3 files changed, 116 insertions, 1 deletions
diff --git a/meta/recipes-devtools/go/go-1.17.13.inc b/meta/recipes-devtools/go/go-1.17.13.inc
index 6fc07bb910..c02da60f68 100644
--- a/meta/recipes-devtools/go/go-1.17.13.inc
+++ b/meta/recipes-devtools/go/go-1.17.13.inc
@@ -38,7 +38,8 @@ SRC_URI += "\
    file://CVE-2023-29405.patch \
    file://CVE-2023-29402.patch \
    file://CVE-2023-29400.patch \
-    file://CVE-2023-29406.patch \
+    file://CVE-2023-29406-1.patch \
+    file://CVE-2023-29406-2.patch \
    file://CVE-2023-24536_1.patch \
    file://CVE-2023-24536_2.patch \
    file://CVE-2023-24536_3.patch \
diff --git a/meta/recipes-devtools/go/go-1.18/CVE-2023-29406.patch b/meta/recipes-devtools/go/go-1.18/CVE-2023-29406-1.patch
index a326cda5c4..a326cda5c4 100644
--- a/meta/recipes-devtools/go/go-1.18/CVE-2023-29406.patch
+++ b/meta/recipes-devtools/go/go-1.18/CVE-2023-29406-1.patch
diff --git a/meta/recipes-devtools/go/go-1.18/CVE-2023-29406-2.patch b/meta/recipes-devtools/go/go-1.18/CVE-2023-29406-2.patch
new file mode 100644
index 0000000000..637f46a537
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.18/CVE-2023-29406-2.patch
@@ -0,0 +1,114 @@
+From c08a5fa413a34111c9a37fd9e545de27ab0978b1 Mon Sep 17 00:00:00 2001
+From: Damien Neil <dneil@google.com>
+Date: Wed, 19 Jul 2023 10:30:46 -0700
+Subject: [PATCH] [release-branch.go1.19] net/http: permit requests with
+ invalid Host headers
+Historically, the Transport has silently truncated invalid
+Host headers at the first '/' or ' ' character. CL 506996 changed
+this behavior to reject invalid Host headers entirely.
+Unfortunately, Docker appears to rely on the previous behavior.
+When sending a HTTP/1 request with an invalid Host, send an empty
+Host header. This is safer than truncation: If you care about the
+Host, then you should get the one you set; if you don't care,
+then an empty Host should be fine.
+Continue to fully validate Host headers sent to a proxy,
+since proxies generally can't productively forward requests
+without a Host.
+For #60374
+Fixes #61431
+Fixes #61825
+Change-Id: If170c7dd860aa20eb58fe32990fc93af832742b6
+Reviewed-on: https://go-review.googlesource.com/c/go/+/511155
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Reviewed-by: Roland Shoemaker <roland@golang.org>
+Run-TryBot: Damien Neil <dneil@google.com>
+(cherry picked from commit b9153f6ef338baee5fe02a867c8fbc83a8b29dd1)
+Reviewed-on: https://go-review.googlesource.com/c/go/+/518855
+Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
+Run-TryBot: Roland Shoemaker <roland@golang.org>
+Reviewed-by: Russ Cox <rsc@golang.org>
+Upstream-Status: Backport [https://github.com/golang/go/commit/c08a5fa413a34111c9a37fd9e545de27ab0978b1]
+CVE: CVE-2023-29406
+Signed-off-by: Ming Liu <liu.ming50@gmail.com>
+---
+ src/net/http/request.go      | 23 ++++++++++++++++++++++-
+ src/net/http/request_test.go | 17 ++++++++++++-----
+ 2 files changed, 34 insertions(+), 6 deletions(-)
+diff --git a/src/net/http/request.go b/src/net/http/request.go
+index 3100037386..91cb8a66b9 100644
+--- a/src/net/http/request.go
+++ b/src/net/http/request.go
+@@ -582,8 +582,29 @@ func (r *Request) write(w io.Writer, usingProxy bool, extraHeaders Header, waitF
+        if err != nil {
+                return err
+        }
+       // Validate that the Host header is a valid header in general,
+       // but don't validate the host itself. This is sufficient to avoid
+       // header or request smuggling via the Host field.
+       // The server can (and will, if it's a net/http server) reject
+       // the request if it doesn't consider the host valid.
+        if !httpguts.ValidHostHeader(host) {
+-               return errors.New("http: invalid Host header")
+               // Historically, we would truncate the Host header after '/' or ' '.
+               // Some users have relied on this truncation to convert a network
+               // address such as Unix domain socket path into a valid, ignored
+               // Host header (see https://go.dev/issue/61431).
