2 files changed, 211 insertions, 0 deletions
diff --git a/meta/recipes-devtools/go/go-1.17.13.inc b/meta/recipes-devtools/go/go-1.17.13.inc
index 73921852fc..36904a92fb 100644
--- a/meta/recipes-devtools/go/go-1.17.13.inc
+++ b/meta/recipes-devtools/go/go-1.17.13.inc
@@ -36,6 +36,7 @@ SRC_URI += "\
    file://CVE-2023-29405.patch \
    file://CVE-2023-29402.patch \
    file://CVE-2023-29400.patch \
+    file://CVE-2023-29406.patch \
 "
 SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd"
diff --git a/meta/recipes-devtools/go/go-1.18/CVE-2023-29406.patch b/meta/recipes-devtools/go/go-1.18/CVE-2023-29406.patch
new file mode 100644
index 0000000000..a326cda5c4
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.18/CVE-2023-29406.patch
@@ -0,0 +1,210 @@
+From 5fa6923b1ea891400153d04ddf1545e23b40041b Mon Sep 17 00:00:00 2001
+From: Damien Neil <dneil@google.com>
+Date: Wed, 28 Jun 2023 13:20:08 -0700
+Subject: [PATCH] [release-branch.go1.19] net/http: validate Host header before
+ sending
+Verify that the Host header we send is valid.
+Avoids surprising behavior such as a Host of "go.dev\r\nX-Evil:oops"
+adding an X-Evil header to HTTP/1 requests.
+Add a test, skip the test for HTTP/2. HTTP/2 is not vulnerable to
+header injection in the way HTTP/1 is, but x/net/http2 doesn't validate
+the header and will go into a retry loop when the server rejects it.
+CL 506995 adds the necessary validation to x/net/http2.
+Updates #60374
+Fixes #61075
+For CVE-2023-29406
+Change-Id: I05cb6866a9bead043101954dfded199258c6dd04
+Reviewed-on: https://go-review.googlesource.com/c/go/+/506996
+Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Run-TryBot: Damien Neil <dneil@google.com>
+(cherry picked from commit 499458f7ca04087958987a33c2703c3ef03e27e2)
+Reviewed-on: https://go-review.googlesource.com/c/go/+/507358
+Run-TryBot: Tatiana Bradley <tatianabradley@google.com>
+Reviewed-by: Roland Shoemaker <roland@golang.org>
+Upstream-Status: Backport [https://github.com/golang/go/commit/5fa6923b1ea891400153d04ddf1545e23b40041b]
+CVE: CVE-2023-29406
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+---
+ src/net/http/http_test.go      | 29 ----------------------
+ src/net/http/request.go        | 45 ++++++++--------------------------
+ src/net/http/request_test.go   | 11 ++-------
+ src/net/http/transport_test.go | 18 ++++++++++++++
+ 4 files changed, 30 insertions(+), 73 deletions(-)
+diff --git a/src/net/http/http_test.go b/src/net/http/http_test.go
+index 0d92fe5..f03272a 100644
+--- a/src/net/http/http_test.go
+++ b/src/net/http/http_test.go
+@@ -48,35 +48,6 @@ func TestForeachHeaderElement(t *testing.T) {
+        }
+ }
+-func TestCleanHost(t *testing.T) {
+-       tests := []struct {
+-               in, want string
+-       }{
+-               {"www.google.com", "www.google.com"},
+-               {"www.google.com foo", "www.google.com"},
+-               {"www.google.com/foo", "www.google.com"},
+-               {" first character is a space", ""},
+-               {"[1::6]:8080", "[1::6]:8080"},
+-
+-               // Punycode:
+-               {"гофер.рф/foo", "xn--c1ae0ajs.xn--p1ai"},
+-               {"bücher.de", "xn--bcher-kva.de"},
+-               {"bücher.de:8080", "xn--bcher-kva.de:8080"},
+-               // Verify we convert to lowercase before punycode:
+-               {"BÜCHER.de", "xn--bcher-kva.de"},
+-               {"BÜCHER.de:8080", "xn--bcher-kva.de:8080"},
+-               // Verify we normalize to NFC before punycode:
+-               {"gophér.nfc", "xn--gophr-esa.nfc"},            // NFC input; no work needed
+-               {"goph\u0065\u0301r.nfd", "xn--gophr-esa.nfd"}, // NFD input
+-       }
+-       for _, tt := range tests {
+-               got := cleanHost(tt.in)
+-               if tt.want != got {
+-                       t.Errorf("cleanHost(%q) = %q, want %q", tt.in, got, tt.want)
+-               }
+-       }
+-}
+-
+ // Test that cmd/go doesn't link in the HTTP server.
