1 files changed, 271 insertions, 0 deletions
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-24675.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-24675.patch
new file mode 100644
index 0000000000..4bc012be21
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-24675.patch
@@ -0,0 +1,271 @@
+From 1eb931d60a24501a9668e5cb4647593e19115507 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Fri, 17 Jun 2022 12:22:53 +0530
+Subject: [PATCH] CVE-2022-24675
+Upstream-Status: Backport [https://go-review.googlesource.com/c/go/+/399816/]
+CVE: CVE-2022-24675
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/encoding/pem/pem.go      | 174 +++++++++++++++--------------------
+ src/encoding/pem/pem_test.go |  28 +++++-
+ 2 files changed, 101 insertions(+), 101 deletions(-)
+diff --git a/src/encoding/pem/pem.go b/src/encoding/pem/pem.go
+index a7272da..1bee1c1 100644
+--- a/src/encoding/pem/pem.go
+++ b/src/encoding/pem/pem.go
+@@ -87,123 +87,97 @@ func Decode(data []byte) (p *Block, rest []byte) {
+        // pemStart begins with a newline. However, at the very beginning of
+        // the byte array, we'll accept the start string without it.
+        rest = data
+-       if bytes.HasPrefix(data, pemStart[1:]) {
+-               rest = rest[len(pemStart)-1 : len(data)]
+-       } else if i := bytes.Index(data, pemStart); i >= 0 {
+-               rest = rest[i+len(pemStart) : len(data)]
+-       } else {
+-               return nil, data
+-       }
+-
+-       typeLine, rest := getLine(rest)
+-       if !bytes.HasSuffix(typeLine, pemEndOfLine) {
+-               return decodeError(data, rest)
+-       }
+-       typeLine = typeLine[0 : len(typeLine)-len(pemEndOfLine)]
+-
+-       p = &Block{
+-               Headers: make(map[string]string),
+-               Type:    string(typeLine),
+-       }
+-
+        for {
+-               // This loop terminates because getLine's second result is
+-               // always smaller than its argument.
+-               if len(rest) == 0 {
+               if bytes.HasPrefix(rest, pemStart[1:]) {
+                       rest = rest[len(pemStart)-1:]
+               } else if i := bytes.Index(rest, pemStart); i >= 0 {
+                       rest = rest[i+len(pemStart) : len(rest)]
+               } else {
+                        return nil, data
+                }
+-               line, next := getLine(rest)
+ 
+-               i := bytes.IndexByte(line, ':')
+-               if i == -1 {
+-                       break
+               var typeLine []byte
+               typeLine, rest = getLine(rest)
+               if !bytes.HasSuffix(typeLine, pemEndOfLine) {
+                       continue
+                }
+               typeLine = typeLine[0 : len(typeLine)-len(pemEndOfLine)]
+ 
+-               // TODO(agl): need to cope with values that spread across lines.
+-               key, val := line[:i], line[i+1:]
+-               key = bytes.TrimSpace(key)
+-               val = bytes.TrimSpace(val)
+-               p.Headers[string(key)] = string(val)
+-               rest = next
+-       }
+               p = &Block{
+                       Headers: make(map[string]string),
+                       Type:    string(typeLine),
+               }
+ 
+-       var endIndex, endTrailerIndex int
+               for {
+                       // This loop terminates because getLine's second result is
+                       // always smaller than its argument.
+                       if len(rest) == 0 {
+                               return nil, data
+                       }
+                       line, next := getLine(rest)
+ 
+-       // If there were no headers, the END line might occur
+-       // immediately, without a leading newline.
+-       if len(p.Headers) == 0 && bytes.HasPrefix(rest, pemEnd[1:]) {
+-               endIndex = 0
+-               endTrailerIndex = len(pemEnd) - 1
+-       } else {
+-               endIndex = bytes.Index(rest, pemEnd)
+-               endTrailerIndex = endIndex + len(pemEnd)
+-       }
+                       i := bytes.IndexByte(line, ':')
+                       if i == -1 {
+                               break
+                       }
+ 
+-       if endIndex < 0 {
+-               return decodeError(data, rest)
+-       }
+                       // TODO(agl): need to cope with values that spread across lines.
+                       key, val := line[:i], line[i+1:]
+                       key = bytes.TrimSpace(key)
+                       val = bytes.TrimSpace(val)
+                       p.Headers[string(key)] = string(val)
+                       rest = next
+               }
+ 
+-       // After the "-----" of the ending line, there should be the same type
+-       // and then a final five dashes.
