1 files changed, 98 insertions, 0 deletions
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-41725-pre3.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-41725-pre3.patch
new file mode 100644
index 0000000000..767225b888
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-41725-pre3.patch
@@ -0,0 +1,98 @@
+From 5246fa5e75b129a7dbd9722aa4de0cbaf7ceae43 Mon Sep 17 00:00:00 2001
+From: Russ Cox <rsc@golang.org>
+Date: Thu, 3 Dec 2020 09:45:07 -0500
+Subject: [PATCH] mime/multipart: handle ReadForm(math.MaxInt64) better
+Returning an error about integer overflow is needlessly pedantic.
+The meaning of ReadForm(MaxInt64) is easily understood
+(accept a lot of data) and can be implemented.
+Fixes #40430.
+Change-Id: I8a522033dd9a2f9ad31dd2ad82cf08d553736ab9
+Reviewed-on: https://go-review.googlesource.com/c/go/+/275112
+Trust: Russ Cox <rsc@golang.org>
+Run-TryBot: Russ Cox <rsc@golang.org>
+TryBot-Result: Go Bot <gobot@golang.org>
+Reviewed-by: Ian Lance Taylor <iant@golang.org>
+Upstream-Status: Backport [https://github.com/golang/go/commit/5246fa5e75b129a7dbd9722aa4de0cbaf7ceae43]
+CVE: CVE-2022-41725 #Dependency Patch3
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/mime/multipart/formdata.go      |  8 ++++++--
+ src/mime/multipart/formdata_test.go | 14 +++++---------
+ src/net/http/request_test.go        |  2 +-
+ 3 files changed, 12 insertions(+), 12 deletions(-)
+diff --git a/src/mime/multipart/formdata.go b/src/mime/multipart/formdata.go
+index 4eb31012941ac..9c42ea8c023b5 100644
+--- a/src/mime/multipart/formdata.go
+++ b/src/mime/multipart/formdata.go
+@@ -7,9 +7,9 @@ package multipart
+ import (
+        "bytes"
+        "errors"
+-       "fmt"
+        "io"
+        "io/ioutil"
+       "math"
+        "net/textproto"
+        "os"
+ )
+@@ -43,7 +43,11 @@ func (r *Reader) readForm(maxMemory int64) (_ *Form, err error) {
+        // Reserve an additional 10 MB for non-file parts.
+        maxValueBytes := maxMemory + int64(10<<20)
+        if maxValueBytes <= 0 {
+-               return nil, fmt.Errorf("multipart: integer overflow from maxMemory(%d) + 10MiB for non-file parts", maxMemory)
+               if maxMemory < 0 {
+                       maxValueBytes = 0
+               } else {
+                       maxValueBytes = math.MaxInt64
+               }
+        }
+        for {
+                p, err := r.NextPart()
+diff --git a/src/mime/multipart/formdata_test.go b/src/mime/multipart/formdata_test.go
+index 7112e0d3727fe..e3a3a3eae8e15 100644
+--- a/src/mime/multipart/formdata_test.go
+++ b/src/mime/multipart/formdata_test.go
+@@ -53,20 +53,16 @@ func TestReadFormWithNamelessFile(t *testing.T) {
+        }
+ }
+ 
+-// Issue 40430: Ensure that we report integer overflows in additions of maxMemory,
+-// instead of silently and subtly failing without indication.
+// Issue 40430: Handle ReadForm(math.MaxInt64)
+ func TestReadFormMaxMemoryOverflow(t *testing.T) {
+        b := strings.NewReader(strings.ReplaceAll(messageWithTextContentType, "\n", "\r\n"))
+        r := NewReader(b, boundary)
+        f, err := r.ReadForm(math.MaxInt64)
+-       if err == nil {
+-               t.Fatal("Unexpected a non-nil error")
+-       }
+-       if f != nil {
+-               t.Fatalf("Unexpected returned a non-nil form: %v\n", f)
+       if err != nil {
+               t.Fatalf("ReadForm(MaxInt64): %v", err)
+        }
+-       if g, w := err.Error(), "integer overflow from maxMemory"; !strings.Contains(g, w) {
+-               t.Errorf(`Error mismatch\n%q\ndid not contain\n%q`, g, w)
+       if f == nil {
+               t.Fatal("ReadForm(MaxInt64): missing form")
+        }
+ }
+ 
+diff --git a/src/net/http/request_test.go b/src/net/http/request_test.go
+index 19526b9ad791a..689498e19d5dd 100644
+--- a/src/net/http/request_test.go
+++ b/src/net/http/request_test.go
+@@ -285,7 +285,7 @@ func TestMaxInt64ForMultipartFormMaxMemoryOverflow(t *testing.T) {
+                t.Fatal(err)
+        }
+        res.Body.Close()
+-       if g, w := res.StatusCode, StatusBadRequest; g != w {
+       if g, w := res.StatusCode, StatusOK; g != w {
+                t.Fatalf("Status code mismatch: got %d, want %d", g, w)
+        }
+ }

diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-41725-pre3.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-41725-pre3.patch new file mode 100644 index 0000000000..767225b888 --- /dev/null +++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-41725-pre3.patch
@@ -0,0 +1,98 @@
	1	From 5246fa5e75b129a7dbd9722aa4de0cbaf7ceae43 Mon Sep 17 00:00:00 2001
	2	From: Russ Cox <rsc@golang.org>
	3	Date: Thu, 3 Dec 2020 09:45:07 -0500
	4	Subject: [PATCH] mime/multipart: handle ReadForm(math.MaxInt64) better
	5
	6	Returning an error about integer overflow is needlessly pedantic.
	7	The meaning of ReadForm(MaxInt64) is easily understood
	8	(accept a lot of data) and can be implemented.
