author | Ashish Sharma <asharma@mvista.com> | 2024-04-06 23:23:57 +0530 |
---|---|---|
committer | Steve Sakoman <steve@sakoman.com> | 2024-04-13 04:51:47 -0700 |
commit | 2e04c8f59a1fba0f07e09f6764d0d6b1d0114ea2 (patch) | |
tree | 8a15b40ed52a2813a1bae60696ec053a62389aff /meta | |
parent | 601f38e5cd14298c821162dec74570fbaeb24454 (diff) | |
download | poky-2e04c8f59a1fba0f07e09f6764d0d6b1d0114ea2.tar.gz |
go: Backport fix for CVE-2024-24784
Upstream-Status: Backport [https://github.com/golang/go/commit/5330cd225ba54c7dc78c1b46dcdf61a4671a632c]
(From OE-Core rev: b58dae3401bcf6747a36e87106285d4bc944d25d)
Signed-off-by: Ashish Sharma <asharma@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'meta')
-rw-r--r-- | meta/recipes-devtools/go/go-1.14.inc | 1 | ||||
-rw-r--r-- | meta/recipes-devtools/go/go-1.14/CVE-2024-24784.patch | 205 |
2 files changed, 206 insertions, 0 deletions
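--- a/meta/recipes-devtools/go/go-1.14.inc
+++ b/meta/recipes-devtools/go/go-1.14.inc
@@ -91,6 +91,7 @@ SRC_URI += "\
 file://CVE-2023-45289.patch \
 file://CVE-2023-45290.patch \
 file://CVE-2024-24785.patch \
+file://CVE-2024-24784.patch \
 "
 
 SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"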
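--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2024-24784.patch
@@ -0,0 +1,205 @@
+From 5330cd225ba54c7dc78c1b46dcdf61a4671a632c Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <bracewell@google.com>
+Date: Wed, 10 Jan 2024 11:02:14 -0800
+Subject: [PATCH] [release-branch.go1.22] net/mail: properly handle special
+characters in phrase and obs-phrase
+
+Fixes a couple of misalignments with RFC 5322 which introduce
+significant diffs between (mostly) conformant parsers.
+
+This change reverts the changes made in CL50911, which allowed certain
+special RFC 5322 characters to appear unquoted in the "phrase" syntax.
+It is unclear why this change was made in the first place, and created
+a divergence from comformant parsers. In particular this resulted in
+treating comments in display names incorrectly.
+
+Additionally properly handle trailing malformed comments in the group
+syntax.
+
+For #65083
+Fixed #65849
+
+Change-Id: I00dddc044c6ae3381154e43236632604c390f672
+Reviewed-on: https://go-review.googlesource.com/c/go/+/555596
+Reviewed-by: Damien Neil <dneil@google.com>
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/566215
+Reviewed-by: Carlos Amedee <carlos@golang.org>
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/5330cd225ba54c7dc78c1b46dcdf61a4671a632c]
+CVE: CVE-2024-24784
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+
+src/net/mail/message.go | 30 +++++++++++++++------------
+src/net/mail/message_test.go | 40 ++++++++++++++++++++++++++----------
+2 files changed, 46 insertions(+), 24 deletions(-)
+
+diff --git a/src/net/mail/message.go b/src/net/mail/message.go
+index af516fc30f470..fc2a9e46f811b 100644
+--- a/src/net/mail/message.go
++++ b/src/net/mail/message.go
+@@ -280,7 +280,7 @@ func (a *Address) String() string {
+// Add quotes if needed
+quoteLocal := false
+for i, r := range local {
+- if isAtext(r, false, false) {
++ if isAtext(r, false) {
+continue
+}
+if r == '.' {
+@@ -444,7 +444,7 @@ func (p *addrParser) parseAddress(handleGroup bool) ([]*Address, error) {
+if !p.consume('<') {
+atext := true
+for _, r := range displayName {
+- if !isAtext(r, true, false) {
++ if !isAtext(r, true) {
+atext = false
+break
+}
+@@ -479,7 +479,9 @@ func (p *addrParser) consumeGroupList() ([]*Address, error) {
+// handle empty group.
+p.skipSpace()
+if p.consume(';') {
+- p.skipCFWS()
++ if !p.skipCFWS() {
++ return nil, errors.New("mail: misformatted parenthetical comment")
++ }
+return group, nil
+}
+
+@@ -496,7 +498,9 @@ func (p *addrParser) consumeGroupList() ([]*Address, error) {
+return nil, errors.New("mail: misformatted parenthetical comment")
+}
+if p.consume(';') {
+- p.skipCFWS()
++ if !p.skipCFWS() {
++ return nil, errors.New("mail: misformatted parenthetical comment")
++ }
+break
+}
+if !p.consume(',') {
+@@ -566,6 +570,12 @@ func (p *addrParser) consumePhrase() (phrase string, err error) {
+var words []string
+var isPrevEncoded bool
+for {
++ // obs-phrase allows CFWS after one word
++ if len(words) > 0 {
++ if !p.skipCFWS() {
++ return "", errors.New("mail: misformatted parenthetical comment")
++ }
++ }
+// word = atom / quoted-string
+var word string
+p.skipSpace()
+@@ -661,7 +671,6 @@ Loop:
+// If dot is true, consumeAtom parses an RFC 5322 dot-atom instead.
+// If permissive is true, consumeAtom will not fail on:
+// - leading/trailing/double dots in the atom (see golang.org/issue/4938)
+-// - special characters (RFC 5322 3.2.3) except '<', '>', ':' and '"' (see golang.org/issue/21018)
+func (p *addrParser) consumeAtom(dot bool, permissive bool) (atom string, err error) {
+i := 0
+
+@@ -672,7 +681,7 @@ Loop:
+case size == 1 && r == utf8.RuneError:
+return "", fmt.Errorf("mail: invalid utf-8 in address: %q", p.s)
+
+- case size == 0 || !isAtext(r, dot, permissive):
++ case size == 0 || !isAtext(r, dot):
+break Loop
+
+default:
+@@ -850,18 +859,13 @@ func (e charsetError) Error() string {
+
+// isAtext reports whether r is an RFC 5322 atext character.
+// If dot is true, period is included.
+-// If permissive is true, RFC 5322 3.2.3 specials is included,
+-// except '<', '>', ':' and '"'.
+-func isAtext(r rune, dot, permissive bool) bool {
++func isAtext(r rune, dot bool) bool {
+switch r {
+case '.':
+return dot
+
+// RFC 5322 3.2.3. specials
+- case '(', ')', '[', ']', ';', '@', '\\', ',':
+- return permissive
+-
+- case '<', '>', '"', ':':
++ case '(', ')', '<', '>', '[', ']', ':', ';', '@', '\\', ',', '"': // RFC 5322 3.2.3. specials
+return false
+}
+return isVchar(r)
+diff --git a/src/net/mail/message_test.go b/src/net/mail/message_test.go
+index 1e1bb4092f659..1f2f62afbf406 100644
+--- a/src/net/mail/message_test.go
++++ b/src/net/mail/message_test.go
+@@ -385,8 +385,11 @@ func TestAddressParsingError(t *testing.T) {
+13: {"group not closed: null@example.com", "expected comma"},
+14: {"group: first@example.com, second@example.com;", "group with multiple addresses"},
+15: {"john.doe", "missing '@' or angle-addr"},
+- 16: {"john.doe@", "no angle-addr"},
++ 16: {"john.doe@", "missing '@' or angle-addr"},
+17: {"John Doe@foo.bar", "no angle-addr"},
++ 18: {" group: null@example.com; (asd", "misformatted parenthetical comment"},
++ 19: {" group: ; (asd", "misformatted parenthetical comment"},
++ 20: {`(John) Doe <jdoe@machine.example>`, "missing word in phrase:"},
+}
+
+for i, tc := range mustErrTestCases {
+@@ -436,24 +439,19 @@ func TestAddressParsing(t *testing.T) {
+Address: "john.q.public@example.com",
+}},
+},
+- {
+- `"John (middle) Doe" <jdoe@machine.example>`,
+- []*Address{{
+- Name: "John (middle) Doe",
+- Address: "jdoe@machine.example",
+- }},
+- },
++ // Comment in display name
+{
+`John (middle) Doe <jdoe@machine.example>`,
+[]*Address{{
+- Name: "John (middle) Doe",
++ Name: "John Doe",
+Address: "jdoe@machine.example",
+}},
+},
++ // Display name is quoted string, so comment is not a comment
+{
+- `John !@M@! Doe <jdoe@machine.example>`,
++ `"John (middle) Doe" <jdoe@machine.example>`,
+[]*Address{{
+- Name: "John !@M@! Doe",
++ Name: "John (middle) Doe",
+Address: "jdoe@machine.example",
+}},
+},
+@@ -788,6 +786,26 @@ func TestAddressParsing(t *testing.T) {
+},
+},
+},
++ // Comment in group display name
++ {
++ `group (comment:): a@example.com, b@example.com;`,
++ []*Address{
++ {
++ Address: "a@example.com",
++ },
++ {
++ Address: "b@example.com",
++ },
++ },
++ },
++ {
++ `x(:"):"@a.example;("@b.example;`,
++ []*Address{
++ {
++ Address: `@a.example;(@b.example`,
++ },
++ },
++ },
+}
+for _, test := range tests {
+if len(test.exp) == 1 {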
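Review bot: The test change at patch lines 160–168 shows that an unquoted display name with a parenthesized comment now parses to `Name: "John Doe"` instead of `Name: "John (middle) Doe"`, so this backport changes what mail.ParseAddress returns to existing callers on the 1.14 branch, and neither the patch header nor the recipe commit message mentions that; a line such as `Note: unquoted parenthesized text in a display name is now treated as an RFC 5322 comment and dropped; quote the display name to keep it literal.` in the backport notes would save downstream users a surprise. The patch also keeps the `[release-branch.go1.22]` subject and the 1.22 blob hashes (`index af516fc30f470..fc2a9e46f811b`) while targeting Go 1.14, so a reader cannot tell from the header whether it applied cleanly or with offsets; recording that next to the Upstream-Status line would help the next person who rebases it. As a point of style, the new `case` at patch line 128 carries a trailing `// RFC 5322 3.2.3. specials` comment that repeats the comment on the preceding context line 123; it is presumably verbatim from upstream, so it is best left alone rather than diverging from the upstream change.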