2 files changed, 206 insertions, 0 deletions
diff --git a/meta/recipes-devtools/go/go-1.14.inc b/meta/recipes-devtools/go/go-1.14.inc
index 69b65f3eb2..9c7ceda891 100644
--- a/meta/recipes-devtools/go/go-1.14.inc
+++ b/meta/recipes-devtools/go/go-1.14.inc
@@ -91,6 +91,7 @@ SRC_URI += "\
    file://CVE-2023-45289.patch \
    file://CVE-2023-45290.patch \
    file://CVE-2024-24785.patch \
+    file://CVE-2024-24784.patch \
 "
 SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2024-24784.patch b/meta/recipes-devtools/go/go-1.14/CVE-2024-24784.patch
new file mode 100644
index 0000000000..e9d9d972b9
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2024-24784.patch
@@ -0,0 +1,205 @@
+From 5330cd225ba54c7dc78c1b46dcdf61a4671a632c Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <bracewell@google.com>
+Date: Wed, 10 Jan 2024 11:02:14 -0800
+Subject: [PATCH] [release-branch.go1.22] net/mail: properly handle special
+ characters in phrase and obs-phrase
+Fixes a couple of misalignments with RFC 5322 which introduce
+significant diffs between (mostly) conformant parsers.
+This change reverts the changes made in CL50911, which allowed certain
+special RFC 5322 characters to appear unquoted in the "phrase" syntax.
+It is unclear why this change was made in the first place, and created
+a divergence from comformant parsers. In particular this resulted in
+treating comments in display names incorrectly.
+Additionally properly handle trailing malformed comments in the group
+syntax.
+For #65083
+Fixed #65849
+Change-Id: I00dddc044c6ae3381154e43236632604c390f672
+Reviewed-on: https://go-review.googlesource.com/c/go/+/555596
+Reviewed-by: Damien Neil <dneil@google.com>
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/566215
+Reviewed-by: Carlos Amedee <carlos@golang.org>
+Upstream-Status: Backport [https://github.com/golang/go/commit/5330cd225ba54c7dc78c1b46dcdf61a4671a632c]
+CVE: CVE-2024-24784
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+ src/net/mail/message.go      | 30 +++++++++++++++------------
+ src/net/mail/message_test.go | 40 ++++++++++++++++++++++++++----------
+ 2 files changed, 46 insertions(+), 24 deletions(-)
+diff --git a/src/net/mail/message.go b/src/net/mail/message.go
+index af516fc30f470..fc2a9e46f811b 100644
+--- a/src/net/mail/message.go
+++ b/src/net/mail/message.go
+@@ -280,7 +280,7 @@ func (a *Address) String() string {
+        // Add quotes if needed
+        quoteLocal := false
+        for i, r := range local {
+-               if isAtext(r, false, false) {
+               if isAtext(r, false) {
+                        continue
+                }
+                if r == '.' {
+@@ -444,7 +444,7 @@ func (p *addrParser) parseAddress(handleGroup bool) ([]*Address, error) {
+        if !p.consume('<') {
+                atext := true
+                for _, r := range displayName {
+-                       if !isAtext(r, true, false) {
+                       if !isAtext(r, true) {
+                                atext = false
+                                break
+                        }
+@@ -479,7 +479,9 @@ func (p *addrParser) consumeGroupList() ([]*Address, error) {
+        // handle empty group.
