go: Backport fix for CVE-2024-24784

Upstream-Status: Backport [https://github.com/golang/go/commit/5330cd225ba54c7dc78c1b46dcdf61a4671a632c]
(From OE-Core rev: b58dae3401bcf6747a36e87106285d4bc944d25d)

Signed-off-by: Ashish Sharma <asharma@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>

2 files changed, 206 insertions, 0 deletions

diff --git a/meta/recipes-devtools/go/go-1.14.inc b/meta/recipes-devtools/go/go-1.14.inc
index 69b65f3eb2..9c7ceda891 100644
--- a/meta/recipes-devtools/go/go-1.14.inc
+++ b/meta/recipes-devtools/go/go-1.14.inc
@@ -91,6 +91,7 @@ SRC_URI += "\
     file://CVE-2023-45289.patch \
     file://CVE-2023-45290.patch \
     file://CVE-2024-24785.patch \
+    file://CVE-2024-24784.patch \
 "
 
 SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2024-24784.patch b/meta/recipes-devtools/go/go-1.14/CVE-2024-24784.patch
new file mode 100644
index 0000000000..e9d9d972b9
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2024-24784.patch
@@ -0,0 +1,205 @@
+From 5330cd225ba54c7dc78c1b46dcdf61a4671a632c Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <bracewell@google.com>
+Date: Wed, 10 Jan 2024 11:02:14 -0800
+Subject: [PATCH] [release-branch.go1.22] net/mail: properly handle special
+ characters in phrase and obs-phrase
+
+Fixes a couple of misalignments with RFC 5322 which introduce
+significant diffs between (mostly) conformant parsers.
+
+This change reverts the changes made in CL50911, which allowed certain
+special RFC 5322 characters to appear unquoted in the "phrase" syntax.
+It is unclear why this change was made in the first place, and created
+a divergence from comformant parsers. In particular this resulted in
+treating comments in display names incorrectly.
+
+Additionally properly handle trailing malformed comments in the group
+syntax.
+
+For #65083
+Fixed #65849
+
+Change-Id: I00dddc044c6ae3381154e43236632604c390f672
+Reviewed-on: https://go-review.googlesource.com/c/go/+/555596
+Reviewed-by: Damien Neil <dneil@google.com>
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/566215
+Reviewed-by: Carlos Amedee <carlos@golang.org>
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/5330cd225ba54c7dc78c1b46dcdf61a4671a632c]
+CVE: CVE-2024-24784
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+
+ src/net/mail/message.go      | 30 +++++++++++++++------------
+ src/net/mail/message_test.go | 40 ++++++++++++++++++++++++++----------
+ 2 files changed, 46 insertions(+), 24 deletions(-)
+
+diff --git a/src/net/mail/message.go b/src/net/mail/message.go
+index af516fc30f470..fc2a9e46f811b 100644
+--- a/src/net/mail/message.go
++++ b/src/net/mail/message.go
+@@ -280,7 +280,7 @@ func (a *Address) String() string {
+        // Add quotes if needed
+        quoteLocal := false
+        for i, r := range local {
+-               if isAtext(r, false, false) {
++               if isAtext(r, false) {
+                        continue
+                }
+                if r == '.' {
+@@ -444,7 +444,7 @@ func (p *addrParser) parseAddress(handleGroup bool) ([]*Address, error) {
+        if !p.consume('<') {
+                atext := true
+                for _, r := range displayName {
+-                       if !isAtext(r, true, false) {
++                       if !isAtext(r, true) {
+                                atext = false
+                                break
+                        }
+@@ -479,7 +479,9 @@ func (p *addrParser) consumeGroupList() ([]*Address, error) {
+        // handle empty group.
+        p.skipSpace()
+        if p.consume(';') {
+-               p.skipCFWS()
++               if !p.skipCFWS() {
++                       return nil, errors.New("mail: misformatted parenthetical comment")
++               }
+                return group, nil
+        }
+ 
+@@ -496,7 +498,9 @@ func (p *addrParser) consumeGroupList() ([]*Address, error) {
+                        return nil, errors.New("mail: misformatted parenthetical comment")
+                }
+                if p.consume(';') {
+-                       p.skipCFWS()
++                       if !p.skipCFWS() {
++                               return nil, errors.New("mail: misformatted parenthetical comment")
++                       }
+                        break
+                }
+                if !p.consume(',') {
+@@ -566,6 +570,12 @@ func (p *addrParser) consumePhrase() (phrase string, err error) {
+        var words []string
+        var isPrevEncoded bool
+        for {
++               // obs-phrase allows CFWS after one word
++               if len(words) > 0 {
++                       if !p.skipCFWS() {
++                               return "", errors.New("mail: misformatted parenthetical comment")
++                       }
++               }
+                // word = atom / quoted-string
+                var word string
+                p.skipSpace()
+@@ -661,7 +671,6 @@ Loop:
+ // If dot is true, consumeAtom parses an RFC 5322 dot-atom instead.
