1 files changed, 116 insertions, 0 deletions
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-30631.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-30631.patch
new file mode 100644
index 0000000000..5dcfd27f16
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-30631.patch
@@ -0,0 +1,116 @@
+From d10fc3a84e3344f2421c1dd3046faa50709ab4d5 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Thu, 25 Aug 2022 11:01:21 +0530
+Subject: [PATCH] CVE-2022-30631
+Upstream-Status: Backport [https://github.com/golang/go/commit/0117dee7dccbbd7803d88f65a2ce8bd686219ad3]
+CVE: CVE-2022-30631
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/compress/gzip/gunzip.go      | 60 +++++++++++++++-----------------
+ src/compress/gzip/gunzip_test.go | 16 +++++++++
+ 2 files changed, 45 insertions(+), 31 deletions(-)
+diff --git a/src/compress/gzip/gunzip.go b/src/compress/gzip/gunzip.go
+index 924bce1..237b2b9 100644
+--- a/src/compress/gzip/gunzip.go
+++ b/src/compress/gzip/gunzip.go
+@@ -248,42 +248,40 @@ func (z *Reader) Read(p []byte) (n int, err error) {
+                return 0, z.err
+        }
+ 
+-       n, z.err = z.decompressor.Read(p)
+-       z.digest = crc32.Update(z.digest, crc32.IEEETable, p[:n])
+-       z.size += uint32(n)
+-       if z.err != io.EOF {
+-               // In the normal case we return here.
+-               return n, z.err
+-       }
+       for n == 0 {
+               n, z.err = z.decompressor.Read(p)
+               z.digest = crc32.Update(z.digest, crc32.IEEETable, p[:n])
+               z.size += uint32(n)
+               if z.err != io.EOF {
+                       // In the normal case we return here.
+                       return n, z.err
+               }
+ 
+-       // Finished file; check checksum and size.
+-       if _, err := io.ReadFull(z.r, z.buf[:8]); err != nil {
+-               z.err = noEOF(err)
+-               return n, z.err
+-       }
+-       digest := le.Uint32(z.buf[:4])
+-       size := le.Uint32(z.buf[4:8])
+-       if digest != z.digest || size != z.size {
+-               z.err = ErrChecksum
+-               return n, z.err
+-       }
+-       z.digest, z.size = 0, 0
+               // Finished file; check checksum and size.
+               if _, err := io.ReadFull(z.r, z.buf[:8]); err != nil {
+                       z.err = noEOF(err)
+                       return n, z.err
+               }
+               digest := le.Uint32(z.buf[:4])
+               size := le.Uint32(z.buf[4:8])
+               if digest != z.digest || size != z.size {
+                       z.err = ErrChecksum
+                       return n, z.err
+               }
+               z.digest, z.size = 0, 0
+ 
+-       // File is ok; check if there is another.
+-       if !z.multistream {
+-               return n, io.EOF
+-       }
+-       z.err = nil // Remove io.EOF
+               // File is ok; check if there is another.
+               if !z.multistream {
+                       return n, io.EOF
+               }
+               z.err = nil // Remove io.EOF
+ 
+-       if _, z.err = z.readHeader(); z.err != nil {
+-               return n, z.err
+               if _, z.err = z.readHeader(); z.err != nil {
+                       return n, z.err
+               }
+        }
+ 
+-       // Read from next file, if necessary.
+-       if n > 0 {
+-               return n, nil
+-       }
+-       return z.Read(p)
+       return n, nil
+ }
+ 
+ // Close closes the Reader. It does not close the underlying io.Reader.
+diff --git a/src/compress/gzip/gunzip_test.go b/src/compress/gzip/gunzip_test.go
+index 1b01404..95220ae 100644
+--- a/src/compress/gzip/gunzip_test.go
+++ b/src/compress/gzip/gunzip_test.go
+@@ -516,3 +516,19 @@ func TestTruncatedStreams(t *testing.T) {
+                }
+        }
+ }
+
+func TestCVE202230631(t *testing.T) {
+       var empty = []byte{0x1f, 0x8b, 0x08, 0x00, 0xa7, 0x8f, 0x43, 0x62, 0x00,
+               0x03, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}
+       r := bytes.NewReader(bytes.Repeat(empty, 4e6))
+       z, err := NewReader(r)
+       if err != nil {
+               t.Fatalf("NewReader: got %v, want nil", err)
+       }
+       // Prior to CVE-2022-30631 fix, this would cause an unrecoverable panic due
+       // to stack exhaustion.
