go: Backport fix CVE-2024-24784 & CVE-2024-24785

Backport fixes for : CVE-2024-24784 - Upstream-Status: Backport from https://github.com/golang/go/commit/5330cd225ba54c7dc78c1b46dcdf61a4671a632c CVE-2024-24785 - Upstream-Status: Backport from https://github.com/golang/go/commit/056b0edcb8c152152021eebf4cf42adbfbe77992 (From OE-Core rev: 408f86a5268cadd680f45e2d934451a321241706) Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Vivek Kumbhar <vkumbhar@mvista.com> 2024-03-11 11:14:00 +0530
committer: Steve Sakoman <steve@sakoman.com> 2024-03-13 07:36:50 -1000
commit: 3a82461fadc41018d3b96bc30b71b742eb6fc21b (patch)
tree: 2f6a3ed542eb7ae1df4aa09022eff31266a93a21 /meta
parent: ae66c42f9ea2cf1283fef982efb998910de6e2fc (diff)
download: poky-3a82461fadc41018d3b96bc30b71b742eb6fc21b.tar.gz
3 files changed, 405 insertions, 0 deletions
diff --git a/meta/recipes-devtools/go/go-1.17.13.inc b/meta/recipes-devtools/go/go-1.17.13.inc
index e635445579..768961de2c 100644
--- a/meta/recipes-devtools/go/go-1.17.13.inc
+++ b/meta/recipes-devtools/go/go-1.17.13.inc
@@ -53,6 +53,8 @@ SRC_URI += "\
    file://CVE-2023-45287.patch \
    file://CVE-2023-45289.patch \
    file://CVE-2023-45290.patch \
+    file://CVE-2024-24784.patch \
+    file://CVE-2024-24785.patch \
 "
 SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd"
diff --git a/meta/recipes-devtools/go/go-1.18/CVE-2024-24784.patch b/meta/recipes-devtools/go/go-1.18/CVE-2024-24784.patch
new file mode 100644
index 0000000000..d3fc6b0313
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.18/CVE-2024-24784.patch
@@ -0,0 +1,207 @@
+From 5330cd225ba54c7dc78c1b46dcdf61a4671a632c Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <bracewell@google.com>
+Date: Wed, 10 Jan 2024 11:02:14 -0800
+Subject: [PATCH] [release-branch.go1.22] net/mail: properly handle special
+ characters in phrase and obs-phrase
+Fixes a couple of misalignments with RFC 5322 which introduce
+significant diffs between (mostly) conformant parsers.
+This change reverts the changes made in CL50911, which allowed certain
+special RFC 5322 characters to appear unquoted in the "phrase" syntax.
+It is unclear why this change was made in the first place, and created
+a divergence from comformant parsers. In particular this resulted in
+treating comments in display names incorrectly.
+Additionally properly handle trailing malformed comments in the group
+syntax.
+For #65083
+Fixed #65849
+Change-Id: I00dddc044c6ae3381154e43236632604c390f672
+Reviewed-on: https://go-review.googlesource.com/c/go/+/555596
+Reviewed-by: Damien Neil <dneil@google.com>
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/566215
+Reviewed-by: Carlos Amedee <carlos@golang.org>
+Upstream-Status: Backport [https://github.com/golang/go/commit/5330cd225ba54c7dc78c1b46dcdf61a4671a632c]
+CVE: CVE-2024-24784
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+---
+ src/net/mail/message.go      | 30 +++++++++++++++------------
+ src/net/mail/message_test.go | 40 ++++++++++++++++++++++++++----------
+ 2 files changed, 46 insertions(+), 24 deletions(-)
+diff --git a/src/net/mail/message.go b/src/net/mail/message.go
+index 47bbf6c..84f48f0 100644
+--- a/src/net/mail/message.go
+++ b/src/net/mail/message.go
+@@ -231,7 +231,7 @@ func (a *Address) String() string {
+        // Add quotes if needed
+        quoteLocal := false
+        for i, r := range local {
+-               if isAtext(r, false, false) {
+               if isAtext(r, false) {
+                        continue
+                }
+                if r == '.' {
+@@ -395,7 +395,7 @@ func (p *addrParser) parseAddress(handleGroup bool) ([]*Address, error) {
+        if !p.consume('<') {
+                atext := true
+                for _, r := range displayName {
+-                       if !isAtext(r, true, false) {
+                       if !isAtext(r, true) {
+                                atext = false
+                                break
+                        }
+@@ -430,7 +430,9 @@ func (p *addrParser) consumeGroupList() ([]*Address, error) {
+        // handle empty group.
