1 files changed, 82 insertions, 0 deletions
diff --git a/meta/recipes-devtools/go/go-1.14/0004-CVE-2022-32190.patch b/meta/recipes-devtools/go/go-1.14/0004-CVE-2022-32190.patch
new file mode 100644
index 0000000000..4bdff3aed4
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/0004-CVE-2022-32190.patch
@@ -0,0 +1,82 @@
+From f61e428699cbb52bab31fe2c124f49d085a209fe Mon Sep 17 00:00:00 2001
+From: Damien Neil <dneil@google.com>
+Date: Fri, 12 Aug 2022 16:21:09 -0700
+Subject: [PATCH 4/4] net/url: consistently remove ../ elements in JoinPath
+JoinPath would fail to remove relative elements from the start of
+the path when the first path element is "".
+In addition, JoinPath would return the original path unmodified
+when provided with no elements to join, violating the documented
+behavior of always cleaning the resulting path.
+Correct both these cases.
+    JoinPath("http://go.dev", "../go")
+    // before: http://go.dev/../go
+    // after:  http://go.dev/go
+    JoinPath("http://go.dev/../go")
+    // before: http://go.dev/../go
+    // after:  http://go.dev/go
+For #54385.
+Fixes #54635.
+Fixes CVE-2022-32190.
+Change-Id: I6d22cd160d097c50703dd96e4f453c6c118fd5d9
+Reviewed-on: https://go-review.googlesource.com/c/go/+/423514
+Reviewed-by: David Chase <drchase@google.com>
+Reviewed-by: Alan Donovan <adonovan@google.com>
+(cherry picked from commit 0765da5884adcc8b744979303a36a27092d8fc51)
+Reviewed-on: https://go-review.googlesource.com/c/go/+/425357
+Run-TryBot: Damien Neil <dneil@google.com>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Upstream-Status: Backport [https://github.com/golang/go/commit/28335508913a46e05ef0c04a18e8a1a6beb775ec]
+CVE: CVE-2022-32190
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ src/net/url/url.go | 26 ++++++++++++++++----------
+ 1 file changed, 16 insertions(+), 10 deletions(-)
+diff --git a/src/net/url/url.go b/src/net/url/url.go
+index 73079a5..1e8baf9 100644
+--- a/src/net/url/url.go
+++ b/src/net/url/url.go
+@@ -1109,17 +1109,23 @@ func (u *URL) UnmarshalBinary(text []byte) error {
+ // any existing path and the resulting path cleaned of any ./ or ../ elements.
+ // Any sequences of multiple / characters will be reduced to a single /.
+ func (u *URL) JoinPath(elem ...string) *URL {
+-       url := *u
+-       if len(elem) > 0 {
+-               elem = append([]string{u.EscapedPath()}, elem...)
+-               p := path.Join(elem...)
+-               // path.Join will remove any trailing slashes.
+-               // Preserve at least one.
+-               if strings.HasSuffix(elem[len(elem)-1], "/") && !strings.HasSuffix(p, "/") {
+-                       p += "/"
+-               }
+-               url.setPath(p)
+       elem = append([]string{u.EscapedPath()}, elem...)
+       var p string
+       if !strings.HasPrefix(elem[0], "/") {
+               // Return a relative path if u is relative,
+               // but ensure that it contains no ../ elements.
+               elem[0] = "/" + elem[0]
+               p = path.Join(elem...)[1:]
+       } else {
+               p = path.Join(elem...)
+        }
+       // path.Join will remove any trailing slashes.
+       // Preserve at least one.
