summaryrefslogtreecommitdiffstats
path: root/meta/recipes-devtools/go
Commit message (Collapse)AuthorAgeFilesLines
* go: Fix CVE-2025-61729Vijay Anusuri2026-01-022-0/+173
| | | | | | | | | Upstream-Status: Backport from https://github.com/golang/go/commit/3a842bd5c6aa8eefa13c0174de3ab361e50bd672 (From OE-Core rev: 0057fc49725db8637656fac10631d8f89799bad3) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* go: Fix CVE-2025-61727Vijay Anusuri2026-01-022-0/+230
| | | | | | | | | Upstream-Status: Backport from https://github.com/golang/go/commit/04db77a423cac75bb82cc9a6859991ae9c016344 (From OE-Core rev: dc1d95e3edfeaa5458fc564910ae5c9445a6f942) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* go: Update CVE-2025-58187Vijay Anusuri2026-01-023-1/+518
| | | | | | | | | Upstream-Status: Backport from https://github.com/golang/go/commit/ca6a5545ba18844a97c88a90a385eb6335bb7526 (From OE-Core rev: 43b3d2b2ef77c97b323b86bd6ee54996c38e46ed) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* go: Fix CVE-2023-39323Libo Chen2025-12-312-0/+56
| | | | | | | | | | | | | | | | | | | | | | | Line directives ("//line") can be used to bypass the restrictions on "//go:cgo_" directives, allowing blocked linker and compiler flags to be passed during compilation. This can result in unexpected execution of arbitrary code when running "go build". The line directive requires the absolute path of the file in which the directive lives, which makes exploiting this issue significantly more complex. Made below changes for Go 1.17 backport: - drop the modifications of test codes References: https://nvd.nist.gov/vuln/detail/CVE-2023-39323 Upstream-patch: https://github.com/golang/go/commit/e7c142a19d8b3944c2f1b9ab7fd94c63d8d0c555 (From OE-Core rev: 62f4c3aec8f80a259472ce19104596d08741c101) Signed-off-by: Libo Chen <libo.chen.cn@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* go: fix CVE-2025-61724Archana Polampalli2025-12-052-0/+75
| | | | | | | | | | | The Reader.ReadResponse function constructs a response string through repeated string concatenation of lines. When the number of lines in a response is large, this can cause excessive CPU consumption. (From OE-Core rev: 188dbac037809d6e8f0e1667f563fea997ea04b8) Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* go: fix CVE-2025-61723Archana Polampalli2025-12-052-0/+222
| | | | | | | | | | The processing time for parsing some invalid inputs scales non-linearly with respect to the size of the input. This affects programs which parse untrusted PEM inputs. (From OE-Core rev: cfafebef95330e531ab7bb590e5fb566dd5a3dce) Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* go: fix CVE-2025-58189Archana Polampalli2025-12-052-0/+52
| | | | | | | | | | When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped. (From OE-Core rev: b3f055df67cf345c9a17c5c1c874c778d538ba9e) Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* go: fix CVE-2025-58187Archana Polampalli2025-12-052-0/+350
| | | | | | | | | | | Due to the design of the name constraint checking algorithm, the processing time of some inputs scale non-linearly with respect to the size of the certificate. This affects programs which validate arbitrary certificate chains. (From OE-Core rev: cea9fcf1b21b1b35b88986b676d712ab8ffa9d67) Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* go: fix CVE-2024-24783Hitendra Prajapati2025-11-062-0/+84
| | | | | | | | | Upstream-Status: Backport https://github.com/golang/go/commit/be5b52bea674190ef7de272664be6c7ae93ec5a0 (From OE-Core rev: b7d89fae22b317199b8f72978712075078a17005) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* go: fix CVE-2025-47906Archana Polampalli2025-10-142-0/+172
| | | | | | | | | | | | If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and ".."), can result in the binaries listed in the PATH being unexpectedly returned. (From OE-Core rev: c4d81e32ee3fb7d05db2cfbfaaa8081841bc16ce) Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* go: fix CVE-2025-47907Praveen Kumar2025-10-034-61/+977
