go-runtime: Security fix for CVE-2022-41722

path/filepath: do not Clean("a/../c:/b") into c:\b on Windows Backport from https://github.com/golang/go/commit/bdf07c2e168baf736e4c057279ca12a4d674f18c (From OE-Core rev: 70135bf04eb7173434a7240ddf11639d13aab003) Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Shubham Kulkarni <skulkarni@mvista.com> 2023-04-19 18:02:49 +0530
committer: Steve Sakoman <steve@sakoman.com> 2023-04-26 04:19:06 -1000
commit: 20c932eb013ebf83ef435a29edd8d10f577aaf4b (patch)
tree: 8612d68384c109144075df32898c0640a65ab57c /meta/recipes-devtools/go
parent: e0d5b78c925e416b823fe1ee8a216cefbafa4415 (diff)
download: poky-20c932eb013ebf83ef435a29edd8d10f577aaf4b.tar.gz
3 files changed, 159 insertions, 0 deletions
diff --git a/meta/recipes-devtools/go/go-1.14.inc b/meta/recipes-devtools/go/go-1.14.inc
index f2a5fc3f7c..74017f4d90 100644
--- a/meta/recipes-devtools/go/go-1.14.inc
+++ b/meta/recipes-devtools/go/go-1.14.inc
@@ -53,6 +53,8 @@ SRC_URI += "\
    file://CVE-2022-41717.patch \
    file://CVE-2022-1962.patch \
    file://CVE-2022-41723.patch \
+    file://CVE-2022-41722-1.patch \
+    file://CVE-2022-41722-2.patch \
 "
 SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-41722-1.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-41722-1.patch
new file mode 100644
index 0000000000..f5bffd7a0b
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-41722-1.patch
@@ -0,0 +1,53 @@
+From 94e0c36694fb044e81381d112fef3692de7cdf52 Mon Sep 17 00:00:00 2001
+From: Yasuhiro Matsumoto <mattn.jp@gmail.com>
+Date: Fri, 22 Apr 2022 10:07:51 +0900
+Subject: [PATCH 1/2] path/filepath: do not remove prefix "." when following
+ path contains ":".
+Fixes #52476
+Change-Id: I9eb72ac7dbccd6322d060291f31831dc389eb9bb
+Reviewed-on: https://go-review.googlesource.com/c/go/+/401595
+Auto-Submit: Ian Lance Taylor <iant@google.com>
+Reviewed-by: Alex Brainman <alex.brainman@gmail.com>
+Run-TryBot: Ian Lance Taylor <iant@google.com>
+Reviewed-by: Ian Lance Taylor <iant@google.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Upstream-Status: Backport from https://github.com/golang/go/commit/9cd1818a7d019c02fa4898b3e45a323e35033290
+CVE: CVE-2022-41722
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ src/path/filepath/path.go | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+diff --git a/src/path/filepath/path.go b/src/path/filepath/path.go
+index 26f1833..92dc090 100644
+--- a/src/path/filepath/path.go
+++ b/src/path/filepath/path.go
+@@ -116,9 +116,21 @@ func Clean(path string) string {
+                case os.IsPathSeparator(path[r]):
+                        // empty path element
+                        r++
+-               case path[r] == '.' && (r+1 == n || os.IsPathSeparator(path[r+1])):
+               case path[r] == '.' && r+1 == n:
+                        // . element
+                        r++
+               case path[r] == '.' && os.IsPathSeparator(path[r+1]):
+                       // ./ element
+                       r++
+
+                       for r < len(path) && os.IsPathSeparator(path[r]) {
+                               r++
+                       }
+                       if out.w == 0 && volumeNameLen(path[r:]) > 0 {
+                               // When joining prefix "." and an absolute path on Windows,
+                               // the prefix should not be removed.
+                               out.append('.')
+                       }
+                case path[r] == '.' && path[r+1] == '.' && (r+2 == n || os.IsPathSeparator(path[r+2])):
+                        // .. element: remove to last separator
+                        r += 2
+--
+2.7.4
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-41722-2.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-41722-2.patch
new file mode 100644
index 0000000000..e1f7a55581
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-41722-2.patch
@@ -0,0 +1,104 @@
+From b8803cb711ae163b8e67897deb6cf8c49702227c Mon Sep 17 00:00:00 2001
+From: Damien Neil <dneil@google.com>
+Date: Mon, 12 Dec 2022 16:43:37 -0800
+Subject: [PATCH 2/2] path/filepath: do not Clean("a/../c:/b") into c:\b on
+ Windows
+Do not permit Clean to convert a relative path into one starting
+with a drive reference. This change causes Clean to insert a .