+       _, err = z.Read(make([]byte, 10))
+       if err != io.EOF {
+               t.Errorf("Reader.Read: got %v, want %v", err, io.EOF)
+       }
+}
+-- 
+2.25.1

diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-30631.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-30631.patch new file mode 100644 index 0000000000..5dcfd27f16 --- /dev/null +++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-30631.patch
@@ -0,0 +1,116 @@
	1	From d10fc3a84e3344f2421c1dd3046faa50709ab4d5 Mon Sep 17 00:00:00 2001
	2	From: Hitendra Prajapati <hprajapati@mvista.com>
	3	Date: Thu, 25 Aug 2022 11:01:21 +0530
	4	Subject: [PATCH] CVE-2022-30631
	5
	6	Upstream-Status: Backport [https://github.com/golang/go/commit/0117dee7dccbbd7803d88f65a2ce8bd686219ad3]
	7	CVE: CVE-2022-30631
	8	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
	9	---
	10	src/compress/gzip/gunzip.go \| 60 +++++++++++++++-----------------
	11	src/compress/gzip/gunzip_test.go \| 16 +++++++++
	12	2 files changed, 45 insertions(+), 31 deletions(-)
	13
	14	diff --git a/src/compress/gzip/gunzip.go b/src/compress/gzip/gunzip.go
	15	index 924bce1..237b2b9 100644
	16	--- a/src/compress/gzip/gunzip.go
	17	+++ b/src/compress/gzip/gunzip.go
	18	@@ -248,42 +248,40 @@ func (z *Reader) Read(p []byte) (n int, err error) {
	19	return 0, z.err
	20	}
	21
	22	- n, z.err = z.decompressor.Read(p)
	23	- z.digest = crc32.Update(z.digest, crc32.IEEETable, p[:n])
	24	- z.size += uint32(n)
	25	- if z.err != io.EOF {
	26	- // In the normal case we return here.
	27	- return n, z.err
	28	- }
	29	+ for n == 0 {
	30	+ n, z.err = z.decompressor.Read(p)
	31	+ z.digest = crc32.Update(z.digest, crc32.IEEETable, p[:n])
	32	+ z.size += uint32(n)
	33	+ if z.err != io.EOF {
	34	+ // In the normal case we return here.
	35	+ return n, z.err
	36	+ }
	37
	38	- // Finished file; check checksum and size.
	39	- if _, err := io.ReadFull(z.r, z.buf[:8]); err != nil {
	40	- z.err = noEOF(err)
	41	- return n, z.err
	42	- }
	43	- digest := le.Uint32(z.buf[:4])
	44	- size := le.Uint32(z.buf[4:8])
	45	- if digest != z.digest \|\| size != z.size {
	46	- z.err = ErrChecksum
	47	- return n, z.err
	48	- }
	49	- z.digest, z.size = 0, 0
	50	+ // Finished file; check checksum and size.
	51	+ if _, err := io.ReadFull(z.r, z.buf[:8]); err != nil {
	52	+ z.err = noEOF(err)
	53	+ return n, z.err
	54	+ }
	55	+ digest := le.Uint32(z.buf[:4])
	56	+ size := le.Uint32(z.buf[4:8])
	57	+ if digest != z.digest \|\| size != z.size {
	58	+ z.err = ErrChecksum
	59	+ return n, z.err
	60	+ }
	61	+ z.digest, z.size = 0, 0
	62
	63	- // File is ok; check if there is another.
	64	- if !z.multistream {
	65	- return n, io.EOF
	66	- }
	67	- z.err = nil // Remove io.EOF
	68	+ // File is ok; check if there is another.
	69	+ if !z.multistream {
	70	+ return n, io.EOF
	71	+ }
	72	+ z.err = nil // Remove io.EOF
	73
	74	- if _, z.err = z.readHeader(); z.err != nil {
	75	- return n, z.err
	76	+ if _, z.err = z.readHeader(); z.err != nil {
	77	+ return n, z.err
	78	+ }
	79	}
	80
	81	- // Read from next file, if necessary.
	82	- if n > 0 {
	83	- return n, nil
	84	- }
	85	- return z.Read(p)
	86	+ return n, nil
	87	}
	88
	89	// Close closes the Reader. It does not close the underlying io.Reader.
	90	diff --git a/src/compress/gzip/gunzip_test.go b/src/compress/gzip/gunzip_test.go
	91	index 1b01404..95220ae 100644
	92	--- a/src/compress/gzip/gunzip_test.go
	93	+++ b/src/compress/gzip/gunzip_test.go
	94	@@ -516,3 +516,19 @@ func TestTruncatedStreams(t *testing.T) {
	95	}
	96	}
	97	}
	98	+
	99	+func TestCVE202230631(t *testing.T) {
	100	+ var empty = []byte{0x1f, 0x8b, 0x08, 0x00, 0xa7, 0x8f, 0x43, 0x62, 0x00,
	101	+ 0x03, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}
	102	+ r := bytes.NewReader(bytes.Repeat(empty, 4e6))
	103	+ z, err := NewReader(r)
	104	+ if err != nil {
	105	+ t.Fatalf("NewReader: got %v, want nil", err)
	106	+ }
	107	+ // Prior to CVE-2022-30631 fix, this would cause an unrecoverable panic due
	108	+ // to stack exhaustion.
	109	+ _, err = z.Read(make([]byte, 10))
	110	+ if err != io.EOF {
	111	+ t.Errorf("Reader.Read: got %v, want %v", err, io.EOF)
	112	+ }
	113	+}
	114	--
	115	2.25.1
	116