author | Hitendra Prajapati <hprajapati@mvista.com> | 2022-08-25 12:54:30 +0530 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2022-09-03 13:10:37 +0100 |
commit | 8bc3443c0813f884955def3bb8d7594acd397796 (patch) | |
tree | 64a586ceb8506f819b83182eefc0a6754b823308 /meta/recipes-devtools/go | |
parent | dea6f2c847296639359546198709bf333a881d29 (diff) | |
golang: fix CVE-2022-30629 and CVE-2022-30631
Source: https://github.com/golang/go
MR: 120613, 120613
Type: Security Fix
Disposition: Backport from https://github.com/golang/go/commit/c15a8e2dbb5ac376a6ed890735341b812d6b965c && https://github.com/golang/go/commit/0117dee7dccbbd7803d88f65a2ce8bd686219ad3
ChangeID: 366db775dec045d7b312b8da0436af36ab322046
Description:
Fixed CVE:
1. CVE-2022-30629
2. CVE-2022-30631
(From OE-Core rev: 6813a265c7c21e24636d07a6a8df16ef0cf7da50)
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools/go')
-rw-r--r-- | meta/recipes-devtools/go/go-1.14.inc | 2 | ||||
-rw-r--r-- | meta/recipes-devtools/go/go-1.14/CVE-2022-30629.patch | 47 | ||||
-rw-r--r-- | meta/recipes-devtools/go/go-1.14/CVE-2022-30631.patch | 116 |
3 files changed, 165 insertions, 0 deletions
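--- a/meta/recipes-devtools/go/go-1.14.inc
+++ b/meta/recipes-devtools/go/go-1.14.inc
@@ -25,6 +25,8 @@ SRC_URI += "\
 file://CVE-2021-44717.patch \
 file://CVE-2022-24675.patch \
 file://CVE-2021-31525.patch \
+file://CVE-2022-30629.patch \
+file://CVE-2022-30631.patch \
 "
 
 SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"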
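--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-30629.patch
@@ -0,0 +1,47 @@
+From 8d0bbb5a6280c2cf951241ec7f6579c90d38df57 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Thu, 25 Aug 2022 10:55:08 +0530
+Subject: [PATCH] CVE-2022-30629
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/c15a8e2dbb5ac376a6ed890735341b812d6b965c]
+CVE: CVE-2022-30629
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+src/crypto/tls/handshake_server_tls13.go | 14 ++++++++++++++
+1 file changed, 14 insertions(+)
+
+diff --git a/src/crypto/tls/handshake_server_tls13.go b/src/crypto/tls/handshake_server_tls13.go
+index 5432145..d91797e 100644
+--- a/src/crypto/tls/handshake_server_tls13.go
++++ b/src/crypto/tls/handshake_server_tls13.go
+@@ -9,6 +9,7 @@ import (
+"crypto"
+"crypto/hmac"
+"crypto/rsa"
++ "encoding/binary"
+"errors"
+"hash"
+"io"
+@@ -742,6 +743,19 @@ func (hs *serverHandshakeStateTLS13) sendSessionTickets() error {
+}
+m.lifetime = uint32(maxSessionTicketLifetime / time.Second)
+
++ // ticket_age_add is a random 32-bit value. See RFC 8446, section 4.6.1
++ // The value is not stored anywhere; we never need to check the ticket age
++ // because 0-RTT is not supported.
++ ageAdd := make([]byte, 4)
++ _, err = hs.c.config.rand().Read(ageAdd)
++ if err != nil {
++ return err
++ }
++ m.ageAdd = binary.LittleEndian.Uint32(ageAdd)
++
++ // ticket_nonce, which must be unique per connection, is always left at
++ // zero because we only ever send one ticket per connection.
++
+if _, err := c.writeRecord(recordTypeHandshake, m.marshal()); err != nil {
+return err
+}
+--
+2.25.1
+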
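Review bot: The new `_, err = hs.c.config.rand().Read(ageAdd)` at patch line 33 discards the byte count, so a `Config.Rand` that honours the io.Reader contract by returning a short read with a nil error would leave part of `ageAdd` zero and erode the unpredictability this fix exists to provide; `io` is already imported at patch line 24, so `_, err = io.ReadFull(hs.c.config.rand(), ageAdd)` closes the gap with a one-line change. Because the patch is tagged as a backport, the pattern is presumably inherited from upstream rather than introduced here, and the default random source is unlikely to short-read, but the hardening is cheap and the value is security-relevant. The patch header carries only the CVE identifier as its subject and no body, so a one-line summary such as `crypto/tls: randomly generate ticket_age_add` would help anyone auditing the recipe's patch stack. sendSessionTickets begins and ends outside the hunk.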
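--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-30631.patch
@@ -0,0 +1,116 @@
+From d10fc3a84e3344f2421c1dd3046faa50709ab4d5 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Thu, 25 Aug 2022 11:01:21 +0530
+Subject: [PATCH] CVE-2022-30631
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/0117dee7dccbbd7803d88f65a2ce8bd686219ad3]
+CVE: CVE-2022-30631
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+src/compress/gzip/gunzip.go | 60 +++++++++++++++-----------------
+src/compress/gzip/gunzip_test.go | 16 +++++++++
+2 files changed, 45 insertions(+), 31 deletions(-)
+
+diff --git a/src/compress/gzip/gunzip.go b/src/compress/gzip/gunzip.go
+index 924bce1..237b2b9 100644
+--- a/src/compress/gzip/gunzip.go
++++ b/src/compress/gzip/gunzip.go
+@@ -248,42 +248,40 @@ func (z *Reader) Read(p []byte) (n int, err error) {
+return 0, z.err
+}
+
+- n, z.err = z.decompressor.Read(p)
+- z.digest = crc32.Update(z.digest, crc32.IEEETable, p[:n])
+- z.size += uint32(n)
+- if z.err != io.EOF {
+- // In the normal case we return here.
+- return n, z.err
+- }
++ for n == 0 {
++ n, z.err = z.decompressor.Read(p)
++ z.digest = crc32.Update(z.digest, crc32.IEEETable, p[:n])
++ z.size += uint32(n)
++ if z.err != io.EOF {
++ // In the normal case we return here.
++ return n, z.err
++ }
+
+- // Finished file; check checksum and size.
+- if _, err := io.ReadFull(z.r, z.buf[:8]); err != nil {
+- z.err = noEOF(err)
+- return n, z.err
+- }
+- digest := le.Uint32(z.buf[:4])
+- size := le.Uint32(z.buf[4:8])
+- if digest != z.digest || size != z.size {
+- z.err = ErrChecksum
+- return n, z.err
+- }
+- z.digest, z.size = 0, 0
++ // Finished file; check checksum and size.
++ if _, err := io.ReadFull(z.r, z.buf[:8]); err != nil {
++ z.err = noEOF(err)
++ return n, z.err
++ }
++ digest := le.Uint32(z.buf[:4])
++ size := le.Uint32(z.buf[4:8])
++ if digest != z.digest || size != z.size {
++ z.err = ErrChecksum
++ return n, z.err
++ }
++ z.digest, z.size = 0, 0
+
+- // File is ok; check if there is another.
+- if !z.multistream {
+- return n, io.EOF
+- }
+- z.err = nil // Remove io.EOF
++ // File is ok; check if there is another.
++ if !z.multistream {
++ return n, io.EOF
++ }
++ z.err = nil // Remove io.EOF
+
+- if _, z.err = z.readHeader(); z.err != nil {
+- return n, z.err
++ if _, z.err = z.readHeader(); z.err != nil {
++ return n, z.err
++ }
+}
+
+- // Read from next file, if necessary.
+- if n > 0 {
+- return n, nil
+- }
+- return z.Read(p)
++ return n, nil
+}
+
+// Close closes the Reader. It does not close the underlying io.Reader.
+diff --git a/src/compress/gzip/gunzip_test.go b/src/compress/gzip/gunzip_test.go
+index 1b01404..95220ae 100644
+--- a/src/compress/gzip/gunzip_test.go
++++ b/src/compress/gzip/gunzip_test.go
+@@ -516,3 +516,19 @@ func TestTruncatedStreams(t *testing.T) {
+}
+}
+}
++
++func TestCVE202230631(t *testing.T) {
++ var empty = []byte{0x1f, 0x8b, 0x08, 0x00, 0xa7, 0x8f, 0x43, 0x62, 0x00,
++ 0x03, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}
++ r := bytes.NewReader(bytes.Repeat(empty, 4e6))
++ z, err := NewReader(r)
++ if err != nil {
++ t.Fatalf("NewReader: got %v, want nil", err)
++ }
++ // Prior to CVE-2022-30631 fix, this would cause an unrecoverable panic due
++ // to stack exhaustion.
++ _, err = z.Read(make([]byte, 10))
++ if err != io.EOF {
++ t.Errorf("Reader.Read: got %v, want %v", err, io.EOF)
++ }
++}
+--
+2.25.1
+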
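Review bot: The patch header at patch lines 1-12 carries only `CVE-2022-30631` as its subject and no body, so nothing in the recipe tree records that the change replaces the tail recursion `return z.Read(p)` in `Reader.Read` with the `for n == 0` loop, or that the trigger is a stream of many concatenated empty gzip members; a summary line such as `compress/gzip: prevent stack exhaustion in Reader.Read on many empty members` plus one sentence on the recursion would let a future auditor verify the backport without consulting upstream. The added `TestCVE202230631` at patch lines 99-113 builds `bytes.Repeat(empty, 4e6)`, which with the 20-byte `empty` member is roughly 80 MB, so if the Go test suite is ever run on a memory-constrained target (for example under ptest) this single test may be the one to exclude; worth a comment in the recipe if that applies. The hunk adds no imports to gunzip_test.go, so it relies on `bytes` and `io` already being imported there — presumably true, but not visible in this patch. The remainder of `Reader.Read` above the hunk is outside this view.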