+-       endTrailer := rest[endTrailerIndex:]
+-       endTrailerLen := len(typeLine) + len(pemEndOfLine)
+-       if len(endTrailer) < endTrailerLen {
+-               return decodeError(data, rest)
+-       }
+               var endIndex, endTrailerIndex int
+ 
+-       restOfEndLine := endTrailer[endTrailerLen:]
+-       endTrailer = endTrailer[:endTrailerLen]
+-       if !bytes.HasPrefix(endTrailer, typeLine) ||
+-               !bytes.HasSuffix(endTrailer, pemEndOfLine) {
+-               return decodeError(data, rest)
+-       }
+               // If there were no headers, the END line might occur
+               // immediately, without a leading newline.
+               if len(p.Headers) == 0 && bytes.HasPrefix(rest, pemEnd[1:]) {
+                       endIndex = 0
+                       endTrailerIndex = len(pemEnd) - 1
+               } else {
+                       endIndex = bytes.Index(rest, pemEnd)
+                       endTrailerIndex = endIndex + len(pemEnd)
+               }
+ 
+-       // The line must end with only whitespace.
+-       if s, _ := getLine(restOfEndLine); len(s) != 0 {
+-               return decodeError(data, rest)
+-       }
+               if endIndex < 0 {
+                       continue
+               }
+ 
+-       base64Data := removeSpacesAndTabs(rest[:endIndex])
+-       p.Bytes = make([]byte, base64.StdEncoding.DecodedLen(len(base64Data)))
+-       n, err := base64.StdEncoding.Decode(p.Bytes, base64Data)
+-       if err != nil {
+-               return decodeError(data, rest)
+-       }
+-       p.Bytes = p.Bytes[:n]
+               // After the "-----" of the ending line, there should be the same type
+               // and then a final five dashes.
+               endTrailer := rest[endTrailerIndex:]
+               endTrailerLen := len(typeLine) + len(pemEndOfLine)
+               if len(endTrailer) < endTrailerLen {
+                       continue
+               }
+
+               restOfEndLine := endTrailer[endTrailerLen:]
+               endTrailer = endTrailer[:endTrailerLen]
+               if !bytes.HasPrefix(endTrailer, typeLine) ||
+                       !bytes.HasSuffix(endTrailer, pemEndOfLine) {
+                       continue
+               }
+ 
+-       // the -1 is because we might have only matched pemEnd without the
+-       // leading newline if the PEM block was empty.
+-       _, rest = getLine(rest[endIndex+len(pemEnd)-1:])
+               // The line must end with only whitespace.
+               if s, _ := getLine(restOfEndLine); len(s) != 0 {
+                       continue
+               }
+ 
+-       return
+-}
+               base64Data := removeSpacesAndTabs(rest[:endIndex])
+               p.Bytes = make([]byte, base64.StdEncoding.DecodedLen(len(base64Data)))
+               n, err := base64.StdEncoding.Decode(p.Bytes, base64Data)
+               if err != nil {
+                       continue
+               }
+               p.Bytes = p.Bytes[:n]
+ 
+-func decodeError(data, rest []byte) (*Block, []byte) {
+-       // If we get here then we have rejected a likely looking, but
+-       // ultimately invalid PEM block. We need to start over from a new
+-       // position. We have consumed the preamble line and will have consumed
+-       // any lines which could be header lines. However, a valid preamble
+-       // line is not a valid header line, therefore we cannot have consumed
+-       // the preamble line for the any subsequent block. Thus, we will always
+-       // find any valid block, no matter what bytes precede it.
+-       //
+-       // For example, if the input is
+-       //
+-       //    -----BEGIN MALFORMED BLOCK-----
+-       //    junk that may look like header lines
+-       //   or data lines, but no END line
+-       //
+-       //    -----BEGIN ACTUAL BLOCK-----
+-       //    realdata
+-       //    -----END ACTUAL BLOCK-----
+-       //
+-       // we've failed to parse using the first BEGIN line
+-       // and now will try again, using the second BEGIN line.
+-       p, rest := Decode(rest)
+-       if p == nil {
+-               rest = data
+               // the -1 is because we might have only matched pemEnd without the
+               // leading newline if the PEM block was empty.
