1 files changed, 85 insertions, 0 deletions
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-41725-pre1.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-41725-pre1.patch
new file mode 100644
index 0000000000..37ebc41947
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-41725-pre1.patch
@@ -0,0 +1,85 @@
+From 874b3132a84cf76da6a48978826c04c380a37a50 Mon Sep 17 00:00:00 2001
+From: avivklas <avivklas@gmail.com>
+Date: Fri, 7 Aug 2020 21:50:12 +0300
+Subject: [PATCH] mime/multipart: return overflow errors in Reader.ReadForm
+Updates Reader.ReadForm to check for overflow errors that may
+result from a leeway addition of 10MiB to the input argument
+maxMemory.
+Fixes #40430
+Change-Id: I510b8966c95c51d04695ba9d08fcfe005fd11a5d
+Reviewed-on: https://go-review.googlesource.com/c/go/+/247477
+Run-TryBot: Emmanuel Odeke <emm.odeke@gmail.com>
+Trust: Cuong Manh Le <cuong.manhle.vn@gmail.com>
+Trust: Emmanuel Odeke <emm.odeke@gmail.com>
+TryBot-Result: Go Bot <gobot@golang.org>
+Reviewed-by: Emmanuel Odeke <emm.odeke@gmail.com>
+Upstream-Status: Backport [https://github.com/golang/go/commit/874b3132a84cf76da6a48978826c04c380a37a50]
+CVE: CVE-2022-41725 #Dependency Patch1
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/mime/multipart/formdata.go      |  4 ++++
+ src/mime/multipart/formdata_test.go | 18 ++++++++++++++++++
+ 2 files changed, 22 insertions(+)
+diff --git a/src/mime/multipart/formdata.go b/src/mime/multipart/formdata.go
+index 832d0ad693666..4eb31012941ac 100644
+--- a/src/mime/multipart/formdata.go
+++ b/src/mime/multipart/formdata.go
+@@ -7,6 +7,7 @@ package multipart
+ import (
+        "bytes"
+        "errors"
+       "fmt"
+        "io"
+        "io/ioutil"
+        "net/textproto"
+@@ -41,6 +42,9 @@ func (r *Reader) readForm(maxMemory int64) (_ *Form, err error) {
+ 
+        // Reserve an additional 10 MB for non-file parts.
+        maxValueBytes := maxMemory + int64(10<<20)
+       if maxValueBytes <= 0 {
+               return nil, fmt.Errorf("multipart: integer overflow from maxMemory(%d) + 10MiB for non-file parts", maxMemory)
+       }
+        for {
+                p, err := r.NextPart()
+                if err == io.EOF {
+diff --git a/src/mime/multipart/formdata_test.go b/src/mime/multipart/formdata_test.go
+index 7d756c8c244a0..7112e0d3727fe 100644
+--- a/src/mime/multipart/formdata_test.go
+++ b/src/mime/multipart/formdata_test.go
+@@ -7,6 +7,7 @@ package multipart
+ import (
+        "bytes"
+        "io"
+       "math"
+        "os"
+        "strings"
+        "testing"
+@@ -52,6 +53,23 @@ func TestReadFormWithNamelessFile(t *testing.T) {
+        }
+ }
+ 
+// Issue 40430: Ensure that we report integer overflows in additions of maxMemory,
+// instead of silently and subtly failing without indication.
+func TestReadFormMaxMemoryOverflow(t *testing.T) {
+       b := strings.NewReader(strings.ReplaceAll(messageWithTextContentType, "\n", "\r\n"))
+       r := NewReader(b, boundary)
+       f, err := r.ReadForm(math.MaxInt64)
+       if err == nil {
+               t.Fatal("Unexpected a non-nil error")
+       }
+       if f != nil {
+               t.Fatalf("Unexpected returned a non-nil form: %v\n", f)
+       }
+       if g, w := err.Error(), "integer overflow from maxMemory"; !strings.Contains(g, w) {
+               t.Errorf(`Error mismatch\n%q\ndid not contain\n%q`, g, w)
+       }
+}
+
+ func TestReadFormWithTextContentType(t *testing.T) {
+        // From https://github.com/golang/go/issues/24041
+        b := strings.NewReader(strings.ReplaceAll(messageWithTextContentType, "\n", "\r\n"))

diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-41725-pre1.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-41725-pre1.patch new file mode 100644 index 0000000000..37ebc41947 --- /dev/null +++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-41725-pre1.patch
@@ -0,0 +1,85 @@
	1	From 874b3132a84cf76da6a48978826c04c380a37a50 Mon Sep 17 00:00:00 2001
	2	From: avivklas <avivklas@gmail.com>
	3	Date: Fri, 7 Aug 2020 21:50:12 +0300
	4	Subject: [PATCH] mime/multipart: return overflow errors in Reader.ReadForm
	5
	6	Updates Reader.ReadForm to check for overflow errors that may
	7	result from a leeway addition of 10MiB to the input argument
	8	maxMemory.