+        p.skipSpace()
+        if p.consume(';') {
+-               p.skipCFWS()
+               if !p.skipCFWS() {
+                       return nil, errors.New("mail: misformatted parenthetical comment")
+               }
+                return group, nil
+        }
+@@ -447,7 +449,9 @@ func (p *addrParser) consumeGroupList() ([]*Address, error) {
+                        return nil, errors.New("mail: misformatted parenthetical comment")
+                }
+                if p.consume(';') {
+-                       p.skipCFWS()
+                       if !p.skipCFWS() {
+                               return nil, errors.New("mail: misformatted parenthetical comment")
+                       }
+                        break
+                }
+                if !p.consume(',') {
+@@ -517,6 +521,12 @@ func (p *addrParser) consumePhrase() (phrase string, err error) {
+        var words []string
+        var isPrevEncoded bool
+        for {
+               // obs-phrase allows CFWS after one word
+               if len(words) > 0 {
+                       if !p.skipCFWS() {
+                               return "", errors.New("mail: misformatted parenthetical comment")
+                       }
+               }
+                // word = atom / quoted-string
+                var word string
+                p.skipSpace()
+@@ -612,7 +622,6 @@ Loop:
+ // If dot is true, consumeAtom parses an RFC 5322 dot-atom instead.
+ // If permissive is true, consumeAtom will not fail on:
+ // - leading/trailing/double dots in the atom (see golang.org/issue/4938)
+-// - special characters (RFC 5322 3.2.3) except '<', '>', ':' and '"' (see golang.org/issue/21018)
+ func (p *addrParser) consumeAtom(dot bool, permissive bool) (atom string, err error) {
+        i := 0
+@@ -623,7 +632,7 @@ Loop:
+                case size == 1 && r == utf8.RuneError:
+                        return "", fmt.Errorf("mail: invalid utf-8 in address: %q", p.s)
+-               case size == 0 || !isAtext(r, dot, permissive):
+               case size == 0 || !isAtext(r, dot):
+                        break Loop
+                default:
+@@ -777,18 +786,13 @@ func (e charsetError) Error() string {
+ // isAtext reports whether r is an RFC 5322 atext character.
+ // If dot is true, period is included.
+-// If permissive is true, RFC 5322 3.2.3 specials is included,
+-// except '<', '>', ':' and '"'.
+-func isAtext(r rune, dot, permissive bool) bool {
+func isAtext(r rune, dot bool) bool {
+        switch r {
+        case '.':
+                return dot
+        // RFC 5322 3.2.3. specials
+-       case '(', ')', '[', ']', ';', '@', '\\', ',':
+-               return permissive
+-
+-       case '<', '>', '"', ':':
+       case '(', ')', '<', '>', '[', ']', ':', ';', '@', '\\', ',', '"': // RFC 5322 3.2.3. specials
+                return false
+        }
+        return isVchar(r)
+diff --git a/src/net/mail/message_test.go b/src/net/mail/message_test.go
+index 80a17b2..00bc93e 100644
+--- a/src/net/mail/message_test.go
+++ b/src/net/mail/message_test.go
+@@ -334,8 +334,11 @@ func TestAddressParsingError(t *testing.T) {
+                13: {"group not closed: null@example.com", "expected comma"},
+                14: {"group: first@example.com, second@example.com;", "group with multiple addresses"},
+                15: {"john.doe", "missing '@' or angle-addr"},
+-               16: {"john.doe@", "no angle-addr"},
+               16: {"john.doe@", "missing '@' or angle-addr"},
+                17: {"John Doe@foo.bar", "no angle-addr"},
+               18: {" group: null@example.com; (asd", "misformatted parenthetical comment"},
+               19: {" group: ; (asd", "misformatted parenthetical comment"},
+               20: {`(John) Doe <jdoe@machine.example>`, "missing word in phrase:"},
+        }
+        for i, tc := range mustErrTestCases {
+@@ -374,24 +377,19 @@ func TestAddressParsing(t *testing.T) {
+                                Address: "john.q.public@example.com",
+                        }},
+                },
+-               {
+-                       `"John (middle) Doe" <jdoe@machine.example>`,
+-                       []*Address{{
+-                               Name:    "John (middle) Doe",
+-                               Address: "jdoe@machine.example",
+-                       }},
+-               },
+               // Comment in display name
+                {
+                        `John (middle) Doe <jdoe@machine.example>`,
+                        []*Address{{
+-                               Name:    "John (middle) Doe",
+                               Name:    "John Doe",
+                                Address: "jdoe@machine.example",
+                        }},
+                },
+               // Display name is quoted string, so comment is not a comment
+                {
+-                       `John !@M@! Doe <jdoe@machine.example>`,
+                       `"John (middle) Doe" <jdoe@machine.example>`,
+                        []*Address{{
+-                               Name:    "John !@M@! Doe",
+                               Name:    "John (middle) Doe",
+                                Address: "jdoe@machine.example",
+                        }},
+                },
+@@ -726,6 +724,26 @@ func TestAddressParsing(t *testing.T) {
+                                },
+                        },
+                },
+               // Comment in group display name
+               {
+                       `group (comment:): a@example.com, b@example.com;`,
+                       []*Address{
+                               {
+                                       Address: "a@example.com",
+                               },
+                               {
+                                       Address: "b@example.com",
+                               },
+                       },
+               },
+               {
+                       `x(:"):"@a.example;("@b.example;`,
+                       []*Address{
+                               {
+                                       Address: `@a.example;(@b.example`,
+                               },
+                       },
+               },
+        }
+        for _, test := range tests {
+                if len(test.exp) == 1 {
+--
+2.39.3
diff --git a/meta/recipes-devtools/go/go-1.18/CVE-2024-24785.patch b/meta/recipes-devtools/go/go-1.18/CVE-2024-24785.patch
new file mode 100644
index 0000000000..5c8244e89a
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.18/CVE-2024-24785.patch
@@ -0,0 +1,196 @@
+From 056b0edcb8c152152021eebf4cf42adbfbe77992 Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <roland@golang.org>
+Date: Wed, 14 Feb 2024 17:18:36 -0800
+Subject: [PATCH] [release-branch.go1.22] html/template: escape additional
+ tokens in MarshalJSON errors
+Escape "</script" and "<!--" in errors returned from MarshalJSON errors
+when attempting to marshal types in script blocks. This prevents any
+user controlled content from prematurely terminating the script block.