+ //
+ // This catches accidental dependencies between the HTTP transport and
+diff --git a/src/net/http/request.go b/src/net/http/request.go
+index 09cb0c7..2f4e740 100644
+--- a/src/net/http/request.go
+++ b/src/net/http/request.go
+@@ -17,7 +17,6 @@ import (
+        "io"
+        "mime"
+        "mime/multipart"
+-       "net"
+        "net/http/httptrace"
+        "net/http/internal/ascii"
+        "net/textproto"
+@@ -27,6 +26,7 @@ import (
+        "strings"
+        "sync"
+       "golang.org/x/net/http/httpguts"
+        "golang.org/x/net/idna"
+ )
+@@ -568,12 +568,19 @@ func (r *Request) write(w io.Writer, usingProxy bool, extraHeaders Header, waitF
+        // is not given, use the host from the request URL.
+        //
+        // Clean the host, in case it arrives with unexpected stuff in it.
+-       host := cleanHost(r.Host)
+       host := r.Host
+        if host == "" {
+                if r.URL == nil {
+                        return errMissingHost
+                }
+-               host = cleanHost(r.URL.Host)
+               host = r.URL.Host
+       }
+       host, err = httpguts.PunycodeHostPort(host)
+       if err != nil {
+               return err
+       }
+       if !httpguts.ValidHostHeader(host) {
+               return errors.New("http: invalid Host header")
+        }
+        // According to RFC 6874, an HTTP client, proxy, or other
+@@ -730,38 +737,6 @@ func idnaASCII(v string) (string, error) {
+        return idna.Lookup.ToASCII(v)
+ }
+-// cleanHost cleans up the host sent in request's Host header.
+-//
+-// It both strips anything after '/' or ' ', and puts the value
+-// into Punycode form, if necessary.
+-//
+-// Ideally we'd clean the Host header according to the spec:
+-//   https://tools.ietf.org/html/rfc7230#section-5.4 (Host = uri-host [ ":" port ]")
+-//   https://tools.ietf.org/html/rfc7230#section-2.7 (uri-host -> rfc3986's host)
+-//   https://tools.ietf.org/html/rfc3986#section-3.2.2 (definition of host)
+-// But practically, what we are trying to avoid is the situation in
+-// issue 11206, where a malformed Host header used in the proxy context
+-// would create a bad request. So it is enough to just truncate at the
+-// first offending character.
+-func cleanHost(in string) string {
+-       if i := strings.IndexAny(in, " /"); i != -1 {
+-               in = in[:i]
+-       }
+-       host, port, err := net.SplitHostPort(in)
+-       if err != nil { // input was just a host
+-               a, err := idnaASCII(in)
+-               if err != nil {
+-                       return in // garbage in, garbage out
+-               }
+-               return a
+-       }
+-       a, err := idnaASCII(host)
+-       if err != nil {
+-               return in // garbage in, garbage out
+-       }
+-       return net.JoinHostPort(a, port)
+-}
+-
+ // removeZone removes IPv6 zone identifier from host.
