1 files changed, 124 insertions, 0 deletions
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2021-33196.patch b/meta/recipes-devtools/go/go-1.14/CVE-2021-33196.patch
new file mode 100644
index 0000000000..2e2dc62c49
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2021-33196.patch
@@ -0,0 +1,124 @@
+From 74242baa4136c7a9132a8ccd9881354442788c8c Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <roland@golang.org>
+Date: Tue, 11 May 2021 11:31:31 -0700
+Subject: [PATCH] archive/zip: only preallocate File slice if reasonably sized
+Since the number of files in the EOCD record isn't validated, it isn't
+safe to preallocate Reader.Files using that field. A malformed archive
+can indicate it contains up to 1 << 128 - 1 files. We can still safely
+preallocate the slice by checking if the specified number of files in
+the archive is reasonable, given the size of the archive.
+Thanks to the OSS-Fuzz project for discovering this issue and to
+Emmanuel Odeke for reporting it.
+Fixes #46242
+Fixes CVE-2021-33196
+Change-Id: I3c76d8eec178468b380d87fdb4a3f2cb06f0ee76
+Reviewed-on: https://go-review.googlesource.com/c/go/+/318909
+Trust: Roland Shoemaker <roland@golang.org>
+Trust: Katie Hockman <katie@golang.org>
+Trust: Joe Tsai <thebrokentoaster@gmail.com>
+Run-TryBot: Roland Shoemaker <roland@golang.org>
+TryBot-Result: Go Bot <gobot@golang.org>
+Reviewed-by: Katie Hockman <katie@golang.org>
+Reviewed-by: Joe Tsai <thebrokentoaster@gmail.com>
+Upstream-Status: Backport
+CVE: CVE-2021-33196
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ src/archive/zip/reader.go      | 10 +++++-
+ src/archive/zip/reader_test.go | 59 ++++++++++++++++++++++++++++++++++
+ 2 files changed, 68 insertions(+), 1 deletion(-)
+Index: go/src/archive/zip/reader.go
+===================================================================
+--- go.orig/src/archive/zip/reader.go
+++ go/src/archive/zip/reader.go
+@@ -84,7 +84,15 @@ func (z *Reader) init(r io.ReaderAt, siz
+                return err
+        }
+        z.r = r
+-       z.File = make([]*File, 0, end.directoryRecords)
+       // Since the number of directory records is not validated, it is not
+       // safe to preallocate z.File without first checking that the specified
+       // number of files is reasonable, since a malformed archive may
+       // indicate it contains up to 1 << 128 - 1 files. Since each file has a
+       // header which will be _at least_ 30 bytes we can safely preallocate
+       // if (data size / 30) >= end.directoryRecords.
+       if (uint64(size)-end.directorySize)/30 >= end.directoryRecords {
+               z.File = make([]*File, 0, end.directoryRecords)
+       }
+        z.Comment = end.comment
+        rs := io.NewSectionReader(r, 0, size)
+        if _, err = rs.Seek(int64(end.directoryOffset), io.SeekStart); err != nil {
+Index: go/src/archive/zip/reader_test.go
+===================================================================
+--- go.orig/src/archive/zip/reader_test.go
+++ go/src/archive/zip/reader_test.go
+@@ -1070,3 +1070,62 @@ func TestIssue12449(t *testing.T) {
+                t.Errorf("Error reading the archive: %v", err)
+        }
+ }
+
+func TestCVE202133196(t *testing.T) {
+       // Archive that indicates it has 1 << 128 -1 files,
+       // this would previously cause a panic due to attempting
+       // to allocate a slice with 1 << 128 -1 elements.