+               //
+               // We don't preserve the truncation, because sending an altered
+               // header field opens a smuggling vector. Instead, zero out the
+               // Host header entirely if it isn't valid. (An empty Host is valid;
+               // see RFC 9112 Section 3.2.)
+               //
+               // Return an error if we're sending to a proxy, since the proxy
+               // probably can't do anything useful with an empty Host header.
+               if !usingProxy {
+                       host = ""
+               } else {
+                       return errors.New("http: invalid Host header")
+               }
+        }
+ 
+        // According to RFC 6874, an HTTP client, proxy, or other
+diff --git a/src/net/http/request_test.go b/src/net/http/request_test.go
+index fddc85d6a9..dd1e2dc2a1 100644
+--- a/src/net/http/request_test.go
+++ b/src/net/http/request_test.go
+@@ -770,16 +770,23 @@ func TestRequestWriteBufferedWriter(t *testing.T) {
+        }
+ }
+ 
+-func TestRequestBadHost(t *testing.T) {
+func TestRequestBadHostHeader(t *testing.T) {
+        got := []string{}
+        req, err := NewRequest("GET", "http://foo/after", nil)
+        if err != nil {
+                t.Fatal(err)
+        }
+-       req.Host = "foo.com with spaces"
+-       req.URL.Host = "foo.com with spaces"
+-       if err := req.Write(logWrites{t, &got}); err == nil {
+-               t.Errorf("Writing request with invalid Host: succeded, want error")
+       req.Host = "foo.com\nnewline"
+       req.URL.Host = "foo.com\nnewline"
+       req.Write(logWrites{t, &got})
+       want := []string{
+               "GET /after HTTP/1.1\r\n",
+               "Host: \r\n",
+               "User-Agent: " + DefaultUserAgent + "\r\n",
+               "\r\n",
+       }
+       if !reflect.DeepEqual(got, want) {
+               t.Errorf("Writes = %q\n  Want = %q", got, want)
+        }
+ }
+ 
+-- 
+2.34.1

diff --git a/meta/recipes-devtools/go/go-1.17.13.inc b/meta/recipes-devtools/go/go-1.17.13.inc index 6fc07bb910..c02da60f68 100644 --- a/meta/recipes-devtools/go/go-1.17.13.inc +++ b/meta/recipes-devtools/go/go-1.17.13.inc
@@ -38,7 +38,8 @@ SRC_URI += "\
38	file://CVE-2023-29405.patch \	38	file://CVE-2023-29405.patch \
39	file://CVE-2023-29402.patch \	39	file://CVE-2023-29402.patch \
40	file://CVE-2023-29400.patch \	40	file://CVE-2023-29400.patch \
41	file://CVE-2023-29406.patch \	41	file://CVE-2023-29406-1.patch \
		42	file://CVE-2023-29406-2.patch \
42	file://CVE-2023-24536_1.patch \	43	file://CVE-2023-24536_1.patch \
43	file://CVE-2023-24536_2.patch \	44	file://CVE-2023-24536_2.patch \
44	file://CVE-2023-24536_3.patch \	45	file://CVE-2023-24536_3.patch \


diff --git a/meta/recipes-devtools/go/go-1.18/CVE-2023-29406.patch b/meta/recipes-devtools/go/go-1.18/CVE-2023-29406-1.patch index a326cda5c4..a326cda5c4 100644 --- a/meta/recipes-devtools/go/go-1.18/CVE-2023-29406.patch +++ b/meta/recipes-devtools/go/go-1.18/CVE-2023-29406-1.patch


diff --git a/meta/recipes-devtools/go/go-1.18/CVE-2023-29406-2.patch b/meta/recipes-devtools/go/go-1.18/CVE-2023-29406-2.patch new file mode 100644 index 0000000000..637f46a537 --- /dev/null +++ b/meta/recipes-devtools/go/go-1.18/CVE-2023-29406-2.patch
@@ -0,0 +1,114 @@
		1	From c08a5fa413a34111c9a37fd9e545de27ab0978b1 Mon Sep 17 00:00:00 2001
		2	From: Damien Neil <dneil@google.com>
		3	Date: Wed, 19 Jul 2023 10:30:46 -0700
		4	Subject: [PATCH] [release-branch.go1.19] net/http: permit requests with
		5	invalid Host headers
		6
		7	Historically, the Transport has silently truncated invalid
		8	Host headers at the first '/' or ' ' character. CL 506996 changed
		9	this behavior to reject invalid Host headers entirely.
		10	Unfortunately, Docker appears to rely on the previous behavior.
		11
		12	When sending a HTTP/1 request with an invalid Host, send an empty
		13	Host header. This is safer than truncation: If you care about the
		14	Host, then you should get the one you set; if you don't care,
		15	then an empty Host should be fine.
