go: Several Security fixes

Source: golang.org MR: 111958, 112390, 112393 Type: Security Fix Disposition: Backport from https://github.com/golang/go.git ChangeID: 662d021814f025b3d768a04864498486f94819a7 Description: Affects < 1.16.5 Fixes: CVE-2021-33196 CVE-2021-33197 CVE-2021-34558 (From OE-Core rev: 1eaac89b0384cc39ea489a3b7ea58eab6b23240b) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Armin Kuster <akuster@mvista.com> 2021-09-09 16:55:21 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2021-09-14 17:27:42 +0100
commit: 9bae357b12a6374b0f415c555083ea4f9e8eac48 (patch)
tree: ad6cdaede100fd49d61206080edd71b37d909257 /meta/recipes-devtools
parent: d3f4731220e66a97d5eff60df8de6d0683169cda (diff)
download: poky-9bae357b12a6374b0f415c555083ea4f9e8eac48.tar.gz
4 files changed, 330 insertions, 0 deletions
diff --git a/meta/recipes-devtools/go/go-1.14.inc b/meta/recipes-devtools/go/go-1.14.inc
index 50136ca841..abc6f42184 100644
--- a/meta/recipes-devtools/go/go-1.14.inc
+++ b/meta/recipes-devtools/go/go-1.14.inc
@@ -16,6 +16,9 @@ SRC_URI += "\
    file://0006-cmd-dist-separate-host-and-target-builds.patch \
    file://0007-cmd-go-make-GOROOT-precious-by-default.patch \
    file://0008-use-GOBUILDMODE-to-set-buildmode.patch \
+    file://CVE-2021-34558.patch \
+    file://CVE-2021-33196.patch \
+    file://CVE-2021-33197.patch \
 "
 SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"
 SRC_URI[main.sha256sum] = "7ed13b2209e54a451835997f78035530b331c5b6943cdcd68a3d815fdc009149"
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2021-33196.patch b/meta/recipes-devtools/go/go-1.14/CVE-2021-33196.patch
new file mode 100644
index 0000000000..2e2dc62c49
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2021-33196.patch
@@ -0,0 +1,124 @@
+From 74242baa4136c7a9132a8ccd9881354442788c8c Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <roland@golang.org>
+Date: Tue, 11 May 2021 11:31:31 -0700
+Subject: [PATCH] archive/zip: only preallocate File slice if reasonably sized
+Since the number of files in the EOCD record isn't validated, it isn't
+safe to preallocate Reader.Files using that field. A malformed archive
+can indicate it contains up to 1 << 128 - 1 files. We can still safely
+preallocate the slice by checking if the specified number of files in
+the archive is reasonable, given the size of the archive.
+Thanks to the OSS-Fuzz project for discovering this issue and to
+Emmanuel Odeke for reporting it.
+Fixes #46242
+Fixes CVE-2021-33196
+Change-Id: I3c76d8eec178468b380d87fdb4a3f2cb06f0ee76
+Reviewed-on: https://go-review.googlesource.com/c/go/+/318909
+Trust: Roland Shoemaker <roland@golang.org>
+Trust: Katie Hockman <katie@golang.org>
+Trust: Joe Tsai <thebrokentoaster@gmail.com>
+Run-TryBot: Roland Shoemaker <roland@golang.org>
+TryBot-Result: Go Bot <gobot@golang.org>
+Reviewed-by: Katie Hockman <katie@golang.org>
+Reviewed-by: Joe Tsai <thebrokentoaster@gmail.com>
+Upstream-Status: Backport
+CVE: CVE-2021-33196
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ src/archive/zip/reader.go      | 10 +++++-
+ src/archive/zip/reader_test.go | 59 ++++++++++++++++++++++++++++++++++
+ 2 files changed, 68 insertions(+), 1 deletion(-)
+Index: go/src/archive/zip/reader.go
+===================================================================
+--- go.orig/src/archive/zip/reader.go
+++ go/src/archive/zip/reader.go
+@@ -84,7 +84,15 @@ func (z *Reader) init(r io.ReaderAt, siz
+                return err
+        }
+        z.r = r
+-       z.File = make([]*File, 0, end.directoryRecords)
+       // Since the number of directory records is not validated, it is not
+       // safe to preallocate z.File without first checking that the specified
+       // number of files is reasonable, since a malformed archive may
+       // indicate it contains up to 1 << 128 - 1 files. Since each file has a
+       // header which will be _at least_ 30 bytes we can safely preallocate
+       // if (data size / 30) >= end.directoryRecords.