+        p.skipSpace()
+        if p.consume(';') {
+-               p.skipCFWS()
+               if !p.skipCFWS() {
+                       return nil, errors.New("mail: misformatted parenthetical comment")
+               }
+                return group, nil
+        }
+ 
+@@ -496,7 +498,9 @@ func (p *addrParser) consumeGroupList() ([]*Address, error) {
+                        return nil, errors.New("mail: misformatted parenthetical comment")
+                }
+                if p.consume(';') {
+-                       p.skipCFWS()
+                       if !p.skipCFWS() {
+                               return nil, errors.New("mail: misformatted parenthetical comment")
+                       }
+                        break
+                }
+                if !p.consume(',') {
+@@ -566,6 +570,12 @@ func (p *addrParser) consumePhrase() (phrase string, err error) {
+        var words []string
+        var isPrevEncoded bool
+        for {
+               // obs-phrase allows CFWS after one word
+               if len(words) > 0 {
+                       if !p.skipCFWS() {
+                               return "", errors.New("mail: misformatted parenthetical comment")
+                       }
+               }
+                // word = atom / quoted-string
+                var word string
+                p.skipSpace()
+@@ -661,7 +671,6 @@ Loop:
+ // If dot is true, consumeAtom parses an RFC 5322 dot-atom instead.
+ // If permissive is true, consumeAtom will not fail on:
+ // - leading/trailing/double dots in the atom (see golang.org/issue/4938)
+-// - special characters (RFC 5322 3.2.3) except '<', '>', ':' and '"' (see golang.org/issue/21018)
+ func (p *addrParser) consumeAtom(dot bool, permissive bool) (atom string, err error) {
+        i := 0
+ 
+@@ -672,7 +681,7 @@ Loop:
+                case size == 1 && r == utf8.RuneError:
+                        return "", fmt.Errorf("mail: invalid utf-8 in address: %q", p.s)
+ 
+-               case size == 0 || !isAtext(r, dot, permissive):
+               case size == 0 || !isAtext(r, dot):
+                        break Loop
+ 
+                default:
+@@ -850,18 +859,13 @@ func (e charsetError) Error() string {
+ 
+ // isAtext reports whether r is an RFC 5322 atext character.
+ // If dot is true, period is included.
+-// If permissive is true, RFC 5322 3.2.3 specials is included,
+-// except '<', '>', ':' and '"'.
+-func isAtext(r rune, dot, permissive bool) bool {
+func isAtext(r rune, dot bool) bool {
+        switch r {
+        case '.':
+                return dot
+ 
+        // RFC 5322 3.2.3. specials
+-       case '(', ')', '[', ']', ';', '@', '\\', ',':
+-               return permissive
+-
+-       case '<', '>', '"', ':':
+       case '(', ')', '<', '>', '[', ']', ':', ';', '@', '\\', ',', '"': // RFC 5322 3.2.3. specials
+                return false
+        }
+        return isVchar(r)
+diff --git a/src/net/mail/message_test.go b/src/net/mail/message_test.go
+index 1e1bb4092f659..1f2f62afbf406 100644
+--- a/src/net/mail/message_test.go
+++ b/src/net/mail/message_test.go
+@@ -385,8 +385,11 @@ func TestAddressParsingError(t *testing.T) {
+                13: {"group not closed: null@example.com", "expected comma"},
+                14: {"group: first@example.com, second@example.com;", "group with multiple addresses"},
+                15: {"john.doe", "missing '@' or angle-addr"},
+-               16: {"john.doe@", "no angle-addr"},
+               16: {"john.doe@", "missing '@' or angle-addr"},
+                17: {"John Doe@foo.bar", "no angle-addr"},
+               18: {" group: null@example.com; (asd", "misformatted parenthetical comment"},
+               19: {" group: ; (asd", "misformatted parenthetical comment"},
+               20: {`(John) Doe <jdoe@machine.example>`, "missing word in phrase:"},
+        }
+ 
+        for i, tc := range mustErrTestCases {
+@@ -436,24 +439,19 @@ func TestAddressParsing(t *testing.T) {
+                                Address: "john.q.public@example.com",