	9
	10	Fixes #40430.
	11
	12	Change-Id: I8a522033dd9a2f9ad31dd2ad82cf08d553736ab9
	13	Reviewed-on: https://go-review.googlesource.com/c/go/+/275112
	14	Trust: Russ Cox <rsc@golang.org>
	15	Run-TryBot: Russ Cox <rsc@golang.org>
	16	TryBot-Result: Go Bot <gobot@golang.org>
	17	Reviewed-by: Ian Lance Taylor <iant@golang.org>
	18
	19	Upstream-Status: Backport [https://github.com/golang/go/commit/5246fa5e75b129a7dbd9722aa4de0cbaf7ceae43]
	20	CVE: CVE-2022-41725 #Dependency Patch3
	21	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
	22	---
	23	src/mime/multipart/formdata.go \| 8 ++++++--
	24	src/mime/multipart/formdata_test.go \| 14 +++++---------
	25	src/net/http/request_test.go \| 2 +-
	26	3 files changed, 12 insertions(+), 12 deletions(-)
	27
	28	diff --git a/src/mime/multipart/formdata.go b/src/mime/multipart/formdata.go
	29	index 4eb31012941ac..9c42ea8c023b5 100644
	30	--- a/src/mime/multipart/formdata.go
	31	+++ b/src/mime/multipart/formdata.go
	32	@@ -7,9 +7,9 @@ package multipart
	33	import (
	34	"bytes"
	35	"errors"
	36	- "fmt"
	37	"io"
	38	"io/ioutil"
	39	+ "math"
	40	"net/textproto"
	41	"os"
	42	)
	43	@@ -43,7 +43,11 @@ func (r Reader) readForm(maxMemory int64) (_ Form, err error) {
	44	// Reserve an additional 10 MB for non-file parts.
	45	maxValueBytes := maxMemory + int64(10<<20)
	46	if maxValueBytes <= 0 {
	47	- return nil, fmt.Errorf("multipart: integer overflow from maxMemory(%d) + 10MiB for non-file parts", maxMemory)
	48	+ if maxMemory < 0 {
	49	+ maxValueBytes = 0
	50	+ } else {
	51	+ maxValueBytes = math.MaxInt64
	52	+ }
	53	}
	54	for {
	55	p, err := r.NextPart()
	56	diff --git a/src/mime/multipart/formdata_test.go b/src/mime/multipart/formdata_test.go
	57	index 7112e0d3727fe..e3a3a3eae8e15 100644
	58	--- a/src/mime/multipart/formdata_test.go
	59	+++ b/src/mime/multipart/formdata_test.go
	60	@@ -53,20 +53,16 @@ func TestReadFormWithNamelessFile(t *testing.T) {
	61	}
	62	}
	63
	64	-// Issue 40430: Ensure that we report integer overflows in additions of maxMemory,
	65	-// instead of silently and subtly failing without indication.
	66	+// Issue 40430: Handle ReadForm(math.MaxInt64)
	67	func TestReadFormMaxMemoryOverflow(t *testing.T) {
	68	b := strings.NewReader(strings.ReplaceAll(messageWithTextContentType, "\n", "\r\n"))
	69	r := NewReader(b, boundary)
	70	f, err := r.ReadForm(math.MaxInt64)
	71	- if err == nil {
	72	- t.Fatal("Unexpected a non-nil error")
	73	- }
	74	- if f != nil {
	75	- t.Fatalf("Unexpected returned a non-nil form: %v\n", f)
	76	+ if err != nil {
	77	+ t.Fatalf("ReadForm(MaxInt64): %v", err)
	78	}
	79	- if g, w := err.Error(), "integer overflow from maxMemory"; !strings.Contains(g, w) {
	80	- t.Errorf(`Error mismatch\n%q\ndid not contain\n%q`, g, w)
	81	+ if f == nil {
	82	+ t.Fatal("ReadForm(MaxInt64): missing form")
	83	}
	84	}
	85
	86	diff --git a/src/net/http/request_test.go b/src/net/http/request_test.go
	87	index 19526b9ad791a..689498e19d5dd 100644
	88	--- a/src/net/http/request_test.go
	89	+++ b/src/net/http/request_test.go
	90	@@ -285,7 +285,7 @@ func TestMaxInt64ForMultipartFormMaxMemoryOverflow(t *testing.T) {
	91	t.Fatal(err)
	92	}
	93	res.Body.Close()
	94	- if g, w := res.StatusCode, StatusBadRequest; g != w {
	95	+ if g, w := res.StatusCode, StatusOK; g != w {
	96	t.Fatalf("Status code mismatch: got %d, want %d", g, w)
	97	}
	98	}