+Updates #65697
+Fixes #65969
+Change-Id: Icf0e26c54ea7d9c1deed0bff11b6506c99ddef1b
+Reviewed-on: https://go-review.googlesource.com/c/go/+/564196
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+(cherry picked from commit ccbc725f2d678255df1bd326fa511a492aa3a0aa)
+Reviewed-on: https://go-review.googlesource.com/c/go/+/567535
+Reviewed-by: Carlos Amedee <carlos@golang.org>
+Upstream-Status: Backport [https://github.com/golang/go/commit/056b0edcb8c152152021eebf4cf42adbfbe77992]
+CVE: CVE-2024-24785
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+---
+ src/html/template/js.go      | 22 ++++++++-
+ src/html/template/js_test.go | 96 ++++++++++++++++++++----------------
+ 2 files changed, 74 insertions(+), 44 deletions(-)
+diff --git a/src/html/template/js.go b/src/html/template/js.go
+index 35994f0..4d3b25d 100644
+--- a/src/html/template/js.go
+++ b/src/html/template/js.go
+@@ -171,13 +171,31 @@ func jsValEscaper(args ...interface{}) string {
+        // cyclic data. This may be an unacceptable DoS risk.
+        b, err := json.Marshal(a)
+        if err != nil {
+-               // Put a space before comment so that if it is flush against
+               // While the standard JSON marshaller does not include user controlled
+               // information in the error message, if a type has a MarshalJSON method,
+               // the content of the error message is not guaranteed. Since we insert
+               // the error into the template, as part of a comment, we attempt to
+               // prevent the error from either terminating the comment, or the script
+               // block itself.
+               //
+               // In particular we:
+               //   * replace "*/" comment end tokens with "* /", which does not
+               //     terminate the comment
+               //   * replace "</script" with "\x3C/script", and "<!--" with
+               //     "\x3C!--", which prevents confusing script block termination
+               //     semantics
+               //
+               // We also put a space before the comment so that if it is flush against
+                // a division operator it is not turned into a line comment:
+                //     x/{{y}}
+                // turning into
+                //     x//* error marshaling y:
+                //          second line of error message */null
+-               return fmt.Sprintf(" /* %s */null ", strings.ReplaceAll(err.Error(), "*/", "* /"))
+               errStr := err.Error()
+               errStr = strings.ReplaceAll(errStr, "*/", "* /")
+               errStr = strings.ReplaceAll(errStr, "</script", `\x3C/script`)
+               errStr = strings.ReplaceAll(errStr, "<!--", `\x3C!--`)
+               return fmt.Sprintf(" /* %s */null ", errStr)
+        }
+        // TODO: maybe post-process output to prevent it from containing
+diff --git a/src/html/template/js_test.go b/src/html/template/js_test.go
+index de9ef28..0eaec11 100644
+--- a/src/html/template/js_test.go
+++ b/src/html/template/js_test.go
+@@ -5,6 +5,7 @@
+ package template
+ import (
+        "errors"
+        "bytes"
+        "math"
+        "strings"
+@@ -104,61 +105,72 @@ func TestNextJsCtx(t *testing.T) {
+        }
+ }
+type jsonErrType struct{}
+
+func (e *jsonErrType) MarshalJSON() ([]byte, error) {
+       return nil, errors.New("beep */ boop </script blip <!--")
+}
+
+ func TestJSValEscaper(t *testing.T) {
+        tests := []struct {
+-               x  interface{}
+-               js string
+               x        any
+               js       string
+               skipNest bool
+        }{
+-               {int(42), " 42 "},
+-               {uint(42), " 42 "},
+-               {int16(42), " 42 "},
+-               {uint16(42), " 42 "},
+-               {int32(-42), " -42 "},
+-               {uint32(42), " 42 "},
+-               {int16(-42), " -42 "},
+-               {uint16(42), " 42 "},
+-               {int64(-42), " -42 "},
+-               {uint64(42), " 42 "},
+-               {uint64(1) << 53, " 9007199254740992 "},
+               {int(42), " 42 ", false},
+               {uint(42), " 42 ", false},
+               {int16(42), " 42 ", false},
+               {uint16(42), " 42 ", false},
+               {int32(-42), " -42 ", false},
+               {uint32(42), " 42 ", false},
+               {int16(-42), " -42 ", false},
+               {uint16(42), " 42 ", false},
+               {int64(-42), " -42 ", false},
+               {uint64(42), " 42 ", false},
+               {uint64(1) << 53, " 9007199254740992 ", false},
+                // ulp(1 << 53) > 1 so this loses precision in JS
+                // but it is still a representable integer literal.