+               _, rest = getLine(rest[endIndex+len(pemEnd)-1:])
+               return p, rest
+        }
+-       return p, rest
+ }
+ 
+ const pemLineLength = 64
+diff --git a/src/encoding/pem/pem_test.go b/src/encoding/pem/pem_test.go
+index 8515b46..4485581 100644
+--- a/src/encoding/pem/pem_test.go
+++ b/src/encoding/pem/pem_test.go
+@@ -107,6 +107,12 @@ const pemMissingEndingSpace = `
+ dGVzdA==
+ -----ENDBAR-----`
+ 
+const pemMissingEndLine = `
+-----BEGIN FOO-----
+Header: 1`
+
+var pemRepeatingBegin = strings.Repeat("-----BEGIN \n", 10)
+
+ var badPEMTests = []struct {
+        name  string
+        input string
+@@ -131,14 +137,34 @@ var badPEMTests = []struct {
+                "missing ending space",
+                pemMissingEndingSpace,
+        },
+       {
+               "repeating begin",
+               pemRepeatingBegin,
+       },
+       {
+               "missing end line",
+               pemMissingEndLine,
+       },
+ }
+ 
+ func TestBadDecode(t *testing.T) {
+        for _, test := range badPEMTests {
+-               result, _ := Decode([]byte(test.input))
+               result, rest := Decode([]byte(test.input))
+                if result != nil {
+                        t.Errorf("unexpected success while parsing %q", test.name)
+                }
+               if string(rest) != test.input {
+                       t.Errorf("unexpected rest: %q; want = %q", rest, test.input)
+               }
+       }
+}
+
+func TestCVE202224675(t *testing.T) {
+       // Prior to CVE-2022-24675, this input would cause a stack overflow.
+       input := []byte(strings.Repeat("-----BEGIN \n", 10000000))
+       result, rest := Decode(input)
+       if result != nil || !reflect.DeepEqual(rest, input) {
+               t.Errorf("Encode of %#v decoded as %#v", input, rest)
+        }
+ }
+ 
+-- 
+2.25.1

diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-24675.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-24675.patch new file mode 100644 index 0000000000..4bc012be21 --- /dev/null +++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-24675.patch
@@ -0,0 +1,271 @@
	1	From 1eb931d60a24501a9668e5cb4647593e19115507 Mon Sep 17 00:00:00 2001
	2	From: Hitendra Prajapati <hprajapati@mvista.com>
	3	Date: Fri, 17 Jun 2022 12:22:53 +0530
	4	Subject: [PATCH] CVE-2022-24675
	5
	6	Upstream-Status: Backport [https://go-review.googlesource.com/c/go/+/399816/]
	7	CVE: CVE-2022-24675
	8	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
	9	---
	10	src/encoding/pem/pem.go \| 174 +++++++++++++++--------------------
	11	src/encoding/pem/pem_test.go \| 28 +++++-
	12	2 files changed, 101 insertions(+), 101 deletions(-)
	13
	14	diff --git a/src/encoding/pem/pem.go b/src/encoding/pem/pem.go
	15	index a7272da..1bee1c1 100644
	16	--- a/src/encoding/pem/pem.go
	17	+++ b/src/encoding/pem/pem.go
	18	@@ -87,123 +87,97 @@ func Decode(data []byte) (p *Block, rest []byte) {
	19	// pemStart begins with a newline. However, at the very beginning of
	20	// the byte array, we'll accept the start string without it.
	21	rest = data
	22	- if bytes.HasPrefix(data, pemStart[1:]) {
	23	- rest = rest[len(pemStart)-1 : len(data)]
	24	- } else if i := bytes.Index(data, pemStart); i >= 0 {
	25	- rest = rest[i+len(pemStart) : len(data)]
	26	- } else {
	27	- return nil, data
	28	- }
	29	-
	30	- typeLine, rest := getLine(rest)
	31	- if !bytes.HasSuffix(typeLine, pemEndOfLine) {
	32	- return decodeError(data, rest)
	33	- }
	34	- typeLine = typeLine[0 : len(typeLine)-len(pemEndOfLine)]
	35	-
	36	- p = &Block{
	37	- Headers: make(map[string]string),
	38	- Type: string(typeLine),
	39	- }
	40	-
	41	for {
	42	- // This loop terminates because getLine's second result is
	43	- // always smaller than its argument.
	44	- if len(rest) == 0 {
	45	+ if bytes.HasPrefix(rest, pemStart[1:]) {
	46	+ rest = rest[len(pemStart)-1:]
	47	+ } else if i := bytes.Index(rest, pemStart); i >= 0 {
	48	+ rest = rest[i+len(pemStart) : len(rest)]
	49	+ } else {
	50	return nil, data
	51	}
	52	- line, next := getLine(rest)
	53
	54	- i := bytes.IndexByte(line, ':')
	55	- if i == -1 {
	56	- break
	57	+ var typeLine []byte
	58	+ typeLine, rest = getLine(rest)
	59	+ if !bytes.HasSuffix(typeLine, pemEndOfLine) {
	60	+ continue
	61	}
	62	+ typeLine = typeLine[0 : len(typeLine)-len(pemEndOfLine)]
	63
	64	- // TODO(agl): need to cope with values that spread across lines.