		16
		17	Continue to fully validate Host headers sent to a proxy,
		18	since proxies generally can't productively forward requests
		19	without a Host.
		20
		21	For #60374
		22	Fixes #61431
		23	Fixes #61825
		24
		25	Change-Id: If170c7dd860aa20eb58fe32990fc93af832742b6
		26	Reviewed-on: https://go-review.googlesource.com/c/go/+/511155
		27	TryBot-Result: Gopher Robot <gobot@golang.org>
		28	Reviewed-by: Roland Shoemaker <roland@golang.org>
		29	Run-TryBot: Damien Neil <dneil@google.com>
		30	(cherry picked from commit b9153f6ef338baee5fe02a867c8fbc83a8b29dd1)
		31	Reviewed-on: https://go-review.googlesource.com/c/go/+/518855
		32	Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
		33	Run-TryBot: Roland Shoemaker <roland@golang.org>
		34	Reviewed-by: Russ Cox <rsc@golang.org>
		35
		36	Upstream-Status: Backport [https://github.com/golang/go/commit/c08a5fa413a34111c9a37fd9e545de27ab0978b1]
		37	CVE: CVE-2023-29406
		38	Signed-off-by: Ming Liu <liu.ming50@gmail.com>
		39	---
		40	src/net/http/request.go \| 23 ++++++++++++++++++++++-
		41	src/net/http/request_test.go \| 17 ++++++++++++-----
		42	2 files changed, 34 insertions(+), 6 deletions(-)
		43
		44	diff --git a/src/net/http/request.go b/src/net/http/request.go
		45	index 3100037386..91cb8a66b9 100644
		46	--- a/src/net/http/request.go
		47	+++ b/src/net/http/request.go
		48	@@ -582,8 +582,29 @@ func (r *Request) write(w io.Writer, usingProxy bool, extraHeaders Header, waitF
		49	if err != nil {
		50	return err
		51	}
		52	+ // Validate that the Host header is a valid header in general,
		53	+ // but don't validate the host itself. This is sufficient to avoid
		54	+ // header or request smuggling via the Host field.
		55	+ // The server can (and will, if it's a net/http server) reject
		56	+ // the request if it doesn't consider the host valid.
		57	if !httpguts.ValidHostHeader(host) {
		58	- return errors.New("http: invalid Host header")
		59	+ // Historically, we would truncate the Host header after '/' or ' '.
		60	+ // Some users have relied on this truncation to convert a network
		61	+ // address such as Unix domain socket path into a valid, ignored
		62	+ // Host header (see https://go.dev/issue/61431).
		63	+ //
		64	+ // We don't preserve the truncation, because sending an altered
		65	+ // header field opens a smuggling vector. Instead, zero out the
		66	+ // Host header entirely if it isn't valid. (An empty Host is valid;
		67	+ // see RFC 9112 Section 3.2.)
		68	+ //
		69	+ // Return an error if we're sending to a proxy, since the proxy
		70	+ // probably can't do anything useful with an empty Host header.
		71	+ if !usingProxy {
		72	+ host = ""
		73	+ } else {
		74	+ return errors.New("http: invalid Host header")
		75	+ }
		76	}
		77
		78	// According to RFC 6874, an HTTP client, proxy, or other
		79	diff --git a/src/net/http/request_test.go b/src/net/http/request_test.go
		80	index fddc85d6a9..dd1e2dc2a1 100644
		81	--- a/src/net/http/request_test.go
		82	+++ b/src/net/http/request_test.go
		83	@@ -770,16 +770,23 @@ func TestRequestWriteBufferedWriter(t *testing.T) {
		84	}
		85	}
		86
		87	-func TestRequestBadHost(t *testing.T) {
		88	+func TestRequestBadHostHeader(t *testing.T) {
		89	got := []string{}
		90	req, err := NewRequest("GET", "http://foo/after", nil)
		91	if err != nil {
		92	t.Fatal(err)
		93	}
		94	- req.Host = "foo.com with spaces"
		95	- req.URL.Host = "foo.com with spaces"
		96	- if err := req.Write(logWrites{t, &got}); err == nil {
		97	- t.Errorf("Writing request with invalid Host: succeded, want error")
		98	+ req.Host = "foo.com\nnewline"
		99	+ req.URL.Host = "foo.com\nnewline"
		100	+ req.Write(logWrites{t, &got})
		101	+ want := []string{
		102	+ "GET /after HTTP/1.1\r\n",
		103	+ "Host: \r\n",
		104	+ "User-Agent: " + DefaultUserAgent + "\r\n",
		105	+ "\r\n",
		106	+ }
		107	+ if !reflect.DeepEqual(got, want) {
		108	+ t.Errorf("Writes = %q\n Want = %q", got, want)
		109	}
		110	}
		111
		112	--
		113	2.34.1
		114