golang: fix CVE-2022-30629 and CVE-2022-30631

Source: https://github.com/golang/go MR: 120613, 120613 Type: Security Fix Disposition: Backport from https://github.com/golang/go/commit/c15a8e2dbb5ac376a6ed890735341b812d6b965c && https://github.com/golang/go/commit/0117dee7dccbbd7803d88f65a2ce8bd686219ad3 ChangeID: 366db775dec045d7b312b8da0436af36ab322046 Description: Fixed CVE: 1. CVE-2022-30629 2. CVE-2022-30631 (From OE-Core rev: 6813a265c7c21e24636d07a6a8df16ef0cf7da50) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Hitendra Prajapati <hprajapati@mvista.com> 2022-08-25 12:54:30 +0530
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2022-09-03 13:10:37 +0100
commit: 8bc3443c0813f884955def3bb8d7594acd397796 (patch)
tree: 64a586ceb8506f819b83182eefc0a6754b823308 /meta/recipes-devtools/go
parent: dea6f2c847296639359546198709bf333a881d29 (diff)
download: poky-8bc3443c0813f884955def3bb8d7594acd397796.tar.gz
3 files changed, 165 insertions, 0 deletions
diff --git a/meta/recipes-devtools/go/go-1.14.inc b/meta/recipes-devtools/go/go-1.14.inc
index b160222f76..6089fd501d 100644
--- a/meta/recipes-devtools/go/go-1.14.inc
+++ b/meta/recipes-devtools/go/go-1.14.inc
@@ -25,6 +25,8 @@ SRC_URI += "\
    file://CVE-2021-44717.patch \
    file://CVE-2022-24675.patch \
    file://CVE-2021-31525.patch \
+    file://CVE-2022-30629.patch \
+    file://CVE-2022-30631.patch \
 "
 SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-30629.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-30629.patch
new file mode 100644
index 0000000000..47313a547f
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-30629.patch
@@ -0,0 +1,47 @@
+From 8d0bbb5a6280c2cf951241ec7f6579c90d38df57 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Thu, 25 Aug 2022 10:55:08 +0530
+Subject: [PATCH] CVE-2022-30629
+Upstream-Status: Backport [https://github.com/golang/go/commit/c15a8e2dbb5ac376a6ed890735341b812d6b965c]
+CVE: CVE-2022-30629
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/crypto/tls/handshake_server_tls13.go | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+diff --git a/src/crypto/tls/handshake_server_tls13.go b/src/crypto/tls/handshake_server_tls13.go
+index 5432145..d91797e 100644
+--- a/src/crypto/tls/handshake_server_tls13.go
+++ b/src/crypto/tls/handshake_server_tls13.go
+@@ -9,6 +9,7 @@ import (
+        "crypto"
+        "crypto/hmac"
+        "crypto/rsa"
+       "encoding/binary"
+        "errors"
+        "hash"
+        "io"
+@@ -742,6 +743,19 @@ func (hs *serverHandshakeStateTLS13) sendSessionTickets() error {
+        }
+        m.lifetime = uint32(maxSessionTicketLifetime / time.Second)
+ 
+       // ticket_age_add is a random 32-bit value. See RFC 8446, section 4.6.1
+       // The value is not stored anywhere; we never need to check the ticket age
+       // because 0-RTT is not supported.
+       ageAdd := make([]byte, 4)
+       _, err = hs.c.config.rand().Read(ageAdd)
+       if err != nil {
+               return err
+       }
+       m.ageAdd = binary.LittleEndian.Uint32(ageAdd)
+
+       // ticket_nonce, which must be unique per connection, is always left at
+       // zero because we only ever send one ticket per connection.
