[kirkstone,02/29] go: fix CVE-2023-29405

Message ID	7ce6d0029effc06cff500271a124150f1a7db7b3.1687961326.git.steve@sakoman.com
State	New, archived
Headers	show Return-Path: <steve@sakoman.com> ip: 209.85.214.169, mailfrom: steve@sakoman.com) From: Steve Sakoman <steve@sakoman.com> To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 02/29] go: fix CVE-2023-29405 Date: Wed, 28 Jun 2023 04:12:27 -1000 Message-Id: <7ce6d0029effc06cff500271a124150f1a7db7b3.1687961326.git.steve@sakoman.com> In-Reply-To: <cover.1687961326.git.steve@sakoman.com> References: <cover.1687961326.git.steve@sakoman.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[kirkstone,01/29] go: fix CVE-2023-29404 \| expand [kirkstone,01/29] go: fix CVE-2023-29404 [kirkstone,02/29] go: fix CVE-2023-29405 [kirkstone,03/29] libcap: CVE-2023-2602 Memory Leak on pthread_create() Error [kirkstone,04/29] ninja: ignore CVE-2021-4336, wrong ninja [kirkstone,05/29] go: fix CVE-2023-29402 [kirkstone,06/29] babeltrace2: upgrade 2.0.4 -> 2.0.5 [kirkstone,07/29] fribidi: upgrade 1.0.12 -> 1.0.13 [kirkstone,08/29] libxpm: upgrade 3.5.15 -> 3.5.16 [kirkstone,09/29] xdpyinfo: upgrade 1.3.3 -> 1.3.4 [kirkstone,10/29] mobile-broadband-provider-info: upgrade 20221107 -> 20230416 [kirkstone,11/29] dbus: upgrade 1.14.6 -> 1.14.8 [kirkstone,12/29] linux-yocto/5.10: update to v5.10.182 [kirkstone,13/29] linux-yocto/5.10: update to v5.10.183 [kirkstone,14/29] linux-yocto/5.10: update to v5.10.184 [kirkstone,15/29] linux-yocto/5.10: update to v5.10.185 [kirkstone,16/29] linux-yocto/5.10: cfg: fix DECNET configuration warning [kirkstone,17/29] psmisc: Set ALTERNATIVE for pstree to resolve conflict with busybox [kirkstone,18/29] minicom: remove unused patch files [kirkstone,19/29] kmod: remove unused ptest.patch [kirkstone,20/29] pm-utils: fix multilib conflictions [kirkstone,21/29] maintaines.inc: unassign Richard Weinberger from erofs-utils entry [kirkstone,22/29] maintainers.inc: unassign Andreas Müller from itstool entry [kirkstone,23/29] maintainers.inc: unassign Pascal Bach from cmake entry [kirkstone,24/29] maintainers.inc: correct unassigned entries [kirkstone,25/29] connman: fix warning by specifying runstatedir at configure time [kirkstone,26/29] selftest/license: Exclude from world [kirkstone,27/29] maintainers.inc: correct Carlos Rafael Giani's email address [kirkstone,28/29] layer.conf: Add missing dependency exclusion [kirkstone,29/29] blktrace: ask for python3 specifically

Message ID

7ce6d0029effc06cff500271a124150f1a7db7b3.1687961326.git.steve@sakoman.com

State

New, archived

Headers

From: Steve Sakoman <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 02/29] go: fix CVE-2023-29405
Date: Wed, 28 Jun 2023 04:12:27 -1000
Message-Id: 
 <7ce6d0029effc06cff500271a124150f1a7db7b3.1687961326.git.steve@sakoman.com>
In-Reply-To: <cover.1687961326.git.steve@sakoman.com>
References: <cover.1687961326.git.steve@sakoman.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

[kirkstone,01/29] go: fix CVE-2023-29404 | expand

Commit Message

Steve Sakoman June 28, 2023, 2:12 p.m. UTC

From: Archana Polampalli <archana.polampalli@windriver.com>

The go command may execute arbitrary code at build time when using cgo.
This may occur when running "go get" on a malicious module, or when running
any other command which builds untrusted code. This is can by triggered by
linker flags, specified via a "#cgo LDFLAGS" directive. Flags containing
embedded spaces are mishandled, allowing disallowed flags to be smuggled
through the LDFLAGS sanitization by including them in the argument of
another flag. This only affects usage of the gccgo compiler.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-29405

Upstream patches:
https://github.com/golang/go/commit/6d8af00a630aa51134e54f0f321658621c6410f0

Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-devtools/go/go-1.17.13.inc       |   1 +
 .../go/go-1.19/CVE-2023-29405.patch           | 109 ++++++++++++++++++
 2 files changed, 110 insertions(+)
 create mode 100644 meta/recipes-devtools/go/go-1.19/CVE-2023-29405.patch

diff --git a/meta/recipes-devtools/go/go-1.17.13.inc b/meta/recipes-devtools/go/go-1.17.13.inc
index 2c1febfe9c..9af9eb2752 100644
--- a/meta/recipes-devtools/go/go-1.17.13.inc
+++ b/meta/recipes-devtools/go/go-1.17.13.inc
@@ -33,6 +33,7 @@  SRC_URI += "\
     file://CVE-2023-24540.patch \
     file://CVE-2023-24539.patch \
     file://CVE-2023-29404.patch \
+    file://CVE-2023-29405.patch \
 "
 SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd"
 
