author | Hitendra Prajapati <hprajapati@mvista.com> | 2023-06-29 10:20:48 +0530 |
---|---|---|
committer | Steve Sakoman <steve@sakoman.com> | 2023-07-04 05:37:07 -1000 |
commit | f25b3632334c6ee4920e1dfd4634111344672b3f (patch) | |
tree | 5884f5d2d1c9fcd711605cea1cadabcabe21d897 /meta/recipes-devtools/go | |
parent | 2474c30274840b37ae945dbad55cf812406fc5f7 (diff) | |
go: fix CVE-2023-29402 & CVE-2023-29404
Backport fixes for:
* CVE-2023-29402 - Upstream-Status: Backport from https://github.com/golang/go/commit/c160b49b6d328c86bd76ca2fff9009a71347333f
* CVE-2023-29404 - Upstream-Status: Backport from https://github.com/golang/go/commit/bf3c8ce03e175e870763901a3850bca01381a828
(From OE-Core rev: a4a989605d8cab3278d6c6e32eb882815ff36a28)
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'meta/recipes-devtools/go')
-rw-r--r-- | meta/recipes-devtools/go/go-1.14.inc | 2 | ||||
-rw-r--r-- | meta/recipes-devtools/go/go-1.14/CVE-2023-29402.patch | 201 | ||||
-rw-r--r-- | meta/recipes-devtools/go/go-1.14/CVE-2023-29404.patch | 84 |
3 files changed, 287 insertions, 0 deletions
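--- a/meta/recipes-devtools/go/go-1.14.inc
+++ b/meta/recipes-devtools/go/go-1.14.inc
@@ -65,6 +65,8 @@ SRC_URI += "\
 file://CVE-2023-24540.patch \
 file://CVE-2023-29405-1.patch \
 file://CVE-2023-29405-2.patch \
+file://CVE-2023-29402.patch \
+file://CVE-2023-29404.patch \
 "
 
 SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"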
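--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-29402.patch
@@ -0,0 +1,201 @@
+rom c160b49b6d328c86bd76ca2fff9009a71347333f Mon Sep 17 00:00:00 2001
+From: "Bryan C. Mills" <bcmills@google.com>
+Date: Fri, 12 May 2023 14:15:16 -0400
+Subject: [PATCH] [release-branch.go1.19] cmd/go: disallow package directories
+containing newlines
+
+Directory or file paths containing newlines may cause tools (such as
+cmd/cgo) that emit "//line" or "#line" -directives to write part of
+the path into non-comment lines in generated source code. If those
+lines contain valid Go code, it may be injected into the resulting
+binary.
+
+(Note that Go import paths and file paths within module zip files
+already could not contain newlines.)
+
+Thanks to Juho Nurminen of Mattermost for reporting this issue.
+
+Updates #60167.
+Fixes #60515.
+Fixes CVE-2023-29402.
+
+Change-Id: If55d0400c02beb7a5da5eceac60f1abeac99f064
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1882606
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+Run-TryBot: Roland Shoemaker <bracewell@google.com>
+Reviewed-by: Russ Cox <rsc@google.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+(cherry picked from commit 41f9046495564fc728d6f98384ab7276450ac7e2)
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1902229
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1904343
+Reviewed-by: Michael Knyszek <mknyszek@google.com>
+Reviewed-by: Bryan Mills <bcmills@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/501218
+Run-TryBot: David Chase <drchase@google.com>
+Auto-Submit: Michael Knyszek <mknyszek@google.com>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/c160b49b6d328c86bd76ca2fff9009a71347333f]
+CVE: CVE-2023-29402
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+src/cmd/go/internal/load/pkg.go | 4 +
+src/cmd/go/internal/work/exec.go | 6 ++
+src/cmd/go/script_test.go | 1 +
+.../go/testdata/script/build_cwd_newline.txt | 100 ++++++++++++++++++
+4 files changed, 111 insertions(+)
+create mode 100644 src/cmd/go/testdata/script/build_cwd_newline.txt
+
+diff --git a/src/cmd/go/internal/load/pkg.go b/src/cmd/go/internal/load/pkg.go
+index 369a79b..d2b63b0 100644
+--- a/src/cmd/go/internal/load/pkg.go
++++ b/src/cmd/go/internal/load/pkg.go
+@@ -1697,6 +1697,10 @@ func (p *Package) load(stk *ImportStack, bp *build.Package, err error) {
+setError(ImportErrorf(p.ImportPath, "invalid import path %q", p.ImportPath))
+return
+}
++ if strings.ContainsAny(p.Dir, "\r\n") {
++ setError(fmt.Errorf("invalid package directory %q", p.Dir))
++ return
++ }
+
+// Build list of imported packages and full dependency list.
+imports := make([]*Package, 0, len(p.Imports))
+diff --git a/src/cmd/go/internal/work/exec.go b/src/cmd/go/internal/work/exec.go
+index 9a9650b..050b785 100644
+--- a/src/cmd/go/internal/work/exec.go
++++ b/src/cmd/go/internal/work/exec.go
+@@ -458,6 +458,12 @@ func (b *Builder) build(a *Action) (err error) {
+b.Print(a.Package.ImportPath + "\n")
+}
+
++ if p.Error != nil {
++ // Don't try to build anything for packages with errors. There may be a
++ // problem with the inputs that makes the package unsafe to build.
++ return p.Error
++ }
++
+if a.Package.BinaryOnly {
+p.Stale = true
+p.StaleReason = "binary-only packages are no longer supported"
+diff --git a/src/cmd/go/script_test.go b/src/cmd/go/script_test.go
+index ec498bb..a1398ad 100644
+--- a/src/cmd/go/script_test.go
++++ b/src/cmd/go/script_test.go
+@@ -123,6 +123,7 @@ func (ts *testScript) setup() {
+"devnull=" + os.DevNull,
+"goversion=" + goVersion(ts),
+":=" + string(os.PathListSeparator),
++ "newline=\n",
+}
+
+if runtime.GOOS == "plan9" {
+diff --git a/src/cmd/go/testdata/script/build_cwd_newline.txt b/src/cmd/go/testdata/script/build_cwd_newline.txt
+new file mode 100644
+index 0000000..61c6966
+--- /dev/null
++++ b/src/cmd/go/testdata/script/build_cwd_newline.txt
+@@ -0,0 +1,100 @@
++[windows] skip 'filesystem normalizes / to \'
++[plan9] skip 'filesystem disallows \n in paths'
++
++# If the directory path containing a package to be built includes a newline,
++# the go command should refuse to even try to build the package.
++
++env DIR=$WORK${/}${newline}'package main'${newline}'func main() { panic("uh-oh")'${newline}'/*'
++
++mkdir $DIR
++cd $DIR
++exec pwd
++cp $WORK/go.mod ./go.mod
++cp $WORK/main.go ./main.go
++cp $WORK/main_test.go ./main_test.go
++
++! go build -o $devnull .
++stderr 'package example: invalid package directory .*uh-oh'
++
++! go build -o $devnull main.go
++stderr 'package command-line-arguments: invalid package directory .*uh-oh'
++
++! go run .
++stderr 'package example: invalid package directory .*uh-oh'
++
++! go run main.go
++stderr 'package command-line-arguments: invalid package directory .*uh-oh'
++
++! go test .
++stderr 'package example: invalid package directory .*uh-oh'
++
++! go test -v main.go main_test.go
++stderr 'package command-line-arguments: invalid package directory .*uh-oh'
++
++
++# Since we do preserve $PWD (or set it appropriately) for commands, and we do
++# not resolve symlinks unnecessarily, referring to the contents of the unsafe
++# directory via a safe symlink should be ok, and should not inject the data from
++# the symlink target path.
++
++[!symlink] stop 'remainder of test checks symlink behavior'
++[short] stop 'links and runs binaries'
++
++symlink $WORK${/}link -> $DIR
++
++go run $WORK${/}link${/}main.go
++! stdout panic
++! stderr panic
++stderr '^ok$'
++
++go test -v $WORK${/}link${/}main.go $WORK${/}link${/}main_test.go
++! stdout panic
++! stderr panic
++stdout '^ok$' # 'go test' combines the test's stdout into stderr
++
++cd $WORK/link
++
++! go run $DIR${/}main.go
++stderr 'package command-line-arguments: invalid package directory .*uh-oh'
++
++go run .
++! stdout panic
++! stderr panic
++stderr '^ok$'
++
++go run main.go
++! stdout panic
++! stderr panic
++stderr '^ok$'
++
++go test -v
++! stdout panic
++! stderr panic
++stdout '^ok$' # 'go test' combines the test's stdout into stderr
++
++go test -v .
++! stdout panic
++! stderr panic
++stdout '^ok$' # 'go test' combines the test's stdout into stderr
++
++
++-- $WORK/go.mod --
++module example
++go 1.19
++-- $WORK/main.go --
++package main
++
++import "C"
++
++func main() {
++ /* nothing here */
++ println("ok")
++}
++-- $WORK/main_test.go --
++package main
++
++import "testing"
++
++func TestMain(*testing.M) {
++ main()
++}
+--
+2.25.1
+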
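Review bot: The first line of this patch reads `rom c160b49b6d328c86bd76ca2fff9009a71347333f Mon Sep 17 00:00:00 2001`, missing the leading `F` of `From` (the sibling CVE-2023-29404.patch header is intact); quilt and `git apply` ignore that header so the fix still applies, but `git am` and patch-tracking tooling key on it, so restore it to `From c160b49b6d328c86bd76ca2fff9009a71347333f Mon Sep 17 00:00:00 2001`. On the fix itself, the guard added to `(*Package).load` rejects `\r`/`\n` only in `p.Dir`, and the `p.Error` early return in `build` is what keeps cgo from ever seeing such a path; whether any other path that reaches `//line`/`#line` output in the 1.14 toolchain (the temporary work directory, for instance) needs the same check is not visible here and should be confirmed against the 1.14 cgo sources. The added script test keeps upstream's `go 1.19` go.mod and an `import "C"` in main.go, so it is only meaningful where cgo is available and a 1.14 `go` accepts that go.mod; if the test is not exercised by the recipe, note that so the backport is not assumed to be covered. Both `load` and `build` start and end outside the hunks shown.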
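--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-29404.patch
@@ -0,0 +1,84 @@
+From bf3c8ce03e175e870763901a3850bca01381a828 Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <bracewell@google.com>
+Date: Fri, 5 May 2023 13:10:34 -0700
+Subject: [PATCH] [release-branch.go1.19] cmd/go: enforce flags with
+non-optional arguments
+
+Enforce that linker flags which expect arguments get them, otherwise it
+may be possible to smuggle unexpected flags through as the linker can
+consume what looks like a flag as an argument to a preceding flag (i.e.
+"-Wl,-O -Wl,-R,-bad-flag" is interpreted as "-O=-R -bad-flag"). Also be
+somewhat more restrictive in the general format of some flags.
+
+Thanks to Juho Nurminen of Mattermost for reporting this issue.
+
+Updates #60305
+Fixes #60511
+Fixes CVE-2023-29404
+
+Change-Id: Icdffef2c0f644da50261cace6f43742783931cff
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1876275
+Reviewed-by: Ian Lance Taylor <iant@google.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+(cherry picked from commit 896779503cf754cbdac24b61d4cc953b50fe2dde)
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1902225
+Run-TryBot: Roland Shoemaker <bracewell@google.com>
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1904342
+Reviewed-by: Michael Knyszek <mknyszek@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/501217
+Auto-Submit: Michael Knyszek <mknyszek@google.com>
+Run-TryBot: David Chase <drchase@google.com>
+TryBot-Bypass: Michael Knyszek <mknyszek@google.com>
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/bf3c8ce03e175e870763901a3850bca01381a828]
+CVE: CVE-2023-29404
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+src/cmd/go/internal/work/security.go | 6 +++---
+src/cmd/go/internal/work/security_test.go | 5 +++++
+2 files changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/src/cmd/go/internal/work/security.go b/src/cmd/go/internal/work/security.go
+index a823b20..8acb6dc 100644
+--- a/src/cmd/go/internal/work/security.go
++++ b/src/cmd/go/internal/work/security.go
+@@ -177,17 +177,17 @@ var validLinkerFlags = []*lazyregexp.Regexp{
+re(`-Wl,-Bdynamic`),
+re(`-Wl,-berok`),
+re(`-Wl,-Bstatic`),
+- re(`-WL,-O([^@,\-][^,]*)?`),
++ re(`-Wl,-O[0-9]+`),
+re(`-Wl,-d[ny]`),
+re(`-Wl,--disable-new-dtags`),
+- re(`-Wl,-e[=,][a-zA-Z0-9]*`),
++ re(`-Wl,-e[=,][a-zA-Z0-9]+`),
+re(`-Wl,--enable-new-dtags`),
+re(`-Wl,--end-group`),
+re(`-Wl,--(no-)?export-dynamic`),
+re(`-Wl,-framework,[^,@\-][^,]+`),
+re(`-Wl,-headerpad_max_install_names`),
+re(`-Wl,--no-undefined`),
+- re(`-Wl,-R([^@\-][^,@]*$)`),
++ re(`-Wl,-R,?([^@\-,][^,@]*$)`),
+re(`-Wl,--just-symbols[=,]([^,@\-][^,@]+)`),
+re(`-Wl,-rpath(-link)?[=,]([^,@\-][^,]+)`),
+re(`-Wl,-s`),
+diff --git a/src/cmd/go/internal/work/security_test.go b/src/cmd/go/internal/work/security_test.go
+index bd707ff..7b0b7d3 100644
+--- a/src/cmd/go/internal/work/security_test.go
++++ b/src/cmd/go/internal/work/security_test.go
+@@ -220,6 +220,11 @@ var badLinkerFlags = [][]string{
+{"-Wl,-R,@foo"},
+{"-Wl,--just-symbols,@foo"},
+{"../x.o"},
++ {"-Wl,-R,"},
++ {"-Wl,-O"},
++ {"-Wl,-e="},
++ {"-Wl,-e,"},
++ {"-Wl,-R,-flag"},
+}
+
+func TestCheckLinkerFlags(t *testing.T) {
+--
+2.25.1
+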
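Review bot: The replacement `-Wl,-O[0-9]+` newly accepts `-Wl,-O1`-style flags — the entry it replaces was spelled `-WL,-O…` with a capital L, so no real `-Wl,-O` flag could ever have matched it — yet the test hunk adds only negative cases. Add a positive case such as `{"-Wl,-O1"}` (and `{"-Wl,-R,/usr/lib"}` if not already present) to `goodLinkerFlags`, which lies outside this hunk, so the intended acceptance is pinned alongside the new rejections of `-Wl,-O`, `-Wl,-e=`, `-Wl,-R,` and `-Wl,-R,-flag`. The tightened patterns only close the argument-smuggling hole if `re()` wraps them in `^…$` anchors as upstream does; that helper is outside the hunk, so confirm the 1.14 copy of security.go anchors identically before relying on `-Wl,-R,?([^@\-,][^,@]*$)` to reject a trailing `,-flag`. The `validLinkerFlags` and `badLinkerFlags` slices both begin outside the hunks shown.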