	65	- key, val := line[:i], line[i+1:]
	66	- key = bytes.TrimSpace(key)
	67	- val = bytes.TrimSpace(val)
	68	- p.Headers[string(key)] = string(val)
	69	- rest = next
	70	- }
	71	+ p = &Block{
	72	+ Headers: make(map[string]string),
	73	+ Type: string(typeLine),
	74	+ }
	75
	76	- var endIndex, endTrailerIndex int
	77	+ for {
	78	+ // This loop terminates because getLine's second result is
	79	+ // always smaller than its argument.
	80	+ if len(rest) == 0 {
	81	+ return nil, data
	82	+ }
	83	+ line, next := getLine(rest)
	84
	85	- // If there were no headers, the END line might occur
	86	- // immediately, without a leading newline.
	87	- if len(p.Headers) == 0 && bytes.HasPrefix(rest, pemEnd[1:]) {
	88	- endIndex = 0
	89	- endTrailerIndex = len(pemEnd) - 1
	90	- } else {
	91	- endIndex = bytes.Index(rest, pemEnd)
	92	- endTrailerIndex = endIndex + len(pemEnd)
	93	- }
	94	+ i := bytes.IndexByte(line, ':')
	95	+ if i == -1 {
	96	+ break
	97	+ }
	98
	99	- if endIndex < 0 {
	100	- return decodeError(data, rest)
	101	- }
	102	+ // TODO(agl): need to cope with values that spread across lines.
	103	+ key, val := line[:i], line[i+1:]
	104	+ key = bytes.TrimSpace(key)
	105	+ val = bytes.TrimSpace(val)
	106	+ p.Headers[string(key)] = string(val)
	107	+ rest = next
	108	+ }
	109
	110	- // After the "-----" of the ending line, there should be the same type
	111	- // and then a final five dashes.
	112	- endTrailer := rest[endTrailerIndex:]
	113	- endTrailerLen := len(typeLine) + len(pemEndOfLine)
	114	- if len(endTrailer) < endTrailerLen {
	115	- return decodeError(data, rest)
	116	- }
	117	+ var endIndex, endTrailerIndex int
	118
	119	- restOfEndLine := endTrailer[endTrailerLen:]
	120	- endTrailer = endTrailer[:endTrailerLen]
	121	- if !bytes.HasPrefix(endTrailer, typeLine) \|\|
	122	- !bytes.HasSuffix(endTrailer, pemEndOfLine) {
	123	- return decodeError(data, rest)
	124	- }
	125	+ // If there were no headers, the END line might occur
	126	+ // immediately, without a leading newline.
	127	+ if len(p.Headers) == 0 && bytes.HasPrefix(rest, pemEnd[1:]) {
	128	+ endIndex = 0
	129	+ endTrailerIndex = len(pemEnd) - 1
	130	+ } else {
	131	+ endIndex = bytes.Index(rest, pemEnd)
	132	+ endTrailerIndex = endIndex + len(pemEnd)
	133	+ }
	134
	135	- // The line must end with only whitespace.
	136	- if s, _ := getLine(restOfEndLine); len(s) != 0 {
	137	- return decodeError(data, rest)
	138	- }
	139	+ if endIndex < 0 {
	140	+ continue
	141	+ }
	142
	143	- base64Data := removeSpacesAndTabs(rest[:endIndex])
	144	- p.Bytes = make([]byte, base64.StdEncoding.DecodedLen(len(base64Data)))
	145	- n, err := base64.StdEncoding.Decode(p.Bytes, base64Data)
	146	- if err != nil {
	147	- return decodeError(data, rest)
	148	- }
	149	- p.Bytes = p.Bytes[:n]
	150	+ // After the "-----" of the ending line, there should be the same type
	151	+ // and then a final five dashes.
	152	+ endTrailer := rest[endTrailerIndex:]
	153	+ endTrailerLen := len(typeLine) + len(pemEndOfLine)
	154	+ if len(endTrailer) < endTrailerLen {
	155	+ continue
	156	+ }
	157	+
	158	+ restOfEndLine := endTrailer[endTrailerLen:]
	159	+ endTrailer = endTrailer[:endTrailerLen]
	160	+ if !bytes.HasPrefix(endTrailer, typeLine) \|\|
	161	+ !bytes.HasSuffix(endTrailer, pemEndOfLine) {
	162	+ continue
	163	+ }
	164
	165	- // the -1 is because we might have only matched pemEnd without the
	166	- // leading newline if the PEM block was empty.