+       if strings.HasSuffix(elem[len(elem)-1], "/") && !strings.HasSuffix(p, "/") {
+               p += "/"
+       }
+       url := *u
+       url.setPath(p)
+        return &url
+ }
+--
+2.7.4

diff --git a/meta/recipes-devtools/go/go-1.14/0004-CVE-2022-32190.patch b/meta/recipes-devtools/go/go-1.14/0004-CVE-2022-32190.patch new file mode 100644 index 0000000000..4bdff3aed4 --- /dev/null +++ b/meta/recipes-devtools/go/go-1.14/0004-CVE-2022-32190.patch
@@ -0,0 +1,82 @@
	1	From f61e428699cbb52bab31fe2c124f49d085a209fe Mon Sep 17 00:00:00 2001
	2	From: Damien Neil <dneil@google.com>
	3	Date: Fri, 12 Aug 2022 16:21:09 -0700
	4	Subject: [PATCH 4/4] net/url: consistently remove ../ elements in JoinPath
	5
	6	JoinPath would fail to remove relative elements from the start of
	7	the path when the first path element is "".
	8
	9	In addition, JoinPath would return the original path unmodified
	10	when provided with no elements to join, violating the documented
	11	behavior of always cleaning the resulting path.
	12
	13	Correct both these cases.
	14
	15	JoinPath("http://go.dev", "../go")
	16	// before: http://go.dev/../go
	17	// after: http://go.dev/go
	18
	19	JoinPath("http://go.dev/../go")
	20	// before: http://go.dev/../go
	21	// after: http://go.dev/go
	22
	23	For #54385.
	24	Fixes #54635.
	25	Fixes CVE-2022-32190.
	26
	27	Change-Id: I6d22cd160d097c50703dd96e4f453c6c118fd5d9
	28	Reviewed-on: https://go-review.googlesource.com/c/go/+/423514
	29	Reviewed-by: David Chase <drchase@google.com>
	30	Reviewed-by: Alan Donovan <adonovan@google.com>
	31	(cherry picked from commit 0765da5884adcc8b744979303a36a27092d8fc51)
	32	Reviewed-on: https://go-review.googlesource.com/c/go/+/425357
	33	Run-TryBot: Damien Neil <dneil@google.com>
	34	TryBot-Result: Gopher Robot <gobot@golang.org>
	35
	36	Upstream-Status: Backport [https://github.com/golang/go/commit/28335508913a46e05ef0c04a18e8a1a6beb775ec]
	37	CVE: CVE-2022-32190
	38	Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
	39	---
	40	src/net/url/url.go \| 26 ++++++++++++++++----------
	41	1 file changed, 16 insertions(+), 10 deletions(-)
	42
	43	diff --git a/src/net/url/url.go b/src/net/url/url.go
	44	index 73079a5..1e8baf9 100644
	45	--- a/src/net/url/url.go
	46	+++ b/src/net/url/url.go
	47	@@ -1109,17 +1109,23 @@ func (u *URL) UnmarshalBinary(text []byte) error {
	48	// any existing path and the resulting path cleaned of any ./ or ../ elements.
	49	// Any sequences of multiple / characters will be reduced to a single /.
	50	func (u URL) JoinPath(elem ...string) URL {
	51	- url := *u
	52	- if len(elem) > 0 {
	53	- elem = append([]string{u.EscapedPath()}, elem...)
	54	- p := path.Join(elem...)
	55	- // path.Join will remove any trailing slashes.
	56	- // Preserve at least one.
	57	- if strings.HasSuffix(elem[len(elem)-1], "/") && !strings.HasSuffix(p, "/") {
	58	- p += "/"
	59	- }
	60	- url.setPath(p)
	61	+ elem = append([]string{u.EscapedPath()}, elem...)
	62	+ var p string
	63	+ if !strings.HasPrefix(elem[0], "/") {
	64	+ // Return a relative path if u is relative,
	65	+ // but ensure that it contains no ../ elements.
	66	+ elem[0] = "/" + elem[0]
	67	+ p = path.Join(elem...)[1:]
	68	+ } else {
	69	+ p = path.Join(elem...)
	70	}
	71	+ // path.Join will remove any trailing slashes.
	72	+ // Preserve at least one.
	73	+ if strings.HasSuffix(elem[len(elem)-1], "/") && !strings.HasSuffix(p, "/") {
	74	+ p += "/"
	75	+ }
	76	+ url := *u
	77	+ url.setPath(p)
	78	return &url
	79	}
	80
	81	--
	82	2.7.4