+       if (uint64(size)-end.directorySize)/30 >= end.directoryRecords {
+               z.File = make([]*File, 0, end.directoryRecords)
+       }
+        z.Comment = end.comment
+        rs := io.NewSectionReader(r, 0, size)
+        if _, err = rs.Seek(int64(end.directoryOffset), io.SeekStart); err != nil {
+Index: go/src/archive/zip/reader_test.go
+===================================================================
+--- go.orig/src/archive/zip/reader_test.go
+++ go/src/archive/zip/reader_test.go
+@@ -1070,3 +1070,62 @@ func TestIssue12449(t *testing.T) {
+                t.Errorf("Error reading the archive: %v", err)
+        }
+ }
+
+func TestCVE202133196(t *testing.T) {
+       // Archive that indicates it has 1 << 128 -1 files,
+       // this would previously cause a panic due to attempting
+       // to allocate a slice with 1 << 128 -1 elements.
+       data := []byte{
+               0x50, 0x4b, 0x03, 0x04, 0x14, 0x00, 0x08, 0x08,
+               0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+               0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+               0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x01, 0x02,
+               0x03, 0x62, 0x61, 0x65, 0x03, 0x04, 0x00, 0x00,
+               0xff, 0xff, 0x50, 0x4b, 0x07, 0x08, 0xbe, 0x20,
+               0x5c, 0x6c, 0x09, 0x00, 0x00, 0x00, 0x03, 0x00,
+               0x00, 0x00, 0x50, 0x4b, 0x01, 0x02, 0x14, 0x00,
+               0x14, 0x00, 0x08, 0x08, 0x08, 0x00, 0x00, 0x00,
+               0x00, 0x00, 0xbe, 0x20, 0x5c, 0x6c, 0x09, 0x00,
+               0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x03, 0x00,
+               0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+               0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+               0x01, 0x02, 0x03, 0x50, 0x4b, 0x06, 0x06, 0x2c,
+               0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d,
+               0x00, 0x2d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+               0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
+               0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 0xff,
+               0xff, 0xff, 0xff, 0x31, 0x00, 0x00, 0x00, 0x00,
+               0x00, 0x00, 0x00, 0x3a, 0x00, 0x00, 0x00, 0x00,
+               0x00, 0x00, 0x00, 0x50, 0x4b, 0x06, 0x07, 0x00,
+               0x00, 0x00, 0x00, 0x6b, 0x00, 0x00, 0x00, 0x00,
+               0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x50,
+               0x4b, 0x05, 0x06, 0x00, 0x00, 0x00, 0x00, 0xff,
+               0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+               0xff, 0xff, 0xff, 0x00, 0x00,
+       }
+       _, err := NewReader(bytes.NewReader(data), int64(len(data)))
+       if err != ErrFormat {
+               t.Fatalf("unexpected error, got: %v, want: %v", err, ErrFormat)
+       }
+
+       // Also check that an archive containing a handful of empty
+       // files doesn't cause an issue
+       b := bytes.NewBuffer(nil)
+       w := NewWriter(b)
+       for i := 0; i < 5; i++ {
+               _, err := w.Create("")
+               if err != nil {
+                       t.Fatalf("Writer.Create failed: %s", err)
+               }
+       }
+       if err := w.Close(); err != nil {
+               t.Fatalf("Writer.Close failed: %s", err)
+       }
+       r, err := NewReader(bytes.NewReader(b.Bytes()), int64(b.Len()))
+       if err != nil {
+               t.Fatalf("NewReader failed: %s", err)
+       }
+       if len(r.File) != 5 {
+               t.Errorf("Archive has unexpected number of files, got %d, want 5", len(r.File))
+       }
+}
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2021-33197.patch b/meta/recipes-devtools/go/go-1.14/CVE-2021-33197.patch
new file mode 100644
index 0000000000..2052b1d3db
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2021-33197.patch
@@ -0,0 +1,152 @@
+From cbd1ca84453fecf3825a6bb9f985823e8bc32b76 Mon Sep 17 00:00:00 2001
+From: Filippo Valsorda <filippo@golang.org>
+Date: Fri, 21 May 2021 14:02:30 -0400
+Subject: [PATCH] [release-branch.go1.15] net/http/httputil: always remove
+ hop-by-hop headers
+Previously, we'd fail to remove the Connection header from a request
+like this:
+    Connection:
+    Connection: x-header
+Updates #46313
+Fixes #46314
+Fixes CVE-2021-33197
+Change-Id: Ie3009e926ceecfa86dfa6bcc6fe14ff01086be7d
+Reviewed-on: https://go-review.googlesource.com/c/go/+/321929
+Run-TryBot: Filippo Valsorda <filippo@golang.org>
+Reviewed-by: Katie Hockman <katie@golang.org>
+Trust: Katie Hockman <katie@golang.org>
+Trust: Filippo Valsorda <filippo@golang.org>
+TryBot-Result: Go Bot <gobot@golang.org>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/323091
+Run-TryBot: Katie Hockman <katie@golang.org>
+Upstream-Status: Backport
+CVE: CVE-2021-33197
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ src/net/http/httputil/reverseproxy.go      | 22 ++++----
+ src/net/http/httputil/reverseproxy_test.go | 63 +++++++++++++++++++++-
+ 2 files changed, 70 insertions(+), 15 deletions(-)
+Index: go/src/net/http/httputil/reverseproxy.go
+===================================================================
+--- go.orig/src/net/http/httputil/reverseproxy.go
+++ go/src/net/http/httputil/reverseproxy.go
+@@ -221,22 +221,18 @@ func (p *ReverseProxy) ServeHTTP(rw http
+        // important is "Connection" because we want a persistent
+        // connection, regardless of what the client sent to us.