diff --git a/meta/recipes-devtools/go/go-1.19/CVE-2023-29405.patch b/meta/recipes-devtools/go/go-1.19/CVE-2023-29405.patch
new file mode 100644
index 0000000000..d806e1e67d
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.19/CVE-2023-29405.patch
@@ -0,0 +1,109 @@ 
+From 6d8af00a630aa51134e54f0f321658621c6410f0 Mon Sep 17 00:00:00 2001
+From: Ian Lance Taylor <iant@golang.org>
+Date: Thu, 4 May 2023 14:06:39 -0700
+Subject: [PATCH] cmd/go,cmd/cgo: in _cgo_flags use one line per flag
+
+The flags that we recorded in _cgo_flags did not use any quoting,
+so a flag containing embedded spaces was mishandled.
+Change the _cgo_flags format to put each flag on a separate line.
+That is a simple format that does not require any quoting.
+
+As far as I can tell only cmd/go uses _cgo_flags, and it is only
+used for gccgo. If this patch doesn't cause any trouble, then
+in the next release we can change to only using _cgo_flags for gccgo.
+
+Thanks to Juho Nurminen of Mattermost for reporting this issue.
+
+Fixes #60306
+Fixes CVE-2023-29405
+
+Change-Id: I81fb5337db8a22e1f4daca22ceff4b79b96d0b4f
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1875094
+Reviewed-by: Damien Neil <dneil@google.com>
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/501224
+Reviewed-by: Ian Lance Taylor <iant@google.com>
+Run-TryBot: David Chase <drchase@google.com>
+Reviewed-by: Michael Knyszek <mknyszek@google.com>
+Reviewed-by: Roland Shoemaker <roland@golang.org>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/6d8af00a630aa51134e54f0f321658621c6410f0]
+CVE: CVE-2023-29405
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ src/cmd/cgo/out.go                            |  4 +++-
+ src/cmd/go/internal/work/gccgo.go             | 14 ++++++-------
+ .../go/testdata/script/gccgo_link_ldflags.txt | 20 +++++++++++++++++++
+ 3 files changed, 29 insertions(+), 9 deletions(-)
+ create mode 100644 src/cmd/go/testdata/script/gccgo_link_ldflags.txt
+
+diff --git a/src/cmd/cgo/out.go b/src/cmd/cgo/out.go
+index 94152f4..62e6528 100644
+--- a/src/cmd/cgo/out.go
++++ b/src/cmd/cgo/out.go
+@@ -47,7 +47,9 @@ func (p *Package) writeDefs() {
+
+	fflg := creat(*objDir + "_cgo_flags")
+	for k, v := range p.CgoFlags {
+-		fmt.Fprintf(fflg, "_CGO_%s=%s\n", k, strings.Join(v, " "))
++		for _, arg := range v {
++			fmt.Fprintf(fflg, "_CGO_%s=%s\n", k, arg)
++		}
+		if k == "LDFLAGS" && !*gccgo {
+			for _, arg := range v {
+				fmt.Fprintf(fgo2, "//go:cgo_ldflag %q\n", arg)
+diff --git a/src/cmd/go/internal/work/gccgo.go b/src/cmd/go/internal/work/gccgo.go
+index 1499536..bb4be2f 100644
+--- a/src/cmd/go/internal/work/gccgo.go
++++ b/src/cmd/go/internal/work/gccgo.go
+@@ -283,14 +283,12 @@ func (tools gccgoToolchain) link(b *Builder, root *Action, out, importcfg string
+		const ldflagsPrefix = "_CGO_LDFLAGS="
+		for _, line := range strings.Split(string(flags), "\n") {
+			if strings.HasPrefix(line, ldflagsPrefix) {
+-				newFlags := strings.Fields(line[len(ldflagsPrefix):])
+-				for _, flag := range newFlags {
+-					// Every _cgo_flags file has -g and -O2 in _CGO_LDFLAGS
+-					// but they don't mean anything to the linker so filter
+-					// them out.
+-					if flag != "-g" && !strings.HasPrefix(flag, "-O") {
+-						cgoldflags = append(cgoldflags, flag)
+-					}
++				flag := line[len(ldflagsPrefix):]
++				// Every _cgo_flags file has -g and -O2 in _CGO_LDFLAGS
++				// but they don't mean anything to the linker so filter
++				// them out.
++				if flag != "-g" && !strings.HasPrefix(flag, "-O") {
++					cgoldflags = append(cgoldflags, flag)
+				}
+			}
+		}
+diff --git a/src/cmd/go/testdata/script/gccgo_link_ldflags.txt b/src/cmd/go/testdata/script/gccgo_link_ldflags.txt
+new file mode 100644
+index 0000000..4e91ae5
+--- /dev/null
++++ b/src/cmd/go/testdata/script/gccgo_link_ldflags.txt
+@@ -0,0 +1,20 @@
++# Test that #cgo LDFLAGS are properly quoted.
++# The #cgo LDFLAGS below should pass a string with spaces to -L,
++# as though searching a directory with a space in its name.
++# It should not pass --nosuchoption to the external linker.
++
++[!cgo] skip
++
++go build
++
++[!exec:gccgo] skip
++
++go build -compiler gccgo
++
++-- go.mod --
++module m
++-- cgo.go --
++package main
++// #cgo LDFLAGS: -L "./ -Wl,--nosuchoption"
++import "C"
++func main() {}
+--
+2.40.0

[kirkstone,02/29] go: fix CVE-2023-29405

Commit Message

Patch