diff options
author | Armin Kuster <akuster@mvista.com> | 2021-09-09 16:55:21 -0700 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2021-09-14 17:27:42 +0100 |
commit | 9bae357b12a6374b0f415c555083ea4f9e8eac48 (patch) | |
tree | ad6cdaede100fd49d61206080edd71b37d909257 /meta/recipes-devtools | |
parent | d3f4731220e66a97d5eff60df8de6d0683169cda (diff) | |
download | poky-9bae357b12a6374b0f415c555083ea4f9e8eac48.tar.gz |
go: Several Security fixes
Source: golang.org
MR: 111958, 112390, 112393
Type: Security Fix
Disposition: Backport from https://github.com/golang/go.git
ChangeID: 662d021814f025b3d768a04864498486f94819a7
Description:
Affects < 1.16.5
Fixes:
CVE-2021-33196
CVE-2021-33197
CVE-2021-34558
(From OE-Core rev: 1eaac89b0384cc39ea489a3b7ea58eab6b23240b)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools')
-rw-r--r-- | meta/recipes-devtools/go/go-1.14.inc | 3 | ||||
-rw-r--r-- | meta/recipes-devtools/go/go-1.14/CVE-2021-33196.patch | 124 | ||||
-rw-r--r-- | meta/recipes-devtools/go/go-1.14/CVE-2021-33197.patch | 152 | ||||
-rw-r--r-- | meta/recipes-devtools/go/go-1.14/CVE-2021-34558.patch | 51 |
4 files changed, 330 insertions, 0 deletions
diff --git a/meta/recipes-devtools/go/go-1.14.inc b/meta/recipes-devtools/go/go-1.14.inc index 50136ca841..abc6f42184 100644 --- a/meta/recipes-devtools/go/go-1.14.inc +++ b/meta/recipes-devtools/go/go-1.14.inc | |||
@@ -16,6 +16,9 @@ SRC_URI += "\ | |||
16 | file://0006-cmd-dist-separate-host-and-target-builds.patch \ | 16 | file://0006-cmd-dist-separate-host-and-target-builds.patch \ |
17 | file://0007-cmd-go-make-GOROOT-precious-by-default.patch \ | 17 | file://0007-cmd-go-make-GOROOT-precious-by-default.patch \ |
18 | file://0008-use-GOBUILDMODE-to-set-buildmode.patch \ | 18 | file://0008-use-GOBUILDMODE-to-set-buildmode.patch \ |
19 | file://CVE-2021-34558.patch \ | ||
20 | file://CVE-2021-33196.patch \ | ||
21 | file://CVE-2021-33197.patch \ | ||
19 | " | 22 | " |
20 | SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch" | 23 | SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch" |
21 | SRC_URI[main.sha256sum] = "7ed13b2209e54a451835997f78035530b331c5b6943cdcd68a3d815fdc009149" | 24 | SRC_URI[main.sha256sum] = "7ed13b2209e54a451835997f78035530b331c5b6943cdcd68a3d815fdc009149" |
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2021-33196.patch b/meta/recipes-devtools/go/go-1.14/CVE-2021-33196.patch new file mode 100644 index 0000000000..2e2dc62c49 --- /dev/null +++ b/meta/recipes-devtools/go/go-1.14/CVE-2021-33196.patch | |||
@@ -0,0 +1,124 @@ | |||
1 | From 74242baa4136c7a9132a8ccd9881354442788c8c Mon Sep 17 00:00:00 2001 | ||
2 | From: Roland Shoemaker <roland@golang.org> | ||
3 | Date: Tue, 11 May 2021 11:31:31 -0700 | ||
4 | Subject: [PATCH] archive/zip: only preallocate File slice if reasonably sized | ||
5 | |||
6 | Since the number of files in the EOCD record isn't validated, it isn't | ||
7 | safe to preallocate Reader.Files using that field. A malformed archive | ||
8 | can indicate it contains up to 1 << 128 - 1 files. We can still safely | ||
9 | preallocate the slice by checking if the specified number of files in | ||
