go: Fix for CVE-2023-45288

Upstream-Status: Backport from https://github.com/golang/go/commit/e55d7cf8435ba4e58d4a5694e63b391821d4ee9b (From OE-Core rev: 9ad10bf355665ff799cefd40fb0d1938b0104b08) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Vijay Anusuri <vanusuri@mvista.com> 2024-04-18 09:52:01 +0530
committer: Steve Sakoman <steve@sakoman.com> 2024-05-02 06:21:09 -0700
commit: 966777e0a45b7391a73103a7b554678bea5eac3b (patch)
tree: 3e6584f35b39d455af874b10da83c5262a602a40
parent: 43b8c2ab9f4a19ce36a03050dabea44616f7e4fc (diff)
download: poky-966777e0a45b7391a73103a7b554678bea5eac3b.tar.gz
2 files changed, 96 insertions, 0 deletions
diff --git a/meta/recipes-devtools/go/go-1.17.13.inc b/meta/recipes-devtools/go/go-1.17.13.inc
index 768961de2c..95fb572362 100644
--- a/meta/recipes-devtools/go/go-1.17.13.inc
+++ b/meta/recipes-devtools/go/go-1.17.13.inc
@@ -55,6 +55,7 @@ SRC_URI += "\
    file://CVE-2023-45290.patch \
    file://CVE-2024-24784.patch \
    file://CVE-2024-24785.patch \
+    file://CVE-2023-45288.patch \
 "
 SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd"
diff --git a/meta/recipes-devtools/go/go-1.18/CVE-2023-45288.patch b/meta/recipes-devtools/go/go-1.18/CVE-2023-45288.patch
new file mode 100644
index 0000000000..741e7be89a
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.18/CVE-2023-45288.patch
@@ -0,0 +1,95 @@
+From e55d7cf8435ba4e58d4a5694e63b391821d4ee9b Mon Sep 17 00:00:00 2001
+From: Damien Neil <dneil@google.com>
+Date: Thu, 28 Mar 2024 16:57:51 -0700
+Subject: [PATCH] [release-branch.go1.22] net/http: update bundled
+ golang.org/x/net/http2
+Disable cmd/internal/moddeps test, since this update includes PRIVATE
+track fixes.
+Fixes CVE-2023-45288
+For #65051
+Fixes #66298
+Change-Id: I5bbf774ebe7651e4bb7e55139d3794bd2b8e8fa8
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2197227
+Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
+Run-TryBot: Damien Neil <dneil@google.com>
+Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/576076
+Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
+TryBot-Bypass: Dmitri Shuralyov <dmitshur@google.com>
+Reviewed-by: Than McIntosh <thanm@google.com>
+Upstream-Status: Backport [https://github.com/golang/go/commit/e55d7cf8435ba4e58d4a5694e63b391821d4ee9b]
+CVE: CVE-2023-45288
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/cmd/internal/moddeps/moddeps_test.go |  1 +
+ src/net/http/h2_bundle.go                | 31 ++++++++++++++++++++++++
+ 2 files changed, 32 insertions(+)
+diff --git a/src/cmd/internal/moddeps/moddeps_test.go b/src/cmd/internal/moddeps/moddeps_test.go
+index d48d43f..250bde4 100644
+--- a/src/cmd/internal/moddeps/moddeps_test.go
+++ b/src/cmd/internal/moddeps/moddeps_test.go
+@@ -34,6 +34,7 @@ import (
+ // See issues 36852, 41409, and 43687.
+ // (Also see golang.org/issue/27348.)
+ func TestAllDependencies(t *testing.T) {
+       t.Skip("TODO(#65051): 1.22.2 contains unreleased changes from vendored modules")
+        t.Skip("TODO(#57009): 1.19.4 contains unreleased changes from vendored modules")
+        t.Skip("TODO(#53977): 1.18.5 contains unreleased changes from vendored modules")
+ 
+diff --git a/src/net/http/h2_bundle.go b/src/net/http/h2_bundle.go
+index 9d6abd8..10ff193 100644
+--- a/src/net/http/h2_bundle.go
+++ b/src/net/http/h2_bundle.go
+@@ -2842,6 +2842,7 @@ func (fr *http2Framer) readMetaFrame(hf *http2HeadersFrame) (*http2MetaHeadersFr
+                if size > remainSize {
+                        hdec.SetEmitEnabled(false)
+                        mh.Truncated = true
+                       remainSize = 0
+                        return
+                }
+                remainSize -= size
+@@ -2854,6 +2855,36 @@ func (fr *http2Framer) readMetaFrame(hf *http2HeadersFrame) (*http2MetaHeadersFr
+        var hc http2headersOrContinuation = hf
+        for {
+                frag := hc.HeaderBlockFragment()
+
+               // Avoid parsing large amounts of headers that we will then discard.
