1 files changed, 79 insertions, 0 deletions
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2021-39293.patch b/meta/recipes-devtools/go/go-1.14/CVE-2021-39293.patch
new file mode 100644
index 0000000000..88fca9cad9
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2021-39293.patch
@@ -0,0 +1,79 @@
+From 6c480017ae600b2c90a264a922e041df04dfa785 Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <roland@golang.org>
+Date: Wed, 18 Aug 2021 11:49:29 -0700
+Subject: [PATCH] [release-branch.go1.16] archive/zip: prevent preallocation
+ check from overflowing
+If the indicated directory size in the archive header is so large that
+subtracting it from the archive size overflows a uint64, the check that
+the indicated number of files in the archive can be effectively
+bypassed. Prevent this from happening by checking that the indicated
+directory size is less than the size of the archive.
+Thanks to the OSS-Fuzz project for discovering this issue and to
+Emmanuel Odeke for reporting it.
+Fixes #47985
+Updates #47801
+Fixes CVE-2021-39293
+Change-Id: Ifade26b98a40f3b37398ca86bd5252d12394dd24
+Reviewed-on: https://go-review.googlesource.com/c/go/+/343434
+Trust: Roland Shoemaker <roland@golang.org>
+Run-TryBot: Roland Shoemaker <roland@golang.org>
+TryBot-Result: Go Bot <gobot@golang.org>
+Reviewed-by: Russ Cox <rsc@golang.org>
+(cherry picked from commit bacbc33439b124ffd7392c91a5f5d96eca8c0c0b)
+Reviewed-on: https://go-review.googlesource.com/c/go/+/345409
+Reviewed-by: Emmanuel Odeke <emmanuel@orijtech.com>
+Run-TryBot: Emmanuel Odeke <emmanuel@orijtech.com>
+Trust: Cherry Mui <cherryyz@google.com>
+https://github.com/golang/go/commit/6c480017ae600b2c90a264a922e041df04dfa785
+CVE: CVE-2021-39293
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ src/archive/zip/reader.go      |  2 +-
+ src/archive/zip/reader_test.go | 18 ++++++++++++++++++
+ 2 files changed, 19 insertions(+), 1 deletion(-)
+diff --git a/src/archive/zip/reader.go b/src/archive/zip/reader.go
+index ddef2b7b5a517..801d1313b6c32 100644
+--- a/src/archive/zip/reader.go
+++ b/src/archive/zip/reader.go
+@@ -105,7 +105,7 @@ func (z *Reader) init(r io.ReaderAt, size int64) error {
+        // indicate it contains up to 1 << 128 - 1 files. Since each file has a
+        // header which will be _at least_ 30 bytes we can safely preallocate
+        // if (data size / 30) >= end.directoryRecords.
+-       if (uint64(size)-end.directorySize)/30 >= end.directoryRecords {
+       if end.directorySize < uint64(size) && (uint64(size)-end.directorySize)/30 >= end.directoryRecords {
+                z.File = make([]*File, 0, end.directoryRecords)
+        }
+        z.Comment = end.comment
+diff --git a/src/archive/zip/reader_test.go b/src/archive/zip/reader_test.go
+index 471be27bb1004..99f13345d8d06 100644
+--- a/src/archive/zip/reader_test.go
+++ b/src/archive/zip/reader_test.go
+@@ -1225,3 +1225,21 @@ func TestCVE202133196(t *testing.T) {
+                t.Errorf("Archive has unexpected number of files, got %d, want 5", len(r.File))
+        }
+ }
+
+func TestCVE202139293(t *testing.T) {
+       // directory size is so large, that the check in Reader.init
+       // overflows when subtracting from the archive size, causing
+       // the pre-allocation check to be bypassed.
+       data := []byte{
+               0x50, 0x4b, 0x06, 0x06, 0x05, 0x06, 0x31, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x50, 0x4b,
+               0x06, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
+               0x00, 0x00, 0x50, 0x4b, 0x05, 0x06, 0x00, 0x1a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x50, 0x4b,
+               0x06, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
+               0x00, 0x00, 0x00, 0x50, 0x4b, 0x05, 0x06, 0x00, 0x31, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff,
+               0xff, 0x50, 0xfe, 0x00, 0xff, 0x00, 0x3a, 0x00, 0x00, 0x00, 0xff,
+       }
+       _, err := NewReader(bytes.NewReader(data), int64(len(data)))
+       if err != ErrFormat {
+               t.Fatalf("unexpected error, got: %v, want: %v", err, ErrFormat)
+       }
+}

diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2021-39293.patch b/meta/recipes-devtools/go/go-1.14/CVE-2021-39293.patch new file mode 100644 index 0000000000..88fca9cad9 --- /dev/null +++ b/meta/recipes-devtools/go/go-1.14/CVE-2021-39293.patch
@@ -0,0 +1,79 @@
	1	From 6c480017ae600b2c90a264a922e041df04dfa785 Mon Sep 17 00:00:00 2001
	2	From: Roland Shoemaker <roland@golang.org>
	3	Date: Wed, 18 Aug 2021 11:49:29 -0700
	4	Subject: [PATCH] [release-branch.go1.16] archive/zip: prevent preallocation
	5	check from overflowing
	6
	7	If the indicated directory size in the archive header is so large that
	8	subtracting it from the archive size overflows a uint64, the check that
	9	the indicated number of files in the archive can be effectively
	10	bypassed. Prevent this from happening by checking that the indicated
	11	directory size is less than the size of the archive.
