diff options
| author | Hitendra Prajapati <hprajapati@mvista.com> | 2025-11-03 11:43:36 +0530 |
|---|---|---|
| committer | Steve Sakoman <steve@sakoman.com> | 2025-11-06 07:14:05 -0800 |
| commit | 8641f0fec992d079cd0c1d7ba0032e5568d194cf (patch) | |
| tree | 0ce215a6f1a78dffe0ddcdc2b101030d06bd9649 /meta | |
| parent | 484d31c23d941f1bb9d084a21148ae17aeacea80 (diff) | |
| download | poky-8641f0fec992d079cd0c1d7ba0032e5568d194cf.tar.gz | |
go: fix CVE-2024-24783
Upstream-Status: Backport https://github.com/golang/go/commit/be5b52bea674190ef7de272664be6c7ae93ec5a0
(From OE-Core rev: b7d89fae22b317199b8f72978712075078a17005)
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'meta')
| -rw-r--r-- | meta/recipes-devtools/go/go-1.17.13.inc | 1 | ||||
| -rw-r--r-- | meta/recipes-devtools/go/go-1.21/CVE-2024-24783.patch | 83 |
2 files changed, 84 insertions, 0 deletions
diff --git a/meta/recipes-devtools/go/go-1.17.13.inc b/meta/recipes-devtools/go/go-1.17.13.inc index aab8e85c22..465f24e108 100644 --- a/meta/recipes-devtools/go/go-1.17.13.inc +++ b/meta/recipes-devtools/go/go-1.17.13.inc | |||
| @@ -68,6 +68,7 @@ SRC_URI = "https://golang.org/dl/go${PV}.src.tar.gz;name=main \ | |||
| 68 | file://CVE-2025-47907-pre-0002.patch \ | 68 | file://CVE-2025-47907-pre-0002.patch \ |
| 69 | file://CVE-2025-47907.patch \ | 69 | file://CVE-2025-47907.patch \ |
| 70 | file://CVE-2025-47906.patch \ | 70 | file://CVE-2025-47906.patch \ |
| 71 | file://CVE-2024-24783.patch \ | ||
| 71 | " | 72 | " |
| 72 | SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd" | 73 | SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd" |
| 73 | 74 | ||
diff --git a/meta/recipes-devtools/go/go-1.21/CVE-2024-24783.patch b/meta/recipes-devtools/go/go-1.21/CVE-2024-24783.patch new file mode 100644 index 0000000000..952258be20 --- /dev/null +++ b/meta/recipes-devtools/go/go-1.21/CVE-2024-24783.patch | |||
| @@ -0,0 +1,83 @@ | |||
| 1 | From be5b52bea674190ef7de272664be6c7ae93ec5a0 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Roland Shoemaker <bracewell@google.com> | ||
| 3 | Date: Thu, 18 Jan 2024 12:51:13 -0800 | ||
| 4 | Subject: [PATCH] [release-branch.go1.21] crypto/x509: make sure pub key is | ||
| 5 | non-nil before interface conversion | ||
| 6 | |||
| 7 | alreadyInChain assumes all keys fit a interface which contains the | ||
| 8 | Equal method (which they do), but this ignores that certificates may | ||
| 9 | have a nil key when PublicKeyAlgorithm is UnknownPublicKeyAlgorithm. In | ||
| 10 | this case alreadyInChain panics. | ||
| 11 | |||
| 12 | Check that the key is non-nil as part of considerCandidate (we are never | ||
| 13 | going to build a chain containing UnknownPublicKeyAlgorithm anyway). | ||
| 14 | |||
| 15 | For #65390 | ||
| 16 | Fixes #65392 | ||
| 17 | Fixes CVE-2024-24783 | ||
| 18 | |||
| 19 | Change-Id: Ibdccc0a487e3368b6812be35daad2512220243f3 | ||