+-               {uint64(1)<<53 + 1, " 9007199254740993 "},
+-               {float32(1.0), " 1 "},
+-               {float32(-1.0), " -1 "},
+-               {float32(0.5), " 0.5 "},
+-               {float32(-0.5), " -0.5 "},
+-               {float32(1.0) / float32(256), " 0.00390625 "},
+-               {float32(0), " 0 "},
+-               {math.Copysign(0, -1), " -0 "},
+-               {float64(1.0), " 1 "},
+-               {float64(-1.0), " -1 "},
+-               {float64(0.5), " 0.5 "},
+-               {float64(-0.5), " -0.5 "},
+-               {float64(0), " 0 "},
+-               {math.Copysign(0, -1), " -0 "},
+-               {"", `""`},
+-               {"foo", `"foo"`},
+               {uint64(1)<<53 + 1, " 9007199254740993 ", false},
+               {float32(1.0), " 1 ", false},
+               {float32(-1.0), " -1 ", false},
+               {float32(0.5), " 0.5 ", false},
+               {float32(-0.5), " -0.5 ", false},
+               {float32(1.0) / float32(256), " 0.00390625 ", false},
+               {float32(0), " 0 ", false},
+               {math.Copysign(0, -1), " -0 ", false},
+               {float64(1.0), " 1 ", false},
+               {float64(-1.0), " -1 ", false},
+               {float64(0.5), " 0.5 ", false},
+               {float64(-0.5), " -0.5 ", false},
+               {float64(0), " 0 ", false},
+               {math.Copysign(0, -1), " -0 ", false},
+               {"", `""`, false},
+               {"foo", `"foo"`, false},
+                // Newlines.
+-               {"\r\n\u2028\u2029", `"\r\n\u2028\u2029"`},
+               {"\r\n\u2028\u2029", `"\r\n\u2028\u2029"`, false},
+                // "\v" == "v" on IE 6 so use "\u000b" instead.
+-               {"\t\x0b", `"\t\u000b"`},
+-               {struct{ X, Y int }{1, 2}, `{"X":1,"Y":2}`},
+-               {[]interface{}{}, "[]"},
+-               {[]interface{}{42, "foo", nil}, `[42,"foo",null]`},
+-               {[]string{"<!--", "</script>", "-->"}, `["\u003c!--","\u003c/script\u003e","--\u003e"]`},
+-               {"<!--", `"\u003c!--"`},
+-               {"-->", `"--\u003e"`},
+-               {"<![CDATA[", `"\u003c![CDATA["`},
+-               {"]]>", `"]]\u003e"`},
+-               {"</script", `"\u003c/script"`},
+-               {"\U0001D11E", "\"\U0001D11E\""}, // or "\uD834\uDD1E"
+-               {nil, " null "},
+               {"\t\x0b", `"\t\u000b"`, false},
+               {struct{ X, Y int }{1, 2}, `{"X":1,"Y":2}`, false},
+               {[]any{}, "[]", false},
+               {[]any{42, "foo", nil}, `[42,"foo",null]`, false},
+               {[]string{"<!--", "</script>", "-->"}, `["\u003c!--","\u003c/script\u003e","--\u003e"]`, false},
+               {"<!--", `"\u003c!--"`, false},
+               {"-->", `"--\u003e"`, false},
+               {"<![CDATA[", `"\u003c![CDATA["`, false},
+               {"]]>", `"]]\u003e"`, false},
+               {"</script", `"\u003c/script"`, false},
+               {"\U0001D11E", "\"\U0001D11E\"", false}, // or "\uD834\uDD1E"
+               {nil, " null ", false},
+               {&jsonErrType{}, " /* json: error calling MarshalJSON for type *template.jsonErrType: beep * / boop \\x3C/script blip \\x3C!-- */null ", true},
+        }
+        for _, test := range tests {
+                if js := jsValEscaper(test.x); js != test.js {
+                        t.Errorf("%+v: want\n\t%q\ngot\n\t%q", test.x, test.js, js)
+                }
+               if test.skipNest {
+                       continue
+               }
+                // Make sure that escaping corner cases are not broken
+                // by nesting.
