]) by smtp.gmail.com with ESMTPSA id c7-20020a05620a268700b006fb112f512csm785081qkp.74.2022.11.17.08.55.04 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 17 Nov 2022 08:55:04 -0800 (PST) From: Ralph Siemsen To: openembedded-core@lists.openembedded.org Cc: Ralph Siemsen Subject: [dunfell][PATCH 01/11] golang: fix CVE-2021-33195 Date: Thu, 17 Nov 2022 11:54:46 -0500 Message-Id: <20221117165456.1029099-1-ralph.siemsen@linaro.org> X-Mailer: git-send-email 2.25.1 MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 17 Nov 2022 16:55:13 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/173434 Upstream-Status: Backport [https://github.com/golang/go/commit/31d60cda1f58b7558fc5725d2b9e4531655d980e] CVE: CVE-2021-33195 Signed-off-by: Ralph Siemsen --- meta/recipes-devtools/go/go-1.14.inc | 1 + .../go/go-1.14/CVE-2021-33195.patch | 373 ++++++++++++++++++ 2 files changed, 374 insertions(+) create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2021-33195.patch diff --git a/meta/recipes-devtools/go/go-1.14.inc b/meta/recipes-devtools/go/go-1.14.inc index 3341beb159..63da997bf1 100644 --- a/meta/recipes-devtools/go/go-1.14.inc +++ b/meta/recipes-devtools/go/go-1.14.inc @@ -42,6 +42,7 @@ SRC_URI += "\ file://0003-CVE-2022-32190.patch \ file://0004-CVE-2022-32190.patch \ file://CVE-2022-2880.patch \ + file://CVE-2021-33195.patch \ " SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch" diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2021-33195.patch b/meta/recipes-devtools/go/go-1.14/CVE-2021-33195.patch new file mode 100644 index 0000000000..3d9de888ff --- /dev/null +++ b/meta/recipes-devtools/go/go-1.14/CVE-2021-33195.patch @@ -0,0 +1,373 @@ +From 9324d7e53151e9dfa4b25af994a28c2e0b11f729 Mon Sep 17 00:00:00 2001 +From: Roland Shoemaker +Date: Thu, 27 May 2021 10:40:06 -0700 +Subject: [PATCH] net: verify results from Lookup* are valid domain names + +Upstream-Status: Backport [https://github.com/golang/go/commit/31d60cda1f58b7558fc5725d2b9e4531655d980e] +CVE: CVE-2021-33195 +Signed-off-by: Ralph Siemsen + + +For the methods LookupCNAME, LookupSRV, LookupMX, LookupNS, and +LookupAddr check that the returned domain names are in fact valid DNS +names using the existing isDomainName function. + +Thanks to Philipp Jeitner and Haya Shulman from Fraunhofer SIT for +reporting this issue. + +Updates #46241 +Fixes #46356 +Fixes CVE-2021-33195 + +Change-Id: I47a4f58c031cb752f732e88bbdae7f819f0af4f3 +Reviewed-on: https://go-review.googlesource.com/c/go/+/323131 +Trust: Roland Shoemaker +Run-TryBot: Roland Shoemaker +TryBot-Result: Go Bot +Reviewed-by: Filippo Valsorda +Reviewed-by: Katie Hockman +(cherry picked from commit cdcd02842da7c004efd023881e3719105209c908) +Reviewed-on: https://go-review.googlesource.com/c/go/+/323269 +--- + src/net/dnsclient_unix_test.go | 157 +++++++++++++++++++++++++++++++++ + src/net/lookup.go | 111 ++++++++++++++++++++--- + 2 files changed, 255 insertions(+), 13 deletions(-) + +diff --git a/src/net/dnsclient_unix_test.go b/src/net/dnsclient_unix_test.go +index 2ad40df..b8617d9 100644 +--- a/src/net/dnsclient_unix_test.go ++++ b/src/net/dnsclient_unix_test.go +@@ -1800,3 +1800,160 @@ func TestPTRandNonPTR(t *testing.T) { + t.Errorf("names = %q; want %q", names, want) + } + } ++ ++func TestCVE202133195(t *testing.T) { ++ fake := fakeDNSServer{ ++ rh: func(n, _ string, q dnsmessage.Message, _ time.Time) (dnsmessage.Message, error) { ++ r := dnsmessage.Message{ ++ Header: dnsmessage.Header{ ++ ID: q.Header.ID, ++ Response: true, ++ RCode: dnsmessage.RCodeSuccess, ++ RecursionAvailable: true, ++ }, ++ Questions: q.Questions, ++ } ++ switch q.Questions[0].Type { ++ case dnsmessage.TypeCNAME: ++ r.Answers = []dnsmessage.Resource{} ++ case dnsmessage.TypeA: // CNAME lookup uses a A/AAAA as a proxy ++ r.Answers = append(r.Answers, ++ dnsmessage.Resource{ ++ Header: dnsmessage.ResourceHeader{ ++ Name: dnsmessage.MustNewName(".golang.org."), ++ Type: dnsmessage.TypeA, ++ Class: dnsmessage.ClassINET, ++ Length: 4, ++ }, ++ Body: &dnsmessage.AResource{ ++ A: TestAddr, ++ }, ++ }, ++ ) ++ case dnsmessage.TypeSRV: ++ n := q.Questions[0].Name ++ if n.String() == "_hdr._tcp.golang.org." { ++ n = dnsmessage.MustNewName(".golang.org.") ++ } ++ r.Answers = append(r.Answers, ++ dnsmessage.Resource{ ++ Header: dnsmessage.ResourceHeader{ ++ Name: n, ++ Type: dnsmessage.TypeSRV, ++ Class: dnsmessage.ClassINET, ++ Length: 4, ++ }, ++ Body: &dnsmessage.SRVResource{ ++ Target: dnsmessage.MustNewName(".golang.org."), ++ }, ++ }, ++ ) ++ case dnsmessage.TypeMX: ++ r.Answers = append(r.Answers, ++ dnsmessage.Resource{ ++ Header: dnsmessage.ResourceHeader{ ++ Name: dnsmessage.MustNewName(".golang.org."), ++ Type: dnsmessage.TypeMX, ++ Class: dnsmessage.ClassINET, ++ Length: 4, ++ }, ++ Body: &dnsmessage.MXResource{ ++ MX: dnsmessage.MustNewName(".golang.org."), ++ }, ++ }, ++ ) ++ case dnsmessage.TypeNS: ++ r.Answers = append(r.Answers, ++ dnsmessage.Resource{ ++ Header: dnsmessage.ResourceHeader{ ++ Name: dnsmessage.MustNewName(".golang.org."), ++ Type: dnsmessage.TypeNS, ++ Class: dnsmessage.ClassINET, ++ Length: 4, ++ }, ++ Body: &dnsmessage.NSResource{ ++ NS: dnsmessage.MustNewName(".golang.org."), ++ }, ++ }, ++ ) ++ case dnsmessage.TypePTR: ++ r.Answers = append(r.Answers, ++ dnsmessage.Resource{ ++ Header: dnsmessage.ResourceHeader{ ++ Name: dnsmessage.MustNewName(".golang.org."), ++ Type: dnsmessage.TypePTR, ++ Class: dnsmessage.ClassINET, ++ Length: 4, ++ }, ++ Body: &dnsmessage.PTRResource{ ++ PTR: dnsmessage.MustNewName(".golang.org."), ++ }, ++ }, ++ ) ++ } ++ return r, nil ++ }, ++ } ++ ++ r := Resolver{PreferGo: true, Dial: fake.DialContext} ++ // Change the default resolver to match our manipulated resolver ++ originalDefault := DefaultResolver ++ DefaultResolver = &r ++ defer func() { ++ DefaultResolver = originalDefault ++ }() ++ ++ _, err := r.LookupCNAME(context.Background(), "golang.org") ++ if expected := "lookup golang.org: CNAME target is invalid"; err == nil || err.Error() != expected { ++ t.Errorf("Resolver.LookupCNAME returned unexpected error, got %q, want %q", err.Error(), expected) ++ } ++ _, err = LookupCNAME("golang.org") ++ if expected := "lookup golang.org: CNAME target is invalid"; err == nil || err.Error() != expected { ++ t.Errorf("LookupCNAME returned unexpected error, got %q, want %q", err.Error(), expected) ++ } ++ ++ _, _, err = r.LookupSRV(context.Background(), "target", "tcp", "golang.org") ++ if expected := "lookup golang.org: SRV target is invalid"; err == nil || err.Error() != expected { ++ t.Errorf("Resolver.LookupSRV returned unexpected error, got %q, want %q", err.Error(), expected) ++ } ++ _, _, err = LookupSRV("target", "tcp", "golang.org") ++ if expected := "lookup golang.org: SRV target is invalid"; err == nil || err.Error() != expected { ++ t.Errorf("LookupSRV returned unexpected error, got %q, want %q", err.Error(), expected) ++ } ++ ++ _, _, err = r.LookupSRV(context.Background(), "hdr", "tcp", "golang.org") ++ if expected := "lookup golang.org: SRV header name is invalid"; err == nil || err.Error() != expected { ++ t.Errorf("Resolver.LookupSRV returned unexpected error, got %q, want %q", err.Error(), expected) ++ } ++ _, _, err = LookupSRV("hdr", "tcp", "golang.org") ++ if expected := "lookup golang.org: SRV header name is invalid"; err == nil || err.Error() != expected { ++ t.Errorf("LookupSRV returned unexpected error, got %q, want %q", err.Error(), expected) ++ } ++ ++ _, err = r.LookupMX(context.Background(), "golang.org") ++ if expected := "lookup golang.org: MX target is invalid"; err == nil || err.Error() != expected { ++ t.Errorf("Resolver.LookupMX returned unexpected error, got %q, want %q", err.Error(), expected) ++ } ++ _, err = LookupMX("golang.org") ++ if expected := "lookup golang.org: MX target is invalid"; err == nil || err.Error() != expected { ++ t.Errorf("LookupMX returned unexpected error, got %q, want %q", err.Error(), expected) ++ } ++ ++ _, err = r.LookupNS(context.Background(), "golang.org") ++ if expected := "lookup golang.org: NS target is invalid"; err == nil || err.Error() != expected { ++ t.Errorf("Resolver.LookupNS returned unexpected error, got %q, want %q", err.Error(), expected) ++ } ++ _, err = LookupNS("golang.org") ++ if expected := "lookup golang.org: NS target is invalid"; err == nil || err.Error() != expected { ++ t.Errorf("LookupNS returned unexpected error, got %q, want %q", err.Error(), expected) ++ } ++ ++ _, err = r.LookupAddr(context.Background(), "1.2.3.4") ++ if expected := "lookup 1.2.3.4: PTR target is invalid"; err == nil || err.Error() != expected { ++ t.Errorf("Resolver.LookupAddr returned unexpected error, got %q, want %q", err.Error(), expected) ++ } ++ _, err = LookupAddr("1.2.3.4") ++ if expected := "lookup 1.2.3.4: PTR target is invalid"; err == nil || err.Error() != expected { ++ t.Errorf("LookupAddr returned unexpected error, got %q, want %q", err.Error(), expected) ++ } ++} +diff --git a/src/net/lookup.go b/src/net/lookup.go +index 9cebd10..05e88e4 100644 +--- a/src/net/lookup.go ++++ b/src/net/lookup.go +@@ -364,8 +364,11 @@ func (r *Resolver) LookupPort(ctx context.Context, network, service string) (por + // LookupCNAME does not return an error if host does not + // contain DNS "CNAME" records, as long as host resolves to + // address records. ++// ++// The returned canonical name is validated to be a properly ++// formatted presentation-format domain name. + func LookupCNAME(host string) (cname string, err error) { +- return DefaultResolver.lookupCNAME(context.Background(), host) ++ return DefaultResolver.LookupCNAME(context.Background(), host) + } + + // LookupCNAME returns the canonical name for the given host. +@@ -378,8 +381,18 @@ func LookupCNAME(host string) (cname string, err error) { + // LookupCNAME does not return an error if host does not + // contain DNS "CNAME" records, as long as host resolves to + // address records. +-func (r *Resolver) LookupCNAME(ctx context.Context, host string) (cname string, err error) { +- return r.lookupCNAME(ctx, host) ++// ++// The returned canonical name is validated to be a properly ++// formatted presentation-format domain name. ++func (r *Resolver) LookupCNAME(ctx context.Context, host string) (string, error) { ++ cname, err := r.lookupCNAME(ctx, host) ++ if err != nil { ++ return "", err ++ } ++ if !isDomainName(cname) { ++ return "", &DNSError{Err: "CNAME target is invalid", Name: host} ++ } ++ return cname, nil + } + + // LookupSRV tries to resolve an SRV query of the given service, +@@ -391,8 +404,11 @@ func (r *Resolver) LookupCNAME(ctx context.Context, host string) (cname string, + // That is, it looks up _service._proto.name. To accommodate services + // publishing SRV records under non-standard names, if both service + // and proto are empty strings, LookupSRV looks up name directly. ++// ++// The returned service names are validated to be properly ++// formatted presentation-format domain names. + func LookupSRV(service, proto, name string) (cname string, addrs []*SRV, err error) { +- return DefaultResolver.lookupSRV(context.Background(), service, proto, name) ++ return DefaultResolver.LookupSRV(context.Background(), service, proto, name) + } + + // LookupSRV tries to resolve an SRV query of the given service, +@@ -404,28 +420,82 @@ func LookupSRV(service, proto, name string) (cname string, addrs []*SRV, err err + // That is, it looks up _service._proto.name. To accommodate services + // publishing SRV records under non-standard names, if both service + // and proto are empty strings, LookupSRV looks up name directly. +-func (r *Resolver) LookupSRV(ctx context.Context, service, proto, name string) (cname string, addrs []*SRV, err error) { +- return r.lookupSRV(ctx, service, proto, name) ++// ++// The returned service names are validated to be properly ++// formatted presentation-format domain names. ++func (r *Resolver) LookupSRV(ctx context.Context, service, proto, name string) (string, []*SRV, error) { ++ cname, addrs, err := r.lookupSRV(ctx, service, proto, name) ++ if err != nil { ++ return "", nil, err ++ } ++ if cname != "" && !isDomainName(cname) { ++ return "", nil, &DNSError{Err: "SRV header name is invalid", Name: name} ++ } ++ for _, addr := range addrs { ++ if addr == nil { ++ continue ++ } ++ if !isDomainName(addr.Target) { ++ return "", nil, &DNSError{Err: "SRV target is invalid", Name: name} ++ } ++ } ++ return cname, addrs, nil + } + + // LookupMX returns the DNS MX records for the given domain name sorted by preference. ++// ++// The returned mail server names are validated to be properly ++// formatted presentation-format domain names. + func LookupMX(name string) ([]*MX, error) { +- return DefaultResolver.lookupMX(context.Background(), name) ++ return DefaultResolver.LookupMX(context.Background(), name) + } + + // LookupMX returns the DNS MX records for the given domain name sorted by preference. ++// ++// The returned mail server names are validated to be properly ++// formatted presentation-format domain names. + func (r *Resolver) LookupMX(ctx context.Context, name string) ([]*MX, error) { +- return r.lookupMX(ctx, name) ++ records, err := r.lookupMX(ctx, name) ++ if err != nil { ++ return nil, err ++ } ++ for _, mx := range records { ++ if mx == nil { ++ continue ++ } ++ if !isDomainName(mx.Host) { ++ return nil, &DNSError{Err: "MX target is invalid", Name: name} ++ } ++ } ++ return records, nil + } + + // LookupNS returns the DNS NS records for the given domain name. ++// ++// The returned name server names are validated to be properly ++// formatted presentation-format domain names. + func LookupNS(name string) ([]*NS, error) { +- return DefaultResolver.lookupNS(context.Background(), name) ++ return DefaultResolver.LookupNS(context.Background(), name) + } + + // LookupNS returns the DNS NS records for the given domain name. ++// ++// The returned name server names are validated to be properly ++// formatted presentation-format domain names. + func (r *Resolver) LookupNS(ctx context.Context, name string) ([]*NS, error) { +- return r.lookupNS(ctx, name) ++ records, err := r.lookupNS(ctx, name) ++ if err != nil { ++ return nil, err ++ } ++ for _, ns := range records { ++ if ns == nil { ++ continue ++ } ++ if !isDomainName(ns.Host) { ++ return nil, &DNSError{Err: "NS target is invalid", Name: name} ++ } ++ } ++ return records, nil + } + + // LookupTXT returns the DNS TXT records for the given domain name. +@@ -441,14 +511,29 @@ func (r *Resolver) LookupTXT(ctx context.Context, name string) ([]string, error) + // LookupAddr performs a reverse lookup for the given address, returning a list + // of names mapping to that address. + // ++// The returned names are validated to be properly formatted presentation-format ++// domain names. ++// + // When using the host C library resolver, at most one result will be + // returned. To bypass the host resolver, use a custom Resolver. + func LookupAddr(addr string) (names []string, err error) { +- return DefaultResolver.lookupAddr(context.Background(), addr) ++ return DefaultResolver.LookupAddr(context.Background(), addr) + } + + // LookupAddr performs a reverse lookup for the given address, returning a list + // of names mapping to that address. +-func (r *Resolver) LookupAddr(ctx context.Context, addr string) (names []string, err error) { +- return r.lookupAddr(ctx, addr) ++// ++// The returned names are validated to be properly formatted presentation-format ++// domain names. ++func (r *Resolver) LookupAddr(ctx context.Context, addr string) ([]string, error) { ++ names, err := r.lookupAddr(ctx, addr) ++ if err != nil { ++ return nil, err ++ } ++ for _, name := range names { ++ if !isDomainName(name) { ++ return nil, &DNSError{Err: "PTR target is invalid", Name: addr} ++ } ++ } ++ return names, nil + } From patchwork Thu Nov 17 16:54:47 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ralph Siemsen X-Patchwork-Id: 15562 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 37F89C41535 for ; Thu, 17 Nov 2022 16:55:13 +0000 (UTC) Received: from mail-qk1-f182.google.com (mail-qk1-f182.google.com [209.85.222.182]) by mx.groups.io with SMTP id smtpd.web11.1162.1668704107198347801 for ; Thu, 17 Nov 2022 08:55:07 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@linaro.org header.s=google header.b=XJ6bgFa5; spf=pass (domain: linaro.org, ip: 209.85.222.182, mailfrom: ralph.siemsen@linaro.org) Received: by mail-qk1-f182.google.com with SMTP id z1so1586422qkl.9 for ; Thu, 17 Nov 2022 08:55:07 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=eL4wc56SMMLB5eMroRwV9O0XhDAByIBmhRD4OtUmZt4=; b=XJ6bgFa56qnyIhnGZZUZFvmp/xKhT7bDtUekFw/opq6azt1cOQa8YtiTox0fvisD2O SmRtJM+Jgu6kugF3zPdwe8VkuZdub59IcI1qr2JafsHzl1jDD4aRmrgE1S5E31E/U0XX z1darXgPjOWBjijP+XlH4Bx/A3S5pagu7OMEu9k3q5GGH+zUOPrueSZWDRkwF5hzyYjG uPz7T7FSOtVm3OMKRI6mJEGPnqFwI6bbH0uJAwYKCCk1U1Zz3aSykfdpL26RzaE7LWNc x5p9TLTYDErG12ZBLOTf/gNSFD5rYd+R6NHQ4NLwSi91KjUwTYjnyPSE1rCh40SknglK qc8A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=eL4wc56SMMLB5eMroRwV9O0XhDAByIBmhRD4OtUmZt4=; b=qZfOLHxbtfwyEH1YhC/kGSphLU32frnaEi0xnHvfpp8cgFrL9mFLCrKRaApzKPhqdq Ox4f+8E3gxiIsV0v+Ym+53hf9q34RMxpg81NkjZeDT4Tcr6zY0GEVdpBhDpgqdFFqoO+ EYODkOUCwkULJvz4QXJ1lgyBQD/zZvp/JDh8yjF4JOmciZTD2Fbj2Sm2JKJioOobva7b E34Xkp0RLdAXSKquvD+r67huObxlipbjVrAbYiMju1Vc+EW8T17df+OVms8OazlDv91i