1 files changed, 71 insertions, 0 deletions
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-30632.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-30632.patch
new file mode 100644
index 0000000000..c54ef56a0e
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-30632.patch
@@ -0,0 +1,71 @@
+From 35d1dfe9746029aea9027b405c75555d41ffd2f8 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Thu, 25 Aug 2022 13:12:40 +0530
+Subject: [PATCH] CVE-2022-30632
+Upstream-Status: Backport [https://github.com/golang/go/commit/76f8b7304d1f7c25834e2a0cc9e88c55276c47df]
+CVE: CVE-2022-30632
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/path/filepath/match.go      | 16 +++++++++++++++-
+ src/path/filepath/match_test.go | 10 ++++++++++
+ 2 files changed, 25 insertions(+), 1 deletion(-)
+diff --git a/src/path/filepath/match.go b/src/path/filepath/match.go
+index 46badb5..ba68daa 100644
+--- a/src/path/filepath/match.go
+++ b/src/path/filepath/match.go
+@@ -232,6 +232,20 @@ func getEsc(chunk string) (r rune, nchunk string, err error) {
+ // The only possible returned error is ErrBadPattern, when pattern
+ // is malformed.
+ func Glob(pattern string) (matches []string, err error) {
+       return globWithLimit(pattern, 0)
+}
+
+func globWithLimit(pattern string, depth int) (matches []string, err error) {
+       // This limit is used prevent stack exhaustion issues. See CVE-2022-30632.
+       const pathSeparatorsLimit = 10000
+       if depth == pathSeparatorsLimit {
+               return nil, ErrBadPattern
+       }
+
+       // Check pattern is well-formed.
+       if _, err := Match(pattern, ""); err != nil {
+               return nil, err
+       }
+        if !hasMeta(pattern) {
+                if _, err = os.Lstat(pattern); err != nil {
+                        return nil, nil
+@@ -257,7 +271,7 @@ func Glob(pattern string) (matches []string, err error) {
+        }
+ 
+        var m []string
+-       m, err = Glob(dir)
+       m, err = globWithLimit(dir, depth+1)
+        if err != nil {
+                return
+        }
+diff --git a/src/path/filepath/match_test.go b/src/path/filepath/match_test.go
+index b865762..c37c812 100644
+--- a/src/path/filepath/match_test.go
+++ b/src/path/filepath/match_test.go
+@@ -154,6 +154,16 @@ func TestGlob(t *testing.T) {
+        }
+ }
+ 
+func TestCVE202230632(t *testing.T) {
+       // Prior to CVE-2022-30632, this would cause a stack exhaustion given a
+       // large number of separators (more than 4,000,000). There is now a limit
+       // of 10,000.
+       _, err := Glob("/*" + strings.Repeat("/", 10001))
+       if err != ErrBadPattern {
+               t.Fatalf("Glob returned err=%v, want ErrBadPattern", err)
+       }
+}
+
+ func TestGlobError(t *testing.T) {
+        _, err := Glob("[]")
+        if err == nil {
+-- 
+2.25.1

diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-30632.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-30632.patch new file mode 100644 index 0000000000..c54ef56a0e --- /dev/null +++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-30632.patch
@@ -0,0 +1,71 @@
	1	From 35d1dfe9746029aea9027b405c75555d41ffd2f8 Mon Sep 17 00:00:00 2001
	2	From: Hitendra Prajapati <hprajapati@mvista.com>
	3	Date: Thu, 25 Aug 2022 13:12:40 +0530
	4	Subject: [PATCH] CVE-2022-30632
	5
	6	Upstream-Status: Backport [https://github.com/golang/go/commit/76f8b7304d1f7c25834e2a0cc9e88c55276c47df]
	7	CVE: CVE-2022-30632
	8	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
	9	---
	10	src/path/filepath/match.go \| 16 +++++++++++++++-
	11	src/path/filepath/match_test.go \| 10 ++++++++++
	12	2 files changed, 25 insertions(+), 1 deletion(-)
	13
	14	diff --git a/src/path/filepath/match.go b/src/path/filepath/match.go
	15	index 46badb5..ba68daa 100644
	16	--- a/src/path/filepath/match.go
	17	+++ b/src/path/filepath/match.go
	18	@@ -232,6 +232,20 @@ func getEsc(chunk string) (r rune, nchunk string, err error) {
	19	// The only possible returned error is ErrBadPattern, when pattern
	20	// is malformed.
	21	func Glob(pattern string) (matches []string, err error) {
	22	+ return globWithLimit(pattern, 0)
	23	+}
	24	+
	25	+func globWithLimit(pattern string, depth int) (matches []string, err error) {
	26	+ // This limit is used prevent stack exhaustion issues. See CVE-2022-30632.
	27	+ const pathSeparatorsLimit = 10000
	28	+ if depth == pathSeparatorsLimit {
	29	+ return nil, ErrBadPattern
	30	+ }
	31	+
	32	+ // Check pattern is well-formed.
	33	+ if _, err := Match(pattern, ""); err != nil {
	34	+ return nil, err
	35	+ }
	36	if !hasMeta(pattern) {
	37	if _, err = os.Lstat(pattern); err != nil {
	38	return nil, nil
	39	@@ -257,7 +271,7 @@ func Glob(pattern string) (matches []string, err error) {
	40	}
	41
	42	var m []string
	43	- m, err = Glob(dir)
	44	+ m, err = globWithLimit(dir, depth+1)
	45	if err != nil {
	46	return
	47	}
	48	diff --git a/src/path/filepath/match_test.go b/src/path/filepath/match_test.go
	49	index b865762..c37c812 100644
	50	--- a/src/path/filepath/match_test.go
	51	+++ b/src/path/filepath/match_test.go
	52	@@ -154,6 +154,16 @@ func TestGlob(t *testing.T) {
	53	}
	54	}
	55
	56	+func TestCVE202230632(t *testing.T) {
	57	+ // Prior to CVE-2022-30632, this would cause a stack exhaustion given a
	58	+ // large number of separators (more than 4,000,000). There is now a limit
	59	+ // of 10,000.
	60	+ _, err := Glob("/*" + strings.Repeat("/", 10001))
	61	+ if err != ErrBadPattern {
	62	+ t.Fatalf("Glob returned err=%v, want ErrBadPattern", err)
	63	+ }
	64	+}
	65	+
	66	func TestGlobError(t *testing.T) {
	67	_, err := Glob("[]")
	68	if err == nil {
	69	--
	70	2.25.1
	71