10 | the archive is reasonable, given the size of the archive. | ||
11 | |||
12 | Thanks to the OSS-Fuzz project for discovering this issue and to | ||
13 | Emmanuel Odeke for reporting it. | ||
14 | |||
15 | Fixes #46242 | ||
16 | Fixes CVE-2021-33196 | ||
17 | |||
18 | Change-Id: I3c76d8eec178468b380d87fdb4a3f2cb06f0ee76 | ||
19 | Reviewed-on: https://go-review.googlesource.com/c/go/+/318909 | ||
20 | Trust: Roland Shoemaker <roland@golang.org> | ||
21 | Trust: Katie Hockman <katie@golang.org> | ||
22 | Trust: Joe Tsai <thebrokentoaster@gmail.com> | ||
23 | Run-TryBot: Roland Shoemaker <roland@golang.org> | ||
24 | TryBot-Result: Go Bot <gobot@golang.org> | ||
25 | Reviewed-by: Katie Hockman <katie@golang.org> | ||
26 | Reviewed-by: Joe Tsai <thebrokentoaster@gmail.com> | ||
27 | |||
28 | Upstream-Status: Backport | ||
29 | CVE: CVE-2021-33196 | ||
30 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
31 | |||
32 | --- | ||
33 | src/archive/zip/reader.go | 10 +++++- | ||
34 | src/archive/zip/reader_test.go | 59 ++++++++++++++++++++++++++++++++++ | ||
35 | 2 files changed, 68 insertions(+), 1 deletion(-) | ||
36 | |||
37 | Index: go/src/archive/zip/reader.go | ||
38 | =================================================================== | ||
39 | --- go.orig/src/archive/zip/reader.go | ||
40 | +++ go/src/archive/zip/reader.go | ||
41 | @@ -84,7 +84,15 @@ func (z *Reader) init(r io.ReaderAt, siz | ||
42 | return err | ||
43 | } | ||
44 | z.r = r | ||
45 | - z.File = make([]*File, 0, end.directoryRecords) | ||
46 | + // Since the number of directory records is not validated, it is not | ||
47 | + // safe to preallocate z.File without first checking that the specified | ||
48 | + // number of files is reasonable, since a malformed archive may | ||
49 | + // indicate it contains up to 1 << 128 - 1 files. Since each file has a | ||
50 | + // header which will be _at least_ 30 bytes we can safely preallocate | ||
51 | + // if (data size / 30) >= end.directoryRecords. | ||
52 | + if (uint64(size)-end.directorySize)/30 >= end.directoryRecords { | ||
53 | + z.File = make([]*File, 0, end.directoryRecords) | ||
54 | + } | ||
55 | z.Comment = end.comment | ||
56 | rs := io.NewSectionReader(r, 0, size) | ||
57 | if _, err = rs.Seek(int64(end.directoryOffset), io.SeekStart); err != nil { | ||
58 | Index: go/src/archive/zip/reader_test.go | ||
59 | =================================================================== | ||
60 | --- go.orig/src/archive/zip/reader_test.go | ||
61 | +++ go/src/archive/zip/reader_test.go | ||
62 | @@ -1070,3 +1070,62 @@ func TestIssue12449(t *testing.T) { | ||
63 | t.Errorf("Error reading the archive: %v", err) | ||
64 | } | ||
65 | } | ||
66 | + | ||
67 | +func TestCVE202133196(t *testing.T) { | ||
68 | + // Archive that indicates it has 1 << 128 -1 files, | ||
69 | + // this would previously cause a panic due to attempting | ||
70 | + // to allocate a slice with 1 << 128 -1 elements. | ||
71 | + data := []byte{ | ||
72 | + 0x50, 0x4b, 0x03, 0x04, 0x14, 0x00, 0x08, 0x08, | ||
73 | + 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