jhI5drZ/aKLqppHRXecWznsncgn3Ed9mDd57qFKpIUvdh2wV7d+h5z5UA2fuJDb2aNxM 39pA== X-Gm-Message-State: ANoB5plkJBUaiLsPdB3F0VYuaCbeHuiw+fwNj+Zxj5vSoQ/UUmw0n1ii GCjW21KP33tggh4T6PGZVcqkVSvxVMs/uA== X-Google-Smtp-Source: AA0mqf4JVsjVlLNqb3J7TgDZKHFOJaIlyHbxTE5AowArmuNGOnvYScV4G1v1OgyzDXrRCCYaKGgUZA== X-Received: by 2002:a05:620a:4708:b0:6fa:ada7:e51b with SMTP id bs8-20020a05620a470800b006faada7e51bmr2423557qkb.674.1668704106256; Thu, 17 Nov 2022 08:55:06 -0800 (PST) Received: from maple.netwinder.org (rfs.netwinder.org. [206.248.184.2]) by smtp.gmail.com with ESMTPSA id c7-20020a05620a268700b006fb112f512csm785081qkp.74.2022.11.17.08.55.05 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 17 Nov 2022 08:55:05 -0800 (PST) From: Ralph Siemsen To: openembedded-core@lists.openembedded.org Cc: Ralph Siemsen Subject: [dunfell][PATCH 02/11] golang: fix CVE-2021-33198 Date: Thu, 17 Nov 2022 11:54:47 -0500 Message-Id: <20221117165456.1029099-2-ralph.siemsen@linaro.org> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20221117165456.1029099-1-ralph.siemsen@linaro.org> References: <20221117165456.1029099-1-ralph.siemsen@linaro.org> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 17 Nov 2022 16:55:13 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/173435 Upstream-Status: Backport [https://github.com/golang/go/commit/df9ce19db6df32d94eae8760927bdfbc595433c3] CVE: CVE-2021-33198 Signed-off-by: Ralph Siemsen --- meta/recipes-devtools/go/go-1.14.inc | 1 + .../go/go-1.14/CVE-2021-33198.patch | 113 ++++++++++++++++++ 2 files changed, 114 insertions(+) create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2021-33198.patch diff --git a/meta/recipes-devtools/go/go-1.14.inc b/meta/recipes-devtools/go/go-1.14.inc index 63da997bf1..90f483c294 100644 --- a/meta/recipes-devtools/go/go-1.14.inc +++ b/meta/recipes-devtools/go/go-1.14.inc @@ -43,6 +43,7 @@ SRC_URI += "\ file://0004-CVE-2022-32190.patch \ file://CVE-2022-2880.patch \ file://CVE-2021-33195.patch \ + file://CVE-2021-33198.patch \ " SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch" diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2021-33198.patch b/meta/recipes-devtools/go/go-1.14/CVE-2021-33198.patch new file mode 100644 index 0000000000..241c08dad7 --- /dev/null +++ b/meta/recipes-devtools/go/go-1.14/CVE-2021-33198.patch @@ -0,0 +1,113 @@ +From c8866491ac424cdf39aedb325e6dec9e54418cfb Mon Sep 17 00:00:00 2001 +From: Robert Griesemer +Date: Sun, 2 May 2021 11:27:03 -0700 +Subject: [PATCH] math/big: check for excessive exponents in Rat.SetString + +CVE-2021-33198 + +Upstream-Status: Backport [https://github.com/golang/go/commit/df9ce19db6df32d94eae8760927bdfbc595433c3] +CVE: CVE-2021-33198 +Signed-off-by: Ralph Siemsen + + +Found by OSS-Fuzz https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33284 + +Thanks to Emmanuel Odeke for reporting this issue. + +Updates #45910 +Fixes #46305 +Fixes CVE-2021-33198 + +Change-Id: I61e7b04dbd80343420b57eede439e361c0f7b79c +Reviewed-on: https://go-review.googlesource.com/c/go/+/316149 +Trust: Robert Griesemer +Trust: Katie Hockman +Run-TryBot: Robert Griesemer +TryBot-Result: Go Bot +Reviewed-by: Katie Hockman +Reviewed-by: Emmanuel Odeke +(cherry picked from commit 6c591f79b0b5327549bd4e94970f7a279efb4ab0) +Reviewed-on: https://go-review.googlesource.com/c/go/+/321831 +Run-TryBot: Katie Hockman +Reviewed-by: Roland Shoemaker +--- + src/math/big/ratconv.go | 15 ++++++++------- + src/math/big/ratconv_test.go | 25 +++++++++++++++++++++++++ + 2 files changed, 33 insertions(+), 7 deletions(-) + +diff --git a/src/math/big/ratconv.go b/src/math/big/ratconv.go +index e8cbdbe..90053a9 100644 +--- a/src/math/big/ratconv.go ++++ b/src/math/big/ratconv.go +@@ -51,7 +51,8 @@ func (z *Rat) Scan(s fmt.ScanState, ch rune) error { + // An optional base-10 ``e'' or base-2 ``p'' (or their upper-case variants) + // exponent may be provided as well, except for hexadecimal floats which + // only accept an (optional) ``p'' exponent (because an ``e'' or ``E'' cannot +-// be distinguished from a mantissa digit). ++// be distinguished from a mantissa digit). If the exponent's absolute value ++// is too large, the operation may fail. + // The entire string, not just a prefix, must be valid for success. If the + // operation failed, the value of z is undefined but the returned value is nil. + func (z *Rat) SetString(s string) (*Rat, bool) { +@@ -174,6 +175,9 @@ func (z *Rat) SetString(s string) (*Rat, bool) { + return nil, false + } + } ++ if n > 1e6 { ++ return nil, false // avoid excessively large exponents ++ } + pow5 := z.b.abs.expNN(natFive, nat(nil).setWord(Word(n)), nil) // use underlying array of z.b.abs + if exp5 > 0 { + z.a.abs = z.a.abs.mul(z.a.abs, pow5) +@@ -186,15 +190,12 @@ func (z *Rat) SetString(s string) (*Rat, bool) { + } + + // apply exp2 contributions ++ if exp2 < -1e7 || exp2 > 1e7 { ++ return nil, false // avoid excessively large exponents ++ } + if exp2 > 0 { +- if int64(uint(exp2)) != exp2 { +- panic("exponent too large") +- } + z.a.abs = z.a.abs.shl(z.a.abs, uint(exp2)) + } else if exp2 < 0 { +- if int64(uint(-exp2)) != -exp2 { +- panic("exponent too large") +- } + z.b.abs = z.b.abs.shl(z.b.abs, uint(-exp2)) + } + +diff --git a/src/math/big/ratconv_test.go b/src/math/big/ratconv_test.go +index b820df4..e55e655 100644 +--- a/src/math/big/ratconv_test.go ++++ b/src/math/big/ratconv_test.go +@@ -590,3 +590,28 @@ func TestIssue31184(t *testing.T) { + } + } + } ++ ++func TestIssue45910(t *testing.T) { ++ var x Rat ++ for _, test := range []struct { ++ input string ++ want bool ++ }{ ++ {"1e-1000001", false}, ++ {"1e-1000000", true}, ++ {"1e+1000000", true}, ++ {"1e+1000001", false}, ++ ++ {"0p1000000000000", true}, ++ {"1p-10000001", false}, ++ {"1p-10000000", true}, ++ {"1p+10000000", true}, ++ {"1p+10000001", false}, ++ {"1.770p02041010010011001001", false}, // test case from issue ++ } { ++ _, got := x.SetString(test.input) ++ if got != test.want { ++ t.Errorf("SetString(%s) got ok = %v; want %v", test.input, got, test.want) ++ } ++ } ++} From patchwork Thu Nov 17 16:54:48 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ralph Siemsen X-Patchwork-Id: 15560 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 37A6AC4167E for ; Thu, 17 Nov 2022 16:55:13 +0000 (UTC) Received: from mail-qt1-f173.google.com (mail-qt1-f173.google.com [209.85.160.173]) by mx.groups.io with SMTP id smtpd.web10.1036.1668704108059738981 for ; Thu, 17 Nov 2022 08:55:08 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@linaro.org header.s=google header.b=CtzOn7NF; spf=pass (domain: linaro.org, ip: 209.85.160.173, mailfrom: ralph.siemsen@linaro.org) Received: by mail-qt1-f173.google.com with SMTP id h21so1465990qtu.2 for ; Thu, 17 Nov 2022 08:55:07 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=C9PhAPo1Kd15XnHTO5hsldPf4wTIkbUnJs9tMnLUk2I=; b=CtzOn7NF053KQAMJlI0Gv4S3sx9IcvGzUITcwI5iOLgU9EUNEogfk+L2lgePBI9ZSH kiIlAKl2b1PIZbnz3rJREJiiidvHu6Z3OzPC7YoZIPNzDcNxFGFKNDCCxiJepaNr93p1 +yCTws4h++birxSMMQdhbTPuOzEftG+bDa0X9GCbT2uiswDU9CPtaPSSwAIo7w6O/bDJ ibTctii/L6HxteGaK1MoovsGAK9KxPiHDmANgK1SapxU/Or8YBRIP/chtesFeCZiFini las6AMC5OY7N6ZYXabb5rjXdrIqQ/TkGHhCj0srz+Kd3cjvou62P5ylMAQbxh/RjTkI8 coaA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=C9PhAPo1Kd15XnHTO5hsldPf4wTIkbUnJs9tMnLUk2I=; b=C5G4RMHC+d2KLDv4FXtRhhQyQ6wggnt8D19acuZyASMTDV51UbyYNHqOfHYeZ4M42+ EQpNUwDziP4EtkehchDLYu66zBQ+F2BFwS1vjswg4ts5/riSrEawxsUZTTnmEcnqgx8K 5AsGcXldtw+AXbat+9oG56o5HqpOC1UA1HA3YFTnPolNFZaucZjyhKeeDev+1tMhk73Y p7xNZWv3qNQsqAJKLXDqGf1Y55NjmF8FPztsdAyF6eorJ3ddrCkzQmxyNXdWlvkVPrqi TKC3WELKfrdfz9S75gCJSypKw/AQvF9xoL99r22lC2lhKzXHlMzMMamRj+5szZi6mytZ pBQg== X-Gm-Message-State: ANoB5plnYbNqBHJe/dPzl0tJAq2qBOU5Q/j54HQUxGyS+fQjEdnu1Z64 Rp+dbqRwXcb7ZF9QKs2aZCw3DycQYRkpEA== X-Google-Smtp-Source: AA0mqf6aVKpn/bEmvPX0InvYORnfb/1qXJ8IAObqE53A2T5he69oSyRhudAqfVKewSd5bKPJrl9BhQ== X-Received: by 2002:ac8:4d4e:0:b0:39c:bdd5:30b7 with SMTP id x14-20020ac84d4e000000b0039cbdd530b7mr3030891qtv.213.1668704107172; Thu, 17 Nov 2022 08:55:07 -0800 (PST) Received: from maple.netwinder.org (rfs.netwinder.org. [206.248.184.2]) by smtp.gmail.com with ESMTPSA id c7-20020a05620a268700b006fb112f512csm785081qkp.74.2022.11.17.08.55.06 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 17 Nov 2022 08:55:06 -0800 (PST) From: Ralph Siemsen To: openembedded-core@lists.openembedded.org Cc: Ralph Siemsen Subject: [dunfell][PATCH 03/11] golang: fix CVE-2021-44716 Date: Thu, 17 Nov 2022 11:54:48 -0500 Message-Id: <20221117165456.1029099-3-ralph.siemsen@linaro.org> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20221117165456.1029099-1-ralph.siemsen@linaro.org> References: <20221117165456.1029099-1-ralph.siemsen@linaro.org> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 