+        for _, h := range hopHeaders {
+-               hv := outreq.Header.Get(h)
+-               if hv == "" {
+-                       continue
+-               }
+-               if h == "Te" && hv == "trailers" {
+-                       // Issue 21096: tell backend applications that
+-                       // care about trailer support that we support
+-                       // trailers. (We do, but we don't go out of
+-                       // our way to advertise that unless the
+-                       // incoming client request thought it was
+-                       // worth mentioning)
+-                       continue
+-               }
+                outreq.Header.Del(h)
+        }
+ 
+       // Issue 21096: tell backend applications that care about trailer support
+       // that we support trailers. (We do, but we don't go out of our way to
+       // advertise that unless the incoming client request thought it was worth
+       // mentioning.) Note that we look at req.Header, not outreq.Header, since
+       // the latter has passed through removeConnectionHeaders.
+       if httpguts.HeaderValuesContainsToken(req.Header["Te"], "trailers") {
+               outreq.Header.Set("Te", "trailers")
+       }
+
+        // After stripping all the hop-by-hop connection headers above, add back any
+        // necessary for protocol upgrades, such as for websockets.
+        if reqUpType != "" {
+Index: go/src/net/http/httputil/reverseproxy_test.go
+===================================================================
+--- go.orig/src/net/http/httputil/reverseproxy_test.go
+++ go/src/net/http/httputil/reverseproxy_test.go
+@@ -91,8 +91,9 @@ func TestReverseProxy(t *testing.T) {
+ 
+        getReq, _ := http.NewRequest("GET", frontend.URL, nil)
+        getReq.Host = "some-name"
+-       getReq.Header.Set("Connection", "close")
+-       getReq.Header.Set("Te", "trailers")
+       getReq.Header.Set("Connection", "close, TE")
+       getReq.Header.Add("Te", "foo")
+       getReq.Header.Add("Te", "bar, trailers")
+        getReq.Header.Set("Proxy-Connection", "should be deleted")
+        getReq.Header.Set("Upgrade", "foo")
+        getReq.Close = true
+@@ -236,6 +237,64 @@ func TestReverseProxyStripHeadersPresent
+        }
+ }
+ 
+func TestReverseProxyStripEmptyConnection(t *testing.T) {
+       // See Issue 46313.
+       const backendResponse = "I am the backend"
+
+       // someConnHeader is some arbitrary header to be declared as a hop-by-hop header
+       // in the Request's Connection header.