+       data := []byte{
+               0x50, 0x4b, 0x03, 0x04, 0x14, 0x00, 0x08, 0x08,
+               0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+               0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+               0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x01, 0x02,
+               0x03, 0x62, 0x61, 0x65, 0x03, 0x04, 0x00, 0x00,
+               0xff, 0xff, 0x50, 0x4b, 0x07, 0x08, 0xbe, 0x20,
+               0x5c, 0x6c, 0x09, 0x00, 0x00, 0x00, 0x03, 0x00,
+               0x00, 0x00, 0x50, 0x4b, 0x01, 0x02, 0x14, 0x00,
+               0x14, 0x00, 0x08, 0x08, 0x08, 0x00, 0x00, 0x00,
+               0x00, 0x00, 0xbe, 0x20, 0x5c, 0x6c, 0x09, 0x00,
+               0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x03, 0x00,
+               0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+               0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+               0x01, 0x02, 0x03, 0x50, 0x4b, 0x06, 0x06, 0x2c,
+               0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d,
+               0x00, 0x2d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+               0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
+               0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 0xff,
+               0xff, 0xff, 0xff, 0x31, 0x00, 0x00, 0x00, 0x00,
+               0x00, 0x00, 0x00, 0x3a, 0x00, 0x00, 0x00, 0x00,
+               0x00, 0x00, 0x00, 0x50, 0x4b, 0x06, 0x07, 0x00,
+               0x00, 0x00, 0x00, 0x6b, 0x00, 0x00, 0x00, 0x00,
+               0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x50,
+               0x4b, 0x05, 0x06, 0x00, 0x00, 0x00, 0x00, 0xff,
+               0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+               0xff, 0xff, 0xff, 0x00, 0x00,
+       }
+       _, err := NewReader(bytes.NewReader(data), int64(len(data)))
+       if err != ErrFormat {
+               t.Fatalf("unexpected error, got: %v, want: %v", err, ErrFormat)
+       }
+
+       // Also check that an archive containing a handful of empty
+       // files doesn't cause an issue
+       b := bytes.NewBuffer(nil)
+       w := NewWriter(b)
+       for i := 0; i < 5; i++ {
+               _, err := w.Create("")
+               if err != nil {
+                       t.Fatalf("Writer.Create failed: %s", err)
+               }
+       }
+       if err := w.Close(); err != nil {
+               t.Fatalf("Writer.Close failed: %s", err)
+       }
+       r, err := NewReader(bytes.NewReader(b.Bytes()), int64(b.Len()))
+       if err != nil {
+               t.Fatalf("NewReader failed: %s", err)
+       }
+       if len(r.File) != 5 {
+               t.Errorf("Archive has unexpected number of files, got %d, want 5", len(r.File))
+       }
+}

diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2021-33196.patch b/meta/recipes-devtools/go/go-1.14/CVE-2021-33196.patch new file mode 100644 index 0000000000..2e2dc62c49 --- /dev/null +++ b/meta/recipes-devtools/go/go-1.14/CVE-2021-33196.patch
@@ -0,0 +1,124 @@
	1	From 74242baa4136c7a9132a8ccd9881354442788c8c Mon Sep 17 00:00:00 2001
	2	From: Roland Shoemaker <roland@golang.org>
	3	Date: Tue, 11 May 2021 11:31:31 -0700
	4	Subject: [PATCH] archive/zip: only preallocate File slice if reasonably sized
	5
	6	Since the number of files in the EOCD record isn't validated, it isn't
	7	safe to preallocate Reader.Files using that field. A malformed archive
	8	can indicate it contains up to 1 << 128 - 1 files. We can still safely
	9	preallocate the slice by checking if the specified number of files in
	10	the archive is reasonable, given the size of the archive.
	11
	12	Thanks to the OSS-Fuzz project for discovering this issue and to
	13	Emmanuel Odeke for reporting it.
	14
	15	Fixes #46242
	16	Fixes CVE-2021-33196
	17
	18	Change-Id: I3c76d8eec178468b380d87fdb4a3f2cb06f0ee76
	19	Reviewed-on: https://go-review.googlesource.com/c/go/+/318909
	20	Trust: Roland Shoemaker <roland@golang.org>
	21	Trust: Katie Hockman <katie@golang.org>
	22	Trust: Joe Tsai <thebrokentoaster@gmail.com>
	23	Run-TryBot: Roland Shoemaker <roland@golang.org>
	24	TryBot-Result: Go Bot <gobot@golang.org>
	25	Reviewed-by: Katie Hockman <katie@golang.org>
	26	Reviewed-by: Joe Tsai <thebrokentoaster@gmail.com>
	27
	28	Upstream-Status: Backport
	29	CVE: CVE-2021-33196
	30	Signed-off-by: Armin Kuster <akuster@mvista.com>
	31
	32	---
	33	src/archive/zip/reader.go \| 10 +++++-
	34	src/archive/zip/reader_test.go \| 59 ++++++++++++++++++++++++++++++++++
	35	2 files changed, 68 insertions(+), 1 deletion(-)
	36
	37	Index: go/src/archive/zip/reader.go
	38	===================================================================
	39	--- go.orig/src/archive/zip/reader.go
	40	+++ go/src/archive/zip/reader.go
	41	@@ -84,7 +84,15 @@ func (z *Reader) init(r io.ReaderAt, siz
	42	return err
	43	}
	44	z.r = r
	45	- z.File = make([]*File, 0, end.directoryRecords)
	46	+ // Since the number of directory records is not validated, it is not
	47	+ // safe to preallocate z.File without first checking that the specified
	48	+ // number of files is reasonable, since a malformed archive may
	49	+ // indicate it contains up to 1 << 128 - 1 files. Since each file has a
	50	+ // header which will be _at least_ 30 bytes we can safely preallocate
	51	+ // if (data size / 30) >= end.directoryRecords.