+ // E.g., "[fe80::1%en0]:8080" to "[fe80::1]:8080"
+ func removeZone(host string) string {
+diff --git a/src/net/http/request_test.go b/src/net/http/request_test.go
+index fac12b7..368e87a 100644
+--- a/src/net/http/request_test.go
+++ b/src/net/http/request_test.go
+@@ -776,15 +776,8 @@ func TestRequestBadHost(t *testing.T) {
+        }
+        req.Host = "foo.com with spaces"
+        req.URL.Host = "foo.com with spaces"
+-       req.Write(logWrites{t, &got})
+-       want := []string{
+-               "GET /after HTTP/1.1\r\n",
+-               "Host: foo.com\r\n",
+-               "User-Agent: " + DefaultUserAgent + "\r\n",
+-               "\r\n",
+-       }
+-       if !reflect.DeepEqual(got, want) {
+-               t.Errorf("Writes = %q\n  Want = %q", got, want)
+       if err := req.Write(logWrites{t, &got}); err == nil {
+               t.Errorf("Writing request with invalid Host: succeded, want error")
+        }
+ }
+diff --git a/src/net/http/transport_test.go b/src/net/http/transport_test.go
+index eeaa492..58f12af 100644
+--- a/src/net/http/transport_test.go
+++ b/src/net/http/transport_test.go
+@@ -6512,3 +6512,21 @@ func TestCancelRequestWhenSharingConnection(t *testing.T) {
+        close(r2c)
+        wg.Wait()
+ }
+
+func TestRequestSanitization(t *testing.T) {
+       setParallel(t)
+       defer afterTest(t)
+
+       ts := newClientServerTest(t, h1Mode, HandlerFunc(func(rw ResponseWriter, req *Request) {
+               if h, ok := req.Header["X-Evil"]; ok {
+                       t.Errorf("request has X-Evil header: %q", h)
+               }
+       })).ts
+       defer ts.Close()
+       req, _ := NewRequest("GET", ts.URL, nil)
+       req.Host = "go.dev\r\nX-Evil:evil"
+       resp, _ := ts.Client().Do(req)
+       if resp != nil {
+               resp.Body.Close()
+       }
+}
+--
+2.25.1

diff --git a/meta/recipes-devtools/go/go-1.17.13.inc b/meta/recipes-devtools/go/go-1.17.13.inc index 73921852fc..36904a92fb 100644 --- a/meta/recipes-devtools/go/go-1.17.13.inc +++ b/meta/recipes-devtools/go/go-1.17.13.inc
@@ -36,6 +36,7 @@ SRC_URI += "\
36	file://CVE-2023-29405.patch \	36	file://CVE-2023-29405.patch \
37	file://CVE-2023-29402.patch \	37	file://CVE-2023-29402.patch \
38	file://CVE-2023-29400.patch \	38	file://CVE-2023-29400.patch \
		39	file://CVE-2023-29406.patch \
39	"	40	"
40	SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd"	41	SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd"
41		42


diff --git a/meta/recipes-devtools/go/go-1.18/CVE-2023-29406.patch b/meta/recipes-devtools/go/go-1.18/CVE-2023-29406.patch new file mode 100644 index 0000000000..a326cda5c4 --- /dev/null +++ b/meta/recipes-devtools/go/go-1.18/CVE-2023-29406.patch
@@ -0,0 +1,210 @@
		1	From 5fa6923b1ea891400153d04ddf1545e23b40041b Mon Sep 17 00:00:00 2001
		2	From: Damien Neil <dneil@google.com>
		3	Date: Wed, 28 Jun 2023 13:20:08 -0700
		4	Subject: [PATCH] [release-branch.go1.19] net/http: validate Host header before
		5	sending
		6
		7	Verify that the Host header we send is valid.
		8	Avoids surprising behavior such as a Host of "go.dev\r\nX-Evil:oops"
		9	adding an X-Evil header to HTTP/1 requests.
		10
		11	Add a test, skip the test for HTTP/2. HTTP/2 is not vulnerable to
		12	header injection in the way HTTP/1 is, but x/net/http2 doesn't validate
		13	the header and will go into a retry loop when the server rejects it.