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Cancelling a query (e.g. by cancelling the context passed to one of the query methods) during a call to the Scan method of the returned Rows can result in unexpected results if other queries are being made in parallel. This can result in a race condition that may overwrite the expected results with those of another query, causing the call to Scan to return either unexpected results from the other query or an error. Made below changes for Go 1.17 backport: - Replaced `atomic.Pointer[error]` with `atomic.Value`, since atomic pointers are not supported in Go 1.17. - Used errp.(*error) to retrieve and dereference the stored *error, Without this, build fails with: invalid indirect of errp (type interface{}). - Replaced Go 1.18 `any` keyword with `interface{}` for backward compatibility with Go 1.17. Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-47907 Upstream-patch: https://github.com/golang/go/commit/8a924caaf348fdc366bab906424616b2974ad4e9 https://github.com/golang/go/commit/298fe517a9333c05143a8a8e1f9d5499f0c6e59b https://github.com/golang/go/commit/c23579f031ecd09bf37c644723b33736dffa8b92 (From OE-Core rev: af9c43c39764ce9ce37785c44dfb83e25cb24703) Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* go: ignore CVE-2024-24790Hitendra Prajapati2025-09-191-1/+2
| | | | | | | | | CVE-2024-24790: net/netip module was introduced in go1.18beta1 via a59e33224e42d60a97fa720a45e1b74eb6aaa3d0 (From OE-Core rev: e304b139a8c43a88604ceb93aa933057b1e1748c) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* go: ignore CVE-2025-0913Peter Marko2025-08-181-1/+1
| | | | | | | | | | | | | | | | | | This is problem on Windows platform only. Per NVD report [1], CPE has "and" clause Running on/with cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:* Also linked patch [2] changes Windows files only (and tests). [1] https://nvd.nist.gov/vuln/detail/CVE-2025-0913 [2] https://go-review.googlesource.com/c/go/+/672396 (From OE-Core rev: 473da932a8f94b7454e0e13912753a7e7545fc17) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* go: fix CVE-2025-4673Praveen Kumar2025-06-272-0/+71
| | | | | | | | | | | | | | | | Proxy-Authorization and Proxy-Authenticate headers persisted on cross-origin redirects potentially leaking sensitive information. Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-4673 Upstream-patch: https://github.com/golang/go/commit/b897e97c36cb62629a458bc681723ca733404e32 (From OE-Core rev: c07547c19e5372ed5eaac8530b2dd651302542a8) Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* go: ignore CVE-2024-3566Peter Marko2025-06-252-0/+6
| | | | | | | | | | | | | | | | | NVD ([1]) tracks this as: cpe:2.3:a:golang:go:*:*:*:*:*:*:*:* Running on/with cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:* Yocto cve-check ignores the "Running on/with", so it needs to be ignored explicitly. [1] https://nvd.nist.gov/vuln/detail/CVE-2024-3566 (From OE-Core rev: 571fd82e29fe809c63a5743e534ed7816d787963) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* go: fix CVE-2025-22871Hitendra Prajapati2025-04-182-0/+173
| | | | | | | | | Upstream-Status: Backport from https://github.com/golang/go/commit/15e01a2e43ecb8c7e15ff7e9d62fe3f10dcac931 (From OE-Core rev: 2a9f47eb507cf57b58c4aa1baf0ef645b699fd6c) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* go: Fix CVE-2024-45336Praveen Kumar2025-02-152-0/+395
| | | | | | | | | | | | | | | | | | | | The HTTP client drops sensitive headers after following a cross-domain redirect. For example, a request to a.com/ containing an Authorization header which is redirected to b.com/ will not send that header to b.com. In the event that the client received a subsequent same-domain redirect, however, the sensitive headers would be restored. For example, a chain of redirects from a.com/, to b.com/1, and finally to b.com/2 would incorrectly send the Authorization header to b.com/2. Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-45336 Upstream-patch: https://github.com/golang/go/commit/b72d56f98d6620ebe07626dca4bb67ea8e185379 (From OE-Core rev: 63e84b64f055ad7c91de67194e6739c96fb95496) Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* go: Fix CVE-2024-34158Archana Polampalli2025-01-182-0/+206
| | | | | | | | | | | | | | | | Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion. Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-34158 Upstream-patch: https://github.com/golang/go/commit/d4c53812e6ce2ac368173d7fcd31d0ecfcffb002 (From OE-Core rev: eb14e9722d023b4d1668c55ce4bc6ef02f8ce6c2) Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* go: Fix CVE-2024-34156Archana Polampalli2025-01-182-0/+151
| | | | | | | | | | | | | | | | Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635. Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-34156 Upstream-patch: https://github.com/golang/go/commit/2092294f2b097c5828f4eace6c98a322c1510b01 (From OE-Core rev: 3aeeee86a53cee14bb1a6a485f8781459b6f2ffc) Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* go: Fix CVE-2024-34155Archana Polampalli2025-01-182-0/+72
| | | | | | | | | | | | | | | | Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion. Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-34155 Upstream-patch: https://github.com/golang/go/commit/b232596139dbe96a62edbe3a2a203e856bf556eb (From OE-Core rev: 9d21d527e2448e202030ae7ad38c88e25943a2f3) Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* go: fix CVE-2024-24791Archana Polampalli2024-08-162-0/+360
| | | | | | | (From OE-Core rev: f012f6a6e1d3111d6cae74c9c846d8bd0fca5dd5) Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* go: Fix CVE-2024-24789Soumya Sambu2024-08-082-0/+79
| | | | | | | | | | | | | | | | | | | The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create an zip file with contents that vary depending on the implementation reading the file. The archive/zip package now rejects files containing these errors. References: https://nvd.nist.gov/vuln/detail/CVE-2024-24789 Upstream-patch: https://github.com/golang/go/commit/c8e40338cf00f3c1d86c8fb23863ad67a4c72bcc (From OE-Core rev: f198fdc392c6e3b99431383ab6577749e83f1cb3) Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* go: Fix for CVE-2023-45288Vijay Anusuri2024-05-022-0/+96
| | | | | | | | | Upstream-Status: Backport from https://github.com/golang/go/commit/e55d7cf8435ba4e58d4a5694e63b391821d4ee9b (From OE-Core rev: 9ad10bf355665ff799cefd40fb0d1938b0104b08) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* go: Backport fix CVE-2024-24784 & CVE-2024-24785Vivek Kumbhar2024-03-133-0/+405
| | | | | | | | | | | | Backport fixes for : CVE-2024-24784 - Upstream-Status: Backport from https://github.com/golang/go/commit/5330cd225ba54c7dc78c1b46dcdf61a4671a632c CVE-2024-24785 - Upstream-Status: Backport from https://github.com/golang/go/commit/056b0edcb8c152152021eebf4cf42adbfbe77992 (From OE-Core rev: 408f86a5268cadd680f45e2d934451a321241706) Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* golang: Fix CVE-2023-45289 & CVE-2023-45290Hitendra Prajapati2024-03-123-0/+393
| | | | | | | | | | | Backport fixes for: CVE-2023-45289 - Upstream-Status: Backport from https://github.com/golang/go/commit/3a855208e3efed2e9d7c20ad023f1fa78afcc0be CVE-2023-45290 - Upstream-Status: Backport from https://github.com/golang/go/commit/041a47712e765e94f86d841c3110c840e76d8f82 (From OE-Core rev: e5aae8a371717215a7d78459788ad67dfaefe37e) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* go: add a complementary fix for CVE-2023-29406Ming Liu2024-02-283-1/+116
| | | | | | | | | | The original CVE-2023-29406.patch is not complete, causing docker failures at runtime, backport a complementary fix from golang upstream. (From OE-Core rev: 973901530c98bc3f1b10d8bb89d55decf6848713) Signed-off-by: Ming Liu <liu.ming50@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* go: Fix CVE-2023-45285 and CVE-2023-45287Soumya Sambu2024-02-153-0/+1807