+                        }},
+                },
+-               {
+-                       `"John (middle) Doe" <jdoe@machine.example>`,
+-                       []*Address{{
+-                               Name:    "John (middle) Doe",
+-                               Address: "jdoe@machine.example",
+-                       }},
+-               },
+               // Comment in display name
+                {
+                        `John (middle) Doe <jdoe@machine.example>`,
+                        []*Address{{
+-                               Name:    "John (middle) Doe",
+                               Name:    "John Doe",
+                                Address: "jdoe@machine.example",
+                        }},
+                },
+               // Display name is quoted string, so comment is not a comment
+                {
+-                       `John !@M@! Doe <jdoe@machine.example>`,
+                       `"John (middle) Doe" <jdoe@machine.example>`,
+                        []*Address{{
+-                               Name:    "John !@M@! Doe",
+                               Name:    "John (middle) Doe",
+                                Address: "jdoe@machine.example",
+                        }},
+                },
+@@ -788,6 +786,26 @@ func TestAddressParsing(t *testing.T) {
+                                },
+                        },
+                },
+               // Comment in group display name
+               {
+                       `group (comment:): a@example.com, b@example.com;`,
+                       []*Address{
+                               {
+                                       Address: "a@example.com",
+                               },
+                               {
+                                       Address: "b@example.com",
+                               },
+                       },
+               },
+               {
+                       `x(:"):"@a.example;("@b.example;`,
+                       []*Address{
+                               {
+                                       Address: `@a.example;(@b.example`,
+                               },
+                       },
+               },
+        }
+        for _, test := range tests {
+                if len(test.exp) == 1 {

diff --git a/meta/recipes-devtools/go/go-1.14.inc b/meta/recipes-devtools/go/go-1.14.inc index 69b65f3eb2..9c7ceda891 100644 --- a/meta/recipes-devtools/go/go-1.14.inc +++ b/meta/recipes-devtools/go/go-1.14.inc
@@ -91,6 +91,7 @@ SRC_URI += "\
91	file://CVE-2023-45289.patch \	91	file://CVE-2023-45289.patch \
92	file://CVE-2023-45290.patch \	92	file://CVE-2023-45290.patch \
93	file://CVE-2024-24785.patch \	93	file://CVE-2024-24785.patch \
		94	file://CVE-2024-24784.patch \
94	"	95	"
95		96
96	SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"	97	SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"


diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2024-24784.patch b/meta/recipes-devtools/go/go-1.14/CVE-2024-24784.patch new file mode 100644 index 0000000000..e9d9d972b9 --- /dev/null +++ b/meta/recipes-devtools/go/go-1.14/CVE-2024-24784.patch
@@ -0,0 +1,205 @@
		1	From 5330cd225ba54c7dc78c1b46dcdf61a4671a632c Mon Sep 17 00:00:00 2001
		2	From: Roland Shoemaker <bracewell@google.com>
		3	Date: Wed, 10 Jan 2024 11:02:14 -0800
		4	Subject: [PATCH] [release-branch.go1.22] net/mail: properly handle special
		5	characters in phrase and obs-phrase
		6
		7	Fixes a couple of misalignments with RFC 5322 which introduce
		8	significant diffs between (mostly) conformant parsers.
		9
		10	This change reverts the changes made in CL50911, which allowed certain
		11	special RFC 5322 characters to appear unquoted in the "phrase" syntax.
		12	It is unclear why this change was made in the first place, and created
		13	a divergence from comformant parsers. In particular this resulted in
		14	treating comments in display names incorrectly.
		15
		16	Additionally properly handle trailing malformed comments in the group
		17	syntax.