		14	CL 506995 adds the necessary validation to x/net/http2.
		15
		16	Updates #60374
		17	Fixes #61075
		18	For CVE-2023-29406
		19
		20	Change-Id: I05cb6866a9bead043101954dfded199258c6dd04
		21	Reviewed-on: https://go-review.googlesource.com/c/go/+/506996
		22	Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
		23	TryBot-Result: Gopher Robot <gobot@golang.org>
		24	Run-TryBot: Damien Neil <dneil@google.com>
		25	(cherry picked from commit 499458f7ca04087958987a33c2703c3ef03e27e2)
		26	Reviewed-on: https://go-review.googlesource.com/c/go/+/507358
		27	Run-TryBot: Tatiana Bradley <tatianabradley@google.com>
		28	Reviewed-by: Roland Shoemaker <roland@golang.org>
		29
		30	Upstream-Status: Backport [https://github.com/golang/go/commit/5fa6923b1ea891400153d04ddf1545e23b40041b]
		31	CVE: CVE-2023-29406
		32	Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
		33	---
		34	src/net/http/http_test.go \| 29 ----------------------
		35	src/net/http/request.go \| 45 ++++++++--------------------------
		36	src/net/http/request_test.go \| 11 ++-------
		37	src/net/http/transport_test.go \| 18 ++++++++++++++
		38	4 files changed, 30 insertions(+), 73 deletions(-)
		39
		40	diff --git a/src/net/http/http_test.go b/src/net/http/http_test.go
		41	index 0d92fe5..f03272a 100644
		42	--- a/src/net/http/http_test.go
		43	+++ b/src/net/http/http_test.go
		44	@@ -48,35 +48,6 @@ func TestForeachHeaderElement(t *testing.T) {
		45	}
		46	}
		47
		48	-func TestCleanHost(t *testing.T) {
		49	- tests := []struct {
		50	- in, want string
		51	- }{
		52	- {"www.google.com", "www.google.com"},
		53	- {"www.google.com foo", "www.google.com"},
		54	- {"www.google.com/foo", "www.google.com"},
		55	- {" first character is a space", ""},
		56	- {"[1::6]:8080", "[1::6]:8080"},
		57	-
		58	- // Punycode:
		59	- {"гофер.рф/foo", "xn--c1ae0ajs.xn--p1ai"},
		60	- {"bücher.de", "xn--bcher-kva.de"},
		61	- {"bücher.de:8080", "xn--bcher-kva.de:8080"},
		62	- // Verify we convert to lowercase before punycode:
		63	- {"BÜCHER.de", "xn--bcher-kva.de"},
		64	- {"BÜCHER.de:8080", "xn--bcher-kva.de:8080"},
		65	- // Verify we normalize to NFC before punycode:
		66	- {"gophér.nfc", "xn--gophr-esa.nfc"}, // NFC input; no work needed
		67	- {"goph\u0065\u0301r.nfd", "xn--gophr-esa.nfd"}, // NFD input
		68	- }
		69	- for _, tt := range tests {
		70	- got := cleanHost(tt.in)
		71	- if tt.want != got {
		72	- t.Errorf("cleanHost(%q) = %q, want %q", tt.in, got, tt.want)
		73	- }
		74	- }
		75	-}
		76	-
		77	// Test that cmd/go doesn't link in the HTTP server.
		78	//
		79	// This catches accidental dependencies between the HTTP transport and
		80	diff --git a/src/net/http/request.go b/src/net/http/request.go
		81	index 09cb0c7..2f4e740 100644
		82	--- a/src/net/http/request.go
		83	+++ b/src/net/http/request.go
		84	@@ -17,7 +17,6 @@ import (
		85	"io"
		86	"mime"
		87	"mime/multipart"
		88	- "net"
		89	"net/http/httptrace"
		90	"net/http/internal/ascii"
		91	"net/textproto"
		92	@@ -27,6 +26,7 @@ import (
		93	"strings"
		94	"sync"
		95
		96	+ "golang.org/x/net/http/httpguts"
		97	"golang.org/x/net/idna"
		98	)
		99
		100	@@ -568,12 +568,19 @@ func (r *Request) write(w io.Writer, usingProxy bool, extraHeaders Header, waitF
		101	// is not given, use the host from the request URL.
		102	//
		103	// Clean the host, in case it arrives with unexpected stuff in it.
		104	- host := cleanHost(r.Host)
		105	+ host := r.Host
		106	if host == "" {
		107	if r.URL == nil {
		108	return errMissingHost
		109	}
		110	- host = cleanHost(r.URL.Host)
		111	+ host = r.URL.Host
		112	+ }
		113	+ host, err = httpguts.PunycodeHostPort(host)
		114	+ if err != nil {
		115	+ return err
		116	+ }
		117	+ if !httpguts.ValidHostHeader(host) {
		118	+ return errors.New("http: invalid Host header")
		119	}
		120
		121	// According to RFC 6874, an HTTP client, proxy, or other
		122	@@ -730,38 +737,6 @@ func idnaASCII(v string) (string, error) {
		123	return idna.Lookup.ToASCII(v)
		124	}
		125
		126	-// cleanHost cleans up the host sent in request's Host header.