+                a := []interface{}{test.x}
+--
+2.39.3
author	Vivek Kumbhar <vkumbhar@mvista.com>	2024-03-11 11:14:00 +0530
committer	Steve Sakoman <steve@sakoman.com>	2024-03-13 07:36:50 -1000
commit	3a82461fadc41018d3b96bc30b71b742eb6fc21b (patch)
tree	2f6a3ed542eb7ae1df4aa09022eff31266a93a21 /meta
parent	ae66c42f9ea2cf1283fef982efb998910de6e2fc (diff)
download	poky-3a82461fadc41018d3b96bc30b71b742eb6fc21b.tar.gz

diff --git a/meta/recipes-devtools/go/go-1.17.13.inc b/meta/recipes-devtools/go/go-1.17.13.inc index e635445579..768961de2c 100644 --- a/meta/recipes-devtools/go/go-1.17.13.inc +++ b/meta/recipes-devtools/go/go-1.17.13.inc
@@ -53,6 +53,8 @@ SRC_URI += "\
53	file://CVE-2023-45287.patch \	53	file://CVE-2023-45287.patch \
54	file://CVE-2023-45289.patch \	54	file://CVE-2023-45289.patch \
55	file://CVE-2023-45290.patch \	55	file://CVE-2023-45290.patch \
		56	file://CVE-2024-24784.patch \
		57	file://CVE-2024-24785.patch \
56	"	58	"
57	SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd"	59	SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd"
58		60


diff --git a/meta/recipes-devtools/go/go-1.18/CVE-2024-24784.patch b/meta/recipes-devtools/go/go-1.18/CVE-2024-24784.patch new file mode 100644 index 0000000000..d3fc6b0313 --- /dev/null +++ b/meta/recipes-devtools/go/go-1.18/CVE-2024-24784.patch
@@ -0,0 +1,207 @@
		1	From 5330cd225ba54c7dc78c1b46dcdf61a4671a632c Mon Sep 17 00:00:00 2001
		2	From: Roland Shoemaker <bracewell@google.com>
		3	Date: Wed, 10 Jan 2024 11:02:14 -0800
		4	Subject: [PATCH] [release-branch.go1.22] net/mail: properly handle special
		5	characters in phrase and obs-phrase
		6
		7	Fixes a couple of misalignments with RFC 5322 which introduce
		8	significant diffs between (mostly) conformant parsers.
		9
		10	This change reverts the changes made in CL50911, which allowed certain
		11	special RFC 5322 characters to appear unquoted in the "phrase" syntax.
		12	It is unclear why this change was made in the first place, and created
		13	a divergence from comformant parsers. In particular this resulted in
		14	treating comments in display names incorrectly.
		15
		16	Additionally properly handle trailing malformed comments in the group
		17	syntax.
		18
		19	For #65083
		20	Fixed #65849
		21
		22	Change-Id: I00dddc044c6ae3381154e43236632604c390f672
		23	Reviewed-on: https://go-review.googlesource.com/c/go/+/555596
		24	Reviewed-by: Damien Neil <dneil@google.com>
		25	LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
		26	Reviewed-on: https://go-review.googlesource.com/c/go/+/566215
		27	Reviewed-by: Carlos Amedee <carlos@golang.org>
		28
		29	Upstream-Status: Backport [https://github.com/golang/go/commit/5330cd225ba54c7dc78c1b46dcdf61a4671a632c]
		30	CVE: CVE-2024-24784
		31	Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
		32	---
		33	src/net/mail/message.go \| 30 +++++++++++++++------------
		34	src/net/mail/message_test.go \| 40 ++++++++++++++++++++++++++----------
		35	2 files changed, 46 insertions(+), 24 deletions(-)
		36
		37	diff --git a/src/net/mail/message.go b/src/net/mail/message.go
		38	index 47bbf6c..84f48f0 100644
		39	--- a/src/net/mail/message.go
		40	+++ b/src/net/mail/message.go
		41	@@ -231,7 +231,7 @@ func (a *Address) String() string {
		42	// Add quotes if needed
		43	quoteLocal := false
		44	for i, r := range local {
		45	- if isAtext(r, false, false) {
		46	+ if isAtext(r, false) {
		47	continue
		48	}
		49	if r == '.' {
		50	@@ -395,7 +395,7 @@ func (p addrParser) parseAddress(handleGroup bool) ([]Address, error) {
		51	if !p.consume('<') {
		52	atext := true
		53	for _, r := range displayName {
		54	- if !isAtext(r, true, false) {
		55	+ if !isAtext(r, true) {
		56	atext = false
		57	break
		58	}
		59	@@ -430,7 +430,9 @@ func (p addrParser) consumeGroupList() ([]Address, error) {
		60	// handle empty group.
		61	p.skipSpace()
		62	if p.consume(';') {
		63	- p.skipCFWS()
		64	+ if !p.skipCFWS() {
		65	+ return nil, errors.New("mail: misformatted parenthetical comment")
		66	+ }
		67	return group, nil
		68	}
		69
		70	@@ -447,7 +449,9 @@ func (p addrParser) consumeGroupList() ([]Address, error) {
		71	return nil, errors.New("mail: misformatted parenthetical comment")
		72	}
		73	if p.consume(';') {
		74	- p.skipCFWS()
		75	+ if !p.skipCFWS() {
		76	+ return nil, errors.New("mail: misformatted parenthetical comment")
		77	+ }
		78	break
		79	}
		80	if !p.consume(',') {
		81	@@ -517,6 +521,12 @@ func (p *addrParser) consumePhrase() (phrase string, err error) {
		82	var words []string
		83	var isPrevEncoded bool
		84	for {
		85	+ // obs-phrase allows CFWS after one word
		86	+ if len(words) > 0 {
		87	+ if !p.skipCFWS() {
		88	+ return "", errors.New("mail: misformatted parenthetical comment")
		89	+ }
		90	+ }
		91	// word = atom / quoted-string
		92	var word string
		93	p.skipSpace()
		94	@@ -612,7 +622,6 @@ Loop:
		95	// If dot is true, consumeAtom parses an RFC 5322 dot-atom instead.
