diff options
author | Ralph Siemsen <ralph.siemsen@linaro.org> | 2022-11-17 11:54:51 -0500 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2022-12-07 15:06:36 +0000 |
commit | cf0e66cf7a38216161c8f74196d82e8877c93bee (patch) | |
tree | 7595315cae9d417f1c4a9fd5385328d4e7767584 /meta/recipes-devtools | |
parent | 40df9e039a7b7d1d4d11bf7411739cc9e7f4fbba (diff) | |
download | poky-cf0e66cf7a38216161c8f74196d82e8877c93bee.tar.gz |
golang: fix CVE-2022-28327
Upstream-Status: Backport [https://github.com/golang/go/commit/7139e8b024604ab168b51b99c6e8168257a5bf58]
CVE: CVE-2022-28327
(From OE-Core rev: aab2a343be4b0b21dcaf22a7fbf77007d48c08d6)
Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools')
-rw-r--r-- | meta/recipes-devtools/go/go-1.14.inc | 1 | ||||
-rw-r--r-- | meta/recipes-devtools/go/go-1.14/CVE-2022-28327.patch | 36 |
2 files changed, 37 insertions, 0 deletions
diff --git a/meta/recipes-devtools/go/go-1.14.inc b/meta/recipes-devtools/go/go-1.14.inc index 525a3e77c5..6e596f4141 100644 --- a/meta/recipes-devtools/go/go-1.14.inc +++ b/meta/recipes-devtools/go/go-1.14.inc | |||
@@ -48,6 +48,7 @@ SRC_URI += "\ | |||
48 | file://CVE-2021-44716.patch \ | 48 | file://CVE-2021-44716.patch \ |
49 | file://CVE-2022-24921.patch \ | 49 | file://CVE-2022-24921.patch \ |
50 | file://CVE-2022-28131.patch \ | 50 | file://CVE-2022-28131.patch \ |
51 | file://CVE-2022-28327.patch \ | ||
51 | " | 52 | " |
52 | 53 | ||
53 | SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch" | 54 | SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch" |
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-28327.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-28327.patch new file mode 100644 index 0000000000..6361deec7d --- /dev/null +++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-28327.patch | |||
@@ -0,0 +1,36 @@ | |||
1 | From 34d9ab78568d63d8097911237897b188bdaba9c2 Mon Sep 17 00:00:00 2001 | ||
2 | From: Filippo Valsorda <filippo@golang.org> | ||
3 | Date: Thu, 31 Mar 2022 12:31:58 -0400 | ||
4 | Subject: [PATCH] crypto/elliptic: tolerate zero-padded scalars in generic | ||
5 | P-256 | ||
6 | |||
7 | Upstream-Status: Backport [https://github.com/golang/go/commit/7139e8b024604ab168b51b99c6e8168257a5bf58] | ||
8 | CVE: CVE-2022-28327 | ||
9 | Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org> | ||
10 | |||
11 | |||
12 | Updates #52075 | ||
13 | Fixes #52076 | ||
14 | Fixes CVE-2022-28327 | ||
15 | |||
16 | Change-Id: I595a7514c9a0aa1b9c76aedfc2307e1124271f27 | ||
17 | Reviewed-on: https://go-review.googlesource.com/c/go/+/397136 | ||
18 | Trust: Filippo Valsorda <filippo@golang.org> | ||
19 | Reviewed-by: Julie Qiu <julie@golang.org> | ||
20 | --- | ||
21 | src/crypto/elliptic/p256.go | 2 +- | ||
22 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
23 | |||
24 | diff --git a/src/crypto/elliptic/p256.go b/src/crypto/elliptic/p256.go | ||
25 | index c23e414..787e3e7 100644 | ||
26 | --- a/src/crypto/elliptic/p256.go | ||
27 | +++ b/src/crypto/elliptic/p256.go | ||
28 | @@ -51,7 +51,7 @@ func p256GetScalar(out *[32]byte, in []byte) { | ||
29 | n := new(big.Int).SetBytes(in) | ||
30 | var scalarBytes []byte | ||
31 | |||
32 | - if n.Cmp(p256Params.N) >= 0 { | ||
33 | + if n.Cmp(p256Params.N) >= 0 || len(in) > len(out) { | ||
34 | n.Mod(n, p256Params.N) | ||
35 | scalarBytes = n.Bytes() | ||
36 | } else { | ||