+       const someConnHeader = "X-Some-Conn-Header"
+
+       backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+               if c := r.Header.Values("Connection"); len(c) != 0 {
+                       t.Errorf("handler got header %q = %v; want empty", "Connection", c)
+               }
+               if c := r.Header.Get(someConnHeader); c != "" {
+                       t.Errorf("handler got header %q = %q; want empty", someConnHeader, c)
+               }
+               w.Header().Add("Connection", "")
+               w.Header().Add("Connection", someConnHeader)
+               w.Header().Set(someConnHeader, "should be deleted")
+               io.WriteString(w, backendResponse)
+       }))
+       defer backend.Close()
+       backendURL, err := url.Parse(backend.URL)
+       if err != nil {
+               t.Fatal(err)
+       }
+       proxyHandler := NewSingleHostReverseProxy(backendURL)
+       frontend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+               proxyHandler.ServeHTTP(w, r)
+               if c := r.Header.Get(someConnHeader); c != "should be deleted" {
+                       t.Errorf("handler modified header %q = %q; want %q", someConnHeader, c, "should be deleted")
+               }
+       }))
+       defer frontend.Close()
+
+       getReq, _ := http.NewRequest("GET", frontend.URL, nil)
+       getReq.Header.Add("Connection", "")
+       getReq.Header.Add("Connection", someConnHeader)
+       getReq.Header.Set(someConnHeader, "should be deleted")
+       res, err := frontend.Client().Do(getReq)
+       if err != nil {
+               t.Fatalf("Get: %v", err)
+       }
+       defer res.Body.Close()
+       bodyBytes, err := ioutil.ReadAll(res.Body)
+       if err != nil {
+               t.Fatalf("reading body: %v", err)
+       }
+       if got, want := string(bodyBytes), backendResponse; got != want {
+               t.Errorf("got body %q; want %q", got, want)
+       }
+       if c := res.Header.Get("Connection"); c != "" {
+               t.Errorf("handler got header %q = %q; want empty", "Connection", c)
+       }
+       if c := res.Header.Get(someConnHeader); c != "" {
+               t.Errorf("handler got header %q = %q; want empty", someConnHeader, c)
+       }
+}
+
+ func TestXForwardedFor(t *testing.T) {
+        const prevForwardedFor = "client ip"
+        const backendResponse = "I am the backend"
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2021-34558.patch b/meta/recipes-devtools/go/go-1.14/CVE-2021-34558.patch
new file mode 100644
index 0000000000..8fb346d622
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2021-34558.patch
@@ -0,0 +1,51 @@
+From a98589711da5e9d935e8d690cfca92892e86d557 Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <roland@golang.org>
+Date: Wed, 9 Jun 2021 11:31:27 -0700
+Subject: [PATCH] crypto/tls: test key type when casting
+When casting the certificate public key in generateClientKeyExchange,
+check the type is appropriate. This prevents a panic when a server
+agrees to a RSA based key exchange, but then sends an ECDSA (or
+other) certificate.
+Fixes #47143
+Fixes CVE-2021-34558
+Thanks to Imre Rad for reporting this issue.
+Change-Id: Iabccacca6052769a605cccefa1216a9f7b7f6aea
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1116723
+Reviewed-by: Filippo Valsorda <valsorda@google.com>
+Reviewed-by: Katie Hockman <katiehockman@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/334031
+Trust: Filippo Valsorda <filippo@golang.org>
+Run-TryBot: Filippo Valsorda <filippo@golang.org>
+TryBot-Result: Go Bot <gobot@golang.org>
+Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
+Upstream-Status: Backport 
+https://github.com/golang/go/commit/a98589711da5e9d935e8d690cfca92892e86d557
+CVE: CVE-2021-34558
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ src/crypto/tls/key_agreement.go | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+Index: go/src/crypto/tls/key_agreement.go
+===================================================================
+--- go.orig/src/crypto/tls/key_agreement.go
+++ go/src/crypto/tls/key_agreement.go
+@@ -67,7 +67,11 @@ func (ka rsaKeyAgreement) generateClient
+                return nil, nil, err
+        }
+ 
+-       encrypted, err := rsa.EncryptPKCS1v15(config.rand(), cert.PublicKey.(*rsa.PublicKey), preMasterSecret)
+       rsaKey, ok := cert.PublicKey.(*rsa.PublicKey)
+       if !ok {
+               return nil, nil, errors.New("tls: server certificate contains incorrect key type for selected ciphersuite")
+       }
+       encrypted, err := rsa.EncryptPKCS1v15(config.rand(), rsaKey, preMasterSecret)
+        if err != nil {
+                return nil, nil, err
+        }
author	Armin Kuster <akuster@mvista.com>	2021-09-09 16:55:21 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2021-09-14 17:27:42 +0100