		96	// If permissive is true, consumeAtom will not fail on:
		97	// - leading/trailing/double dots in the atom (see golang.org/issue/4938)
		98	-// - special characters (RFC 5322 3.2.3) except '<', '>', ':' and '"' (see golang.org/issue/21018)
		99	func (p *addrParser) consumeAtom(dot bool, permissive bool) (atom string, err error) {
		100	i := 0
		101
		102	@@ -623,7 +632,7 @@ Loop:
		103	case size == 1 && r == utf8.RuneError:
		104	return "", fmt.Errorf("mail: invalid utf-8 in address: %q", p.s)
		105
		106	- case size == 0 \|\| !isAtext(r, dot, permissive):
		107	+ case size == 0 \|\| !isAtext(r, dot):
		108	break Loop
		109
		110	default:
		111	@@ -777,18 +786,13 @@ func (e charsetError) Error() string {
		112
		113	// isAtext reports whether r is an RFC 5322 atext character.
		114	// If dot is true, period is included.
		115	-// If permissive is true, RFC 5322 3.2.3 specials is included,
		116	-// except '<', '>', ':' and '"'.
		117	-func isAtext(r rune, dot, permissive bool) bool {
		118	+func isAtext(r rune, dot bool) bool {
		119	switch r {
		120	case '.':
		121	return dot
		122
		123	// RFC 5322 3.2.3. specials
		124	- case '(', ')', '[', ']', ';', '@', '\\', ',':
		125	- return permissive
		126	-
		127	- case '<', '>', '"', ':':
		128	+ case '(', ')', '<', '>', '[', ']', ':', ';', '@', '\\', ',', '"': // RFC 5322 3.2.3. specials
		129	return false
		130	}
		131	return isVchar(r)
		132	diff --git a/src/net/mail/message_test.go b/src/net/mail/message_test.go
		133	index 80a17b2..00bc93e 100644
		134	--- a/src/net/mail/message_test.go
		135	+++ b/src/net/mail/message_test.go
		136	@@ -334,8 +334,11 @@ func TestAddressParsingError(t *testing.T) {
		137	13: {"group not closed: null@example.com", "expected comma"},
		138	14: {"group: first@example.com, second@example.com;", "group with multiple addresses"},
		139	15: {"john.doe", "missing '@' or angle-addr"},
		140	- 16: {"john.doe@", "no angle-addr"},
		141	+ 16: {"john.doe@", "missing '@' or angle-addr"},
		142	17: {"John Doe@foo.bar", "no angle-addr"},
		143	+ 18: {" group: null@example.com; (asd", "misformatted parenthetical comment"},
		144	+ 19: {" group: ; (asd", "misformatted parenthetical comment"},
		145	+ 20: {`(John) Doe <jdoe@machine.example>`, "missing word in phrase:"},
		146	}
		147
		148	for i, tc := range mustErrTestCases {
		149	@@ -374,24 +377,19 @@ func TestAddressParsing(t *testing.T) {
		150	Address: "john.q.public@example.com",
		151	}},
		152	},
		153	- {
		154	- `"John (middle) Doe" <jdoe@machine.example>`,
		155	- []*Address{{
		156	- Name: "John (middle) Doe",
		157	- Address: "jdoe@machine.example",
		158	- }},
		159	- },
		160	+ // Comment in display name
		161	{
		162	`John (middle) Doe <jdoe@machine.example>`,
		163	[]*Address{{
		164	- Name: "John (middle) Doe",
		165	+ Name: "John Doe",
		166	Address: "jdoe@machine.example",
		167	}},
		168	},
		169	+ // Display name is quoted string, so comment is not a comment
		170	{
		171	- `John !@M@! Doe <jdoe@machine.example>`,
		172	+ `"John (middle) Doe" <jdoe@machine.example>`,
		173	[]*Address{{
		174	- Name: "John !@M@! Doe",
		175	+ Name: "John (middle) Doe",
		176	Address: "jdoe@machine.example",
		177	}},
		178	},
		179	@@ -726,6 +724,26 @@ func TestAddressParsing(t *testing.T) {
		180	},
		181	},
		182	},
		183	+ // Comment in group display name
		184	+ {
		185	+ `group (comment:): a@example.com, b@example.com;`,
		186	+ []*Address{
		187	+ {
		188	+ Address: "a@example.com",
		189	+ },
		190	+ {
		191	+ Address: "b@example.com",
		192	+ },
		193	+ },
		194	+ },
		195	+ {
		196	+ `x(:"):"@a.example;("@b.example;`,
		197	+ []*Address{
		198	+ {
		199	+ Address: `@a.example;(@b.example`,
		200	+ },
		201	+ },
		202	+ },
		203	}
		204	for _, test := range tests {
		205	if len(test.exp) == 1 {
		206	--
		207	2.39.3


diff --git a/meta/recipes-devtools/go/go-1.18/CVE-2024-24785.patch b/meta/recipes-devtools/go/go-1.18/CVE-2024-24785.patch new file mode 100644 index 0000000000..5c8244e89a --- /dev/null +++ b/meta/recipes-devtools/go/go-1.18/CVE-2024-24785.patch
@@ -0,0 +1,196 @@
		1	From 056b0edcb8c152152021eebf4cf42adbfbe77992 Mon Sep 17 00:00:00 2001
		2	From: Roland Shoemaker <roland@golang.org>
		3	Date: Wed, 14 Feb 2024 17:18:36 -0800
		4	Subject: [PATCH] [release-branch.go1.22] html/template: escape additional
		5	tokens in MarshalJSON errors
		6
		7	Escape "</script" and "<!--" in errors returned from MarshalJSON errors
		8	when attempting to marshal types in script blocks. This prevents any
		9	user controlled content from prematurely terminating the script block.