+path element at the start of a path when the original path does not
+start with a volume name, and the first path element would contain
+a colon.
+This may introduce a spurious but harmless . path element under
+some circumstances. For example, Clean("a/../b:/../c") becomes `.\c`.
+This reverts CL 401595, since the change here supersedes the one
+in that CL.
+Thanks to RyotaK (https://twitter.com/ryotkak) for reporting this issue.
+Updates #57274
+Fixes #57276
+Fixes CVE-2022-41722
+Change-Id: I837446285a03aa74c79d7642720e01f354c2ca17
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1675249
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+Run-TryBot: Damien Neil <dneil@google.com>
+Reviewed-by: Julie Qiu <julieqiu@google.com>
+TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
+(cherry picked from commit 8ca37f4813ef2f64600c92b83f17c9f3ca6c03a5)
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1728944
+Run-TryBot: Roland Shoemaker <bracewell@google.com>
+Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/468119
+Reviewed-by: Than McIntosh <thanm@google.com>
+Run-TryBot: Michael Pratt <mpratt@google.com>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Auto-Submit: Michael Pratt <mpratt@google.com>
+Upstream-Status: Backport from https://github.com/golang/go/commit/bdf07c2e168baf736e4c057279ca12a4d674f18c
+CVE: CVE-2022-41722
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ src/path/filepath/path.go | 27 ++++++++++++++-------------
+ 1 file changed, 14 insertions(+), 13 deletions(-)
+diff --git a/src/path/filepath/path.go b/src/path/filepath/path.go
+index 92dc090..f0f095e 100644
+--- a/src/path/filepath/path.go
+++ b/src/path/filepath/path.go
+@@ -14,6 +14,7 @@ package filepath
+ import (
+        "errors"
+        "os"
+       "runtime"
+        "sort"
+        "strings"
+ )
+@@ -116,21 +117,9 @@ func Clean(path string) string {
+                case os.IsPathSeparator(path[r]):
+                        // empty path element
+                        r++
+-               case path[r] == '.' && r+1 == n:
+               case path[r] == '.' && (r+1 == n || os.IsPathSeparator(path[r+1])):
+                        // . element
+                        r++
+-               case path[r] == '.' && os.IsPathSeparator(path[r+1]):
+-                       // ./ element
+-                       r++
+-
+-                       for r < len(path) && os.IsPathSeparator(path[r]) {
+-                               r++
+-                       }
+-                       if out.w == 0 && volumeNameLen(path[r:]) > 0 {
+-                               // When joining prefix "." and an absolute path on Windows,
+-                               // the prefix should not be removed.
+-                               out.append('.')
+-                       }
+                case path[r] == '.' && path[r+1] == '.' && (r+2 == n || os.IsPathSeparator(path[r+2])):
+                        // .. element: remove to last separator
+                        r += 2
+@@ -156,6 +145,18 @@ func Clean(path string) string {
+                        if rooted && out.w != 1 || !rooted && out.w != 0 {
+                                out.append(Separator)
+                        }
+                       // If a ':' appears in the path element at the start of a Windows path,
+                       // insert a .\ at the beginning to avoid converting relative paths
+                       // like a/../c: into c:.
+                       if runtime.GOOS == "windows" && out.w == 0 && out.volLen == 0 && r != 0 {
+                               for i := r; i < n && !os.IsPathSeparator(path[i]); i++ {
+                                       if path[i] == ':' {
+                                               out.append('.')