+
+        if _, err := c.writeRecord(recordTypeHandshake, m.marshal()); err != nil {
+                return err
+        }
+-- 
+2.25.1
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-30631.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-30631.patch
new file mode 100644
index 0000000000..5dcfd27f16
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-30631.patch
@@ -0,0 +1,116 @@
+From d10fc3a84e3344f2421c1dd3046faa50709ab4d5 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Thu, 25 Aug 2022 11:01:21 +0530
+Subject: [PATCH] CVE-2022-30631
+Upstream-Status: Backport [https://github.com/golang/go/commit/0117dee7dccbbd7803d88f65a2ce8bd686219ad3]
+CVE: CVE-2022-30631
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/compress/gzip/gunzip.go      | 60 +++++++++++++++-----------------
+ src/compress/gzip/gunzip_test.go | 16 +++++++++
+ 2 files changed, 45 insertions(+), 31 deletions(-)
+diff --git a/src/compress/gzip/gunzip.go b/src/compress/gzip/gunzip.go
+index 924bce1..237b2b9 100644
+--- a/src/compress/gzip/gunzip.go
+++ b/src/compress/gzip/gunzip.go
+@@ -248,42 +248,40 @@ func (z *Reader) Read(p []byte) (n int, err error) {
+                return 0, z.err
+        }
+ 
+-       n, z.err = z.decompressor.Read(p)
+-       z.digest = crc32.Update(z.digest, crc32.IEEETable, p[:n])
+-       z.size += uint32(n)
+-       if z.err != io.EOF {
+-               // In the normal case we return here.
+-               return n, z.err
+-       }
+       for n == 0 {
+               n, z.err = z.decompressor.Read(p)
+               z.digest = crc32.Update(z.digest, crc32.IEEETable, p[:n])
+               z.size += uint32(n)
+               if z.err != io.EOF {
+                       // In the normal case we return here.
+                       return n, z.err
+               }
+ 
+-       // Finished file; check checksum and size.
+-       if _, err := io.ReadFull(z.r, z.buf[:8]); err != nil {
+-               z.err = noEOF(err)
+-               return n, z.err
+-       }
+-       digest := le.Uint32(z.buf[:4])
+-       size := le.Uint32(z.buf[4:8])
+-       if digest != z.digest || size != z.size {
+-               z.err = ErrChecksum
+-               return n, z.err
+-       }
+-       z.digest, z.size = 0, 0
+               // Finished file; check checksum and size.
+               if _, err := io.ReadFull(z.r, z.buf[:8]); err != nil {
+                       z.err = noEOF(err)
+                       return n, z.err
+               }
+               digest := le.Uint32(z.buf[:4])
+               size := le.Uint32(z.buf[4:8])
+               if digest != z.digest || size != z.size {
+                       z.err = ErrChecksum
+                       return n, z.err
+               }
+               z.digest, z.size = 0, 0
+ 
+-       // File is ok; check if there is another.
+-       if !z.multistream {
+-               return n, io.EOF
+-       }
+-       z.err = nil // Remove io.EOF
+               // File is ok; check if there is another.
+               if !z.multistream {
+                       return n, io.EOF
+               }
+               z.err = nil // Remove io.EOF
+ 
+-       if _, z.err = z.readHeader(); z.err != nil {
+-               return n, z.err
+               if _, z.err = z.readHeader(); z.err != nil {
+                       return n, z.err
+               }
+        }
+ 
+-       // Read from next file, if necessary.
+-       if n > 0 {
+-               return n, nil
+-       }
+-       return z.Read(p)
+       return n, nil
+ }
+ 
+ // Close closes the Reader. It does not close the underlying io.Reader.
+diff --git a/src/compress/gzip/gunzip_test.go b/src/compress/gzip/gunzip_test.go
+index 1b01404..95220ae 100644
+--- a/src/compress/gzip/gunzip_test.go
+++ b/src/compress/gzip/gunzip_test.go
+@@ -516,3 +516,19 @@ func TestTruncatedStreams(t *testing.T) {
+                }
+        }
+ }
+
+func TestCVE202230631(t *testing.T) {
+       var empty = []byte{0x1f, 0x8b, 0x08, 0x00, 0xa7, 0x8f, 0x43, 0x62, 0x00,
+               0x03, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}
+       r := bytes.NewReader(bytes.Repeat(empty, 4e6))
+       z, err := NewReader(r)
+       if err != nil {
+               t.Fatalf("NewReader: got %v, want nil", err)
+       }
+       // Prior to CVE-2022-30631 fix, this would cause an unrecoverable panic due
+       // to stack exhaustion.