		18
		19	For #65083
		20	Fixed #65849
		21
		22	Change-Id: I00dddc044c6ae3381154e43236632604c390f672
		23	Reviewed-on: https://go-review.googlesource.com/c/go/+/555596
		24	Reviewed-by: Damien Neil <dneil@google.com>
		25	LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
		26	Reviewed-on: https://go-review.googlesource.com/c/go/+/566215
		27	Reviewed-by: Carlos Amedee <carlos@golang.org>
		28
		29	Upstream-Status: Backport [https://github.com/golang/go/commit/5330cd225ba54c7dc78c1b46dcdf61a4671a632c]
		30	CVE: CVE-2024-24784
		31	Signed-off-by: Ashish Sharma <asharma@mvista.com>
		32
		33	src/net/mail/message.go \| 30 +++++++++++++++------------
		34	src/net/mail/message_test.go \| 40 ++++++++++++++++++++++++++----------
		35	2 files changed, 46 insertions(+), 24 deletions(-)
		36
		37	diff --git a/src/net/mail/message.go b/src/net/mail/message.go
		38	index af516fc30f470..fc2a9e46f811b 100644
		39	--- a/src/net/mail/message.go
		40	+++ b/src/net/mail/message.go
		41	@@ -280,7 +280,7 @@ func (a *Address) String() string {
		42	// Add quotes if needed
		43	quoteLocal := false
		44	for i, r := range local {
		45	- if isAtext(r, false, false) {
		46	+ if isAtext(r, false) {
		47	continue
		48	}
		49	if r == '.' {
		50	@@ -444,7 +444,7 @@ func (p addrParser) parseAddress(handleGroup bool) ([]Address, error) {
		51	if !p.consume('<') {
		52	atext := true
		53	for _, r := range displayName {
		54	- if !isAtext(r, true, false) {
		55	+ if !isAtext(r, true) {
		56	atext = false
		57	break
		58	}
		59	@@ -479,7 +479,9 @@ func (p addrParser) consumeGroupList() ([]Address, error) {
		60	// handle empty group.
		61	p.skipSpace()
		62	if p.consume(';') {
		63	- p.skipCFWS()
		64	+ if !p.skipCFWS() {
		65	+ return nil, errors.New("mail: misformatted parenthetical comment")
		66	+ }
		67	return group, nil
		68	}
		69
		70	@@ -496,7 +498,9 @@ func (p addrParser) consumeGroupList() ([]Address, error) {
		71	return nil, errors.New("mail: misformatted parenthetical comment")
		72	}
		73	if p.consume(';') {
		74	- p.skipCFWS()
		75	+ if !p.skipCFWS() {
		76	+ return nil, errors.New("mail: misformatted parenthetical comment")
		77	+ }
		78	break
		79	}
		80	if !p.consume(',') {
		81	@@ -566,6 +570,12 @@ func (p *addrParser) consumePhrase() (phrase string, err error) {
		82	var words []string
		83	var isPrevEncoded bool
		84	for {
		85	+ // obs-phrase allows CFWS after one word
		86	+ if len(words) > 0 {
		87	+ if !p.skipCFWS() {
		88	+ return "", errors.New("mail: misformatted parenthetical comment")
		89	+ }
		90	+ }
		91	// word = atom / quoted-string
		92	var word string
		93	p.skipSpace()
		94	@@ -661,7 +671,6 @@ Loop:
		95	// If dot is true, consumeAtom parses an RFC 5322 dot-atom instead.
		96	// If permissive is true, consumeAtom will not fail on:
		97	// - leading/trailing/double dots in the atom (see golang.org/issue/4938)
		98	-// - special characters (RFC 5322 3.2.3) except '<', '>', ':' and '"' (see golang.org/issue/21018)
		99	func (p *addrParser) consumeAtom(dot bool, permissive bool) (atom string, err error) {
		100	i := 0
		101
		102	@@ -672,7 +681,7 @@ Loop:
		103	case size == 1 && r == utf8.RuneError:
		104	return "", fmt.Errorf("mail: invalid utf-8 in address: %q", p.s)
		105
		106	- case size == 0 \|\| !isAtext(r, dot, permissive):
		107	+ case size == 0 \|\| !isAtext(r, dot):
		108	break Loop
		109
		110	default:
		111	@@ -850,18 +859,13 @@ func (e charsetError) Error() string {
		112
		113	// isAtext reports whether r is an RFC 5322 atext character.