		10
		11	Updates #65697
		12	Fixes #65969
		13
		14	Change-Id: Icf0e26c54ea7d9c1deed0bff11b6506c99ddef1b
		15	Reviewed-on: https://go-review.googlesource.com/c/go/+/564196
		16	LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
		17	Reviewed-by: Damien Neil <dneil@google.com>
		18	(cherry picked from commit ccbc725f2d678255df1bd326fa511a492aa3a0aa)
		19	Reviewed-on: https://go-review.googlesource.com/c/go/+/567535
		20	Reviewed-by: Carlos Amedee <carlos@golang.org>
		21
		22	Upstream-Status: Backport [https://github.com/golang/go/commit/056b0edcb8c152152021eebf4cf42adbfbe77992]
		23	CVE: CVE-2024-24785
		24	Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
		25	---
		26	src/html/template/js.go \| 22 ++++++++-
		27	src/html/template/js_test.go \| 96 ++++++++++++++++++++----------------
		28	2 files changed, 74 insertions(+), 44 deletions(-)
		29
		30	diff --git a/src/html/template/js.go b/src/html/template/js.go
		31	index 35994f0..4d3b25d 100644
		32	--- a/src/html/template/js.go
		33	+++ b/src/html/template/js.go
		34	@@ -171,13 +171,31 @@ func jsValEscaper(args ...interface{}) string {
		35	// cyclic data. This may be an unacceptable DoS risk.
		36	b, err := json.Marshal(a)
		37	if err != nil {
		38	- // Put a space before comment so that if it is flush against
		39	+ // While the standard JSON marshaller does not include user controlled
		40	+ // information in the error message, if a type has a MarshalJSON method,
		41	+ // the content of the error message is not guaranteed. Since we insert
		42	+ // the error into the template, as part of a comment, we attempt to
		43	+ // prevent the error from either terminating the comment, or the script
		44	+ // block itself.
		45	+ //
		46	+ // In particular we:
		47	+ // * replace "/" comment end tokens with " /", which does not
		48	+ // terminate the comment
		49	+ // * replace "</script" with "\x3C/script", and "<!--" with
		50	+ // "\x3C!--", which prevents confusing script block termination
		51	+ // semantics
		52	+ //
		53	+ // We also put a space before the comment so that if it is flush against
		54	// a division operator it is not turned into a line comment:
		55	// x/{{y}}
		56	// turning into
		57	// x//* error marshaling y:
		58	// second line of error message */null
		59	- return fmt.Sprintf(" /* %s /null ", strings.ReplaceAll(err.Error(), "/", "* /"))
		60	+ errStr := err.Error()
		61	+ errStr = strings.ReplaceAll(errStr, "/", " /")
		62	+ errStr = strings.ReplaceAll(errStr, "</script", `\x3C/script`)
		63	+ errStr = strings.ReplaceAll(errStr, "<!--", `\x3C!--`)
		64	+ return fmt.Sprintf(" /* %s */null ", errStr)
		65	}
		66
		67	// TODO: maybe post-process output to prevent it from containing
		68	diff --git a/src/html/template/js_test.go b/src/html/template/js_test.go
		69	index de9ef28..0eaec11 100644
		70	--- a/src/html/template/js_test.go
		71	+++ b/src/html/template/js_test.go
		72	@@ -5,6 +5,7 @@
		73	package template
		74
		75	import (
		76	+ "errors"
		77	"bytes"
		78	"math"
		79	"strings"
		80	@@ -104,61 +105,72 @@ func TestNextJsCtx(t *testing.T) {
		81	}
		82	}
		83
		84	+type jsonErrType struct{}
		85	+
		86	+func (e *jsonErrType) MarshalJSON() ([]byte, error) {
		87	+ return nil, errors.New("beep */ boop </script blip <!--")
		88	+}
		89	+
		90	func TestJSValEscaper(t *testing.T) {
		91	tests := []struct {
		92	- x interface{}
		93	- js string
		94	+ x any
		95	+ js string
		96	+ skipNest bool
		97	}{
		98	- {int(42), " 42 "},
		99	- {uint(42), " 42 "},
		100	- {int16(42), " 42 "},
		101	- {uint16(42), " 42 "},
		102	- {int32(-42), " -42 "},
		103	- {uint32(42), " 42 "},
		104	- {int16(-42), " -42 "},
		105	- {uint16(42), " 42 "},
		106	- {int64(-42), " -42 "},
		107	- {uint64(42), " 42 "},
		108	- {uint64(1) << 53, " 9007199254740992 "},
		109	+ {int(42), " 42 ", false},
		110	+ {uint(42), " 42 ", false},
		111	+ {int16(42), " 42 ", false},
		112	+ {uint16(42), " 42 ", false},
		113	+ {int32(-42), " -42 ", false},
		114	+ {uint32(42), " 42 ", false},
		115	+ {int16(-42), " -42 ", false},
		116	+ {uint16(42), " 42 ", false},
		117	+ {int64(-42), " -42 ", false},
		118	+ {uint64(42), " 42 ", false},
		119	+ {uint64(1) << 53, " 9007199254740992 ", false},
		120	// ulp(1 << 53) > 1 so this loses precision in JS
		121	// but it is still a representable integer literal.
