diff options
Diffstat (limited to 'meta/recipes-devtools/go/go-1.14/CVE-2021-39293.patch')
-rw-r--r-- | meta/recipes-devtools/go/go-1.14/CVE-2021-39293.patch | 79 |
1 files changed, 79 insertions, 0 deletions
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2021-39293.patch b/meta/recipes-devtools/go/go-1.14/CVE-2021-39293.patch new file mode 100644 index 0000000000..88fca9cad9 --- /dev/null +++ b/meta/recipes-devtools/go/go-1.14/CVE-2021-39293.patch | |||
@@ -0,0 +1,79 @@ | |||
1 | From 6c480017ae600b2c90a264a922e041df04dfa785 Mon Sep 17 00:00:00 2001 | ||
2 | From: Roland Shoemaker <roland@golang.org> | ||
3 | Date: Wed, 18 Aug 2021 11:49:29 -0700 | ||
4 | Subject: [PATCH] [release-branch.go1.16] archive/zip: prevent preallocation | ||
5 | check from overflowing | ||
6 | |||
7 | If the indicated directory size in the archive header is so large that | ||
8 | subtracting it from the archive size overflows a uint64, the check that | ||
9 | the indicated number of files in the archive can be effectively | ||
10 | bypassed. Prevent this from happening by checking that the indicated | ||
11 | directory size is less than the size of the archive. | ||
12 | |||
13 | Thanks to the OSS-Fuzz project for discovering this issue and to | ||
14 | Emmanuel Odeke for reporting it. | ||
15 | |||
16 | Fixes #47985 | ||
17 | Updates #47801 | ||
18 | Fixes CVE-2021-39293 | ||
19 | |||
20 | Change-Id: Ifade26b98a40f3b37398ca86bd5252d12394dd24 | ||
21 | Reviewed-on: https://go-review.googlesource.com/c/go/+/343434 | ||
22 | Trust: Roland Shoemaker <roland@golang.org> | ||
23 | Run-TryBot: Roland Shoemaker <roland@golang.org> | ||
24 | TryBot-Result: Go Bot <gobot@golang.org> | ||
25 | Reviewed-by: Russ Cox <rsc@golang.org> | ||
26 | (cherry picked from commit bacbc33439b124ffd7392c91a5f5d96eca8c0c0b) | ||
27 | Reviewed-on: https://go-review.googlesource.com/c/go/+/345409 | ||
28 | Reviewed-by: Emmanuel Odeke <emmanuel@orijtech.com> | ||
29 | Run-TryBot: Emmanuel Odeke <emmanuel@orijtech.com> | ||
30 | Trust: Cherry Mui <cherryyz@google.com> | ||
31 | |||
32 | https://github.com/golang/go/commit/6c480017ae600b2c90a264a922e041df04dfa785 | ||
33 | CVE: CVE-2021-39293 | ||
34 | Upstream-Status: Backport | ||
35 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
36 | --- | ||
37 | src/archive/zip/reader.go | 2 +- | ||
38 | src/archive/zip/reader_test.go | 18 ++++++++++++++++++ | ||
39 | 2 files changed, 19 insertions(+), 1 deletion(-) | ||
40 | |||
41 | diff --git a/src/archive/zip/reader.go b/src/archive/zip/reader.go | ||
42 | index ddef2b7b5a517..801d1313b6c32 100644 | ||
43 | --- a/src/archive/zip/reader.go | ||
44 | +++ b/src/archive/zip/reader.go | ||
45 | @@ -105,7 +105,7 @@ func (z *Reader) init(r io.ReaderAt, size int64) error { | ||
46 | // indicate it contains up to 1 << 128 - 1 files. Since each file has a | ||
47 | // header which will be _at least_ 30 bytes we can safely preallocate | ||
48 | // if (data size / 30) >= end.directoryRecords. | ||
49 | - if (uint64(size)-end.directorySize)/30 >= end.directoryRecords { | ||
50 | + if end.directorySize < uint64(size) && (uint64(size)-end.directorySize)/30 >= end.directoryRecords { | ||
51 | z.File = make([]*File, 0, end.directoryRecords) | ||
52 | } | ||
53 | z.Comment = end.comment | ||
54 | diff --git a/src/archive/zip/reader_test.go b/src/archive/zip/reader_test.go | ||
55 | index 471be27bb1004..99f13345d8d06 100644 | ||
56 | --- a/src/archive/zip/reader_test.go | ||
57 | +++ b/src/archive/zip/reader_test.go | ||
58 | @@ -1225,3 +1225,21 @@ func TestCVE202133196(t *testing.T) { | ||
59 | t.Errorf("Archive has unexpected number of files, got %d, want 5", len(r.File)) | ||
60 | } | ||
61 | } | ||
62 | + | ||
63 | +func TestCVE202139293(t *testing.T) { | ||
64 | + // directory size is so large, that the check in Reader.init | ||
65 | + // overflows when subtracting from the archive size, causing | ||
66 | + // the pre-allocation check to be bypassed. | ||
67 | + data := []byte{ | ||
68 | + 0x50, 0x4b, 0x06, 0x06, 0x05, 0x06, 0x31, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x50, 0x4b, | ||
69 | + 0x06, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, | ||
70 | + 0x00, 0x00, 0x50, 0x4b, 0x05, 0x06, 0x00, 0x1a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x50, 0x4b, | ||
71 | + 0x06, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, | ||
72 | + 0x00, 0x00, 0x00, 0x50, 0x4b, 0x05, 0x06, 0x00, 0x31, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, | ||
73 | + 0xff, 0x50, 0xfe, 0x00, 0xff, 0x00, 0x3a, 0x00, 0x00, 0x00, 0xff, | ||
74 | + } | ||
75 | + _, err := NewReader(bytes.NewReader(data), int64(len(data))) | ||
76 | + if err != ErrFormat { | ||
77 | + t.Fatalf("unexpected error, got: %v, want: %v", err, ErrFormat) | ||
78 | + } | ||
79 | +} | ||