+       _, err = z.Read(make([]byte, 10))
+       if err != io.EOF {
+               t.Errorf("Reader.Read: got %v, want %v", err, io.EOF)
+       }
+}
+-- 
+2.25.1
author	Hitendra Prajapati <hprajapati@mvista.com>	2022-08-25 12:54:30 +0530
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2022-09-03 13:10:37 +0100
commit	8bc3443c0813f884955def3bb8d7594acd397796 (patch)
tree	64a586ceb8506f819b83182eefc0a6754b823308 /meta/recipes-devtools/go
parent	dea6f2c847296639359546198709bf333a881d29 (diff)
download	poky-8bc3443c0813f884955def3bb8d7594acd397796.tar.gz

diff --git a/meta/recipes-devtools/go/go-1.14.inc b/meta/recipes-devtools/go/go-1.14.inc index b160222f76..6089fd501d 100644 --- a/meta/recipes-devtools/go/go-1.14.inc +++ b/meta/recipes-devtools/go/go-1.14.inc
@@ -25,6 +25,8 @@ SRC_URI += "\
25	file://CVE-2021-44717.patch \	25	file://CVE-2021-44717.patch \
26	file://CVE-2022-24675.patch \	26	file://CVE-2022-24675.patch \
27	file://CVE-2021-31525.patch \	27	file://CVE-2021-31525.patch \
		28	file://CVE-2022-30629.patch \
		29	file://CVE-2022-30631.patch \
28	"	30	"
29		31
30	SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"	32	SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"


diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-30629.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-30629.patch new file mode 100644 index 0000000000..47313a547f --- /dev/null +++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-30629.patch
@@ -0,0 +1,47 @@
		1	From 8d0bbb5a6280c2cf951241ec7f6579c90d38df57 Mon Sep 17 00:00:00 2001
		2	From: Hitendra Prajapati <hprajapati@mvista.com>
		3	Date: Thu, 25 Aug 2022 10:55:08 +0530
		4	Subject: [PATCH] CVE-2022-30629
		5
		6	Upstream-Status: Backport [https://github.com/golang/go/commit/c15a8e2dbb5ac376a6ed890735341b812d6b965c]
		7	CVE: CVE-2022-30629
		8	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		9	---
		10	src/crypto/tls/handshake_server_tls13.go \| 14 ++++++++++++++
		11	1 file changed, 14 insertions(+)
		12
		13	diff --git a/src/crypto/tls/handshake_server_tls13.go b/src/crypto/tls/handshake_server_tls13.go
		14	index 5432145..d91797e 100644
		15	--- a/src/crypto/tls/handshake_server_tls13.go
		16	+++ b/src/crypto/tls/handshake_server_tls13.go
		17	@@ -9,6 +9,7 @@ import (
		18	"crypto"
		19	"crypto/hmac"
		20	"crypto/rsa"
		21	+ "encoding/binary"
		22	"errors"
		23	"hash"
		24	"io"
		25	@@ -742,6 +743,19 @@ func (hs *serverHandshakeStateTLS13) sendSessionTickets() error {
		26	}
		27	m.lifetime = uint32(maxSessionTicketLifetime / time.Second)
		28
		29	+ // ticket_age_add is a random 32-bit value. See RFC 8446, section 4.6.1
		30	+ // The value is not stored anywhere; we never need to check the ticket age
		31	+ // because 0-RTT is not supported.
		32	+ ageAdd := make([]byte, 4)
		33	+ _, err = hs.c.config.rand().Read(ageAdd)
		34	+ if err != nil {
		35	+ return err
		36	+ }
		37	+ m.ageAdd = binary.LittleEndian.Uint32(ageAdd)
		38	+
		39	+ // ticket_nonce, which must be unique per connection, is always left at
		40	+ // zero because we only ever send one ticket per connection.
		41	+
		42	if _, err := c.writeRecord(recordTypeHandshake, m.marshal()); err != nil {
		43	return err
		44	}
		45	--
		46	2.25.1
		47


diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-30631.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-30631.patch new file mode 100644 index 0000000000..5dcfd27f16 --- /dev/null +++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-30631.patch
@@ -0,0 +1,116 @@
		1	From d10fc3a84e3344f2421c1dd3046faa50709ab4d5 Mon Sep 17 00:00:00 2001
		2	From: Hitendra Prajapati <hprajapati@mvista.com>
		3	Date: Thu, 25 Aug 2022 11:01:21 +0530
		4	Subject: [PATCH] CVE-2022-30631
		5
		6	Upstream-Status: Backport [https://github.com/golang/go/commit/0117dee7dccbbd7803d88f65a2ce8bd686219ad3]
		7	CVE: CVE-2022-30631
		8	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		9	---
		10	src/compress/gzip/gunzip.go \| 60 +++++++++++++++-----------------
		11	src/compress/gzip/gunzip_test.go \| 16 +++++++++
		12	2 files changed, 45 insertions(+), 31 deletions(-)
		13
		14	diff --git a/src/compress/gzip/gunzip.go b/src/compress/gzip/gunzip.go
		15	index 924bce1..237b2b9 100644
		16	--- a/src/compress/gzip/gunzip.go
		17	+++ b/src/compress/gzip/gunzip.go
		18	@@ -248,42 +248,40 @@ func (z *Reader) Read(p []byte) (n int, err error) {
		19	return 0, z.err
		20	}
		21
		22	- n, z.err = z.decompressor.Read(p)
		23	- z.digest = crc32.Update(z.digest, crc32.IEEETable, p[:n])
		24	- z.size += uint32(n)
		25	- if z.err != io.EOF {
		26	- // In the normal case we return here.