commit	9bae357b12a6374b0f415c555083ea4f9e8eac48 (patch)
tree	ad6cdaede100fd49d61206080edd71b37d909257 /meta/recipes-devtools
parent	d3f4731220e66a97d5eff60df8de6d0683169cda (diff)
download	poky-9bae357b12a6374b0f415c555083ea4f9e8eac48.tar.gz

diff --git a/meta/recipes-devtools/go/go-1.14.inc b/meta/recipes-devtools/go/go-1.14.inc index 50136ca841..abc6f42184 100644 --- a/meta/recipes-devtools/go/go-1.14.inc +++ b/meta/recipes-devtools/go/go-1.14.inc
@@ -16,6 +16,9 @@ SRC_URI += "\
16	file://0006-cmd-dist-separate-host-and-target-builds.patch \	16	file://0006-cmd-dist-separate-host-and-target-builds.patch \
17	file://0007-cmd-go-make-GOROOT-precious-by-default.patch \	17	file://0007-cmd-go-make-GOROOT-precious-by-default.patch \
18	file://0008-use-GOBUILDMODE-to-set-buildmode.patch \	18	file://0008-use-GOBUILDMODE-to-set-buildmode.patch \
		19	file://CVE-2021-34558.patch \
		20	file://CVE-2021-33196.patch \
		21	file://CVE-2021-33197.patch \
19	"	22	"
20	SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"	23	SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"
21	SRC_URI[main.sha256sum] = "7ed13b2209e54a451835997f78035530b331c5b6943cdcd68a3d815fdc009149"	24	SRC_URI[main.sha256sum] = "7ed13b2209e54a451835997f78035530b331c5b6943cdcd68a3d815fdc009149"


diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2021-33196.patch b/meta/recipes-devtools/go/go-1.14/CVE-2021-33196.patch new file mode 100644 index 0000000000..2e2dc62c49 --- /dev/null +++ b/meta/recipes-devtools/go/go-1.14/CVE-2021-33196.patch
@@ -0,0 +1,124 @@
		1	From 74242baa4136c7a9132a8ccd9881354442788c8c Mon Sep 17 00:00:00 2001
		2	From: Roland Shoemaker <roland@golang.org>
		3	Date: Tue, 11 May 2021 11:31:31 -0700
		4	Subject: [PATCH] archive/zip: only preallocate File slice if reasonably sized
		5
		6	Since the number of files in the EOCD record isn't validated, it isn't
		7	safe to preallocate Reader.Files using that field. A malformed archive
		8	can indicate it contains up to 1 << 128 - 1 files. We can still safely
		9	preallocate the slice by checking if the specified number of files in
		10	the archive is reasonable, given the size of the archive.
		11
		12	Thanks to the OSS-Fuzz project for discovering this issue and to
		13	Emmanuel Odeke for reporting it.
		14
		15	Fixes #46242
		16	Fixes CVE-2021-33196
		17
		18	Change-Id: I3c76d8eec178468b380d87fdb4a3f2cb06f0ee76
		19	Reviewed-on: https://go-review.googlesource.com/c/go/+/318909
		20	Trust: Roland Shoemaker <roland@golang.org>
		21	Trust: Katie Hockman <katie@golang.org>
		22	Trust: Joe Tsai <thebrokentoaster@gmail.com>
		23	Run-TryBot: Roland Shoemaker <roland@golang.org>
		24	TryBot-Result: Go Bot <gobot@golang.org>
		25	Reviewed-by: Katie Hockman <katie@golang.org>
		26	Reviewed-by: Joe Tsai <thebrokentoaster@gmail.com>
		27
		28	Upstream-Status: Backport
		29	CVE: CVE-2021-33196
		30	Signed-off-by: Armin Kuster <akuster@mvista.com>
		31
		32	---
		33	src/archive/zip/reader.go \| 10 +++++-
		34	src/archive/zip/reader_test.go \| 59 ++++++++++++++++++++++++++++++++++
		35	2 files changed, 68 insertions(+), 1 deletion(-)
		36
		37	Index: go/src/archive/zip/reader.go
		38	===================================================================
		39	--- go.orig/src/archive/zip/reader.go
		40	+++ go/src/archive/zip/reader.go
		41	@@ -84,7 +84,15 @@ func (z *Reader) init(r io.ReaderAt, siz
		42	return err
		43	}
		44	z.r = r
		45	- z.File = make([]*File, 0, end.directoryRecords)
		46	+ // Since the number of directory records is not validated, it is not
		47	+ // safe to preallocate z.File without first checking that the specified
		48	+ // number of files is reasonable, since a malformed archive may
		49	+ // indicate it contains up to 1 << 128 - 1 files. Since each file has a
		50	+ // header which will be _at least_ 30 bytes we can safely preallocate
		51	+ // if (data size / 30) >= end.directoryRecords.
		52	+ if (uint64(size)-end.directorySize)/30 >= end.directoryRecords {
		53	+ z.File = make([]*File, 0, end.directoryRecords)
		54	+ }
		55	z.Comment = end.comment
		56	rs := io.NewSectionReader(r, 0, size)
		57	if _, err = rs.Seek(int64(end.directoryOffset), io.SeekStart); err != nil {
		58	Index: go/src/archive/zip/reader_test.go
		59	===================================================================
		60	--- go.orig/src/archive/zip/reader_test.go
		61	+++ go/src/archive/zip/reader_test.go
		62	@@ -1070,3 +1070,62 @@ func TestIssue12449(t *testing.T) {
		63	t.Errorf("Error reading the archive: %v", err)
		64	}
		65	}
		66	+
		67	+func TestCVE202133196(t *testing.T) {
		68	+ // Archive that indicates it has 1 << 128 -1 files,
		69	+ // this would previously cause a panic due to attempting
		70	+ // to allocate a slice with 1 << 128 -1 elements.