	52	+ if (uint64(size)-end.directorySize)/30 >= end.directoryRecords {
	53	+ z.File = make([]*File, 0, end.directoryRecords)
	54	+ }
	55	z.Comment = end.comment
	56	rs := io.NewSectionReader(r, 0, size)
	57	if _, err = rs.Seek(int64(end.directoryOffset), io.SeekStart); err != nil {
	58	Index: go/src/archive/zip/reader_test.go
	59	===================================================================
	60	--- go.orig/src/archive/zip/reader_test.go
	61	+++ go/src/archive/zip/reader_test.go
	62	@@ -1070,3 +1070,62 @@ func TestIssue12449(t *testing.T) {
	63	t.Errorf("Error reading the archive: %v", err)
	64	}
	65	}
	66	+
	67	+func TestCVE202133196(t *testing.T) {
	68	+ // Archive that indicates it has 1 << 128 -1 files,
	69	+ // this would previously cause a panic due to attempting
	70	+ // to allocate a slice with 1 << 128 -1 elements.
	71	+ data := []byte{
	72	+ 0x50, 0x4b, 0x03, 0x04, 0x14, 0x00, 0x08, 0x08,
	73	+ 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
	74	+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
	75	+ 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x01, 0x02,
	76	+ 0x03, 0x62, 0x61, 0x65, 0x03, 0x04, 0x00, 0x00,
	77	+ 0xff, 0xff, 0x50, 0x4b, 0x07, 0x08, 0xbe, 0x20,
	78	+ 0x5c, 0x6c, 0x09, 0x00, 0x00, 0x00, 0x03, 0x00,
	79	+ 0x00, 0x00, 0x50, 0x4b, 0x01, 0x02, 0x14, 0x00,
	80	+ 0x14, 0x00, 0x08, 0x08, 0x08, 0x00, 0x00, 0x00,
	81	+ 0x00, 0x00, 0xbe, 0x20, 0x5c, 0x6c, 0x09, 0x00,
	82	+ 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x03, 0x00,
	83	+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
	84	+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
	85	+ 0x01, 0x02, 0x03, 0x50, 0x4b, 0x06, 0x06, 0x2c,
	86	+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d,
	87	+ 0x00, 0x2d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
	88	+ 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
	89	+ 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 0xff,
	90	+ 0xff, 0xff, 0xff, 0x31, 0x00, 0x00, 0x00, 0x00,
	91	+ 0x00, 0x00, 0x00, 0x3a, 0x00, 0x00, 0x00, 0x00,
	92	+ 0x00, 0x00, 0x00, 0x50, 0x4b, 0x06, 0x07, 0x00,
	93	+ 0x00, 0x00, 0x00, 0x6b, 0x00, 0x00, 0x00, 0x00,
	94	+ 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x50,
	95	+ 0x4b, 0x05, 0x06, 0x00, 0x00, 0x00, 0x00, 0xff,
	96	+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
	97	+ 0xff, 0xff, 0xff, 0x00, 0x00,
	98	+ }
	99	+ _, err := NewReader(bytes.NewReader(data), int64(len(data)))
	100	+ if err != ErrFormat {
	101	+ t.Fatalf("unexpected error, got: %v, want: %v", err, ErrFormat)
	102	+ }
	103	+
	104	+ // Also check that an archive containing a handful of empty
	105	+ // files doesn't cause an issue
	106	+ b := bytes.NewBuffer(nil)
	107	+ w := NewWriter(b)
	108	+ for i := 0; i < 5; i++ {
	109	+ _, err := w.Create("")
	110	+ if err != nil {
	111	+ t.Fatalf("Writer.Create failed: %s", err)
	112	+ }
	113	+ }
	114	+ if err := w.Close(); err != nil {
	115	+ t.Fatalf("Writer.Close failed: %s", err)
	116	+ }
	117	+ r, err := NewReader(bytes.NewReader(b.Bytes()), int64(b.Len()))
	118	+ if err != nil {
	119	+ t.Fatalf("NewReader failed: %s", err)
	120	+ }
	121	+ if len(r.File) != 5 {
	122	+ t.Errorf("Archive has unexpected number of files, got %d, want 5", len(r.File))
	123	+ }
	124	+}