17 Nov 2022 16:55:13 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/173436 Upstream-Status: Backport [https://github.com/golang/go/commit/d0aebe3e74fe14799f97ddd3f01129697c6a290a] CVE: CVE-2021-44716 Signed-off-by: Ralph Siemsen --- meta/recipes-devtools/go/go-1.14.inc | 1 + .../go/go-1.14/CVE-2021-44716.patch | 93 +++++++++++++++++++ 2 files changed, 94 insertions(+) create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2021-44716.patch diff --git a/meta/recipes-devtools/go/go-1.14.inc b/meta/recipes-devtools/go/go-1.14.inc index 90f483c294..ae3f724c53 100644 --- a/meta/recipes-devtools/go/go-1.14.inc +++ b/meta/recipes-devtools/go/go-1.14.inc @@ -44,6 +44,7 @@ SRC_URI += "\ file://CVE-2022-2880.patch \ file://CVE-2021-33195.patch \ file://CVE-2021-33198.patch \ + file://CVE-2021-44716.patch \ " SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch" diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2021-44716.patch b/meta/recipes-devtools/go/go-1.14/CVE-2021-44716.patch new file mode 100644 index 0000000000..9c4fee2db4 --- /dev/null +++ b/meta/recipes-devtools/go/go-1.14/CVE-2021-44716.patch @@ -0,0 +1,93 @@ +From 9f1860075990e7bf908ca7cc329d1d3ef91741c8 Mon Sep 17 00:00:00 2001 +From: Filippo Valsorda +Date: Thu, 9 Dec 2021 06:13:31 -0500 +Subject: [PATCH] net/http: update bundled golang.org/x/net/http2 + +Upstream-Status: Backport [https://github.com/golang/go/commit/d0aebe3e74fe14799f97ddd3f01129697c6a290a] +CVE: CVE-2021-44716 +Signed-off-by: Ralph Siemsen + + +Pull in security fix + + a5309b3 http2: cap the size of the server's canonical header cache + +Updates #50058 +Fixes CVE-2021-44716 + +Change-Id: Ifdd13f97fce168de5fb4b2e74ef2060d059800b9 +Reviewed-on: https://go-review.googlesource.com/c/go/+/370575 +Trust: Filippo Valsorda +Run-TryBot: Filippo Valsorda +Reviewed-by: Alex Rakoczy +TryBot-Result: Gopher Robot +(cherry picked from commit d0aebe3e74fe14799f97ddd3f01129697c6a290a) +--- + src/go.mod | 2 +- + src/go.sum | 4 ++-- + src/net/http/h2_bundle.go | 10 +++++++++- + src/vendor/modules.txt | 2 +- + 4 files changed, 13 insertions(+), 5 deletions(-) + +diff --git a/src/go.mod b/src/go.mod +index ec6bd98..56f2fbb 100644 +--- a/src/go.mod ++++ b/src/go.mod +@@ -4,7 +4,7 @@ go 1.14 + + require ( + golang.org/x/crypto v0.0.0-20200128174031-69ecbb4d6d5d +- golang.org/x/net v0.0.0-20210129194117-4acb7895a057 ++ golang.org/x/net v0.0.0-20211209100217-a5309b321dca + golang.org/x/sys v0.0.0-20200201011859-915c9c3d4ccf // indirect + golang.org/x/text v0.3.3-0.20191031172631-4b67af870c6f // indirect + ) +diff --git a/src/go.sum b/src/go.sum +index 171e083..1ceba05 100644 +--- a/src/go.sum ++++ b/src/go.sum +@@ -2,8 +2,8 @@ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACk + golang.org/x/crypto v0.0.0-20200128174031-69ecbb4d6d5d h1:9FCpayM9Egr1baVnV1SX0H87m+XB0B8S0hAMi99X/3U= + golang.org/x/crypto v0.0.0-20200128174031-69ecbb4d6d5d/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= + golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +-golang.org/x/net v0.0.0-20210129194117-4acb7895a057 h1:HThQeV5c0Ab/Puir+q6mC97b7+3dfZdsLWMLoBrzo68= +-golang.org/x/net v0.0.0-20210129194117-4acb7895a057/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= ++golang.org/x/net v0.0.0-20211209100217-a5309b321dca h1:UmeWAm8AwB6NA/e4FSaGlK1EKTLXKX3utx4Si+6kfPg= ++golang.org/x/net v0.0.0-20211209100217-a5309b321dca/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= + golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= + golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= + golang.org/x/sys v0.0.0-20200201011859-915c9c3d4ccf h1:+4j7oujXP478CVb/AFvHJmVX5+Pczx2NGts5yirA0oY= +diff --git a/src/net/http/h2_bundle.go b/src/net/http/h2_bundle.go +index 702fd5a..83f2a72 100644 +--- a/src/net/http/h2_bundle.go ++++ b/src/net/http/h2_bundle.go +@@ -4293,7 +4293,15 @@ func (sc *http2serverConn) canonicalHeader(v string) string { + sc.canonHeader = make(map[string]string) + } + cv = CanonicalHeaderKey(v) +- sc.canonHeader[v] = cv ++ // maxCachedCanonicalHeaders is an arbitrarily-chosen limit on the number of ++ // entries in the canonHeader cache. This should be larger than the number ++ // of unique, uncommon header keys likely to be sent by the peer, while not ++ // so high as to permit unreaasonable memory usage if the peer sends an unbounded ++ // number of unique header keys. ++ const maxCachedCanonicalHeaders = 32 ++ if len(sc.canonHeader) < maxCachedCanonicalHeaders { ++ sc.canonHeader[v] = cv ++ } + return cv + } + +diff --git a/src/vendor/modules.txt b/src/vendor/modules.txt +index 669bd9b..1d67183 100644 +--- a/src/vendor/modules.txt ++++ b/src/vendor/modules.txt +@@ -8,7 +8,7 @@ golang.org/x/crypto/curve25519 + golang.org/x/crypto/hkdf + golang.org/x/crypto/internal/subtle + golang.org/x/crypto/poly1305 +-# golang.org/x/net v0.0.0-20210129194117-4acb7895a057 ++# golang.org/x/net v0.0.0-20211209100217-a5309b321dca + ## explicit + golang.org/x/net/dns/dnsmessage + golang.org/x/net/http/httpguts From patchwork Thu Nov 17 16:54:49 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Ralph Siemsen X-Patchwork-Id: 15559 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 28AB2C43219 for ; Thu, 17 Nov 2022 16:55:13 +0000 (UTC) Received: from mail-qv1-f53.google.com (mail-qv1-f53.google.com [209.85.219.53]) by mx.groups.io with SMTP id smtpd.web10.1039.1668704109160201852 for ; Thu, 17 Nov 2022 08:55:09 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@linaro.org header.s=google header.b=PfPODC3S; spf=pass (domain: linaro.org, ip: 209.85.219.53, mailfrom: ralph.siemsen@linaro.org) Received: by mail-qv1-f53.google.com with SMTP id ml12so1616650qvb.0 for ; Thu, 17 Nov 2022 08:55:09 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=vXzMad5diV45FvwRK2r6D+VT//+p4pw9Xj/C2RZt4BI=; b=PfPODC3SYnPionp0RWMVzdQm7EXsvaT+mwKlNs4ukYl15gPZ9NCP5Q05XlqhrZ9nug NyEpQikXFliJ5pnIIKIj3d44l6CldXkoIcSVhCc5pZReeLdybHMqSzekiTYtTcBCa4f3 1TGhPLKvUdAkjUi8XLyYINMnitiybG5fX8Q41PtkAH7/YMgadUHd4oMvLI15GgZL3SKY vpoc++Va8WvQoKNof9mgrLwFSLXnObEEkHnYgHzRQMpoiSngB+AFjvyJnpzm2OhSxMkn h145t4baLMTXOZx99sw4UnlPWlcA4QPhtQtkk9ly7OgpBoPLLTGJYkDK9JrlI3JqmVAM 72oQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=vXzMad5diV45FvwRK2r6D+VT//+p4pw9Xj/C2RZt4BI=; b=HHqHWmm3yh/OYybiiipF4FA9F2UqUKYR6DsCD+/iVhFCNOOztwT3Yd77eKRDzqPqdk fcSYp8uf4138R4fa5Alrb3B0LODxUwSrcfnFXn2peCJEHTDD/V4UNfQYWdKTRJNJTxEU 6mQLRH2+UcwA5eS84ctXV4C4FWeA1l29fN6b+LYuaCYFvGUVT9SUJMQjbU4HanwaKrjd CgMqMFIE3AhsCJflySDkRntITJdxrXIWXQDvSmI1DR3uBar4m92ndzGW8hPtnD4eM72a TCb3A8Q9SkhVJMv6wcXUquk0VQQCZc3Z1XH1NF5omUzvOjfeWOgk6qKH3bh32Ccho9Og nOTg== X-Gm-Message-State: ANoB5pm6Ni3hVsKR5rnwjrm4hoAtZgE7gBrfXGa4Mx/fKykf1KMMjoex tVr8KOqh9wvPO+Z3NPd8yRFAOX0Cf2V8BQ== X-Google-Smtp-Source: AA0mqf4v0mYcraDW3KBVcO7U70+9ZROYoNZOJr5rXc/CEBgF0B+PWrkuLYn5e7YsPxcDCHD46+5nqw== X-Received: by 2002:a05:6214:3688:b0:4bb:9180:638f with SMTP id nl8-20020a056214368800b004bb9180638fmr3133993qvb.98.1668704108118; Thu, 17 Nov 2022 08:55:08 -0800 (PST) Received: from maple.netwinder.org (rfs.netwinder.org. [206.248.184.2]) by smtp.gmail.com with ESMTPSA id c7-20020a05620a268700b006fb112f512csm785081qkp.74.2022.11.17.08.55.07 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 17 Nov 2022 08:55:07 -0800 (PST) From: Ralph Siemsen To: openembedded-core@lists.openembedded.org Cc: Ralph Siemsen Subject: [dunfell][PATCH 04/11] golang: fix CVE-2022-24291 Date: Thu, 17 Nov 2022 11:54:49 -0500 Message-Id: <20221117165456.1029099-4-ralph.siemsen@linaro.org> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20221117165456.1029099-1-ralph.siemsen@linaro.org> References: <20221117165456.1029099-1-ralph.siemsen@linaro.org> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 17 Nov 2022 16:55:13 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/173437 Upstream-Status: Backport [https://github.com/golang/go/commit/2b65cde5868d8245ef8a0b8eba1e361440252d3b] CVE: CVE-2022-24921 Signed-off-by: Ralph Siemsen +Date: Wed, 2 Feb 2022 16:41:32 -0500 +Subject: [PATCH] regexp/syntax: reject very deeply nested regexps in Parse +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Upstream-Status: Backport [https://github.com/golang/go/commit/2b65cde5868d8245ef8a0b8eba1e361440252d3b] +CVE: CVE-2022-24921 +Signed-off-by: Ralph Siemsen +Run-TryBot: Russ Cox +Reviewed-by: Ian Lance Taylor +Reviewed-on: https://go-review.googlesource.com/c/go/+/384855 +--- + src/regexp/syntax/parse.go | 72 ++++++++++++++++++++++++++++++++- + src/regexp/syntax/parse_test.go | 7 ++++ + 2 files changed, 77 insertions(+), 2 deletions(-) + +diff --git a/src/regexp/syntax/parse.go b/src/regexp/syntax/parse.go +index 