74 | + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
75 | + 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x01, 0x02, | ||
76 | + 0x03, 0x62, 0x61, 0x65, 0x03, 0x04, 0x00, 0x00, | ||
77 | + 0xff, 0xff, 0x50, 0x4b, 0x07, 0x08, 0xbe, 0x20, | ||
78 | + 0x5c, 0x6c, 0x09, 0x00, 0x00, 0x00, 0x03, 0x00, | ||
79 | + 0x00, 0x00, 0x50, 0x4b, 0x01, 0x02, 0x14, 0x00, | ||
80 | + 0x14, 0x00, 0x08, 0x08, 0x08, 0x00, 0x00, 0x00, | ||
81 | + 0x00, 0x00, 0xbe, 0x20, 0x5c, 0x6c, 0x09, 0x00, | ||
82 | + 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x03, 0x00, | ||
83 | + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
84 | + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
85 | + 0x01, 0x02, 0x03, 0x50, 0x4b, 0x06, 0x06, 0x2c, | ||
86 | + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, | ||
87 | + 0x00, 0x2d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
88 | + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, | ||
89 | + 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 0xff, | ||
90 | + 0xff, 0xff, 0xff, 0x31, 0x00, 0x00, 0x00, 0x00, | ||
91 | + 0x00, 0x00, 0x00, 0x3a, 0x00, 0x00, 0x00, 0x00, | ||
92 | + 0x00, 0x00, 0x00, 0x50, 0x4b, 0x06, 0x07, 0x00, | ||
93 | + 0x00, 0x00, 0x00, 0x6b, 0x00, 0x00, 0x00, 0x00, | ||
94 | + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x50, | ||
95 | + 0x4b, 0x05, 0x06, 0x00, 0x00, 0x00, 0x00, 0xff, | ||
96 | + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, | ||
97 | + 0xff, 0xff, 0xff, 0x00, 0x00, | ||
98 | + } | ||
99 | + _, err := NewReader(bytes.NewReader(data), int64(len(data))) | ||
100 | + if err != ErrFormat { | ||
101 | + t.Fatalf("unexpected error, got: %v, want: %v", err, ErrFormat) | ||
102 | + } | ||
103 | + | ||
104 | + // Also check that an archive containing a handful of empty | ||
105 | + // files doesn't cause an issue | ||
106 | + b := bytes.NewBuffer(nil) | ||
107 | + w := NewWriter(b) | ||
108 | + for i := 0; i < 5; i++ { | ||
109 | + _, err := w.Create("") | ||
110 | + if err != nil { | ||
111 | + t.Fatalf("Writer.Create failed: %s", err) | ||
112 | + } | ||
113 | + } | ||
114 | + if err := w.Close(); err != nil { | ||
115 | + t.Fatalf("Writer.Close failed: %s", err) | ||
116 | + } | ||
117 | + r, err := NewReader(bytes.NewReader(b.Bytes()), int64(b.Len())) | ||
118 | + if err != nil { | ||
119 | + t.Fatalf("NewReader failed: %s", err) | ||
120 | + } | ||
121 | + if len(r.File) != 5 { | ||
122 | + t.Errorf("Archive has unexpected number of files, got %d, want 5", len(r.File)) | ||
123 | + } | ||
124 | +} | ||
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2021-33197.patch b/meta/recipes-devtools/go/go-1.14/CVE-2021-33197.patch new file mode 100644 index 0000000000..2052b1d3db --- /dev/null +++ b/meta/recipes-devtools/go/go-1.14/CVE-2021-33197.patch | |||
@@ -0,0 +1,152 @@ | |||
1 | From cbd1ca84453fecf3825a6bb9f985823e8bc32b76 Mon Sep 17 00:00:00 2001 | ||
2 | From: Filippo Valsorda <filippo@golang.org> | ||
3 | Date: Fri, 21 May 2021 14:02:30 -0400 | ||
4 | Subject: [PATCH] [release-branch.go1.15] net/http/httputil: always remove | ||
5 | hop-by-hop headers | ||
6 | |||