	167	- _, rest = getLine(rest[endIndex+len(pemEnd)-1:])
	168	+ // The line must end with only whitespace.
	169	+ if s, _ := getLine(restOfEndLine); len(s) != 0 {
	170	+ continue
	171	+ }
	172
	173	- return
	174	-}
	175	+ base64Data := removeSpacesAndTabs(rest[:endIndex])
	176	+ p.Bytes = make([]byte, base64.StdEncoding.DecodedLen(len(base64Data)))
	177	+ n, err := base64.StdEncoding.Decode(p.Bytes, base64Data)
	178	+ if err != nil {
	179	+ continue
	180	+ }
	181	+ p.Bytes = p.Bytes[:n]
	182
	183	-func decodeError(data, rest []byte) (*Block, []byte) {
	184	- // If we get here then we have rejected a likely looking, but
	185	- // ultimately invalid PEM block. We need to start over from a new
	186	- // position. We have consumed the preamble line and will have consumed
	187	- // any lines which could be header lines. However, a valid preamble
	188	- // line is not a valid header line, therefore we cannot have consumed
	189	- // the preamble line for the any subsequent block. Thus, we will always
	190	- // find any valid block, no matter what bytes precede it.
	191	- //
	192	- // For example, if the input is
	193	- //
	194	- // -----BEGIN MALFORMED BLOCK-----
	195	- // junk that may look like header lines
	196	- // or data lines, but no END line
	197	- //
	198	- // -----BEGIN ACTUAL BLOCK-----
	199	- // realdata
	200	- // -----END ACTUAL BLOCK-----
	201	- //
	202	- // we've failed to parse using the first BEGIN line
	203	- // and now will try again, using the second BEGIN line.
	204	- p, rest := Decode(rest)
	205	- if p == nil {
	206	- rest = data
	207	+ // the -1 is because we might have only matched pemEnd without the
	208	+ // leading newline if the PEM block was empty.
	209	+ _, rest = getLine(rest[endIndex+len(pemEnd)-1:])
	210	+ return p, rest
	211	}
	212	- return p, rest
	213	}
	214
	215	const pemLineLength = 64
	216	diff --git a/src/encoding/pem/pem_test.go b/src/encoding/pem/pem_test.go
	217	index 8515b46..4485581 100644
	218	--- a/src/encoding/pem/pem_test.go
	219	+++ b/src/encoding/pem/pem_test.go
	220	@@ -107,6 +107,12 @@ const pemMissingEndingSpace = `
	221	dGVzdA==
	222	-----ENDBAR-----`
	223
	224	+const pemMissingEndLine = `
	225	+-----BEGIN FOO-----
	226	+Header: 1`
	227	+
	228	+var pemRepeatingBegin = strings.Repeat("-----BEGIN \n", 10)
	229	+
	230	var badPEMTests = []struct {
	231	name string
	232	input string
	233	@@ -131,14 +137,34 @@ var badPEMTests = []struct {
	234	"missing ending space",
	235	pemMissingEndingSpace,
	236	},
	237	+ {
	238	+ "repeating begin",
	239	+ pemRepeatingBegin,
	240	+ },
	241	+ {
	242	+ "missing end line",
	243	+ pemMissingEndLine,
	244	+ },
	245	}
	246
	247	func TestBadDecode(t *testing.T) {
	248	for _, test := range badPEMTests {
	249	- result, _ := Decode([]byte(test.input))
	250	+ result, rest := Decode([]byte(test.input))
	251	if result != nil {
	252	t.Errorf("unexpected success while parsing %q", test.name)
	253	}
	254	+ if string(rest) != test.input {
	255	+ t.Errorf("unexpected rest: %q; want = %q", rest, test.input)
	256	+ }
	257	+ }
	258	+}
	259	+
	260	+func TestCVE202224675(t *testing.T) {
	261	+ // Prior to CVE-2022-24675, this input would cause a stack overflow.
	262	+ input := []byte(strings.Repeat("-----BEGIN \n", 10000000))
	263	+ result, rest := Decode(input)
	264	+ if result != nil \|\| !reflect.DeepEqual(rest, input) {
	265	+ t.Errorf("Encode of %#v decoded as %#v", input, rest)
	266	}
	267	}
	268
	269	--
	270	2.25.1
	271