2 files changed, 79 insertions, 0 deletions
diff --git a/meta/recipes-devtools/go/go-1.17.13.inc b/meta/recipes-devtools/go/go-1.17.13.inc
index 95fb572362..e83c4dfa80 100644
--- a/meta/recipes-devtools/go/go-1.17.13.inc
+++ b/meta/recipes-devtools/go/go-1.17.13.inc
@@ -56,6 +56,7 @@ SRC_URI += "\
    file://CVE-2024-24784.patch \
    file://CVE-2024-24785.patch \
    file://CVE-2023-45288.patch \
+    file://CVE-2024-24789.patch \
 "
 SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd"
diff --git a/meta/recipes-devtools/go/go-1.21/CVE-2024-24789.patch b/meta/recipes-devtools/go/go-1.21/CVE-2024-24789.patch
new file mode 100644
index 0000000000..2679109a0e
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.21/CVE-2024-24789.patch
@@ -0,0 +1,78 @@
+From c8e40338cf00f3c1d86c8fb23863ad67a4c72bcc Mon Sep 17 00:00:00 2001
+From: Damien Neil <dneil@google.com>
+Date: Tue, 14 May 2024 14:39:10 -0700
+Subject: [PATCH] [release-branch.go1.21] archive/zip: treat truncated EOCDR
+ comment as an error
+When scanning for an end of central directory record,
+treat an EOCDR signature with a record containing a truncated
+comment as an error. Previously, we would skip over the invalid
+record and look for another one. Other implementations do not
+do this (they either consider this a hard error, or just ignore
+the truncated comment). This parser misalignment allowed
+presenting entirely different archive contents to Go programs
+and other zip decoders.
+For #66869
+Fixes #67553
+Change-Id: I94e5cb028534bb5704588b8af27f1e22ea49c7c6
+Reviewed-on: https://go-review.googlesource.com/c/go/+/585397
+Reviewed-by: Joseph Tsai <joetsai@digital-static.net>
+Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+(cherry picked from commit 33d725e5758bf1fea62e6c77fc70b57a828a49f5)
+Reviewed-on: https://go-review.googlesource.com/c/go/+/588795
+Reviewed-by: Matthew Dempsky <mdempsky@google.com>
+CVE: CVE-2024-24789
+Upstream-Status: Backport [https://github.com/golang/go/commit/c8e40338cf00f3c1d86c8fb23863ad67a4c72bcc]
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ src/archive/zip/reader.go      | 8 ++++++--
+ src/archive/zip/reader_test.go | 8 ++++++++
+ 2 files changed, 14 insertions(+), 2 deletions(-)
+diff --git a/src/archive/zip/reader.go b/src/archive/zip/reader.go
+index e40a2c6..987f543 100644
+--- a/src/archive/zip/reader.go
+++ b/src/archive/zip/reader.go
+@@ -644,9 +644,13 @@ func findSignatureInBlock(b []byte) int {
+                if b[i] == 'P' && b[i+1] == 'K' && b[i+2] == 0x05 && b[i+3] == 0x06 {
+                        // n is length of comment
+                        n := int(b[i+directoryEndLen-2]) | int(b[i+directoryEndLen-1])<<8
+-                       if n+directoryEndLen+i <= len(b) {
+-                               return i
+                       if n+directoryEndLen+i > len(b) {
+                               // Truncated comment.
+                               // Some parsers (such as Info-ZIP) ignore the truncated comment
+                               // rather than treating it as a hard error.
+                               return -1
+                        }
+                       return i
+                }
+        }
+        return -1
+diff --git a/src/archive/zip/reader_test.go b/src/archive/zip/reader_test.go
+index a549153..7ac394d 100644
+--- a/src/archive/zip/reader_test.go
+++ b/src/archive/zip/reader_test.go
+@@ -487,6 +487,14 @@ var tests = []ZipTest{
+                        },
+                },
+        },
+       // Issue 66869: Don't skip over an EOCDR with a truncated comment.
+       // The test file sneakily hides a second EOCDR before the first one;
+       // previously we would extract one file ("file") from this archive,
+       // while most other tools would reject the file or extract a different one ("FILE").