		127	-//
		128	-// It both strips anything after '/' or ' ', and puts the value
		129	-// into Punycode form, if necessary.
		130	-//
		131	-// Ideally we'd clean the Host header according to the spec:
		132	-// https://tools.ietf.org/html/rfc7230#section-5.4 (Host = uri-host [ ":" port ]")
		133	-// https://tools.ietf.org/html/rfc7230#section-2.7 (uri-host -> rfc3986's host)
		134	-// https://tools.ietf.org/html/rfc3986#section-3.2.2 (definition of host)
		135	-// But practically, what we are trying to avoid is the situation in
		136	-// issue 11206, where a malformed Host header used in the proxy context
		137	-// would create a bad request. So it is enough to just truncate at the
		138	-// first offending character.
		139	-func cleanHost(in string) string {
		140	- if i := strings.IndexAny(in, " /"); i != -1 {
		141	- in = in[:i]
		142	- }
		143	- host, port, err := net.SplitHostPort(in)
		144	- if err != nil { // input was just a host
		145	- a, err := idnaASCII(in)
		146	- if err != nil {
		147	- return in // garbage in, garbage out
		148	- }
		149	- return a
		150	- }
		151	- a, err := idnaASCII(host)
		152	- if err != nil {
		153	- return in // garbage in, garbage out
		154	- }
		155	- return net.JoinHostPort(a, port)
		156	-}
		157	-
		158	// removeZone removes IPv6 zone identifier from host.
		159	// E.g., "[fe80::1%en0]:8080" to "[fe80::1]:8080"
		160	func removeZone(host string) string {
		161	diff --git a/src/net/http/request_test.go b/src/net/http/request_test.go
		162	index fac12b7..368e87a 100644
		163	--- a/src/net/http/request_test.go
		164	+++ b/src/net/http/request_test.go
		165	@@ -776,15 +776,8 @@ func TestRequestBadHost(t *testing.T) {
		166	}
		167	req.Host = "foo.com with spaces"
		168	req.URL.Host = "foo.com with spaces"
		169	- req.Write(logWrites{t, &got})
		170	- want := []string{
		171	- "GET /after HTTP/1.1\r\n",
		172	- "Host: foo.com\r\n",
		173	- "User-Agent: " + DefaultUserAgent + "\r\n",
		174	- "\r\n",
		175	- }
		176	- if !reflect.DeepEqual(got, want) {
		177	- t.Errorf("Writes = %q\n Want = %q", got, want)
		178	+ if err := req.Write(logWrites{t, &got}); err == nil {
		179	+ t.Errorf("Writing request with invalid Host: succeded, want error")
		180	}
		181	}
		182
		183	diff --git a/src/net/http/transport_test.go b/src/net/http/transport_test.go
		184	index eeaa492..58f12af 100644
		185	--- a/src/net/http/transport_test.go
		186	+++ b/src/net/http/transport_test.go
		187	@@ -6512,3 +6512,21 @@ func TestCancelRequestWhenSharingConnection(t *testing.T) {
		188	close(r2c)
		189	wg.Wait()
		190	}
		191	+
		192	+func TestRequestSanitization(t *testing.T) {
		193	+ setParallel(t)
		194	+ defer afterTest(t)
		195	+
		196	+ ts := newClientServerTest(t, h1Mode, HandlerFunc(func(rw ResponseWriter, req *Request) {
		197	+ if h, ok := req.Header["X-Evil"]; ok {
		198	+ t.Errorf("request has X-Evil header: %q", h)
		199	+ }
		200	+ })).ts
		201	+ defer ts.Close()
		202	+ req, _ := NewRequest("GET", ts.URL, nil)
		203	+ req.Host = "go.dev\r\nX-Evil:evil"
		204	+ resp, _ := ts.Client().Do(req)
		205	+ if resp != nil {
		206	+ resp.Body.Close()
		207	+ }
		208	+}
		209	--
		210	2.25.1