8c6d43a..55bd20d 100644 +--- a/src/regexp/syntax/parse.go ++++ b/src/regexp/syntax/parse.go +@@ -76,13 +76,29 @@ const ( + opVerticalBar + ) + ++// maxHeight is the maximum height of a regexp parse tree. ++// It is somewhat arbitrarily chosen, but the idea is to be large enough ++// that no one will actually hit in real use but at the same time small enough ++// that recursion on the Regexp tree will not hit the 1GB Go stack limit. ++// The maximum amount of stack for a single recursive frame is probably ++// closer to 1kB, so this could potentially be raised, but it seems unlikely ++// that people have regexps nested even this deeply. ++// We ran a test on Google's C++ code base and turned up only ++// a single use case with depth > 100; it had depth 128. ++// Using depth 1000 should be plenty of margin. ++// As an optimization, we don't even bother calculating heights ++// until we've allocated at least maxHeight Regexp structures. ++const maxHeight = 1000 ++ + type parser struct { + flags Flags // parse mode flags + stack []*Regexp // stack of parsed expressions + free *Regexp + numCap int // number of capturing groups seen + wholeRegexp string +- tmpClass []rune // temporary char class work space ++ tmpClass []rune // temporary char class work space ++ numRegexp int // number of regexps allocated ++ height map[*Regexp]int // regexp height for height limit check + } + + func (p *parser) newRegexp(op Op) *Regexp { +@@ -92,16 +108,52 @@ func (p *parser) newRegexp(op Op) *Regexp { + *re = Regexp{} + } else { + re = new(Regexp) ++ p.numRegexp++ + } + re.Op = op + return re + } + + func (p *parser) reuse(re *Regexp) { ++ if p.height != nil { ++ delete(p.height, re) ++ } + re.Sub0[0] = p.free + p.free = re + } + ++func (p *parser) checkHeight(re *Regexp) { ++ if p.numRegexp < maxHeight { ++ return ++ } ++ if p.height == nil { ++ p.height = make(map[*Regexp]int) ++ for _, re := range p.stack { ++ p.checkHeight(re) ++ } ++ } ++ if p.calcHeight(re, true) > maxHeight { ++ panic(ErrInternalError) ++ } ++} ++ ++func (p *parser) calcHeight(re *Regexp, force bool) int { ++ if !force { ++ if h, ok := p.height[re]; ok { ++ return h ++ } ++ } ++ h := 1 ++ for _, sub := range re.Sub { ++ hsub := p.calcHeight(sub, false) ++ if h < 1+hsub { ++ h = 1 + hsub ++ } ++ } ++ p.height[re] = h ++ return h ++} ++ + // Parse stack manipulation. + + // push pushes the regexp re onto the parse stack and returns the regexp. +@@ -137,6 +189,7 @@ func (p *parser) push(re *Regexp) *Regexp { + } + + p.stack = append(p.stack, re) ++ p.checkHeight(re) + return re + } + +@@ -252,6 +305,7 @@ func (p *parser) repeat(op Op, min, max int, before, after, lastRepeat string) ( + re.Sub = re.Sub0[:1] + re.Sub[0] = sub + p.stack[n-1] = re ++ p.checkHeight(re) + + if op == OpRepeat && (min >= 2 || max >= 2) && !repeatIsValid(re, 1000) { + return "", &Error{ErrInvalidRepeatSize, before[:len(before)-len(after)]} +@@ -699,6 +753,21 @@ func literalRegexp(s string, flags Flags) *Regexp { + // Flags, and returns a regular expression parse tree. The syntax is + // described in the top-level comment. + func Parse(s string, flags Flags) (*Regexp, error) { ++ return parse(s, flags) ++} ++ ++func parse(s string, flags Flags) (_ *Regexp, err error) { ++ defer func() { ++ switch r := recover(); r { ++ default: ++ panic(r) ++ case nil: ++ // ok ++ case ErrInternalError: ++ err = &Error{Code: ErrInternalError, Expr: s} ++ } ++ }() ++ + if flags&Literal != 0 { + // Trivial parser for literal string. + if err := checkUTF8(s); err != nil { +@@ -710,7 +779,6 @@ func Parse(s string, flags Flags) (*Regexp, error) { + // Otherwise, must do real work. + var ( + p parser +- err error + c rune + op Op + lastRepeat string +diff --git a/src/regexp/syntax/parse_test.go b/src/regexp/syntax/parse_test.go +index 5581ba1..1ef6d8a 100644 +--- a/src/regexp/syntax/parse_test.go ++++ b/src/regexp/syntax/parse_test.go +@@ -207,6 +207,11 @@ var parseTests = []parseTest{ + // Valid repetitions. + {`((((((((((x{2}){2}){2}){2}){2}){2}){2}){2}){2}))`, ``}, + {`((((((((((x{1}){2}){2}){2}){2}){2}){2}){2}){2}){2})`, ``}, ++ ++ // Valid nesting. ++ {strings.Repeat("(", 999) + strings.Repeat(")", 999), ``}, ++ {strings.Repeat("(?:", 999) + strings.Repeat(")*", 999), ``}, ++ {"(" + strings.Repeat("|", 12345) + ")", ``}, // not nested at all + } + + const testFlags = MatchNL | PerlX | UnicodeGroups +@@ -482,6 +487,8 @@ var invalidRegexps = []string{ + `a{100000}`, + `a{100000,}`, + "((((((((((x{2}){2}){2}){2}){2}){2}){2}){2}){2}){2})", ++ strings.Repeat("(", 1000) + strings.Repeat(")", 1000), ++ strings.Repeat("(?:", 1000) + strings.Repeat(")*", 1000), + `\Q\E*`, + } + From patchwork Thu Nov 17 16:54:50 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ralph Siemsen X-Patchwork-Id: 15557 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 29751C4167D for ; Thu, 17 Nov 2022 16:55:13 +0000 (UTC) Received: from mail-qv1-f45.google.com (mail-qv1-f45.google.com [209.85.219.45]) by mx.groups.io with SMTP id smtpd.web10.1040.1668704110057355159 for ; Thu, 17 Nov 2022 08:55:10 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@linaro.org header.s=google header.b=WxeXGVgH; spf=pass (domain: linaro.org, ip: 209.85.219.45, mailfrom: ralph.siemsen@linaro.org) Received: by mail-qv1-f45.google.com with SMTP id j6so1561405qvn.12 for ; Thu, 17 Nov 2022 08:55:09 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=pVBYxDL5qIePep9NGxLFVXquK98SgMPkBp/OpVvrkTU=; b=WxeXGVgHey9Pu0ZMLqN/cUo/cf1iULKTOfQ6SDnMKdeiVBKYoNXcPrG2878JRzX3G+ as+KTW7kjKComXahjjrC9BNEQTW73mQv4nTjgugV4nPYuQ64DkveqhBhNaxjUy2Uz9Oc Cpy7MvLE3pkR28xQMk2tD3N9tgpuEKF3PMVe5YNqXbAyzFPSmFfgTvfqT1gxl0ZRzsOu FllLfWOlyS6IhMww22t5CdlBk3CPCQlQzJx4Zn0q7zkfFMmVA/QnzVJfewbOK3nTpQtL efbisS9uhmHMvP74swa8Bwha0xjoA3yR/d6RNWYeevxts9cUHIfnQO0EXCvURV8kml3+ IM3w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=pVBYxDL5qIePep9NGxLFVXquK98SgMPkBp/OpVvrkTU=; b=u51VUdq/uIqSgvr9yZuB44lOSduCgrQgxfynxtjaZl1xtHnoweArmACwbG83i6OWh/ Dro/1pH/zXiqQaqOlE3T/sPkICHBsUGgbzv0bf+ENl3RlxhoTsg34sfEbRVtMCaLA0rM zqowctC2MxialYc2dK0zpsuaXEXks1RS/u2HDarlz1ZMWe2+U0QmUwLSpVee9JHPpwYe vYFT6YW+cPu09CaYTl90jubI53HFq1WfBxCWYAl26kEayK6+wqg2uY6YdMEedWi1o9fV KgdaK/sqpmBKi9bC41k6mAnwQL/t5Uz+mZnFpfcey4MFDbB5gC7V6rNebOgXfjre06nU 3i8Q== X-Gm-Message-State: ANoB5pmtHiLJErffCbTZ0Ppuppz4WbKNOym1soaXaSq5fho8CXh4HyEs 1+HTFHCJapnWL1vFsEuScPuTva9pkOcAEQ== X-Google-Smtp-Source: AA0mqf7hTp2mIPywhdoi7oBqqMOHofzJ1y7lOPfBJ9/zr5a3pYWyg31SwqIpCS8J9v1fivAmJKwj0g== X-Received: by 2002:a0c:e810:0:b0:4bc:10c8:96fc with SMTP id y16-20020a0ce810000000b004bc10c896fcmr3157480qvn.120.1668704109181; Thu, 17 Nov 2022 08:55:09 -0800 (PST) Received: from maple.netwinder.org (rfs.netwinder.org. [206.248.184.2]) by smtp.gmail.com with ESMTPSA id c7-20020a05620a268700b006fb112f512csm785081qkp.74.2022.11.17.08.55.08 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 17 Nov 2022 08:55:08 -0800 (PST) From: Ralph Siemsen To: openembedded-core@lists.openembedded.org Cc: Ralph Siemsen Subject: [dunfell][PATCH 05/11] golang: fix CVE-2022-28131 Date: Thu, 17 Nov 2022 11:54:50 -0500 Message-Id: <20221117165456.1029099-5-ralph.siemsen@linaro.org> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20221117165456.1029099-1-ralph.siemsen@linaro.org> References: <20221117165456.1029099-1-ralph.siemsen@linaro.org> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 17 Nov 2022 16:55:13 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/173438 Upstream-Status: Backport [https://github.com/golang/go/commit/58facfbe7db2fbb9afed794b281a70bdb12a60ae] CVE: CVE-2022-28131 Signed-off-by: Ralph Siemsen --- meta/recipes-devtools/go/go-1.14.inc | 1 + .../go/go-1.14/CVE-2022-28131.patch | 104 ++++++++++++++++++ 2 files changed, 105 insertions(+) create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2022-28131.patch diff --git a/meta/recipes-devtools/go/go-1.14.inc b/meta/recipes-devtools/go/go-1.14.inc index d670d637cd..ddd08ce0c9 100644 --- a/meta/recipes-devtools/go/go-1.14.inc +++ b/meta/recipes-devtools/go/go-1.14.inc @@ -46,6 +46,7 @@ SRC_URI += "\ file://CVE-2021-33198.patch \ file://CVE-2021-44716.patch \ file://CVE-2022-24921.patch \ + file://CVE-2022-28131.patch \ " SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch" diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-28131.