Diffstat (limited to 'meta/recipes-devtools/go/go-1.14/CVE-2023-29402.patch')
-rw-r--r-- | meta/recipes-devtools/go/go-1.14/CVE-2023-29402.patch | 201 |
1 files changed, 201 insertions, 0 deletions
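--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-29402.patch
@@ -0,0 +1,201 @@
+rom c160b49b6d328c86bd76ca2fff9009a71347333f Mon Sep 17 00:00:00 2001
+From: "Bryan C. Mills" <bcmills@google.com>
+Date: Fri, 12 May 2023 14:15:16 -0400
+Subject: [PATCH] [release-branch.go1.19] cmd/go: disallow package directories
+containing newlines
+
+Directory or file paths containing newlines may cause tools (such as
+cmd/cgo) that emit "//line" or "#line" -directives to write part of
+the path into non-comment lines in generated source code. If those
+lines contain valid Go code, it may be injected into the resulting
+binary.
+
+(Note that Go import paths and file paths within module zip files
+already could not contain newlines.)
+
+Thanks to Juho Nurminen of Mattermost for reporting this issue.
+
+Updates #60167.
+Fixes #60515.
+Fixes CVE-2023-29402.
+
+Change-Id: If55d0400c02beb7a5da5eceac60f1abeac99f064
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1882606
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+Run-TryBot: Roland Shoemaker <bracewell@google.com>
+Reviewed-by: Russ Cox <rsc@google.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+(cherry picked from commit 41f9046495564fc728d6f98384ab7276450ac7e2)
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1902229
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1904343
+Reviewed-by: Michael Knyszek <mknyszek@google.com>
+Reviewed-by: Bryan Mills <bcmills@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/501218
+Run-TryBot: David Chase <drchase@google.com>
+Auto-Submit: Michael Knyszek <mknyszek@google.com>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/c160b49b6d328c86bd76ca2fff9009a71347333f]
+CVE: CVE-2023-29402
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+src/cmd/go/internal/load/pkg.go | 4 +
+src/cmd/go/internal/work/exec.go | 6 ++
+src/cmd/go/script_test.go | 1 +
+.../go/testdata/script/build_cwd_newline.txt | 100 ++++++++++++++++++
+4 files changed, 111 insertions(+)
+create mode 100644 src/cmd/go/testdata/script/build_cwd_newline.txt
+
+diff --git a/src/cmd/go/internal/load/pkg.go b/src/cmd/go/internal/load/pkg.go
+index 369a79b..d2b63b0 100644
+--- a/src/cmd/go/internal/load/pkg.go
++++ b/src/cmd/go/internal/load/pkg.go
+@@ -1697,6 +1697,10 @@ func (p *Package) load(stk *ImportStack, bp *build.Package, err error) {
+setError(ImportErrorf(p.ImportPath, "invalid import path %q", p.ImportPath))
+return
+}
++ if strings.ContainsAny(p.Dir, "\r\n") {
++ setError(fmt.Errorf("invalid package directory %q", p.Dir))
++ return
++ }
+
+// Build list of imported packages and full dependency list.
+imports := make([]*Package, 0, len(p.Imports))
+diff --git a/src/cmd/go/internal/work/exec.go b/src/cmd/go/internal/work/exec.go
+index 9a9650b..050b785 100644
+--- a/src/cmd/go/internal/work/exec.go
++++ b/src/cmd/go/internal/work/exec.go
+@@ -458,6 +458,12 @@ func (b *Builder) build(a *Action) (err error) {
+b.Print(a.Package.ImportPath + "\n")
+}
+
++ if p.Error != nil {
++ // Don't try to build anything for packages with errors. There may be a
++ // problem with the inputs that makes the package unsafe to build.
++ return p.Error
++ }
++
+if a.Package.BinaryOnly {
+p.Stale = true
+p.StaleReason = "binary-only packages are no longer supported"
+diff --git a/src/cmd/go/script_test.go b/src/cmd/go/script_test.go
+index ec498bb..a1398ad 100644
+--- a/src/cmd/go/script_test.go
++++ b/src/cmd/go/script_test.go
+@@ -123,6 +123,7 @@ func (ts *testScript) setup() {
+"devnull=" + os.DevNull,
+"goversion=" + goVersion(ts),
+":=" + string(os.PathListSeparator),
++ "newline=\n",
+}
+
+if runtime.GOOS == "plan9" {
+diff --git a/src/cmd/go/testdata/script/build_cwd_newline.txt b/src/cmd/go/testdata/script/build_cwd_newline.txt
+new file mode 100644
+index 0000000..61c6966
+--- /dev/null
++++ b/src/cmd/go/testdata/script/build_cwd_newline.txt
+@@ -0,0 +1,100 @@
++[windows] skip 'filesystem normalizes / to \'
++[plan9] skip 'filesystem disallows \n in paths'
++
++# If the directory path containing a package to be built includes a newline,
++# the go command should refuse to even try to build the package.
++
++env DIR=$WORK${/}${newline}'package main'${newline}'func main() { panic("uh-oh")'${newline}'/*'
++
++mkdir $DIR
++cd $DIR
++exec pwd
++cp $WORK/go.mod ./go.mod
++cp $WORK/main.go ./main.go
++cp $WORK/main_test.go ./main_test.go
++
++! go build -o $devnull .
++stderr 'package example: invalid package directory .*uh-oh'
++
++! go build -o $devnull main.go
++stderr 'package command-line-arguments: invalid package directory .*uh-oh'
++
++! go run .
++stderr 'package example: invalid package directory .*uh-oh'
++
++! go run main.go
++stderr 'package command-line-arguments: invalid package directory .*uh-oh'
++
++! go test .
++stderr 'package example: invalid package directory .*uh-oh'
++
++! go test -v main.go main_test.go
++stderr 'package command-line-arguments: invalid package directory .*uh-oh'
++
++
++# Since we do preserve $PWD (or set it appropriately) for commands, and we do
++# not resolve symlinks unnecessarily, referring to the contents of the unsafe
++# directory via a safe symlink should be ok, and should not inject the data from
++# the symlink target path.
++
++[!symlink] stop 'remainder of test checks symlink behavior'
++[short] stop 'links and runs binaries'
++
++symlink $WORK${/}link -> $DIR
++
++go run $WORK${/}link${/}main.go
++! stdout panic
++! stderr panic
++stderr '^ok$'
++
++go test -v $WORK${/}link${/}main.go $WORK${/}link${/}main_test.go
++! stdout panic
++! stderr panic
++stdout '^ok$' # 'go test' combines the test's stdout into stderr
++
++cd $WORK/link
++
++! go run $DIR${/}main.go
++stderr 'package command-line-arguments: invalid package directory .*uh-oh'
++
++go run .
++! stdout panic
++! stderr panic
++stderr '^ok$'
++
++go run main.go
++! stdout panic
++! stderr panic
++stderr '^ok$'
++
++go test -v
++! stdout panic
++! stderr panic
++stdout '^ok$' # 'go test' combines the test's stdout into stderr
++
++go test -v .
++! stdout panic
++! stderr panic
++stdout '^ok$' # 'go test' combines the test's stdout into stderr
++
++
++-- $WORK/go.mod --
++module example
++go 1.19
++-- $WORK/main.go --
++package main
++
++import "C"
++
++func main() {
++ /* nothing here */
++ println("ok")
++}
++-- $WORK/main_test.go --
++package main
++
++import "testing"
++
++func TestMain(*testing.M) {
++ main()
++}
+--
+2.25.1
+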
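Review bot: The first line of the new patch file reads `rom c160b49b6d328c86bd76ca2fff9009a71347333f Mon Sep 17 00:00:00 2001`, so the leading `F` of the mbox `From` line is missing; if that is really in the committed file rather than a rendering artifact, `git am`-style tooling will not recognise the message header, while plain `patch`/quilt still applies the hunks and the build would not notice. Confirm the file starts with `From c160b49b6d328c86bd76ca2fff9009a71347333f Mon Sep 17 00:00:00 2001`. Separately, this is a release-branch.go1.19 change placed in the go-1.14 recipe: the embedded `build_cwd_newline.txt` script ships a go.mod with `go 1.19` and relies on `$devnull`, `[!symlink]` and `[short]` being understood by 1.14's script_test.go, none of which this patch adds, and the `pkg.go` hunk assumes `strings` and `fmt` are already imported there. Presumably a go command accepts a newer `go` directive as long as the build succeeds, but the script should be run against the 1.14 tree (or dropped from the backport) so that the `pkg.go` and `exec.go` hunks stay the verified part of the fix.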