		71	+ data := []byte{
		72	+ 0x50, 0x4b, 0x03, 0x04, 0x14, 0x00, 0x08, 0x08,
		73	+ 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
		74	+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
		75	+ 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x01, 0x02,
		76	+ 0x03, 0x62, 0x61, 0x65, 0x03, 0x04, 0x00, 0x00,
		77	+ 0xff, 0xff, 0x50, 0x4b, 0x07, 0x08, 0xbe, 0x20,
		78	+ 0x5c, 0x6c, 0x09, 0x00, 0x00, 0x00, 0x03, 0x00,
		79	+ 0x00, 0x00, 0x50, 0x4b, 0x01, 0x02, 0x14, 0x00,
		80	+ 0x14, 0x00, 0x08, 0x08, 0x08, 0x00, 0x00, 0x00,
		81	+ 0x00, 0x00, 0xbe, 0x20, 0x5c, 0x6c, 0x09, 0x00,
		82	+ 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x03, 0x00,
		83	+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
		84	+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
		85	+ 0x01, 0x02, 0x03, 0x50, 0x4b, 0x06, 0x06, 0x2c,
		86	+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d,
		87	+ 0x00, 0x2d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
		88	+ 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
		89	+ 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 0xff,
		90	+ 0xff, 0xff, 0xff, 0x31, 0x00, 0x00, 0x00, 0x00,
		91	+ 0x00, 0x00, 0x00, 0x3a, 0x00, 0x00, 0x00, 0x00,
		92	+ 0x00, 0x00, 0x00, 0x50, 0x4b, 0x06, 0x07, 0x00,
		93	+ 0x00, 0x00, 0x00, 0x6b, 0x00, 0x00, 0x00, 0x00,
		94	+ 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x50,
		95	+ 0x4b, 0x05, 0x06, 0x00, 0x00, 0x00, 0x00, 0xff,
		96	+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
		97	+ 0xff, 0xff, 0xff, 0x00, 0x00,
		98	+ }
		99	+ _, err := NewReader(bytes.NewReader(data), int64(len(data)))
		100	+ if err != ErrFormat {
		101	+ t.Fatalf("unexpected error, got: %v, want: %v", err, ErrFormat)
		102	+ }
		103	+
		104	+ // Also check that an archive containing a handful of empty
		105	+ // files doesn't cause an issue
		106	+ b := bytes.NewBuffer(nil)
		107	+ w := NewWriter(b)
		108	+ for i := 0; i < 5; i++ {
		109	+ _, err := w.Create("")
		110	+ if err != nil {
		111	+ t.Fatalf("Writer.Create failed: %s", err)
		112	+ }
		113	+ }
		114	+ if err := w.Close(); err != nil {
		115	+ t.Fatalf("Writer.Close failed: %s", err)
		116	+ }
		117	+ r, err := NewReader(bytes.NewReader(b.Bytes()), int64(b.Len()))
		118	+ if err != nil {
		119	+ t.Fatalf("NewReader failed: %s", err)
		120	+ }
		121	+ if len(r.File) != 5 {
		122	+ t.Errorf("Archive has unexpected number of files, got %d, want 5", len(r.File))
		123	+ }
		124	+}


diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2021-33197.patch b/meta/recipes-devtools/go/go-1.14/CVE-2021-33197.patch new file mode 100644 index 0000000000..2052b1d3db --- /dev/null +++ b/meta/recipes-devtools/go/go-1.14/CVE-2021-33197.patch
@@ -0,0 +1,152 @@
		1	From cbd1ca84453fecf3825a6bb9f985823e8bc32b76 Mon Sep 17 00:00:00 2001
		2	From: Filippo Valsorda <filippo@golang.org>
		3	Date: Fri, 21 May 2021 14:02:30 -0400
		4	Subject: [PATCH] [release-branch.go1.15] net/http/httputil: always remove
		5	hop-by-hop headers
		6
		7	Previously, we'd fail to remove the Connection header from a request
		8	like this:
		9
		10	Connection:
		11	Connection: x-header
		12
		13	Updates #46313
		14	Fixes #46314
		15	Fixes CVE-2021-33197
		16
		17	Change-Id: Ie3009e926ceecfa86dfa6bcc6fe14ff01086be7d
		18	Reviewed-on: https://go-review.googlesource.com/c/go/+/321929
		19	Run-TryBot: Filippo Valsorda <filippo@golang.org>
		20	Reviewed-by: Katie Hockman <katie@golang.org>
		21	Trust: Katie Hockman <katie@golang.org>
		22	Trust: Filippo Valsorda <filippo@golang.org>
		23	TryBot-Result: Go Bot <gobot@golang.org>
		24	Reviewed-on: https://go-review.googlesource.com/c/go/+/323091
		25	Run-TryBot: Katie Hockman <katie@golang.org>
		26
		27	Upstream-Status: Backport
		28	CVE: CVE-2021-33197
		29	Signed-off-by: Armin Kuster <akuster@mvista.com>
		30
		31	---
		32	src/net/http/httputil/reverseproxy.go \| 22 ++++----
		33	src/net/http/httputil/reverseproxy_test.go \| 63 +++++++++++++++++++++-
		34	2 files changed, 70 insertions(+), 15 deletions(-)
		35
		36	Index: go/src/net/http/httputil/reverseproxy.go
		37	===================================================================
		38	--- go.orig/src/net/http/httputil/reverseproxy.go
		39	+++ go/src/net/http/httputil/reverseproxy.go
		40	@@ -221,22 +221,18 @@ func (p *ReverseProxy) ServeHTTP(rw http
		41	// important is "Connection" because we want a persistent
		42	// connection, regardless of what the client sent to us.