+               // If the sender exceeds the max header list size by too much,
+               // skip parsing the fragment and close the connection.
+               //
+               // "Too much" is either any CONTINUATION frame after we've already
+               // exceeded the max header list size (in which case remainSize is 0),
+               // or a frame whose encoded size is more than twice the remaining
+               // header list bytes we're willing to accept.
+               if int64(len(frag)) > int64(2*remainSize) {
+                       if http2VerboseLogs {
+                               log.Printf("http2: header list too large")
+                       }
+                       // It would be nice to send a RST_STREAM before sending the GOAWAY,
+                       // but the struture of the server's frame writer makes this difficult.
+                       return nil, http2ConnectionError(http2ErrCodeProtocol)
+               }
+
+               // Also close the connection after any CONTINUATION frame following an
+               // invalid header, since we stop tracking the size of the headers after
+               // an invalid one.
+               if invalid != nil {
+                       if http2VerboseLogs {
+                               log.Printf("http2: invalid header: %v", invalid)
+                       }
+                       // It would be nice to send a RST_STREAM before sending the GOAWAY,
+                       // but the struture of the server's frame writer makes this difficult.
+                       return nil, http2ConnectionError(http2ErrCodeProtocol)
+               }
+
+                if _, err := hdec.Write(frag); err != nil {
+                        return nil, http2ConnectionError(http2ErrCodeCompression)
+                }
+-- 
+2.25.1
author	Vijay Anusuri <vanusuri@mvista.com>	2024-04-18 09:52:01 +0530
committer	Steve Sakoman <steve@sakoman.com>	2024-05-02 06:21:09 -0700
commit	966777e0a45b7391a73103a7b554678bea5eac3b (patch)
tree	3e6584f35b39d455af874b10da83c5262a602a40
parent	43b8c2ab9f4a19ce36a03050dabea44616f7e4fc (diff)
download	poky-966777e0a45b7391a73103a7b554678bea5eac3b.tar.gz

diff --git a/meta/recipes-devtools/go/go-1.17.13.inc b/meta/recipes-devtools/go/go-1.17.13.inc index 768961de2c..95fb572362 100644 --- a/meta/recipes-devtools/go/go-1.17.13.inc +++ b/meta/recipes-devtools/go/go-1.17.13.inc
@@ -55,6 +55,7 @@ SRC_URI += "\
55	file://CVE-2023-45290.patch \	55	file://CVE-2023-45290.patch \
56	file://CVE-2024-24784.patch \	56	file://CVE-2024-24784.patch \
57	file://CVE-2024-24785.patch \	57	file://CVE-2024-24785.patch \
		58	file://CVE-2023-45288.patch \
58	"	59	"
59	SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd"	60	SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd"
60		61


diff --git a/meta/recipes-devtools/go/go-1.18/CVE-2023-45288.patch b/meta/recipes-devtools/go/go-1.18/CVE-2023-45288.patch new file mode 100644 index 0000000000..741e7be89a --- /dev/null +++ b/meta/recipes-devtools/go/go-1.18/CVE-2023-45288.patch
@@ -0,0 +1,95 @@
		1	From e55d7cf8435ba4e58d4a5694e63b391821d4ee9b Mon Sep 17 00:00:00 2001
		2	From: Damien Neil <dneil@google.com>
		3	Date: Thu, 28 Mar 2024 16:57:51 -0700
		4	Subject: [PATCH] [release-branch.go1.22] net/http: update bundled
		5	golang.org/x/net/http2
		6
		7	Disable cmd/internal/moddeps test, since this update includes PRIVATE
		8	track fixes.