7 | Previously, we'd fail to remove the Connection header from a request | ||
8 | like this: | ||
9 | |||
10 | Connection: | ||
11 | Connection: x-header | ||
12 | |||
13 | Updates #46313 | ||
14 | Fixes #46314 | ||
15 | Fixes CVE-2021-33197 | ||
16 | |||
17 | Change-Id: Ie3009e926ceecfa86dfa6bcc6fe14ff01086be7d | ||
18 | Reviewed-on: https://go-review.googlesource.com/c/go/+/321929 | ||
19 | Run-TryBot: Filippo Valsorda <filippo@golang.org> | ||
20 | Reviewed-by: Katie Hockman <katie@golang.org> | ||
21 | Trust: Katie Hockman <katie@golang.org> | ||
22 | Trust: Filippo Valsorda <filippo@golang.org> | ||
23 | TryBot-Result: Go Bot <gobot@golang.org> | ||
24 | Reviewed-on: https://go-review.googlesource.com/c/go/+/323091 | ||
25 | Run-TryBot: Katie Hockman <katie@golang.org> | ||
26 | |||
27 | Upstream-Status: Backport | ||
28 | CVE: CVE-2021-33197 | ||
29 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
30 | |||
31 | --- | ||
32 | src/net/http/httputil/reverseproxy.go | 22 ++++---- | ||
33 | src/net/http/httputil/reverseproxy_test.go | 63 +++++++++++++++++++++- | ||
34 | 2 files changed, 70 insertions(+), 15 deletions(-) | ||
35 | |||
36 | Index: go/src/net/http/httputil/reverseproxy.go | ||
37 | =================================================================== | ||
38 | --- go.orig/src/net/http/httputil/reverseproxy.go | ||
39 | +++ go/src/net/http/httputil/reverseproxy.go | ||
40 | @@ -221,22 +221,18 @@ func (p *ReverseProxy) ServeHTTP(rw http | ||
41 | // important is "Connection" because we want a persistent | ||
42 | // connection, regardless of what the client sent to us. | ||
43 | for _, h := range hopHeaders { | ||
44 | - hv := outreq.Header.Get(h) | ||
45 | - if hv == "" { | ||
46 | - continue | ||
47 | - } | ||
48 | - if h == "Te" && hv == "trailers" { | ||
49 | - // Issue 21096: tell backend applications that | ||
50 | - // care about trailer support that we support | ||
51 | - // trailers. (We do, but we don't go out of | ||
52 | - // our way to advertise that unless the | ||
53 | - // incoming client request thought it was | ||
54 | - // worth mentioning) | ||
55 | - continue | ||
56 | - } | ||
57 | outreq.Header.Del(h) | ||
58 | } | ||
59 | |||
60 | + // Issue 21096: tell backend applications that care about trailer support | ||
61 | + // that we support trailers. (We do, but we don't go out of our way to | ||
62 | + // advertise that unless the incoming client request thought it was worth | ||
63 | + // mentioning.) Note that we look at req.Header, not outreq.Header, since | ||
64 | + // the latter has passed through removeConnectionHeaders. | ||
65 | + if httpguts.HeaderValuesContainsToken(req.Header["Te"], "trailers") { | ||
66 | + outreq.Header.Set("Te", "trailers") | ||
67 | + } | ||
68 | + | ||
69 | // After stripping all the hop-by-hop connection headers above, add back any | ||
70 | // necessary for protocol upgrades, such as for websockets. | ||
71 | if reqUpType != "" { | ||
72 | Index: go/src/net/http/httputil/reverseproxy_test.go | ||
73 | =================================================================== | ||
74 | --- go.orig/src/net/http/httputil/reverseproxy_test.go | ||
