1 files changed, 114 insertions, 0 deletions
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-29406-2.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-29406-2.patch
new file mode 100644
index 0000000000..637f46a537
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-29406-2.patch
@@ -0,0 +1,114 @@
+From c08a5fa413a34111c9a37fd9e545de27ab0978b1 Mon Sep 17 00:00:00 2001
+From: Damien Neil <dneil@google.com>
+Date: Wed, 19 Jul 2023 10:30:46 -0700
+Subject: [PATCH] [release-branch.go1.19] net/http: permit requests with
+ invalid Host headers
+Historically, the Transport has silently truncated invalid
+Host headers at the first '/' or ' ' character. CL 506996 changed
+this behavior to reject invalid Host headers entirely.
+Unfortunately, Docker appears to rely on the previous behavior.
+When sending a HTTP/1 request with an invalid Host, send an empty
+Host header. This is safer than truncation: If you care about the
+Host, then you should get the one you set; if you don't care,
+then an empty Host should be fine.
+Continue to fully validate Host headers sent to a proxy,
+since proxies generally can't productively forward requests
+without a Host.
+For #60374
+Fixes #61431
+Fixes #61825
+Change-Id: If170c7dd860aa20eb58fe32990fc93af832742b6
+Reviewed-on: https://go-review.googlesource.com/c/go/+/511155
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Reviewed-by: Roland Shoemaker <roland@golang.org>
+Run-TryBot: Damien Neil <dneil@google.com>
+(cherry picked from commit b9153f6ef338baee5fe02a867c8fbc83a8b29dd1)
+Reviewed-on: https://go-review.googlesource.com/c/go/+/518855
+Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
+Run-TryBot: Roland Shoemaker <roland@golang.org>
+Reviewed-by: Russ Cox <rsc@golang.org>
+Upstream-Status: Backport [https://github.com/golang/go/commit/c08a5fa413a34111c9a37fd9e545de27ab0978b1]
+CVE: CVE-2023-29406
+Signed-off-by: Ming Liu <liu.ming50@gmail.com>
+---
+ src/net/http/request.go      | 23 ++++++++++++++++++++++-
+ src/net/http/request_test.go | 17 ++++++++++++-----
+ 2 files changed, 34 insertions(+), 6 deletions(-)
+diff --git a/src/net/http/request.go b/src/net/http/request.go
+index 3100037386..91cb8a66b9 100644
+--- a/src/net/http/request.go
+++ b/src/net/http/request.go
+@@ -582,8 +582,29 @@ func (r *Request) write(w io.Writer, usingProxy bool, extraHeaders Header, waitF
+        if err != nil {
+                return err
+        }
+       // Validate that the Host header is a valid header in general,
+       // but don't validate the host itself. This is sufficient to avoid
+       // header or request smuggling via the Host field.
+       // The server can (and will, if it's a net/http server) reject
+       // the request if it doesn't consider the host valid.
+        if !httpguts.ValidHostHeader(host) {
+-               return errors.New("http: invalid Host header")
+               // Historically, we would truncate the Host header after '/' or ' '.
+               // Some users have relied on this truncation to convert a network
+               // address such as Unix domain socket path into a valid, ignored
+               // Host header (see https://go.dev/issue/61431).
+               //
+               // We don't preserve the truncation, because sending an altered
+               // header field opens a smuggling vector. Instead, zero out the
+               // Host header entirely if it isn't valid. (An empty Host is valid;
+               // see RFC 9112 Section 3.2.)
+               //
+               // Return an error if we're sending to a proxy, since the proxy
+               // probably can't do anything useful with an empty Host header.
+               if !usingProxy {
+                       host = ""
+               } else {
+                       return errors.New("http: invalid Host header")
+               }
+        }
+ 
+        // According to RFC 6874, an HTTP client, proxy, or other
+diff --git a/src/net/http/request_test.go b/src/net/http/request_test.go
+index fddc85d6a9..dd1e2dc2a1 100644
+--- a/src/net/http/request_test.go
+++ b/src/net/http/request_test.go
+@@ -770,16 +770,23 @@ func TestRequestWriteBufferedWriter(t *testing.T) {
+        }
+ }
+ 
+-func TestRequestBadHost(t *testing.T) {
+func TestRequestBadHostHeader(t *testing.T) {
+        got := []string{}
+        req, err := NewRequest("GET", "http://foo/after", nil)
+        if err != nil {
+                t.Fatal(err)
+        }
+-       req.Host = "foo.com with spaces"
+-       req.URL.Host = "foo.com with spaces"
+-       if err := req.Write(logWrites{t, &got}); err == nil {
+-               t.Errorf("Writing request with invalid Host: succeded, want error")
+       req.Host = "foo.com\nnewline"
+       req.URL.Host = "foo.com\nnewline"
+       req.Write(logWrites{t, &got})
+       want := []string{
+               "GET /after HTTP/1.1\r\n",
+               "Host: \r\n",
+               "User-Agent: " + DefaultUserAgent + "\r\n",
+               "\r\n",
+       }
+       if !reflect.DeepEqual(got, want) {
+               t.Errorf("Writes = %q\n  Want = %q", got, want)
+        }
+ }
+ 
+-- 
+2.34.1

diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-29406-2.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-29406-2.patch new file mode 100644 index 0000000000..637f46a537 --- /dev/null +++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-29406-2.patch
@@ -0,0 +1,114 @@
	1	From c08a5fa413a34111c9a37fd9e545de27ab0978b1 Mon Sep 17 00:00:00 2001
	2	From: Damien Neil <dneil@google.com>
	3	Date: Wed, 19 Jul 2023 10:30:46 -0700
	4	Subject: [PATCH] [release-branch.go1.19] net/http: permit requests with
	5	invalid Host headers
	6
	7	Historically, the Transport has silently truncated invalid
	8	Host headers at the first '/' or ' ' character. CL 506996 changed
	9	this behavior to reject invalid Host headers entirely.