		9
		10	Fixes CVE-2023-45288
		11	For #65051
		12	Fixes #66298
		13
		14	Change-Id: I5bbf774ebe7651e4bb7e55139d3794bd2b8e8fa8
		15	Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2197227
		16	Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
		17	Run-TryBot: Damien Neil <dneil@google.com>
		18	Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
		19	Reviewed-on: https://go-review.googlesource.com/c/go/+/576076
		20	Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
		21	TryBot-Bypass: Dmitri Shuralyov <dmitshur@google.com>
		22	Reviewed-by: Than McIntosh <thanm@google.com>
		23
		24	Upstream-Status: Backport [https://github.com/golang/go/commit/e55d7cf8435ba4e58d4a5694e63b391821d4ee9b]
		25	CVE: CVE-2023-45288
		26	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		27	---
		28	src/cmd/internal/moddeps/moddeps_test.go \| 1 +
		29	src/net/http/h2_bundle.go \| 31 ++++++++++++++++++++++++
		30	2 files changed, 32 insertions(+)
		31
		32	diff --git a/src/cmd/internal/moddeps/moddeps_test.go b/src/cmd/internal/moddeps/moddeps_test.go
		33	index d48d43f..250bde4 100644
		34	--- a/src/cmd/internal/moddeps/moddeps_test.go
		35	+++ b/src/cmd/internal/moddeps/moddeps_test.go
		36	@@ -34,6 +34,7 @@ import (
		37	// See issues 36852, 41409, and 43687.
		38	// (Also see golang.org/issue/27348.)
		39	func TestAllDependencies(t *testing.T) {
		40	+ t.Skip("TODO(#65051): 1.22.2 contains unreleased changes from vendored modules")
		41	t.Skip("TODO(#57009): 1.19.4 contains unreleased changes from vendored modules")
		42	t.Skip("TODO(#53977): 1.18.5 contains unreleased changes from vendored modules")
		43
		44	diff --git a/src/net/http/h2_bundle.go b/src/net/http/h2_bundle.go
		45	index 9d6abd8..10ff193 100644
		46	--- a/src/net/http/h2_bundle.go
		47	+++ b/src/net/http/h2_bundle.go
		48	@@ -2842,6 +2842,7 @@ func (fr http2Framer) readMetaFrame(hf http2HeadersFrame) (*http2MetaHeadersFr
		49	if size > remainSize {
		50	hdec.SetEmitEnabled(false)
		51	mh.Truncated = true
		52	+ remainSize = 0
		53	return
		54	}
		55	remainSize -= size
		56	@@ -2854,6 +2855,36 @@ func (fr http2Framer) readMetaFrame(hf http2HeadersFrame) (*http2MetaHeadersFr
		57	var hc http2headersOrContinuation = hf
		58	for {
		59	frag := hc.HeaderBlockFragment()
		60	+
		61	+ // Avoid parsing large amounts of headers that we will then discard.
		62	+ // If the sender exceeds the max header list size by too much,
		63	+ // skip parsing the fragment and close the connection.
		64	+ //
		65	+ // "Too much" is either any CONTINUATION frame after we've already
		66	+ // exceeded the max header list size (in which case remainSize is 0),
		67	+ // or a frame whose encoded size is more than twice the remaining
		68	+ // header list bytes we're willing to accept.
		69	+ if int64(len(frag)) > int64(2*remainSize) {
		70	+ if http2VerboseLogs {
		71	+ log.Printf("http2: header list too large")
		72	+ }
		73	+ // It would be nice to send a RST_STREAM before sending the GOAWAY,
		74	+ // but the struture of the server's frame writer makes this difficult.
		75	+ return nil, http2ConnectionError(http2ErrCodeProtocol)
		76	+ }
		77	+
		78	+ // Also close the connection after any CONTINUATION frame following an
		79	+ // invalid header, since we stop tracking the size of the headers after
		80	+ // an invalid one.
		81	+ if invalid != nil {
		82	+ if http2VerboseLogs {
		83	+ log.Printf("http2: invalid header: %v", invalid)
		84	+ }
		85	+ // It would be nice to send a RST_STREAM before sending the GOAWAY,
		86	+ // but the struture of the server's frame writer makes this difficult.
		87	+ return nil, http2ConnectionError(http2ErrCodeProtocol)
		88	+ }
		89	+
		90	if _, err := hdec.Write(frag); err != nil {
		91	return nil, http2ConnectionError(http2ErrCodeCompression)
		92	}
		93	--
		94	2.25.1
		95