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-28131.patch new file mode 100644 index 0000000000..8afa292144 --- /dev/null +++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-28131.patch @@ -0,0 +1,104 @@ +From 8136eb2e5c316a51d0da710fbd0504cbbefee526 Mon Sep 17 00:00:00 2001 +From: Roland Shoemaker +Date: Mon, 28 Mar 2022 18:41:26 -0700 +Subject: [PATCH] encoding/xml: use iterative Skip, rather than recursive + +Upstream-Status: Backport [https://github.com/golang/go/commit/58facfbe7db2fbb9afed794b281a70bdb12a60ae] +CVE: CVE-2022-28131 +Signed-off-by: Ralph Siemsen + + +Prevents exhausting the stack limit in _incredibly_ deeply nested +structures. + +Fixes #53711 +Updates #53614 +Fixes CVE-2022-28131 + +Change-Id: I47db4595ce10cecc29fbd06afce7b299868599e6 +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1419912 +Reviewed-by: Julie Qiu +Reviewed-by: Damien Neil +(cherry picked from commit 9278cb78443d2b4deb24cbb5b61c9ba5ac688d49) +Reviewed-on: https://go-review.googlesource.com/c/go/+/417068 +TryBot-Result: Gopher Robot +Reviewed-by: Heschi Kreinick +Run-TryBot: Michael Knyszek +--- + src/encoding/xml/read.go | 15 ++++++++------- + src/encoding/xml/read_test.go | 18 ++++++++++++++++++ + 2 files changed, 26 insertions(+), 7 deletions(-) + +diff --git a/src/encoding/xml/read.go b/src/encoding/xml/read.go +index 4ffed80..3fac859 100644 +--- a/src/encoding/xml/read.go ++++ b/src/encoding/xml/read.go +@@ -743,12 +743,12 @@ Loop: + } + + // Skip reads tokens until it has consumed the end element +-// matching the most recent start element already consumed. +-// It recurs if it encounters a start element, so it can be used to +-// skip nested structures. ++// matching the most recent start element already consumed, ++// skipping nested structures. + // It returns nil if it finds an end element matching the start + // element; otherwise it returns an error describing the problem. + func (d *Decoder) Skip() error { ++ var depth int64 + for { + tok, err := d.Token() + if err != nil { +@@ -756,11 +756,12 @@ func (d *Decoder) Skip() error { + } + switch tok.(type) { + case StartElement: +- if err := d.Skip(); err != nil { +- return err +- } ++ depth++ + case EndElement: +- return nil ++ if depth == 0 { ++ return nil ++ } ++ depth-- + } + } + } +diff --git a/src/encoding/xml/read_test.go b/src/encoding/xml/read_test.go +index 6a20b1a..7a621a5 100644 +--- a/src/encoding/xml/read_test.go ++++ b/src/encoding/xml/read_test.go +@@ -5,9 +5,11 @@ + package xml + + import ( ++ "bytes" + "errors" + "io" + "reflect" ++ "runtime" + "strings" + "testing" + "time" +@@ -1093,3 +1095,19 @@ func TestCVE202228131(t *testing.T) { + t.Fatalf("Unmarshal unexpected error: got %q, want %q", err, errExeceededMaxUnmarshalDepth) + } + } ++ ++func TestCVE202230633(t *testing.T) { ++ if runtime.GOARCH == "wasm" { ++ t.Skip("causes memory exhaustion on js/wasm") ++ } ++ defer func() { ++ p := recover() ++ if p != nil { ++ t.Fatal("Unmarshal panicked") ++ } ++ }() ++ var example struct { ++ Things []string ++ } ++ Unmarshal(bytes.Repeat([]byte(""), 17_000_000), &example) ++} From patchwork Thu Nov 17 16:54:51 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ralph Siemsen X-Patchwork-Id: 15558 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 18C8FC4332F for ; Thu, 17 Nov 2022 16:55:13 +0000 (UTC) Received: from mail-qv1-f48.google.com (mail-qv1-f48.google.com [209.85.219.48]) by mx.groups.io with SMTP id smtpd.web10.1041.1668704111010043832 for ; Thu, 17 Nov 2022 08:55:11 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@linaro.org header.s=google header.b=pITOAPRk; spf=pass (domain: linaro.org, ip: 209.85.219.48, mailfrom: ralph.siemsen@linaro.org) Received: by mail-qv1-f48.google.com with SMTP id k2so392846qvo.1 for ; Thu, 17 Nov 2022 08:55:10 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=p8Ilxs+9rqQK5eKtzY7ZzDIhkrSWPGI56XNBq5g4yNE=; b=pITOAPRkat4EcWmez5Q+Vlbe/5K75YCOLldRgPwmKMgpgbaMZL/nGtfuFQQ03d+wqs /QQVym6WEyywglytK4q2GoY+h1FDIexv6OYGrS5pFR60P8dQW4N+x0fkXNggEDoPqnNC cd102u2lt03jARhkS5TBvvny7ny1CuhvlkUChy17dwiWHnf6pNvwzRz66GqEDybddg6i N4giBWwU/mrDBkhB6LH6qgrHVOqQC1Ko8kDmmTeQ9zUkGVbc5+X6Px6YV7n/YEBp/G0s fg1IOGBEuZS5iIz4mQT2jxURyprclCrI+8Lg6yDP+xZQlYXUPRWI5LgLOJHDz/VuaEMP pe5A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=p8Ilxs+9rqQK5eKtzY7ZzDIhkrSWPGI56XNBq5g4yNE=; b=td5KoJZ1hdd9czaYfLB2Zcuaa+XvaOFXZZPb+23sLoJJ5yRboRyhvMUEKVBZqDatHs MPvm+lNsHQAmDgzOvmYB4coc6hgK+Gl2RQt3W/1jcvlyxf+Lm4oIgPSr8olJA2QM2hgl g0yTxwJs0qMPrAnfzlsrMHTeZsSaWrOzmLMH+KDKrIIcF6PH6isisk+MfrW/u/5MCWEH rY7ZXqlQkuJisvkTXJs0lv9G02AjLUaaRUzrlXEb90T7nBNQsKtWwS4dfZiyeTlMXfMw 5CWFiCE6lQHDz2BXgRoHAffPi6cokSZYefvl/R6TnM3Kdrk/sCxUVd91YTMqGn6ox1Hl HzwQ== X-Gm-Message-State: ANoB5pmSvKjmYzjz4s/rOr6GcZBo96v35WZtiQachB4cex9JZCtE+XYw FK5RQ5xBqYcILdENBVKqK9M4rG9y50dMBg== X-Google-Smtp-Source: AA0mqf6KC+6GhAHwTNGJSP36qUnOyy802cGYgIJXQDS7IMoFZfObuKfHyiHkr7FcyvXp2X3s0mRwLg== X-Received: by 2002:ad4:57a9:0:b0:4bb:699e:4cec with SMTP id g9-20020ad457a9000000b004bb699e4cecmr3348888qvx.6.1668704110097; Thu, 17 Nov 2022 08:55:10 -0800 (PST) Received: from maple.netwinder.org (rfs.netwinder.org. [206.248.184.2]) by smtp.gmail.com with ESMTPSA id c7-20020a05620a268700b006fb112f512csm785081qkp.74.2022.11.17.08.55.09 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 17 Nov 2022 08:55:09 -0800 (PST) From: Ralph Siemsen To: openembedded-core@lists.openembedded.org Cc: Ralph Siemsen Subject: [dunfell][PATCH 06/11] golang: fix CVE-2022-28327 Date: Thu, 17 Nov 2022 11:54:51 -0500 Message-Id: <20221117165456.1029099-6-ralph.siemsen@linaro.org> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20221117165456.1029099-1-ralph.siemsen@linaro.org> References: <20221117165456.1029099-1-ralph.siemsen@linaro.org> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 17 Nov 2022 16:55:13 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/173439 Upstream-Status: Backport [https://github.com/golang/go/commit/7139e8b024604ab168b51b99c6e8168257a5bf58] CVE: CVE-2022-28327 Signed-off-by: Ralph Siemsen --- meta/recipes-devtools/go/go-1.14.inc | 1 + .../go/go-1.14/CVE-2022-28327.patch | 36 +++++++++++++++++++ 2 files changed, 37 insertions(+) create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2022-28327.patch diff --git a/meta/recipes-devtools/go/go-1.14.inc b/meta/recipes-devtools/go/go-1.14.inc index ddd08ce0c9..467ba13b72 100644 --- a/meta/recipes-devtools/go/go-1.14.inc +++ b/meta/recipes-devtools/go/go-1.14.inc @@ -47,6 +47,7 @@ SRC_URI += "\ file://CVE-2021-44716.patch \ file://CVE-2022-24921.patch \ file://CVE-2022-28131.patch \ + file://CVE-2022-28327.patch \ " SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch" diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-28327.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-28327.patch new file mode 100644 index 0000000000..6361deec7d --- /dev/null +++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-28327.patch @@ -0,0 +1,36 @@ +From 34d9ab78568d63d8097911237897b188bdaba9c2 Mon Sep 17 00:00:00 2001 +From: Filippo Valsorda +Date: Thu, 31 Mar 2022 12:31:58 -0400 +Subject: [PATCH] crypto/elliptic: tolerate zero-padded scalars in generic + P-256 + +Upstream-Status: Backport [https://github.com/golang/go/commit/7139e8b024604ab168b51b99c6e8168257a5bf58] +CVE: CVE-2022-28327 +Signed-off-by: Ralph Siemsen + + +Updates #52075 +Fixes #52076 +Fixes CVE-2022-28327 + +Change-Id: I595a7514c9a0aa1b9c76aedfc2307e1124271f27 +Reviewed-on: https://go-review.googlesource.com/c/go/+/397136 +Trust: Filippo Valsorda +Reviewed-by: Julie Qiu +--- + src/crypto/elliptic/p256.go | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/crypto/elliptic/p256.go b/src/crypto/elliptic/p256.go +index c23e414..787e3e7 100644 +--- a/src/crypto/elliptic/p256.go ++++ b/src/crypto/elliptic/p256.go +@@ -51,7 +51,7 @@ func p256GetScalar(out *[32]byte, in []byte) { + n := new(big.Int).SetBytes(in) + var scalarBytes []byte + +- if n.Cmp(p256Params.N) >= 0 { ++ if n.Cmp(p256Params.N) >= 0 || len(in) > len(out) { + n.Mod(n, p256Params.N) + scalarBytes = n.Bytes() + } else { From patchwork Thu Nov 17 16:54:52 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ralph Siemsen X-Patchwork-Id: 15556 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1A85EC4321E for ; Thu, 17 Nov 2022 16:55:13 +0000 (UTC) Received: from mail-qv1-f50.google.com (mail-qv1-f50.google.com [209.85.219.50]) by mx.groups.io with SMTP id smtpd.web11.1164.1668704111942703296 for ; Thu, 17 Nov 2022 08:55:12 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@linaro.org header.s=google header.b=Ct9zujxi; spf=pass (domain: linaro.org, ip: 209.85.219.50, mailfrom: ralph.siemsen@linaro.org) Received: by mail-qv1-f50.google.com with SMTP id i12so1598407qvs.2 for ; Thu, 17 Nov 2022 08:55:11 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=L5WCKJmPHKzaNjRot287QJac8qJ9532nYzrvkAsgscQ=; b=Ct9zujxiEggmlENmRXzD1ytMxVG86/p3hCYzGdzFQPJ2Cto7dpTudKeLLEuNvSgQol AjIsxkbVkaWq37bIcRKi51SqP3VAEVKRqdRuBg60C4pAp62xz+6aSirhrj+v4EaePSqN H4aXfh/yUpKNVbfSPsTeuBmiI8o2oyvjfFGXqVyaigYul4kNErWv/1ZNzPQ8QF8eL3lK