75 | +++ go/src/net/http/httputil/reverseproxy_test.go | ||
76 | @@ -91,8 +91,9 @@ func TestReverseProxy(t *testing.T) { | ||
77 | |||
78 | getReq, _ := http.NewRequest("GET", frontend.URL, nil) | ||
79 | getReq.Host = "some-name" | ||
80 | - getReq.Header.Set("Connection", "close") | ||
81 | - getReq.Header.Set("Te", "trailers") | ||
82 | + getReq.Header.Set("Connection", "close, TE") | ||
83 | + getReq.Header.Add("Te", "foo") | ||
84 | + getReq.Header.Add("Te", "bar, trailers") | ||
85 | getReq.Header.Set("Proxy-Connection", "should be deleted") | ||
86 | getReq.Header.Set("Upgrade", "foo") | ||
87 | getReq.Close = true | ||
88 | @@ -236,6 +237,64 @@ func TestReverseProxyStripHeadersPresent | ||
89 | } | ||
90 | } | ||
91 | |||
92 | +func TestReverseProxyStripEmptyConnection(t *testing.T) { | ||
93 | + // See Issue 46313. | ||
94 | + const backendResponse = "I am the backend" | ||
95 | + | ||
96 | + // someConnHeader is some arbitrary header to be declared as a hop-by-hop header | ||
97 | + // in the Request's Connection header. | ||
98 | + const someConnHeader = "X-Some-Conn-Header" | ||
99 | + | ||
100 | + backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { | ||
101 | + if c := r.Header.Values("Connection"); len(c) != 0 { | ||
102 | + t.Errorf("handler got header %q = %v; want empty", "Connection", c) | ||
103 | + } | ||
104 | + if c := r.Header.Get(someConnHeader); c != "" { | ||
105 | + t.Errorf("handler got header %q = %q; want empty", someConnHeader, c) | ||
106 | + } | ||
107 | + w.Header().Add("Connection", "") | ||
108 | + w.Header().Add("Connection", someConnHeader) | ||
109 | + w.Header().Set(someConnHeader, "should be deleted") | ||
110 | + io.WriteString(w, backendResponse) | ||
111 | + })) | ||
112 | + defer backend.Close() | ||
113 | + backendURL, err := url.Parse(backend.URL) | ||
114 | + if err != nil { | ||
115 | + t.Fatal(err) | ||
116 | + } | ||
117 | + proxyHandler := NewSingleHostReverseProxy(backendURL) | ||
118 | + frontend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { | ||
119 | + proxyHandler.ServeHTTP(w, r) | ||
120 | + if c := r.Header.Get(someConnHeader); c != "should be deleted" { | ||
121 | + t.Errorf("handler modified header %q = %q; want %q", someConnHeader, c, "should be deleted") | ||
122 | + } | ||
123 | + })) | ||
124 | + defer frontend.Close() | ||
125 | + | ||
126 | + getReq, _ := http.NewRequest("GET", frontend.URL, nil) | ||
127 | + getReq.Header.Add("Connection", "") | ||
128 | + getReq.Header.Add("Connection", someConnHeader) | ||
129 | + getReq.Header.Set(someConnHeader, "should be deleted") | ||
130 | + res, err := frontend.Client().Do(getReq) | ||
131 | + if err != nil { | ||
132 | + t.Fatalf("Get: %v", err) | ||
133 | + } | ||
134 | + defer res.Body.Close() | ||
135 | + bodyBytes, err := ioutil.ReadAll(res.Body) | ||
136 | + if err != nil { | ||
137 | + t.Fatalf("reading body: %v", err) | ||
138 | + } | ||
139 | + if got, want := string(bodyBytes), backendResponse; got != want { | ||
140 | + t.Errorf("got body %q; want %q", got, want) | ||
141 | + } | ||
142 | + if c := res.Header.Get("Connection"); c != "" { | ||