		43	for _, h := range hopHeaders {
		44	- hv := outreq.Header.Get(h)
		45	- if hv == "" {
		46	- continue
		47	- }
		48	- if h == "Te" && hv == "trailers" {
		49	- // Issue 21096: tell backend applications that
		50	- // care about trailer support that we support
		51	- // trailers. (We do, but we don't go out of
		52	- // our way to advertise that unless the
		53	- // incoming client request thought it was
		54	- // worth mentioning)
		55	- continue
		56	- }
		57	outreq.Header.Del(h)
		58	}
		59
		60	+ // Issue 21096: tell backend applications that care about trailer support
		61	+ // that we support trailers. (We do, but we don't go out of our way to
		62	+ // advertise that unless the incoming client request thought it was worth
		63	+ // mentioning.) Note that we look at req.Header, not outreq.Header, since
		64	+ // the latter has passed through removeConnectionHeaders.
		65	+ if httpguts.HeaderValuesContainsToken(req.Header["Te"], "trailers") {
		66	+ outreq.Header.Set("Te", "trailers")
		67	+ }
		68	+
		69	// After stripping all the hop-by-hop connection headers above, add back any
		70	// necessary for protocol upgrades, such as for websockets.
		71	if reqUpType != "" {
		72	Index: go/src/net/http/httputil/reverseproxy_test.go
		73	===================================================================
		74	--- go.orig/src/net/http/httputil/reverseproxy_test.go
		75	+++ go/src/net/http/httputil/reverseproxy_test.go
		76	@@ -91,8 +91,9 @@ func TestReverseProxy(t *testing.T) {
		77
		78	getReq, _ := http.NewRequest("GET", frontend.URL, nil)
		79	getReq.Host = "some-name"
		80	- getReq.Header.Set("Connection", "close")
		81	- getReq.Header.Set("Te", "trailers")
		82	+ getReq.Header.Set("Connection", "close, TE")
		83	+ getReq.Header.Add("Te", "foo")
		84	+ getReq.Header.Add("Te", "bar, trailers")
		85	getReq.Header.Set("Proxy-Connection", "should be deleted")
		86	getReq.Header.Set("Upgrade", "foo")
		87	getReq.Close = true
		88	@@ -236,6 +237,64 @@ func TestReverseProxyStripHeadersPresent
		89	}
		90	}
		91
		92	+func TestReverseProxyStripEmptyConnection(t *testing.T) {
		93	+ // See Issue 46313.
		94	+ const backendResponse = "I am the backend"
		95	+
		96	+ // someConnHeader is some arbitrary header to be declared as a hop-by-hop header
		97	+ // in the Request's Connection header.