		122	- {uint64(1)<<53 + 1, " 9007199254740993 "},
		123	- {float32(1.0), " 1 "},
		124	- {float32(-1.0), " -1 "},
		125	- {float32(0.5), " 0.5 "},
		126	- {float32(-0.5), " -0.5 "},
		127	- {float32(1.0) / float32(256), " 0.00390625 "},
		128	- {float32(0), " 0 "},
		129	- {math.Copysign(0, -1), " -0 "},
		130	- {float64(1.0), " 1 "},
		131	- {float64(-1.0), " -1 "},
		132	- {float64(0.5), " 0.5 "},
		133	- {float64(-0.5), " -0.5 "},
		134	- {float64(0), " 0 "},
		135	- {math.Copysign(0, -1), " -0 "},
		136	- {"", `""`},
		137	- {"foo", `"foo"`},
		138	+ {uint64(1)<<53 + 1, " 9007199254740993 ", false},
		139	+ {float32(1.0), " 1 ", false},
		140	+ {float32(-1.0), " -1 ", false},
		141	+ {float32(0.5), " 0.5 ", false},
		142	+ {float32(-0.5), " -0.5 ", false},
		143	+ {float32(1.0) / float32(256), " 0.00390625 ", false},
		144	+ {float32(0), " 0 ", false},
		145	+ {math.Copysign(0, -1), " -0 ", false},
		146	+ {float64(1.0), " 1 ", false},
		147	+ {float64(-1.0), " -1 ", false},
		148	+ {float64(0.5), " 0.5 ", false},
		149	+ {float64(-0.5), " -0.5 ", false},
		150	+ {float64(0), " 0 ", false},
		151	+ {math.Copysign(0, -1), " -0 ", false},
		152	+ {"", `""`, false},
		153	+ {"foo", `"foo"`, false},
		154	// Newlines.
		155	- {"\r\n\u2028\u2029", `"\r\n\u2028\u2029"`},
		156	+ {"\r\n\u2028\u2029", `"\r\n\u2028\u2029"`, false},
		157	// "\v" == "v" on IE 6 so use "\u000b" instead.
		158	- {"\t\x0b", `"\t\u000b"`},
		159	- {struct{ X, Y int }{1, 2}, `{"X":1,"Y":2}`},
		160	- {[]interface{}{}, "[]"},
		161	- {[]interface{}{42, "foo", nil}, `[42,"foo",null]`},
		162	- {[]string{"<!--", "</script>", "-->"}, `["\u003c!--","\u003c/script\u003e","--\u003e"]`},
		163	- {"<!--", `"\u003c!--"`},
		164	- {"-->", `"--\u003e"`},
		165	- {"<![CDATA[", `"\u003c![CDATA["`},
		166	- {"]]>", `"]]\u003e"`},
		167	- {"</script", `"\u003c/script"`},
		168	- {"\U0001D11E", "\"\U0001D11E\""}, // or "\uD834\uDD1E"
		169	- {nil, " null "},
		170	+ {"\t\x0b", `"\t\u000b"`, false},
		171	+ {struct{ X, Y int }{1, 2}, `{"X":1,"Y":2}`, false},
		172	+ {[]any{}, "[]", false},
		173	+ {[]any{42, "foo", nil}, `[42,"foo",null]`, false},
		174	+ {[]string{"<!--", "</script>", "-->"}, `["\u003c!--","\u003c/script\u003e","--\u003e"]`, false},
		175	+ {"<!--", `"\u003c!--"`, false},
		176	+ {"-->", `"--\u003e"`, false},
		177	+ {"<![CDATA[", `"\u003c![CDATA["`, false},
		178	+ {"]]>", `"]]\u003e"`, false},
		179	+ {"</script", `"\u003c/script"`, false},
		180	+ {"\U0001D11E", "\"\U0001D11E\"", false}, // or "\uD834\uDD1E"
		181	+ {nil, " null ", false},
		182	+ {&jsonErrType{}, " /* json: error calling MarshalJSON for type template.jsonErrType: beep / boop \\x3C/script blip \\x3C!-- */null ", true},
		183	}
		184
		185	for _, test := range tests {
		186	if js := jsValEscaper(test.x); js != test.js {
		187	t.Errorf("%+v: want\n\t%q\ngot\n\t%q", test.x, test.js, js)
		188	}
		189	+ if test.skipNest {
		190	+ continue
		191	+ }
		192	// Make sure that escaping corner cases are not broken
		193	// by nesting.
		194	a := []interface{}{test.x}
		195	--
		196	2.39.3