	12
	13	Thanks to the OSS-Fuzz project for discovering this issue and to
	14	Emmanuel Odeke for reporting it.
	15
	16	Fixes #47985
	17	Updates #47801
	18	Fixes CVE-2021-39293
	19
	20	Change-Id: Ifade26b98a40f3b37398ca86bd5252d12394dd24
	21	Reviewed-on: https://go-review.googlesource.com/c/go/+/343434
	22	Trust: Roland Shoemaker <roland@golang.org>
	23	Run-TryBot: Roland Shoemaker <roland@golang.org>
	24	TryBot-Result: Go Bot <gobot@golang.org>
	25	Reviewed-by: Russ Cox <rsc@golang.org>
	26	(cherry picked from commit bacbc33439b124ffd7392c91a5f5d96eca8c0c0b)
	27	Reviewed-on: https://go-review.googlesource.com/c/go/+/345409
	28	Reviewed-by: Emmanuel Odeke <emmanuel@orijtech.com>
	29	Run-TryBot: Emmanuel Odeke <emmanuel@orijtech.com>
	30	Trust: Cherry Mui <cherryyz@google.com>
	31
	32	https://github.com/golang/go/commit/6c480017ae600b2c90a264a922e041df04dfa785
	33	CVE: CVE-2021-39293
	34	Upstream-Status: Backport
	35	Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
	36	---
	37	src/archive/zip/reader.go \| 2 +-
	38	src/archive/zip/reader_test.go \| 18 ++++++++++++++++++
	39	2 files changed, 19 insertions(+), 1 deletion(-)
	40
	41	diff --git a/src/archive/zip/reader.go b/src/archive/zip/reader.go
	42	index ddef2b7b5a517..801d1313b6c32 100644
	43	--- a/src/archive/zip/reader.go
	44	+++ b/src/archive/zip/reader.go
	45	@@ -105,7 +105,7 @@ func (z *Reader) init(r io.ReaderAt, size int64) error {
	46	// indicate it contains up to 1 << 128 - 1 files. Since each file has a
	47	// header which will be _at least_ 30 bytes we can safely preallocate
	48	// if (data size / 30) >= end.directoryRecords.
	49	- if (uint64(size)-end.directorySize)/30 >= end.directoryRecords {
	50	+ if end.directorySize < uint64(size) && (uint64(size)-end.directorySize)/30 >= end.directoryRecords {
	51	z.File = make([]*File, 0, end.directoryRecords)
	52	}
	53	z.Comment = end.comment
	54	diff --git a/src/archive/zip/reader_test.go b/src/archive/zip/reader_test.go
	55	index 471be27bb1004..99f13345d8d06 100644
	56	--- a/src/archive/zip/reader_test.go
	57	+++ b/src/archive/zip/reader_test.go
	58	@@ -1225,3 +1225,21 @@ func TestCVE202133196(t *testing.T) {
	59	t.Errorf("Archive has unexpected number of files, got %d, want 5", len(r.File))
	60	}
	61	}
	62	+
	63	+func TestCVE202139293(t *testing.T) {
	64	+ // directory size is so large, that the check in Reader.init
	65	+ // overflows when subtracting from the archive size, causing
	66	+ // the pre-allocation check to be bypassed.
	67	+ data := []byte{
	68	+ 0x50, 0x4b, 0x06, 0x06, 0x05, 0x06, 0x31, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x50, 0x4b,
	69	+ 0x06, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
	70	+ 0x00, 0x00, 0x50, 0x4b, 0x05, 0x06, 0x00, 0x1a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x50, 0x4b,
	71	+ 0x06, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
	72	+ 0x00, 0x00, 0x00, 0x50, 0x4b, 0x05, 0x06, 0x00, 0x31, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff,
	73	+ 0xff, 0x50, 0xfe, 0x00, 0xff, 0x00, 0x3a, 0x00, 0x00, 0x00, 0xff,
	74	+ }
	75	+ _, err := NewReader(bytes.NewReader(data), int64(len(data)))
	76	+ if err != ErrFormat {
	77	+ t.Fatalf("unexpected error, got: %v, want: %v", err, ErrFormat)
	78	+ }
	79	+}