		98	+ const someConnHeader = "X-Some-Conn-Header"
		99	+
		100	+ backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		101	+ if c := r.Header.Values("Connection"); len(c) != 0 {
		102	+ t.Errorf("handler got header %q = %v; want empty", "Connection", c)
		103	+ }
		104	+ if c := r.Header.Get(someConnHeader); c != "" {
		105	+ t.Errorf("handler got header %q = %q; want empty", someConnHeader, c)
		106	+ }
		107	+ w.Header().Add("Connection", "")
		108	+ w.Header().Add("Connection", someConnHeader)
		109	+ w.Header().Set(someConnHeader, "should be deleted")
		110	+ io.WriteString(w, backendResponse)
		111	+ }))
		112	+ defer backend.Close()
		113	+ backendURL, err := url.Parse(backend.URL)
		114	+ if err != nil {
		115	+ t.Fatal(err)
		116	+ }
		117	+ proxyHandler := NewSingleHostReverseProxy(backendURL)
		118	+ frontend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		119	+ proxyHandler.ServeHTTP(w, r)
		120	+ if c := r.Header.Get(someConnHeader); c != "should be deleted" {
		121	+ t.Errorf("handler modified header %q = %q; want %q", someConnHeader, c, "should be deleted")
		122	+ }
		123	+ }))
		124	+ defer frontend.Close()
		125	+
		126	+ getReq, _ := http.NewRequest("GET", frontend.URL, nil)
		127	+ getReq.Header.Add("Connection", "")
		128	+ getReq.Header.Add("Connection", someConnHeader)
		129	+ getReq.Header.Set(someConnHeader, "should be deleted")
		130	+ res, err := frontend.Client().Do(getReq)
		131	+ if err != nil {
		132	+ t.Fatalf("Get: %v", err)
		133	+ }
		134	+ defer res.Body.Close()
		135	+ bodyBytes, err := ioutil.ReadAll(res.Body)
		136	+ if err != nil {
		137	+ t.Fatalf("reading body: %v", err)
		138	+ }
		139	+ if got, want := string(bodyBytes), backendResponse; got != want {
		140	+ t.Errorf("got body %q; want %q", got, want)
		141	+ }
		142	+ if c := res.Header.Get("Connection"); c != "" {
		143	+ t.Errorf("handler got header %q = %q; want empty", "Connection", c)
		144	+ }
		145	+ if c := res.Header.Get(someConnHeader); c != "" {
		146	+ t.Errorf("handler got header %q = %q; want empty", someConnHeader, c)
		147	+ }
		148	+}
		149	+
		150	func TestXForwardedFor(t *testing.T) {
		151	const prevForwardedFor = "client ip"
		152	const backendResponse = "I am the backend"


diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2021-34558.patch b/meta/recipes-devtools/go/go-1.14/CVE-2021-34558.patch new file mode 100644 index 0000000000..8fb346d622 --- /dev/null +++ b/meta/recipes-devtools/go/go-1.14/CVE-2021-34558.patch
@@ -0,0 +1,51 @@
		1	From a98589711da5e9d935e8d690cfca92892e86d557 Mon Sep 17 00:00:00 2001
		2	From: Roland Shoemaker <roland@golang.org>
		3	Date: Wed, 9 Jun 2021 11:31:27 -0700
		4	Subject: [PATCH] crypto/tls: test key type when casting
		5
		6	When casting the certificate public key in generateClientKeyExchange,
		7	check the type is appropriate. This prevents a panic when a server
		8	agrees to a RSA based key exchange, but then sends an ECDSA (or
		9	other) certificate.
		10
		11	Fixes #47143
		12	Fixes CVE-2021-34558
		13
		14	Thanks to Imre Rad for reporting this issue.
		15
		16	Change-Id: Iabccacca6052769a605cccefa1216a9f7b7f6aea
		17	Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1116723
		18	Reviewed-by: Filippo Valsorda <valsorda@google.com>
		19	Reviewed-by: Katie Hockman <katiehockman@google.com>
		20	Reviewed-on: https://go-review.googlesource.com/c/go/+/334031
		21	Trust: Filippo Valsorda <filippo@golang.org>
		22	Run-TryBot: Filippo Valsorda <filippo@golang.org>
		23	TryBot-Result: Go Bot <gobot@golang.org>
		24	Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
		25
		26	Upstream-Status: Backport
		27	https://github.com/golang/go/commit/a98589711da5e9d935e8d690cfca92892e86d557
		28	CVE: CVE-2021-34558
		29	Signed-off-by: Armin Kuster <akuster@mvista.com>
		30
		31	---
		32	src/crypto/tls/key_agreement.go \| 6 +++++-
		33	1 file changed, 5 insertions(+), 1 deletion(-)
		34
		35	Index: go/src/crypto/tls/key_agreement.go
		36	===================================================================
		37	--- go.orig/src/crypto/tls/key_agreement.go
		38	+++ go/src/crypto/tls/key_agreement.go
		39	@@ -67,7 +67,11 @@ func (ka rsaKeyAgreement) generateClient
		40	return nil, nil, err
		41	}
		42
		43	- encrypted, err := rsa.EncryptPKCS1v15(config.rand(), cert.PublicKey.(*rsa.PublicKey), preMasterSecret)
		44	+ rsaKey, ok := cert.PublicKey.(*rsa.PublicKey)
		45	+ if !ok {
		46	+ return nil, nil, errors.New("tls: server certificate contains incorrect key type for selected ciphersuite")
		47	+ }
		48	+ encrypted, err := rsa.EncryptPKCS1v15(config.rand(), rsaKey, preMasterSecret)
		49	if err != nil {
		50	return nil, nil, err
		51	}