diff options
| author | Archana Polampalli <archana.polampalli@windriver.com> | 2025-11-07 15:51:00 +0530 |
|---|---|---|
| committer | Steve Sakoman <steve@sakoman.com> | 2025-11-14 06:45:29 -0800 |
| commit | b3b8ae23172be1e4f2deee24116612dda73f585c (patch) | |
| tree | 3f923820ec0020b3ffbf9973d2b03cc6dd74a211 | |
| parent | 8c87818a10f709ca29b17e52f64bbb533294f698 (diff) | |
| download | poky-b3b8ae23172be1e4f2deee24116612dda73f585c.tar.gz | |
go: fix CVE-2025-58189
When Conn.Handshake fails during ALPN negotiation the error contains attacker
controlled information (the ALPN protocols sent by the client) which is not escaped.
(From OE-Core rev: e734cf62f24640d116c901dd97e09ddbb1f0cc4f)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
| -rw-r--r-- | meta/recipes-devtools/go/go-1.22.12.inc | 1 | ||||
| -rw-r--r-- | meta/recipes-devtools/go/go/CVE-2025-58189.patch | 50 |
2 files changed, 51 insertions, 0 deletions
diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc index b619fc48f4..1e4139148e 100644 --- a/meta/recipes-devtools/go/go-1.22.12.inc +++ b/meta/recipes-devtools/go/go-1.22.12.inc | |||
| @@ -24,6 +24,7 @@ SRC_URI += "\ | |||
| 24 | file://CVE-2025-58185.patch \ | 24 | file://CVE-2025-58185.patch \ |
| 25 | file://CVE-2025-58187.patch \ | 25 | file://CVE-2025-58187.patch \ |
| 26 | file://CVE-2025-58188.patch \ | 26 | file://CVE-2025-58188.patch \ |
| 27 | file://CVE-2025-58189.patch \ | ||
| 27 | " | 28 | " |
| 28 | SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71" | 29 | SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71" |
| 29 | 30 | ||
diff --git a/meta/recipes-devtools/go/go/CVE-2025-58189.patch b/meta/recipes-devtools/go/go/CVE-2025-58189.patch new file mode 100644 index 0000000000..4908cf6400 --- /dev/null +++ b/meta/recipes-devtools/go/go/CVE-2025-58189.patch | |||
| @@ -0,0 +1,50 @@ | |||
| 1 | From 2e1e356e33b9c792a9643749a7626a1789197bb9 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Roland Shoemaker <roland@golang.org> | ||
| 3 | Date: Mon, 29 Sep 2025 10:11:56 -0700 | ||
| 4 | Subject: [PATCH] crypto/tls: quote protocols in ALPN error message | ||
| 5 | |||
| 6 | Quote the protocols sent by the client when returning the ALPN | ||
| 7 | negotiation error message. | ||
| 8 | |||
| 9 | Fixes CVE-2025-58189 | ||
| 10 | Updates #75652 | ||
| 11 | Fixes #75660 | ||
| 12 | |||
| 13 | Change-Id: Ie7b3a1ed0b6efcc1705b71f0f1e8417126661330 | ||
| 14 | Reviewed-on: https://go-review.googlesource.com/c/go/+/707776 | ||
| 15 | Auto-Submit: Roland Shoemaker <roland@golang.org> | ||
| 16 | Reviewed-by: Neal Patel <nealpatel@google.com> | ||
| 17 | Reviewed-by: Nicholas Husin <nsh@golang.org> | ||
| 18 | Auto-Submit: Nicholas Husin <nsh@golang.org> | ||
| 19 | Reviewed-by: Nicholas Husin <husin@google.com> | ||
| 20 | TryBot-Bypass: Roland Shoemaker <roland@golang.org> | ||
| 21 | Reviewed-by: Daniel McCarney <daniel@binaryparadox.net> | ||
| 22 | (cherry picked from commit 4e9006a716533fe1c7ee08df02dfc73078f7dc19) | ||
| 23 | Reviewed-on: https://go-review.googlesource.com/c/go/+/708096 | ||
| 24 | LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> | ||
| 25 | Reviewed-by: Carlos Amedee <carlos@golang.org> | ||
| 26 | |||
| 27 | CVE: CVE-2025-58189 | ||
| 28 | |||
| 29 | Upstream-Status: Backport [https://github.com/golang/go/commit/2e1e356e33b9c792a9643749a7626a1789197bb9] | ||
| 30 | |||
| 31 | Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> | ||
| 32 | --- | ||
| 33 | src/crypto/tls/handshake_server.go | 2 +- | ||
| 34 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
| 35 | |||
| 36 | diff --git a/src/crypto/tls/handshake_server.go b/src/crypto/tls/handshake_server.go | ||
| 37 | index 4e84aa9..17b6891 100644 | ||
| 38 | --- a/src/crypto/tls/handshake_server.go | ||
| 39 | +++ b/src/crypto/tls/handshake_server.go | ||
| 40 | @@ -312,7 +312,7 @@ func negotiateALPN(serverProtos, clientProtos []string, quic bool) (string, erro | ||
| 41 | if http11fallback { | ||
| 42 | return "", nil | ||
| 43 | } | ||
| 44 | - return "", fmt.Errorf("tls: client requested unsupported application protocols (%s)", clientProtos) | ||
| 45 | + return "", fmt.Errorf("tls: client requested unsupported application protocols (%q)", clientProtos) | ||
| 46 | } | ||
| 47 | |||
| 48 | // supportsECDHE returns whether ECDHE key exchanges can be used with this | ||
| 49 | -- | ||
| 50 | 2.40.0 | ||