	9
	10	Fixes #40430
	11
	12	Change-Id: I510b8966c95c51d04695ba9d08fcfe005fd11a5d
	13	Reviewed-on: https://go-review.googlesource.com/c/go/+/247477
	14	Run-TryBot: Emmanuel Odeke <emm.odeke@gmail.com>
	15	Trust: Cuong Manh Le <cuong.manhle.vn@gmail.com>
	16	Trust: Emmanuel Odeke <emm.odeke@gmail.com>
	17	TryBot-Result: Go Bot <gobot@golang.org>
	18	Reviewed-by: Emmanuel Odeke <emm.odeke@gmail.com>
	19
	20	Upstream-Status: Backport [https://github.com/golang/go/commit/874b3132a84cf76da6a48978826c04c380a37a50]
	21	CVE: CVE-2022-41725 #Dependency Patch1
	22	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
	23	---
	24	src/mime/multipart/formdata.go \| 4 ++++
	25	src/mime/multipart/formdata_test.go \| 18 ++++++++++++++++++
	26	2 files changed, 22 insertions(+)
	27
	28	diff --git a/src/mime/multipart/formdata.go b/src/mime/multipart/formdata.go
	29	index 832d0ad693666..4eb31012941ac 100644
	30	--- a/src/mime/multipart/formdata.go
	31	+++ b/src/mime/multipart/formdata.go
	32	@@ -7,6 +7,7 @@ package multipart
	33	import (
	34	"bytes"
	35	"errors"
	36	+ "fmt"
	37	"io"
	38	"io/ioutil"
	39	"net/textproto"
	40	@@ -41,6 +42,9 @@ func (r Reader) readForm(maxMemory int64) (_ Form, err error) {
	41
	42	// Reserve an additional 10 MB for non-file parts.
	43	maxValueBytes := maxMemory + int64(10<<20)
	44	+ if maxValueBytes <= 0 {
	45	+ return nil, fmt.Errorf("multipart: integer overflow from maxMemory(%d) + 10MiB for non-file parts", maxMemory)
	46	+ }
	47	for {
	48	p, err := r.NextPart()
	49	if err == io.EOF {
	50	diff --git a/src/mime/multipart/formdata_test.go b/src/mime/multipart/formdata_test.go
	51	index 7d756c8c244a0..7112e0d3727fe 100644
	52	--- a/src/mime/multipart/formdata_test.go
	53	+++ b/src/mime/multipart/formdata_test.go
	54	@@ -7,6 +7,7 @@ package multipart
	55	import (
	56	"bytes"
	57	"io"
	58	+ "math"
	59	"os"
	60	"strings"
	61	"testing"
	62	@@ -52,6 +53,23 @@ func TestReadFormWithNamelessFile(t *testing.T) {
	63	}
	64	}
	65
	66	+// Issue 40430: Ensure that we report integer overflows in additions of maxMemory,
	67	+// instead of silently and subtly failing without indication.
	68	+func TestReadFormMaxMemoryOverflow(t *testing.T) {
	69	+ b := strings.NewReader(strings.ReplaceAll(messageWithTextContentType, "\n", "\r\n"))
	70	+ r := NewReader(b, boundary)
	71	+ f, err := r.ReadForm(math.MaxInt64)
	72	+ if err == nil {
	73	+ t.Fatal("Unexpected a non-nil error")
	74	+ }
	75	+ if f != nil {
	76	+ t.Fatalf("Unexpected returned a non-nil form: %v\n", f)
	77	+ }
	78	+ if g, w := err.Error(), "integer overflow from maxMemory"; !strings.Contains(g, w) {
	79	+ t.Errorf(`Error mismatch\n%q\ndid not contain\n%q`, g, w)
	80	+ }
	81	+}
	82	+
	83	func TestReadFormWithTextContentType(t *testing.T) {
	84	// From https://github.com/golang/go/issues/24041
	85	b := strings.NewReader(strings.ReplaceAll(messageWithTextContentType, "\n", "\r\n"))