143 | + t.Errorf("handler got header %q = %q; want empty", "Connection", c) | ||
144 | + } | ||
145 | + if c := res.Header.Get(someConnHeader); c != "" { | ||
146 | + t.Errorf("handler got header %q = %q; want empty", someConnHeader, c) | ||
147 | + } | ||
148 | +} | ||
149 | + | ||
150 | func TestXForwardedFor(t *testing.T) { | ||
151 | const prevForwardedFor = "client ip" | ||
152 | const backendResponse = "I am the backend" | ||
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2021-34558.patch b/meta/recipes-devtools/go/go-1.14/CVE-2021-34558.patch new file mode 100644 index 0000000000..8fb346d622 --- /dev/null +++ b/meta/recipes-devtools/go/go-1.14/CVE-2021-34558.patch | |||
@@ -0,0 +1,51 @@ | |||
1 | From a98589711da5e9d935e8d690cfca92892e86d557 Mon Sep 17 00:00:00 2001 | ||
2 | From: Roland Shoemaker <roland@golang.org> | ||
3 | Date: Wed, 9 Jun 2021 11:31:27 -0700 | ||
4 | Subject: [PATCH] crypto/tls: test key type when casting | ||
5 | |||
6 | When casting the certificate public key in generateClientKeyExchange, | ||
7 | check the type is appropriate. This prevents a panic when a server | ||
8 | agrees to a RSA based key exchange, but then sends an ECDSA (or | ||
9 | other) certificate. | ||
10 | |||
11 | Fixes #47143 | ||
12 | Fixes CVE-2021-34558 | ||
13 | |||
14 | Thanks to Imre Rad for reporting this issue. | ||
15 | |||
16 | Change-Id: Iabccacca6052769a605cccefa1216a9f7b7f6aea | ||
17 | Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1116723 | ||
18 | Reviewed-by: Filippo Valsorda <valsorda@google.com> | ||
19 | Reviewed-by: Katie Hockman <katiehockman@google.com> | ||
20 | Reviewed-on: https://go-review.googlesource.com/c/go/+/334031 | ||
21 | Trust: Filippo Valsorda <filippo@golang.org> | ||
22 | Run-TryBot: Filippo Valsorda <filippo@golang.org> | ||
23 | TryBot-Result: Go Bot <gobot@golang.org> | ||
24 | Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org> | ||
25 | |||
26 | Upstream-Status: Backport | ||
27 | https://github.com/golang/go/commit/a98589711da5e9d935e8d690cfca92892e86d557 | ||
28 | CVE: CVE-2021-34558 | ||
29 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
30 | |||
31 | --- | ||
32 | src/crypto/tls/key_agreement.go | 6 +++++- | ||
33 | 1 file changed, 5 insertions(+), 1 deletion(-) | ||
34 | |||
35 | Index: go/src/crypto/tls/key_agreement.go | ||
36 | =================================================================== | ||
37 | --- go.orig/src/crypto/tls/key_agreement.go | ||
38 | +++ go/src/crypto/tls/key_agreement.go | ||
39 | @@ -67,7 +67,11 @@ func (ka rsaKeyAgreement) generateClient | ||
40 | return nil, nil, err | ||
41 | } | ||
42 | |||
43 | - encrypted, err := rsa.EncryptPKCS1v15(config.rand(), cert.PublicKey.(*rsa.PublicKey), preMasterSecret) | ||
44 | + rsaKey, ok := cert.PublicKey.(*rsa.PublicKey) | ||
45 | + if !ok { | ||
46 | + return nil, nil, errors.New("tls: server certificate contains incorrect key type for selected ciphersuite") | ||
47 | + } | ||
48 | + encrypted, err := rsa.EncryptPKCS1v15(config.rand(), rsaKey, preMasterSecret) | ||
49 | if err != nil { | ||
50 | return nil, nil, err | ||
51 | } | ||