	10	Unfortunately, Docker appears to rely on the previous behavior.
	11
	12	When sending a HTTP/1 request with an invalid Host, send an empty
	13	Host header. This is safer than truncation: If you care about the
	14	Host, then you should get the one you set; if you don't care,
	15	then an empty Host should be fine.
	16
	17	Continue to fully validate Host headers sent to a proxy,
	18	since proxies generally can't productively forward requests
	19	without a Host.
	20
	21	For #60374
	22	Fixes #61431
	23	Fixes #61825
	24
	25	Change-Id: If170c7dd860aa20eb58fe32990fc93af832742b6
	26	Reviewed-on: https://go-review.googlesource.com/c/go/+/511155
	27	TryBot-Result: Gopher Robot <gobot@golang.org>
	28	Reviewed-by: Roland Shoemaker <roland@golang.org>
	29	Run-TryBot: Damien Neil <dneil@google.com>
	30	(cherry picked from commit b9153f6ef338baee5fe02a867c8fbc83a8b29dd1)
	31	Reviewed-on: https://go-review.googlesource.com/c/go/+/518855
	32	Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
	33	Run-TryBot: Roland Shoemaker <roland@golang.org>
	34	Reviewed-by: Russ Cox <rsc@golang.org>
	35
	36	Upstream-Status: Backport [https://github.com/golang/go/commit/c08a5fa413a34111c9a37fd9e545de27ab0978b1]
	37	CVE: CVE-2023-29406
	38	Signed-off-by: Ming Liu <liu.ming50@gmail.com>
	39	---
	40	src/net/http/request.go \| 23 ++++++++++++++++++++++-
	41	src/net/http/request_test.go \| 17 ++++++++++++-----
	42	2 files changed, 34 insertions(+), 6 deletions(-)
	43
	44	diff --git a/src/net/http/request.go b/src/net/http/request.go
	45	index 3100037386..91cb8a66b9 100644
	46	--- a/src/net/http/request.go
	47	+++ b/src/net/http/request.go
	48	@@ -582,8 +582,29 @@ func (r *Request) write(w io.Writer, usingProxy bool, extraHeaders Header, waitF
	49	if err != nil {
	50	return err
	51	}
	52	+ // Validate that the Host header is a valid header in general,
	53	+ // but don't validate the host itself. This is sufficient to avoid
	54	+ // header or request smuggling via the Host field.
	55	+ // The server can (and will, if it's a net/http server) reject
	56	+ // the request if it doesn't consider the host valid.
	57	if !httpguts.ValidHostHeader(host) {
	58	- return errors.New("http: invalid Host header")
	59	+ // Historically, we would truncate the Host header after '/' or ' '.
	60	+ // Some users have relied on this truncation to convert a network
	61	+ // address such as Unix domain socket path into a valid, ignored
	62	+ // Host header (see https://go.dev/issue/61431).
	63	+ //
	64	+ // We don't preserve the truncation, because sending an altered
	65	+ // header field opens a smuggling vector. Instead, zero out the
	66	+ // Host header entirely if it isn't valid. (An empty Host is valid;
	67	+ // see RFC 9112 Section 3.2.)
	68	+ //
	69	+ // Return an error if we're sending to a proxy, since the proxy
	70	+ // probably can't do anything useful with an empty Host header.
	71	+ if !usingProxy {
	72	+ host = ""
	73	+ } else {
	74	+ return errors.New("http: invalid Host header")
	75	+ }
	76	}
	77
	78	// According to RFC 6874, an HTTP client, proxy, or other
	79	diff --git a/src/net/http/request_test.go b/src/net/http/request_test.go
	80	index fddc85d6a9..dd1e2dc2a1 100644
	81	--- a/src/net/http/request_test.go
	82	+++ b/src/net/http/request_test.go
	83	@@ -770,16 +770,23 @@ func TestRequestWriteBufferedWriter(t *testing.T) {
	84	}
	85	}
	86
	87	-func TestRequestBadHost(t *testing.T) {
	88	+func TestRequestBadHostHeader(t *testing.T) {
	89	got := []string{}
	90	req, err := NewRequest("GET", "http://foo/after", nil)
	91	if err != nil {
	92	t.Fatal(err)
	93	}
	94	- req.Host = "foo.com with spaces"
	95	- req.URL.Host = "foo.com with spaces"
	96	- if err := req.Write(logWrites{t, &got}); err == nil {
	97	- t.Errorf("Writing request with invalid Host: succeded, want error")
	98	+ req.Host = "foo.com\nnewline"
	99	+ req.URL.Host = "foo.com\nnewline"
	100	+ req.Write(logWrites{t, &got})
	101	+ want := []string{
	102	+ "GET /after HTTP/1.1\r\n",
	103	+ "Host: \r\n",
	104	+ "User-Agent: " + DefaultUserAgent + "\r\n",
	105	+ "\r\n",
	106	+ }
	107	+ if !reflect.DeepEqual(got, want) {
	108	+ t.Errorf("Writes = %q\n Want = %q", got, want)
	109	}
	110	}
	111
	112	--
	113	2.34.1
	114