summaryrefslogtreecommitdiffstats
path: root/meta
diff options
context:
space:
mode:
authorHitendra Prajapati <hprajapati@mvista.com>2025-11-03 11:43:36 +0530
committerSteve Sakoman <steve@sakoman.com>2025-11-06 07:14:05 -0800
commit8641f0fec992d079cd0c1d7ba0032e5568d194cf (patch)
tree0ce215a6f1a78dffe0ddcdc2b101030d06bd9649 /meta
parent484d31c23d941f1bb9d084a21148ae17aeacea80 (diff)
downloadpoky-8641f0fec992d079cd0c1d7ba0032e5568d194cf.tar.gz
go: fix CVE-2024-24783
Upstream-Status: Backport https://github.com/golang/go/commit/be5b52bea674190ef7de272664be6c7ae93ec5a0 (From OE-Core rev: b7d89fae22b317199b8f72978712075078a17005) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'meta')
-rw-r--r--meta/recipes-devtools/go/go-1.17.13.inc1
-rw-r--r--meta/recipes-devtools/go/go-1.21/CVE-2024-24783.patch83
2 files changed, 84 insertions, 0 deletions
diff --git a/meta/recipes-devtools/go/go-1.17.13.inc b/meta/recipes-devtools/go/go-1.17.13.inc
index aab8e85c22..465f24e108 100644
--- a/meta/recipes-devtools/go/go-1.17.13.inc
+++ b/meta/recipes-devtools/go/go-1.17.13.inc
@@ -68,6 +68,7 @@ SRC_URI = "https://golang.org/dl/go${PV}.src.tar.gz;name=main \
68 file://CVE-2025-47907-pre-0002.patch \ 68 file://CVE-2025-47907-pre-0002.patch \
69 file://CVE-2025-47907.patch \ 69 file://CVE-2025-47907.patch \
70 file://CVE-2025-47906.patch \ 70 file://CVE-2025-47906.patch \
71 file://CVE-2024-24783.patch \
71 " 72 "
72SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd" 73SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd"
73 74
diff --git a/meta/recipes-devtools/go/go-1.21/CVE-2024-24783.patch b/meta/recipes-devtools/go/go-1.21/CVE-2024-24783.patch
new file mode 100644
index 0000000000..952258be20
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.21/CVE-2024-24783.patch
@@ -0,0 +1,83 @@
1From be5b52bea674190ef7de272664be6c7ae93ec5a0 Mon Sep 17 00:00:00 2001
2From: Roland Shoemaker <bracewell@google.com>
3Date: Thu, 18 Jan 2024 12:51:13 -0800
4Subject: [PATCH] [release-branch.go1.21] crypto/x509: make sure pub key is
5 non-nil before interface conversion
6
7alreadyInChain assumes all keys fit a interface which contains the
8Equal method (which they do), but this ignores that certificates may
9have a nil key when PublicKeyAlgorithm is UnknownPublicKeyAlgorithm. In
10this case alreadyInChain panics.
11
12Check that the key is non-nil as part of considerCandidate (we are never
13going to build a chain containing UnknownPublicKeyAlgorithm anyway).
14
15For #65390
16Fixes #65392
17Fixes CVE-2024-24783
18
19Change-Id: Ibdccc0a487e3368b6812be35daad2512220243f3
20Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2137282
21Reviewed-by: Damien Neil <dneil@google.com>
22Run-TryBot: Roland Shoemaker <bracewell@google.com>
23Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
24Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2173774
25Reviewed-by: Roland Shoemaker <bracewell@google.com>
26Reviewed-by: Carlos Amedee <amedee@google.com>
27Reviewed-on: https://go-review.googlesource.com/c/go/+/569238
28Auto-Submit: Michael Knyszek <mknyszek@google.com>
29LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
30Reviewed-by: Carlos Amedee <carlos@golang.org>
31
32CVE: CVE-2024-24783
33Upstream-Status: Backport [https://github.com/golang/go/commit/be5b52bea674190ef7de272664be6c7ae93ec5a0]
34Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
35---
36 src/crypto/x509/verify.go | 3 +++
37 src/crypto/x509/verify_test.go | 19 +++++++++++++++++++
38 2 files changed, 22 insertions(+)
39
40diff --git a/src/crypto/x509/verify.go b/src/crypto/x509/verify.go
41index 9ef1146..3e95808 100644
42--- a/src/crypto/x509/verify.go
43+++ b/src/crypto/x509/verify.go
44@@ -819,6 +819,9 @@ func (c *Certificate) buildChains(cache map[*Certificate][][]*Certificate, curre
45 )
46
47 considerCandidate := func(certType int, candidate *Certificate) {
48+ if candidate.PublicKey == nil {
49+ return
50+ }
51 for _, cert := range currentChain {
52 if cert.Equal(candidate) {
53 return
54diff --git a/src/crypto/x509/verify_test.go b/src/crypto/x509/verify_test.go
55index 9954a67..9da39ca 100644
56--- a/src/crypto/x509/verify_test.go
57+++ b/src/crypto/x509/verify_test.go
58@@ -1968,3 +1968,22 @@ func TestSystemRootsErrorUnwrap(t *testing.T) {
59 t.Error("errors.Is failed, wanted success")
60 }
61 }
62+
63+func TestVerifyNilPubKey(t *testing.T) {
64+ c := &Certificate{
65+ RawIssuer: []byte{1, 2, 3},
66+ AuthorityKeyId: []byte{1, 2, 3},
67+ }
68+ opts := &VerifyOptions{}
69+ opts.Roots = NewCertPool()
70+ r := &Certificate{
71+ RawSubject: []byte{1, 2, 3},
72+ SubjectKeyId: []byte{1, 2, 3},
73+ }
74+ opts.Roots.AddCert(r)
75+
76+ _, err := c.buildChains(nil, []*Certificate{r}, nil, opts)
77+ if _, ok := err.(UnknownAuthorityError); !ok {
78+ t.Fatalf("buildChains returned unexpected error, got: %v, want %v", err, UnknownAuthorityError{})
79+ }
80+}
81--
822.50.1
83