+       {
+               Name:  "comment-truncated.zip",
+               Error: ErrFormat,
+       },
+ }
+ func TestReader(t *testing.T) {
+--
+2.40.0

diff --git a/meta/recipes-devtools/go/go-1.17.13.inc b/meta/recipes-devtools/go/go-1.17.13.inc index 95fb572362..e83c4dfa80 100644 --- a/meta/recipes-devtools/go/go-1.17.13.inc +++ b/meta/recipes-devtools/go/go-1.17.13.inc
@@ -56,6 +56,7 @@ SRC_URI += "\
56	file://CVE-2024-24784.patch \	56	file://CVE-2024-24784.patch \
57	file://CVE-2024-24785.patch \	57	file://CVE-2024-24785.patch \
58	file://CVE-2023-45288.patch \	58	file://CVE-2023-45288.patch \
		59	file://CVE-2024-24789.patch \
59	"	60	"
60	SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd"	61	SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd"
61		62


diff --git a/meta/recipes-devtools/go/go-1.21/CVE-2024-24789.patch b/meta/recipes-devtools/go/go-1.21/CVE-2024-24789.patch new file mode 100644 index 0000000000..2679109a0e --- /dev/null +++ b/meta/recipes-devtools/go/go-1.21/CVE-2024-24789.patch
@@ -0,0 +1,78 @@
		1	From c8e40338cf00f3c1d86c8fb23863ad67a4c72bcc Mon Sep 17 00:00:00 2001
		2	From: Damien Neil <dneil@google.com>
		3	Date: Tue, 14 May 2024 14:39:10 -0700
		4	Subject: [PATCH] [release-branch.go1.21] archive/zip: treat truncated EOCDR
		5	comment as an error
		6
		7	When scanning for an end of central directory record,
		8	treat an EOCDR signature with a record containing a truncated
		9	comment as an error. Previously, we would skip over the invalid
		10	record and look for another one. Other implementations do not
		11	do this (they either consider this a hard error, or just ignore
		12	the truncated comment). This parser misalignment allowed
		13	presenting entirely different archive contents to Go programs
		14	and other zip decoders.
		15
		16	For #66869
		17	Fixes #67553
		18
		19	Change-Id: I94e5cb028534bb5704588b8af27f1e22ea49c7c6
		20	Reviewed-on: https://go-review.googlesource.com/c/go/+/585397
		21	Reviewed-by: Joseph Tsai <joetsai@digital-static.net>
		22	Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
		23	LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
		24	(cherry picked from commit 33d725e5758bf1fea62e6c77fc70b57a828a49f5)
		25	Reviewed-on: https://go-review.googlesource.com/c/go/+/588795
		26	Reviewed-by: Matthew Dempsky <mdempsky@google.com>
		27
		28	CVE: CVE-2024-24789
		29
		30	Upstream-Status: Backport [https://github.com/golang/go/commit/c8e40338cf00f3c1d86c8fb23863ad67a4c72bcc]
		31
		32	Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
		33	---
		34	src/archive/zip/reader.go \| 8 ++++++--
		35	src/archive/zip/reader_test.go \| 8 ++++++++
		36	2 files changed, 14 insertions(+), 2 deletions(-)
		37
		38	diff --git a/src/archive/zip/reader.go b/src/archive/zip/reader.go
		39	index e40a2c6..987f543 100644
		40	--- a/src/archive/zip/reader.go
		41	+++ b/src/archive/zip/reader.go
		42	@@ -644,9 +644,13 @@ func findSignatureInBlock(b []byte) int {
		43	if b[i] == 'P' && b[i+1] == 'K' && b[i+2] == 0x05 && b[i+3] == 0x06 {
		44	// n is length of comment
		45	n := int(b[i+directoryEndLen-2]) \| int(b[i+directoryEndLen-1])<<8
		46	- if n+directoryEndLen+i <= len(b) {
		47	- return i
		48	+ if n+directoryEndLen+i > len(b) {
		49	+ // Truncated comment.
		50	+ // Some parsers (such as Info-ZIP) ignore the truncated comment
		51	+ // rather than treating it as a hard error.
		52	+ return -1
		53	}
		54	+ return i
		55	}
		56	}
		57	return -1
		58	diff --git a/src/archive/zip/reader_test.go b/src/archive/zip/reader_test.go
		59	index a549153..7ac394d 100644
		60	--- a/src/archive/zip/reader_test.go
		61	+++ b/src/archive/zip/reader_test.go
		62	@@ -487,6 +487,14 @@ var tests = []ZipTest{
		63	},
		64	},
		65	},
		66	+ // Issue 66869: Don't skip over an EOCDR with a truncated comment.
		67	+ // The test file sneakily hides a second EOCDR before the first one;
		68	+ // previously we would extract one file ("file") from this archive,
		69	+ // while most other tools would reject the file or extract a different one ("FILE").
		70	+ {
		71	+ Name: "comment-truncated.zip",
		72	+ Error: ErrFormat,
		73	+ },
		74	}
		75
		76	func TestReader(t *testing.T) {
		77	--
		78	2.40.0