		27	- return n, z.err
		28	- }
		29	+ for n == 0 {
		30	+ n, z.err = z.decompressor.Read(p)
		31	+ z.digest = crc32.Update(z.digest, crc32.IEEETable, p[:n])
		32	+ z.size += uint32(n)
		33	+ if z.err != io.EOF {
		34	+ // In the normal case we return here.
		35	+ return n, z.err
		36	+ }
		37
		38	- // Finished file; check checksum and size.
		39	- if _, err := io.ReadFull(z.r, z.buf[:8]); err != nil {
		40	- z.err = noEOF(err)
		41	- return n, z.err
		42	- }
		43	- digest := le.Uint32(z.buf[:4])
		44	- size := le.Uint32(z.buf[4:8])
		45	- if digest != z.digest \|\| size != z.size {
		46	- z.err = ErrChecksum
		47	- return n, z.err
		48	- }
		49	- z.digest, z.size = 0, 0
		50	+ // Finished file; check checksum and size.
		51	+ if _, err := io.ReadFull(z.r, z.buf[:8]); err != nil {
		52	+ z.err = noEOF(err)
		53	+ return n, z.err
		54	+ }
		55	+ digest := le.Uint32(z.buf[:4])
		56	+ size := le.Uint32(z.buf[4:8])
		57	+ if digest != z.digest \|\| size != z.size {
		58	+ z.err = ErrChecksum
		59	+ return n, z.err
		60	+ }
		61	+ z.digest, z.size = 0, 0
		62
		63	- // File is ok; check if there is another.
		64	- if !z.multistream {
		65	- return n, io.EOF
		66	- }
		67	- z.err = nil // Remove io.EOF
		68	+ // File is ok; check if there is another.
		69	+ if !z.multistream {
		70	+ return n, io.EOF
		71	+ }
		72	+ z.err = nil // Remove io.EOF
		73
		74	- if _, z.err = z.readHeader(); z.err != nil {
		75	- return n, z.err
		76	+ if _, z.err = z.readHeader(); z.err != nil {
		77	+ return n, z.err
		78	+ }
		79	}
		80
		81	- // Read from next file, if necessary.
		82	- if n > 0 {
		83	- return n, nil
		84	- }
		85	- return z.Read(p)
		86	+ return n, nil
		87	}
		88
		89	// Close closes the Reader. It does not close the underlying io.Reader.
		90	diff --git a/src/compress/gzip/gunzip_test.go b/src/compress/gzip/gunzip_test.go
		91	index 1b01404..95220ae 100644
		92	--- a/src/compress/gzip/gunzip_test.go
		93	+++ b/src/compress/gzip/gunzip_test.go
		94	@@ -516,3 +516,19 @@ func TestTruncatedStreams(t *testing.T) {
		95	}
		96	}
		97	}
		98	+
		99	+func TestCVE202230631(t *testing.T) {
		100	+ var empty = []byte{0x1f, 0x8b, 0x08, 0x00, 0xa7, 0x8f, 0x43, 0x62, 0x00,
		101	+ 0x03, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}
		102	+ r := bytes.NewReader(bytes.Repeat(empty, 4e6))
		103	+ z, err := NewReader(r)
		104	+ if err != nil {
		105	+ t.Fatalf("NewReader: got %v, want nil", err)
		106	+ }
		107	+ // Prior to CVE-2022-30631 fix, this would cause an unrecoverable panic due
		108	+ // to stack exhaustion.
		109	+ _, err = z.Read(make([]byte, 10))
		110	+ if err != io.EOF {
		111	+ t.Errorf("Reader.Read: got %v, want %v", err, io.EOF)
		112	+ }
		113	+}
		114	--
		115	2.25.1
		116