+                                               out.append(Separator)
+                                               break
+                                       }
+                               }
+                       }
+                        // copy element
+                        for ; r < n && !os.IsPathSeparator(path[r]); r++ {
+                                out.append(path[r])
+--
+2.7.4
author	Shubham Kulkarni <skulkarni@mvista.com>	2023-04-19 18:02:49 +0530
committer	Steve Sakoman <steve@sakoman.com>	2023-04-26 04:19:06 -1000
commit	20c932eb013ebf83ef435a29edd8d10f577aaf4b (patch)
tree	8612d68384c109144075df32898c0640a65ab57c /meta/recipes-devtools/go
parent	e0d5b78c925e416b823fe1ee8a216cefbafa4415 (diff)
download	poky-20c932eb013ebf83ef435a29edd8d10f577aaf4b.tar.gz

diff --git a/meta/recipes-devtools/go/go-1.14.inc b/meta/recipes-devtools/go/go-1.14.inc index f2a5fc3f7c..74017f4d90 100644 --- a/meta/recipes-devtools/go/go-1.14.inc +++ b/meta/recipes-devtools/go/go-1.14.inc
@@ -53,6 +53,8 @@ SRC_URI += "\
53	file://CVE-2022-41717.patch \	53	file://CVE-2022-41717.patch \
54	file://CVE-2022-1962.patch \	54	file://CVE-2022-1962.patch \
55	file://CVE-2022-41723.patch \	55	file://CVE-2022-41723.patch \
		56	file://CVE-2022-41722-1.patch \
		57	file://CVE-2022-41722-2.patch \
56	"	58	"
57		59
58	SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"	60	SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"


diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-41722-1.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-41722-1.patch new file mode 100644 index 0000000000..f5bffd7a0b --- /dev/null +++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-41722-1.patch
@@ -0,0 +1,53 @@
		1	From 94e0c36694fb044e81381d112fef3692de7cdf52 Mon Sep 17 00:00:00 2001
		2	From: Yasuhiro Matsumoto <mattn.jp@gmail.com>
		3	Date: Fri, 22 Apr 2022 10:07:51 +0900
		4	Subject: [PATCH 1/2] path/filepath: do not remove prefix "." when following
		5	path contains ":".
		6
		7	Fixes #52476
		8
		9	Change-Id: I9eb72ac7dbccd6322d060291f31831dc389eb9bb
		10	Reviewed-on: https://go-review.googlesource.com/c/go/+/401595
		11	Auto-Submit: Ian Lance Taylor <iant@google.com>
		12	Reviewed-by: Alex Brainman <alex.brainman@gmail.com>
		13	Run-TryBot: Ian Lance Taylor <iant@google.com>
		14	Reviewed-by: Ian Lance Taylor <iant@google.com>
		15	Reviewed-by: Damien Neil <dneil@google.com>
		16	TryBot-Result: Gopher Robot <gobot@golang.org>
		17
		18	Upstream-Status: Backport from https://github.com/golang/go/commit/9cd1818a7d019c02fa4898b3e45a323e35033290
		19	CVE: CVE-2022-41722
		20	Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
		21	---
		22	src/path/filepath/path.go \| 14 +++++++++++++-
		23	1 file changed, 13 insertions(+), 1 deletion(-)
		24
		25	diff --git a/src/path/filepath/path.go b/src/path/filepath/path.go
		26	index 26f1833..92dc090 100644
		27	--- a/src/path/filepath/path.go
		28	+++ b/src/path/filepath/path.go
		29	@@ -116,9 +116,21 @@ func Clean(path string) string {
		30	case os.IsPathSeparator(path[r]):
		31	// empty path element
		32	r++
		33	- case path[r] == '.' && (r+1 == n \|\| os.IsPathSeparator(path[r+1])):
		34	+ case path[r] == '.' && r+1 == n:
		35	// . element
		36	r++
		37	+ case path[r] == '.' && os.IsPathSeparator(path[r+1]):
		38	+ // ./ element
		39	+ r++
		40	+
		41	+ for r < len(path) && os.IsPathSeparator(path[r]) {
		42	+ r++
		43	+ }
		44	+ if out.w == 0 && volumeNameLen(path[r:]) > 0 {
		45	+ // When joining prefix "." and an absolute path on Windows,
		46	+ // the prefix should not be removed.
		47	+ out.append('.')
		48	+ }
		49	case path[r] == '.' && path[r+1] == '.' && (r+2 == n \|\| os.IsPathSeparator(path[r+2])):
		50	// .. element: remove to last separator
		51	r += 2
		52	--
		53	2.7.4


diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-41722-2.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-41722-2.patch new file mode 100644 index 0000000000..e1f7a55581 --- /dev/null +++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-41722-2.patch
@@ -0,0 +1,104 @@
		1	From b8803cb711ae163b8e67897deb6cf8c49702227c Mon Sep 17 00:00:00 2001
		2	From: Damien Neil <dneil@google.com>
		3	Date: Mon, 12 Dec 2022 16:43:37 -0800
		4	Subject: [PATCH 2/2] path/filepath: do not Clean("a/../c:/b") into c:\b on
		5	Windows
		6
		7	Do not permit Clean to convert a relative path into one starting
		8	with a drive reference. This change causes Clean to insert a .