		114	// If dot is true, period is included.
		115	-// If permissive is true, RFC 5322 3.2.3 specials is included,
		116	-// except '<', '>', ':' and '"'.
		117	-func isAtext(r rune, dot, permissive bool) bool {
		118	+func isAtext(r rune, dot bool) bool {
		119	switch r {
		120	case '.':
		121	return dot
		122
		123	// RFC 5322 3.2.3. specials
		124	- case '(', ')', '[', ']', ';', '@', '\\', ',':
		125	- return permissive
		126	-
		127	- case '<', '>', '"', ':':
		128	+ case '(', ')', '<', '>', '[', ']', ':', ';', '@', '\\', ',', '"': // RFC 5322 3.2.3. specials
		129	return false
		130	}
		131	return isVchar(r)
		132	diff --git a/src/net/mail/message_test.go b/src/net/mail/message_test.go
		133	index 1e1bb4092f659..1f2f62afbf406 100644
		134	--- a/src/net/mail/message_test.go
		135	+++ b/src/net/mail/message_test.go
		136	@@ -385,8 +385,11 @@ func TestAddressParsingError(t *testing.T) {
		137	13: {"group not closed: null@example.com", "expected comma"},
		138	14: {"group: first@example.com, second@example.com;", "group with multiple addresses"},
		139	15: {"john.doe", "missing '@' or angle-addr"},
		140	- 16: {"john.doe@", "no angle-addr"},
		141	+ 16: {"john.doe@", "missing '@' or angle-addr"},
		142	17: {"John Doe@foo.bar", "no angle-addr"},
		143	+ 18: {" group: null@example.com; (asd", "misformatted parenthetical comment"},
		144	+ 19: {" group: ; (asd", "misformatted parenthetical comment"},
		145	+ 20: {`(John) Doe <jdoe@machine.example>`, "missing word in phrase:"},
		146	}
		147
		148	for i, tc := range mustErrTestCases {
		149	@@ -436,24 +439,19 @@ func TestAddressParsing(t *testing.T) {
		150	Address: "john.q.public@example.com",
		151	}},
		152	},
		153	- {
		154	- `"John (middle) Doe" <jdoe@machine.example>`,
		155	- []*Address{{
		156	- Name: "John (middle) Doe",
		157	- Address: "jdoe@machine.example",
		158	- }},
		159	- },
		160	+ // Comment in display name
		161	{
		162	`John (middle) Doe <jdoe@machine.example>`,
		163	[]*Address{{
		164	- Name: "John (middle) Doe",
		165	+ Name: "John Doe",
		166	Address: "jdoe@machine.example",
		167	}},
		168	},
		169	+ // Display name is quoted string, so comment is not a comment
		170	{
		171	- `John !@M@! Doe <jdoe@machine.example>`,
		172	+ `"John (middle) Doe" <jdoe@machine.example>`,
		173	[]*Address{{
		174	- Name: "John !@M@! Doe",
		175	+ Name: "John (middle) Doe",
		176	Address: "jdoe@machine.example",
		177	}},
		178	},
		179	@@ -788,6 +786,26 @@ func TestAddressParsing(t *testing.T) {
		180	},
		181	},
		182	},
		183	+ // Comment in group display name
		184	+ {
		185	+ `group (comment:): a@example.com, b@example.com;`,
		186	+ []*Address{
		187	+ {
		188	+ Address: "a@example.com",
		189	+ },
		190	+ {
		191	+ Address: "b@example.com",
		192	+ },
		193	+ },
		194	+ },
		195	+ {
		196	+ `x(:"):"@a.example;("@b.example;`,
		197	+ []*Address{
		198	+ {
		199	+ Address: `@a.example;(@b.example`,
		200	+ },
		201	+ },
		202	+ },
		203	}
		204	for _, test := range tests {
		205	if len(test.exp) == 1 {