+ // If permissive is true, consumeAtom will not fail on:
+ // - leading/trailing/double dots in the atom (see golang.org/issue/4938)
+-// - special characters (RFC 5322 3.2.3) except '<', '>', ':' and '"' (see golang.org/issue/21018)
+ func (p *addrParser) consumeAtom(dot bool, permissive bool) (atom string, err error) {
+        i := 0
+ 
+@@ -672,7 +681,7 @@ Loop:
+                case size == 1 && r == utf8.RuneError:
+                        return "", fmt.Errorf("mail: invalid utf-8 in address: %q", p.s)
+ 
+-               case size == 0 || !isAtext(r, dot, permissive):
++               case size == 0 || !isAtext(r, dot):
+                        break Loop
+ 
+                default:
+@@ -850,18 +859,13 @@ func (e charsetError) Error() string {
+ 
+ // isAtext reports whether r is an RFC 5322 atext character.
+ // If dot is true, period is included.
+-// If permissive is true, RFC 5322 3.2.3 specials is included,
+-// except '<', '>', ':' and '"'.
+-func isAtext(r rune, dot, permissive bool) bool {
++func isAtext(r rune, dot bool) bool {
+        switch r {
+        case '.':
+                return dot
+ 
+        // RFC 5322 3.2.3. specials
+-       case '(', ')', '[', ']', ';', '@', '\\', ',':
+-               return permissive
+-
+-       case '<', '>', '"', ':':
++       case '(', ')', '<', '>', '[', ']', ':', ';', '@', '\\', ',', '"': // RFC 5322 3.2.3. specials
+                return false
+        }
+        return isVchar(r)
+diff --git a/src/net/mail/message_test.go b/src/net/mail/message_test.go
+index 1e1bb4092f659..1f2f62afbf406 100644
+--- a/src/net/mail/message_test.go
++++ b/src/net/mail/message_test.go
+@@ -385,8 +385,11 @@ func TestAddressParsingError(t *testing.T) {
+                13: {"group not closed: null@example.com", "expected comma"},
+                14: {"group: first@example.com, second@example.com;", "group with multiple addresses"},
+                15: {"john.doe", "missing '@' or angle-addr"},
+-               16: {"john.doe@", "no angle-addr"},
++               16: {"john.doe@", "missing '@' or angle-addr"},
+                17: {"John Doe@foo.bar", "no angle-addr"},
++               18: {" group: null@example.com; (asd", "misformatted parenthetical comment"},
++               19: {" group: ; (asd", "misformatted parenthetical comment"},
++               20: {`(John) Doe <jdoe@machine.example>`, "missing word in phrase:"},
+        }
+ 
+        for i, tc := range mustErrTestCases {
+@@ -436,24 +439,19 @@ func TestAddressParsing(t *testing.T) {
+                                Address: "john.q.public@example.com",
+                        }},
+                },
+-               {
+-                       `"John (middle) Doe" <jdoe@machine.example>`,
+-                       []*Address{{
+-                               Name:    "John (middle) Doe",
+-                               Address: "jdoe@machine.example",
+-                       }},
+-               },
++               // Comment in display name
+                {
+                        `John (middle) Doe <jdoe@machine.example>`,
+                        []*Address{{
+-                               Name:    "John (middle) Doe",
++                               Name:    "John Doe",
+                                Address: "jdoe@machine.example",
+                        }},
+                },
++               // Display name is quoted string, so comment is not a comment
+                {
+-                       `John !@M@! Doe <jdoe@machine.example>`,
++                       `"John (middle) Doe" <jdoe@machine.example>`,
+                        []*Address{{
+-                               Name:    "John !@M@! Doe",
++                               Name:    "John (middle) Doe",
+                                Address: "jdoe@machine.example",
+                        }},
+                },
+@@ -788,6 +786,26 @@ func TestAddressParsing(t *testing.T) {
+                                },
+                        },
+                },
++               // Comment in group display name
++               {
++                       `group (comment:): a@example.com, b@example.com;`,
++                       []*Address{
++                               {
++                                       Address: "a@example.com",
++                               },
++                               {
++                                       Address: "b@example.com",
++                               },
++                       },
++               },
++               {
++                       `x(:"):"@a.example;("@b.example;`,
++                       []*Address{
++                               {
++                                       Address: `@a.example;(@b.example`,
++                               },
++                       },
++               },
+        }
+        for _, test := range tests {
+                if len(test.exp) == 1 {