		9	path element at the start of a path when the original path does not
		10	start with a volume name, and the first path element would contain
		11	a colon.
		12
		13	This may introduce a spurious but harmless . path element under
		14	some circumstances. For example, Clean("a/../b:/../c") becomes `.\c`.
		15
		16	This reverts CL 401595, since the change here supersedes the one
		17	in that CL.
		18
		19	Thanks to RyotaK (https://twitter.com/ryotkak) for reporting this issue.
		20
		21	Updates #57274
		22	Fixes #57276
		23	Fixes CVE-2022-41722
		24
		25	Change-Id: I837446285a03aa74c79d7642720e01f354c2ca17
		26	Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1675249
		27	Reviewed-by: Roland Shoemaker <bracewell@google.com>
		28	Run-TryBot: Damien Neil <dneil@google.com>
		29	Reviewed-by: Julie Qiu <julieqiu@google.com>
		30	TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
		31	(cherry picked from commit 8ca37f4813ef2f64600c92b83f17c9f3ca6c03a5)
		32	Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1728944
		33	Run-TryBot: Roland Shoemaker <bracewell@google.com>
		34	Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
		35	Reviewed-by: Damien Neil <dneil@google.com>
		36	Reviewed-on: https://go-review.googlesource.com/c/go/+/468119
		37	Reviewed-by: Than McIntosh <thanm@google.com>
		38	Run-TryBot: Michael Pratt <mpratt@google.com>
		39	TryBot-Result: Gopher Robot <gobot@golang.org>
		40	Auto-Submit: Michael Pratt <mpratt@google.com>
		41
		42	Upstream-Status: Backport from https://github.com/golang/go/commit/bdf07c2e168baf736e4c057279ca12a4d674f18c
		43	CVE: CVE-2022-41722
		44	Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
		45	---
		46	src/path/filepath/path.go \| 27 ++++++++++++++-------------
		47	1 file changed, 14 insertions(+), 13 deletions(-)
		48
		49	diff --git a/src/path/filepath/path.go b/src/path/filepath/path.go
		50	index 92dc090..f0f095e 100644
		51	--- a/src/path/filepath/path.go
		52	+++ b/src/path/filepath/path.go
		53	@@ -14,6 +14,7 @@ package filepath
		54	import (
		55	"errors"
		56	"os"
		57	+ "runtime"
		58	"sort"
		59	"strings"
		60	)
		61	@@ -116,21 +117,9 @@ func Clean(path string) string {
		62	case os.IsPathSeparator(path[r]):
		63	// empty path element
		64	r++
		65	- case path[r] == '.' && r+1 == n:
		66	+ case path[r] == '.' && (r+1 == n \|\| os.IsPathSeparator(path[r+1])):
		67	// . element
		68	r++
		69	- case path[r] == '.' && os.IsPathSeparator(path[r+1]):
		70	- // ./ element
		71	- r++
		72	-
		73	- for r < len(path) && os.IsPathSeparator(path[r]) {
		74	- r++
		75	- }
		76	- if out.w == 0 && volumeNameLen(path[r:]) > 0 {
		77	- // When joining prefix "." and an absolute path on Windows,
		78	- // the prefix should not be removed.
		79	- out.append('.')
		80	- }
		81	case path[r] == '.' && path[r+1] == '.' && (r+2 == n \|\| os.IsPathSeparator(path[r+2])):
		82	// .. element: remove to last separator
		83	r += 2
		84	@@ -156,6 +145,18 @@ func Clean(path string) string {
		85	if rooted && out.w != 1 \|\| !rooted && out.w != 0 {
		86	out.append(Separator)
		87	}
		88	+ // If a ':' appears in the path element at the start of a Windows path,
		89	+ // insert a .\ at the beginning to avoid converting relative paths
		90	+ // like a/../c: into c:.
		91	+ if runtime.GOOS == "windows" && out.w == 0 && out.volLen == 0 && r != 0 {
		92	+ for i := r; i < n && !os.IsPathSeparator(path[i]); i++ {
		93	+ if path[i] == ':' {
		94	+ out.append('.')
		95	+ out.append(Separator)
		96	+ break
		97	+ }
		98	+ }
		99	+ }
		100	// copy element
		101	for ; r < n && !os.IsPathSeparator(path[r]); r++ {
		102	out.append(path[r])
		103	--
		104	2.7.4