fQtpuNMlOaTmIA+PftuhvvO2LxYeFq7yNyPO1DGxpiVZ6eYwreLfAa1xtGlFhyw4MlLi Aevdl05aHWrNogq1D7ol3U3KQQRGLni8T26l46pcDaaCZEGvBRSVC8+/XdPrTjPewO0j u+5Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=L5WCKJmPHKzaNjRot287QJac8qJ9532nYzrvkAsgscQ=; b=WQOTG4CH0VucnYUwfivqcwoNVxfyOQDQfH1s6MXtnJ1wtbHjcieQSGZXHpIMfZr0I0 /pYDeI7TWkEWnbzvbtGGl5lJhyVoYy18MqFsitq0A1AkdmPwS/P+ku9Adw5DE5GHglNS RjMYxfptWs/JuSlGNMbFZuG83HgrLk0twP9WJFby/fnZb1GTtgXYt14CwiWNQX6nLDsp T4JTcktejRR5fl7urkCFwOHSCSApgy5o6wHYZfsADQBhdvmuCVrADQUWfszPz3sXyoMR Sro5FVTxBzpypea8wADTpYdgJNZ6gXnWukCw6lNZaMqOOpzEiUNeBRVs4V6LtmzJEvRF Ayfw== X-Gm-Message-State: ANoB5pnrmgUeR7mU2S+zBRfW/gD0y4kg7gsacef9Sk8qdnW8U5BcqXJ6 gCiv1Wso/pKtUdfAj/ddAd/tB4AS02eHuQ== X-Google-Smtp-Source: AA0mqf4b2Qtz1Lw4gYt3Q6rs2XlRwvVN6IAaWOY4imETfVHPx45nYi14QFvm+38oxzz4vXGc3xdY4w== X-Received: by 2002:ad4:48d0:0:b0:4bb:7584:748d with SMTP id v16-20020ad448d0000000b004bb7584748dmr3095095qvx.117.1668704111003; Thu, 17 Nov 2022 08:55:11 -0800 (PST) Received: from maple.netwinder.org (rfs.netwinder.org. [206.248.184.2]) by smtp.gmail.com with ESMTPSA id c7-20020a05620a268700b006fb112f512csm785081qkp.74.2022.11.17.08.55.10 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 17 Nov 2022 08:55:10 -0800 (PST) From: Ralph Siemsen To: openembedded-core@lists.openembedded.org Cc: Ralph Siemsen Subject: [dunfell][PATCH 07/11] golang: ignore CVE-2022-29804 Date: Thu, 17 Nov 2022 11:54:52 -0500 Message-Id: <20221117165456.1029099-7-ralph.siemsen@linaro.org> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20221117165456.1029099-1-ralph.siemsen@linaro.org> References: <20221117165456.1029099-1-ralph.siemsen@linaro.org> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 17 Nov 2022 16:55:13 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/173440 The issue only affects Windows per the golang announcement [1]: On Windows, the filepath.Clean function could convert an invalid path to a valid, absolute path. For example, Clean(`.\c:`) returned `c:`. [1] https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg Signed-off-by: Ralph Siemsen --- meta/recipes-devtools/go/go-1.14.inc | 1 + 1 file changed, 1 insertion(+) diff --git a/meta/recipes-devtools/go/go-1.14.inc b/meta/recipes-devtools/go/go-1.14.inc index 467ba13b72..a76e5ab70c 100644 --- a/meta/recipes-devtools/go/go-1.14.inc +++ b/meta/recipes-devtools/go/go-1.14.inc @@ -63,4 +63,5 @@ CVE_CHECK_WHITELIST += "CVE-2021-29923" CVE_CHECK_WHITELIST += "CVE-2022-29526" # Issue only on windows +CVE_CHECK_WHITELIST += "CVE-2022-29804" CVE_CHECK_WHITELIST += "CVE-2022-30634" From patchwork Thu Nov 17 16:54:53 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ralph Siemsen X-Patchwork-Id: 15563 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 38A3EC46467 for ; Thu, 17 Nov 2022 16:55:13 +0000 (UTC) Received: from mail-qt1-f182.google.com (mail-qt1-f182.google.com [209.85.160.182]) by mx.groups.io with SMTP id smtpd.web10.1042.1668704112715064083 for ; Thu, 17 Nov 2022 08:55:12 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@linaro.org header.s=google header.b=k26cb78T; spf=pass (domain: linaro.org, ip: 209.85.160.182, mailfrom: ralph.siemsen@linaro.org) Received: by mail-qt1-f182.google.com with SMTP id a27so1445640qtw.10 for ; Thu, 17 Nov 2022 08:55:12 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=TGihK8SvZAcswnMXFG0JVSp1ImG/qx/M9JahXZlPbBk=; b=k26cb78T6VEQ7B3QCGDm4iMWVI6QbR+HLgnuwin+Pv8Iv2HZAyY4qTLducNIixuqYB wpSN+IPNNG8SKa7+GbQmBYxl9gsw2Ci+pYOwko1nPFWm6kMemvsRV6sGfciLHK7ALbte upJRPmZtuvzR8ORDdbreUWQ2abSPRETpEuZ7wlgQfjOc9fAcI6QcaymtlMV3cxRGWQbr EW33JhpIE5E3+MPjEtF6NP49VT2jUPy4dDasiD09tfAn/lQPKDdMzrWPjXrSDLxzoeme AzUIc2qBxgYUnUKSYG3jwfok22WNbjX8HsJso1JZ8o0yVEqiBrHxG0oYq7W6W9Vjwn+C Mdaw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=TGihK8SvZAcswnMXFG0JVSp1ImG/qx/M9JahXZlPbBk=; b=mdXf5ONmxPNeSU8JlOIuYAENXpOcjEwFfO8YRmigPb/jK6HKYqIbAcfgOf0Ph7q0f1 aHut40QNU8HRM2CQ06kaBHGMzr0JlmihtmDb2Iv/YLX+lkKWo+uoSCQ04ccaEmU4zh4L ME3SyWxhhqEDrxc6Ln/MZTOqPPO7ThZmRE0TtFb+hSkZjz3yLi3vudTuo7skqBNigCMf w0in4TEYldXDiriL7wN8rZQKSZtyn+jnmpa0KZfr4X5IzRTO5/jaEFh1dUXwyDPTwmUo nRnJa4kb77mcsB6PX3PBPca58YKsx9uTlVMiHqYkGXBjZUfHZusdopCho4QSZGZMNHqw DVxw== X-Gm-Message-State: ANoB5pm5df6yssAbSDYPS6jWI8cAKtSuob1UOXAfZaq2We7nE6Kp6Y6j Y3DYO7QbE4bjnHI41SydDxB/bILX10Kq7A== X-Google-Smtp-Source: AA0mqf5qzcUv106YUbC7HPVLxVaNVOvEcUdoKjpCVOHaQNUznKncp34xuW7k0bjyE5b851mkzmPpWQ== X-Received: by 2002:ac8:7608:0:b0:3a5:6797:c57a with SMTP id t8-20020ac87608000000b003a56797c57amr3049695qtq.34.1668704111855; Thu, 17 Nov 2022 08:55:11 -0800 (PST) Received: from maple.netwinder.org (rfs.netwinder.org. [206.248.184.2]) by smtp.gmail.com with ESMTPSA id c7-20020a05620a268700b006fb112f512csm785081qkp.74.2022.11.17.08.55.11 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 17 Nov 2022 08:55:11 -0800 (PST) From: Ralph Siemsen To: openembedded-core@lists.openembedded.org Cc: Ralph Siemsen Subject: [dunfell][PATCH 08/11] golang: ignore CVE-2021-33194 Date: Thu, 17 Nov 2022 11:54:53 -0500 Message-Id: <20221117165456.1029099-8-ralph.siemsen@linaro.org> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20221117165456.1029099-1-ralph.siemsen@linaro.org> References: <20221117165456.1029099-1-ralph.siemsen@linaro.org> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 17 Nov 2022 16:55:13 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/173441 This is a bug in golang.org/x/net/html/parse.go. The golang compiler includes a partial copy of this under src/vendor/golang.org/x/net/ however the "html" subdirectory is not included. So this bug does not apply to the compiler itself. Signed-off-by: Ralph Siemsen --- meta/recipes-devtools/go/go-1.14.inc | 3 +++ 1 file changed, 3 insertions(+) diff --git a/meta/recipes-devtools/go/go-1.14.inc b/meta/recipes-devtools/go/go-1.14.inc index a76e5ab70c..9fd46356e9 100644 --- a/meta/recipes-devtools/go/go-1.14.inc +++ b/meta/recipes-devtools/go/go-1.14.inc @@ -65,3 +65,6 @@ CVE_CHECK_WHITELIST += "CVE-2022-29526" # Issue only on windows CVE_CHECK_WHITELIST += "CVE-2022-29804" CVE_CHECK_WHITELIST += "CVE-2022-30634" + +# Issue is in golang.org/x/net/html/parse.go, not used in go compiler +CVE_CHECK_WHITELIST += "CVE-2021-33194" From patchwork Thu Nov 17 16:54:54 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ralph Siemsen X-Patchwork-Id: 15566 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 30D3CC4332F for ; Thu, 17 Nov 2022 16:55:23 +0000 (UTC) Received: from mail-qt1-f177.google.com (mail-qt1-f177.google.com [209.85.160.177]) by mx.groups.io with SMTP id smtpd.web11.1165.1668704113610444743 for ; Thu, 17 Nov 2022 08:55:13 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@linaro.org header.s=google header.b=WgSHb2UO; spf=pass (domain: linaro.org, ip: 209.85.160.177, mailfrom: ralph.siemsen@linaro.org) Received: by mail-qt1-f177.google.com with SMTP id w9so1434452qtv.13 for ; Thu, 17 Nov 2022 08:55:13 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=0x4Rx4XTOynb1Ks0i3xkSzPG+VwLJZRVVHQhJk+MRZc=; b=WgSHb2UOrs4koT1eJpr4wG1QwIDNMEKycfWywyZu1AqQXwYa4Bao+GXC9WdZLy3Lrw NqNNLDeuw6MU050GS6Gkpx1g0VR3abR+aBH8m2OLt6lCD6XCHEBzjI/1BcNKV1CPVDBL CKg7PJ0u3mlDLv2ZH2dNq6GBEbYnQ4K444q+3wionzYK8XzIFyLsu8TsDo90Sbxw6B3j Q5zXhRb6cH4IQRJbg32vNRzauy4Y3IQyWAaoprXp9PyEaZIASjEM2Is++/Qhx4NGdbFE 7zbZIyaqBFIG6ZcLOnBtmba55Tot320+dmaPql+lfbBUz/9H6fzDkenPTyYM2SUllw6h 8sFg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=0x4Rx4XTOynb1Ks0i3xkSzPG+VwLJZRVVHQhJk+MRZc=; b=CilagbUUSlp4jsPhKiLrLlEmbXCATXR3AFzwRYEHGS3Ig+42s0+tLa33nD19nYhaeV arot1+ern+EwfYU+ZGLE3nLC2ZPpOyy9TAjfdQfOt0IyyLl08tm/38yMOdKjKvPG9fvM o4iTKZ+5taZqVxnQQLLMdjnr+lgtnvXuQjPi2GWDPO+X3BFc0gkDWRlLGNL3WmaIfzCk I1yW5hW9AffhmVsFCTN8uCWiZDfjX+iqg7zIj3fgwqtxoiOo9HkMCCkKE/hTxVFxo0ou OoAPXFSmUBJx+9HgcALJHr3R6twM9yvRB4avmM4iBt2/Vhay3OWYcM9N01G30Ob535Ib I4pQ== X-Gm-Message-State: ANoB5plIK0T1++mJnAPoEVSROQwvb59F7Qfl3sx/HCaxV79Mfz2w9y66 B/3hpj3TzZijUowBpOZnYZK/rfUwl15zYg== X-Google-Smtp-Source: AA0mqf4mpEJmiGQ2p0KjFQbpY/GIsKBGsyDSiQYZoohaRbtPLYY/wVR2Ai9vHTY5z+Kuf/Lpmda63Q== X-Received: by 2002:a05:622a:6002:b0:3a5:8c9a:638f with SMTP id he2-20020a05622a600200b003a58c9a638fmr3046802qtb.350.1668704112730; Thu, 17 Nov 2022 08:55:12 -0800 (PST) Received: from maple.netwinder.org (rfs.netwinder.org. [206.248.184.2]) by smtp.gmail.com with ESMTPSA id c7-20020a05620a268700b006fb112f512csm785081qkp.74.2022.11.17.08.55.11 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 17 Nov 2022 08:55:12 -0800 (PST) From: Ralph Siemsen To: openembedded-core@lists.openembedded.org Cc: Ralph Siemsen Subject: [dunfell][PATCH 09/11] golang: ignore CVE-2021-41772 Date: Thu, 17 Nov 2022 11:54:54 -0500 Message-Id: <20221117165456.1029099-9-ralph.siemsen@linaro.org> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20221117165456.1029099-1-ralph.siemsen@linaro.org> References: <20221117165456.1029099-1-ralph.siemsen@linaro.org> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 17 Nov 2022 16:55:23 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/173442 Dunfell uses golang 1.14 which does not contain the affected code (it was introduced in golang 1.16). From the golang announcement [1] "Reader.Open (the API implementing io/fs.FS introduced in Go 1.16) can be made to panic by an attacker providing either a crafted ZIP archive containing completely invalid names or an empty filename argument. [1] https://groups.google.com/g/golang-announce/c/0fM21h43arc Signed-off-by: Ralph Siemsen --- meta/recipes-devtools/go/go-1.14.inc | 3 +++ 1 file changed, 3 insertions(+) diff --git a/meta/recipes-devtools/go/go-1.14.inc b/meta/recipes-devtools/go/go-1.14.inc index 9fd46356e9..ef33bf5afb 100644 --- a/meta/recipes-devtools/go/go-1.14.inc +++ b/meta/recipes-devtools/go/go-1.14.inc @@ -68,3 +68,6 @@ CVE_CHECK_WHITELIST += "CVE-2022-30634" # Issue is in golang.org/x/net/html/parse.go, not used in go compiler CVE_CHECK_WHITELIST += "CVE-2021-33194" + +# Issue introduced in go1.16, does not exist in 1.14 +CVE_CHECK_WHITELIST += "CVE-2021-41772" From patchwork Thu Nov 17 16:54:55 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ralph Siemsen X-Patchwork-Id: 15564 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 271B6C433FE for ; Thu, 17 Nov 2022 16:55:23 +0000 (UTC) Received: from mail-qk1-f182.google.com (mail-qk1-f182.google.com [209.85.222.182]) by mx.groups.io with SMTP id smtpd.web10.1044.1668704114657146927 for ; Thu, 17 Nov 2022 08:55:14 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@linaro.org header.s=google header.b=IOvGTY6L; spf=pass (domain: linaro.org, ip: 209.85.222.182, mailfrom: ralph.siemsen@linaro.org) Received: by mail-qk1-f182.google.com with SMTP id d8so1567719qki.13 for ; Thu, 17 Nov 2022 08:55:14 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=mXT+W0zbHuymxkPFSaObhvABgMTfYjMvfjJsT+ZEhts=; b=IOvGTY6L1zCorBGMWZ7jlp8ms2Jiw+ZIlUPp0p5kLNMh7/YPR5iPHC0dXJpBH+gvKw L4me4vtjaQ4OJLooKeDM83YicrnMDzyyzI+ko6UiYiTCnfYY2z10JZjS84n0u1kS0RmH BiXhrQAlzrzOCCUloLf7NRvQMBBjtgx/kZ1i6rBGlWUUpvSK/Rar+2e2PiCSdNKE4LEp 4uhVptnhcespQ+z2Y/sjvBLx0znJsQHlsEWaUdUFZJPn7yBkV0GY87gpogM7tDJW6u/L 2pFZ5W+HBagd0xATW7tKYNf6CwS/KxySB55YDO9xVyZ/8HIwY1tKVzbCCLKiQWB4orG8 NK7A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=mXT+W0zbHuymxkPFSaObhvABgMTfYjMvfjJsT+ZEhts=; b=wv8kWGIIAKIXQPJ/pIT1NOB0liTqiQ0SGZsPrpbjOFAtQvcHtrnRKqLtXg4TLVl0qQ icvb+cY9AlmMlBSKo7Cwf4k/U9v77khMcXQhBMo8xowzlyrmgbrzZ275Fnx8ZZpwcjBx VnsZa1A65zpyCn5NaqklONBucsrV7jRbPMOP6hhG2SFyocpkAJQFk9u1e5OsbsdYLeF1 zpexhu2YkMYexONBDNjgfN6S0r7RO/npZ6SbbjxKN3LsDL/eVf/jB2SetQBqr8bPiDn5 za3KZUzNOIlGgRob6ALDZx6BchOr/p9uhv8rTCnI6ApEVfqZAMOTVUWUBoTiMLlkDmDH 9NFw== X-Gm-Message-State: ANoB5pnmcIDkx1hdikpIeJaaWEJkixW1NlMvbxIQcUEnxKXgC3ECkIBe 3bj4qahMUdF4GW5XhnmNxx/GiLNKNqJiIA== X-Google-Smtp-Source: AA0mqf4aLfJYh1LzKs6vWDaZE3FndrCpSQv270djdRmGMPpCeC/UfTv16uNhEwcmbHHUjP120VfgDA== X-Received: by 2002:a37:a951:0:b0:6fb:9f9c:fb1d with SMTP id s78-20020a37a951000000b006fb9f9cfb1dmr2441698qke.499.1668704113794; Thu, 17 Nov 2022 08:55:13 -0800 (PST) Received: from maple.netwinder.org (rfs.netwinder.org. [206.248.184.2]) by smtp.gmail.com with ESMTPSA id c7-20020a05620a268700b006fb112f512csm785081qkp.74.2022.11.17.08.55.12 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 17 Nov 2022 08:55:13 -0800 (PST) From: Ralph Siemsen To: openembedded-core@lists.openembedded.org Cc: Ralph Siemsen Subject: [dunfell][PATCH 10/11] golang: ignore CVE-2022-30580 Date: Thu, 17 Nov 2022 11:54:55 -0500 Message-Id: <20221117165456.1029099-10-ralph.siemsen@linaro.org> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20221117165456.1029099-1-ralph.siemsen@linaro.org> References: <20221117165456.1029099-1-ralph.siemsen@linaro.org> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 17 Nov 2022 16:55:23 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/173443 Only affects Windows platform, as per the release announcement [1]: "If, on Windows, Cmd.Run, cmd.Start, cmd.Output, or cmd.CombinedOutput are executed when Cmd.Path is unset and, in the working directory, there are binaries named either "..com" or "..exe", they will be executed." [1] https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg/m/IWz5T6x7AAAJ Signed-off-by: Ralph Siemsen --- meta/recipes-devtools/go/go-1.14.inc | 1 + 1 file changed, 1 insertion(+) diff --git a/meta/recipes-devtools/go/go-1.14.inc b/meta/recipes-devtools/go/go-1.14.inc index ef33bf5afb..4c10104aca 100644 --- a/meta/recipes-devtools/go/go-1.14.inc +++ b/meta/recipes-devtools/go/go-1.14.inc @@ -64,6 +64,7 @@ CVE_CHECK_WHITELIST += "CVE-2022-29526" # Issue only on windows CVE_CHECK_WHITELIST += "CVE-2022-29804" +CVE_CHECK_WHITELIST += "CVE-2022-30580" CVE_CHECK_WHITELIST += "CVE-2022-30634" # Issue is in golang.org/x/net/html/parse.go, not used in go compiler From patchwork Thu Nov 17 16:54:56 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ralph Siemsen X-Patchwork-Id: 15565 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 31098C43217 for ; Thu, 17 Nov 2022 16:55:23 +0000 (UTC) Received: from mail-qv1-f43.google.com (mail-qv1-f43.google.com [209.85.219.43]) by mx.groups.io with SMTP id smtpd.web10.1045.1668704115521632287 for ; Thu, 17 Nov 2022 08:55:15 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@linaro.org header.s=google header.b=bU6KOaBy; spf=pass (domain: linaro.org, ip: 209.85.219.43, mailfrom: ralph.siemsen@linaro.org) Received: by mail-qv1-f43.google.com with SMTP id lf15so1568622qvb.9 for ; Thu, 17 Nov 2022 08:55:15 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=w0l2RdEL2n2ob3kQio41SkgZwPGvE6MCLDUlUn6daJQ=; b=bU6KOaByEvYg3OPUMFJ7jqbadsEOWy2NEU6O0bkJBHFHXC2b960iCaRFgm6m15/qJa o7Ivj7ZvwzOUeosHQHdQbzraVAq9n8y7URU4QwlXSV6q1rokRjy5/woCaWHxFANtjxaF 3X9NgFtD43pT3sFsfqyKN5nMHj7nd8baANKqh3dqrHwwjoxEcgs21UteotZPs4BruqMC P2liyz1B2ecZmlB1dQ63m4xBnRtbrbUWIyvuZ3b6dlTUqQBodW7KLYbDytZgDoINh/cm vse51QM0y6lsIcEpF9HL9MkZE35aOU8Yrl10Y/78H9am2zaKuz7mNvNctC2BxxBvRYJC UOfg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=w0l2RdEL2n2ob3kQio41SkgZwPGvE6MCLDUlUn6daJQ=; b=J8Muq13Qvrwv0QwArXMK/G3FEfapDBN0cg6ylsLAPb1Sof9BHd95stDGksUWn4vH4Q QVlpVnpbkgkrlnVPGHebAOprzmsKZW0wxHjSQIzCHvauePqk7BIXwB0yxEStiF0i+BB/ e9gdM4WEIlJuAaiA4CkhqrND8U2+PEFS99IjojkVWpdqq+K8xl3CaxBbqlNt1NgqACNo 42gOQjJZ0XAlX1uvs4uTHCAgFh/zY/F9pkzfZn3iSp0SoJYfsrhgOtiSeGC9PPTQNVEf xM/1TrkHqkmC2eoTpyDSvGNzLrvM35lY/PjmcWGSpLGe8MTWnZ5MvjcRO2idHTcoRg+J lCJA== X-Gm-Message-State: ANoB5pk8WHId8tYHgKLgmitED2avzX0571cG5i0YwmOwXoeOkvPO3DfH E9WMsw5Le3MkI/Apzw/n8x1fEl9qF14DKA== X-Google-Smtp-Source: AA0mqf6ysrtVHIQfu05+dTM3L1wx3RVCo6LmLq6I0cK3u6VQmgwid2w6XkVvR4+5qdQBK5wNB9jiuw== X-Received: by 2002:a05:6214:aab:b0:4bb:7313:3859 with SMTP id ew11-20020a0562140aab00b004bb73133859mr3167320qvb.105.1668704114672; Thu, 17 Nov 2022 08:55:14 -0800 (PST) Received: from maple.netwinder.org (rfs.netwinder.org. [206.248.184.2]) by smtp.gmail.com with ESMTPSA id c7-20020a05620a268700b006fb112f512csm785081qkp.74.2022.11.17.08.55.13 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 17 Nov 2022 08:55:14 -0800 (PST) From: Ralph Siemsen To: openembedded-core@lists.openembedded.org Cc: Ralph Siemsen Subject: [dunfell][PATCH 11/11] golang: ignore CVE-2022-30630 Date: Thu, 17 Nov 2022 11:54:56 -0500 Message-Id: <20221117165456.1029099-11-ralph.siemsen@linaro.org> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20221117165456.1029099-1-ralph.siemsen@linaro.org> References: <20221117165456.1029099-1-ralph.siemsen@linaro.org> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 17 Nov 2022 16:55:23 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/173444 The CVE is in the io/fs package, which first appeared in go1.16. Since dunfell is using go1.14, this issue does not apply. CVE was fixed in fa2d41d0ca736f3ad6b200b2a4e134364e9acc59 Original code in b64202bc29b9c1cf0118878d1c0acc9cdb2308f6 Signed-off-by: Ralph Siemsen --- meta/recipes-devtools/go/go-1.14.inc | 3 +++ 1 file changed, 3 insertions(+) diff --git a/meta/recipes-devtools/go/go-1.14.inc b/meta/recipes-devtools/go/go-1.14.inc index 4c10104aca..2cd3c9311a 100644 --- a/meta/recipes-devtools/go/go-1.14.inc +++ b/meta/recipes-devtools/go/go-1.14.inc @@ -72,3 +72,6 @@ CVE_CHECK_WHITELIST += "CVE-2021-33194" # Issue introduced in go1.16, does not exist in 1.14 CVE_CHECK_WHITELIST += "CVE-2021-41772" + +# Fixes code that was added in go1.16, does not exist in 1.14 +CVE_CHECK_WHITELIST += "CVE-2022-30630"