| 20 | Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2137282 | ||
| 21 | Reviewed-by: Damien Neil <dneil@google.com> | ||
| 22 | Run-TryBot: Roland Shoemaker <bracewell@google.com> | ||
| 23 | Reviewed-by: Tatiana Bradley <tatianabradley@google.com> | ||
| 24 | Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2173774 | ||
| 25 | Reviewed-by: Roland Shoemaker <bracewell@google.com> | ||
| 26 | Reviewed-by: Carlos Amedee <amedee@google.com> | ||
| 27 | Reviewed-on: https://go-review.googlesource.com/c/go/+/569238 | ||
| 28 | Auto-Submit: Michael Knyszek <mknyszek@google.com> | ||
| 29 | LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> | ||
| 30 | Reviewed-by: Carlos Amedee <carlos@golang.org> | ||
| 31 | |||
| 32 | CVE: CVE-2024-24783 | ||
| 33 | Upstream-Status: Backport [https://github.com/golang/go/commit/be5b52bea674190ef7de272664be6c7ae93ec5a0] | ||
| 34 | Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> | ||
| 35 | --- | ||
| 36 | src/crypto/x509/verify.go | 3 +++ | ||
| 37 | src/crypto/x509/verify_test.go | 19 +++++++++++++++++++ | ||
| 38 | 2 files changed, 22 insertions(+) | ||
| 39 | |||
| 40 | diff --git a/src/crypto/x509/verify.go b/src/crypto/x509/verify.go | ||
| 41 | index 9ef1146..3e95808 100644 | ||
| 42 | --- a/src/crypto/x509/verify.go | ||
| 43 | +++ b/src/crypto/x509/verify.go | ||
| 44 | @@ -819,6 +819,9 @@ func (c *Certificate) buildChains(cache map[*Certificate][][]*Certificate, curre | ||
| 45 | ) | ||
| 46 | |||
| 47 | considerCandidate := func(certType int, candidate *Certificate) { | ||
| 48 | + if candidate.PublicKey == nil { | ||
| 49 | + return | ||
| 50 | + } | ||
| 51 | for _, cert := range currentChain { | ||
| 52 | if cert.Equal(candidate) { | ||
| 53 | return | ||
| 54 | diff --git a/src/crypto/x509/verify_test.go b/src/crypto/x509/verify_test.go | ||
| 55 | index 9954a67..9da39ca 100644 | ||
| 56 | --- a/src/crypto/x509/verify_test.go | ||
| 57 | +++ b/src/crypto/x509/verify_test.go | ||
| 58 | @@ -1968,3 +1968,22 @@ func TestSystemRootsErrorUnwrap(t *testing.T) { | ||
| 59 | t.Error("errors.Is failed, wanted success") | ||
| 60 | } | ||
| 61 | } | ||
| 62 | + | ||
| 63 | +func TestVerifyNilPubKey(t *testing.T) { | ||
| 64 | + c := &Certificate{ | ||
| 65 | + RawIssuer: []byte{1, 2, 3}, | ||
| 66 | + AuthorityKeyId: []byte{1, 2, 3}, | ||
| 67 | + } | ||
| 68 | + opts := &VerifyOptions{} | ||
| 69 | + opts.Roots = NewCertPool() | ||
| 70 | + r := &Certificate{ | ||
| 71 | + RawSubject: []byte{1, 2, 3}, | ||
| 72 | + SubjectKeyId: []byte{1, 2, 3}, | ||
| 73 | + } | ||
| 74 | + opts.Roots.AddCert(r) | ||
| 75 | + | ||
| 76 | + _, err := c.buildChains(nil, []*Certificate{r}, nil, opts) | ||
| 77 | + if _, ok := err.(UnknownAuthorityError); !ok { | ||
| 78 | + t.Fatalf("buildChains returned unexpected error, got: %v, want %v", err, UnknownAuthorityError{}) | ||
| 79 | + } | ||
| 80 | +} | ||
| 81 | -- | ||
| 82 | 2.50.1 | ||
| 83 | |||