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | CVE-2023-45285: Using go get to fetch a module with the ".git" suffix may unexpectedly fallback to the insecure "git://" protocol if the module is unavailable via the secure "https://" and "git+ssh://" protocols, even if GOINSECURE is not set for said module. This only affects users who are not using the module proxy and are fetching modules directly (i.e. GOPROXY=off). CVE-2023-45287: Before Go 1.20, the RSA based TLS key exchanges used the math/big library, which is not constant time. RSA blinding was applied to prevent timing attacks, but analysis shows this may not have been fully effective. In particular it appears as if the removal of PKCS#1 padding may leak timing information, which in turn could be used to recover session key bits. In Go 1.20, the crypto/tls library switched to a fully constant time RSA implementation, which we do not believe exhibits any timing side channels. References: https://nvd.nist.gov/vuln/detail/CVE-2023-45285 https://nvd.nist.gov/vuln/detail/CVE-2023-45287 https://security-tracker.debian.org/tracker/CVE-2023-45285 https://security-tracker.debian.org/tracker/CVE-2023-45287 (From OE-Core rev: 616857b9918e8d2e576239b3db2f9f077d1a7222) Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* go: Fix CVE-2023-39326Soumya Sambu2023-12-222-0/+183
| | | | | | | | | | | | | | | | | | | | | | | | A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body. A malicious HTTP client can further exploit this to cause a server to automatically read a large amount of data (up to about 1GiB) when a handler fails to read the entire body of a request. Chunk extensions are a little-used HTTP feature which permit including additional metadata in a request or response body sent using the chunked encoding. The net/http chunked encoding reader discards this metadata. A sender can exploit this by inserting a large metadata segment with each byte transferred. The chunk reader now produces an error if the ratio of real body to encoded bytes grows too small. References: https://nvd.nist.gov/vuln/detail/CVE-2023-39326 https://security-tracker.debian.org/tracker/CVE-2023-39326 (From OE-Core rev: 448df3bb9277287dd8586987199223b7314fdd01) Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* go: Fix issue in DNS resolverChaitanya Vadrevu2023-11-282-0/+52
| | | | | | | | | | | | | | | | This change adds a patch that is a partial backport of an upstream commit[1]. It fixes a bug in go's DNS resolver that was causing a docker issue where the first "docker pull" always fails after system boot if docker daemon is started before networking is completely up. [1] https://github.com/golang/go/commit/d52883f443e1d564b0300acdd382af1769bf0477 (From OE-Core rev: 8c8b01e84844a7e721c668d5ffbc7161e67f0862) Signed-off-by: Chaitanya Vadrevu <chaitanya.vadrevu@ni.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* go: ignore CVE-2023-45283 and CVE-2023-45284Peter Marko2023-11-281-2/+2
| | | | | | | | | These CVEs affect path handling on Windows. (From OE-Core rev: 60f75fd6a671fcbfeefb634fe88f6faa17b446b7) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* go: Update fix for CVE-2023-24538 & CVE-2023-39318Shubham Kulkarni2023-10-054-17/+802
| | | | | | | | | | | | | Add missing files in fix for CVE-2023-24538 & CVE-2023-39318 Upstream Link - CVE-2023-24538: https://github.com/golang/go/commit/b1e3ecfa06b67014429a197ec5e134ce4303ad9b CVE-2023-39318: https://github.com/golang/go/commit/023b542edf38e2a1f87fcefb9f75ff2f99401b4c (From OE-Core rev: 0d8f7062d4fb5525f34427b1a7304f165bee0cfc) Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* go: Fix CVE-2023-39318Siddharth Doshi2023-09-302-0/+239
| | | | | | | | | Upstream-Status: Backport from [https://github.com/golang/go/commit/023b542edf38e2a1f87fcefb9f75ff2f99401b4c] CVE: CVE-2023-39318 (From OE-Core rev: 35fa5c12f86bda2c8542bdb57074f55808697a42) Signed-off-by: Siddharth Doshi <sdoshi@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* go: Fix CVE-2023-39319Soumya Sambu2023-09-232-1/+256
| | | | | | | | | | | | | | | | The html/template package does not apply the proper rules for handling occurrences of "<script", "<!--", and "</script" within JS literals in <script> contexts. This may cause the template parser to improperly consider script contexts to be terminated early, causing actions to be improperly escaped. This could be leveraged to perform an XSS attack. References: https://nvd.nist.gov/vuln/detail/CVE-2023-39319 (From OE-Core rev: afdc322ecff4cfd8478c89a03f7fce748a132b48) Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* go: Fix CVE-2023-29409Soumya Sambu2023-08-302-0/+176
| | | | | | | | | | | | | | | | | | | | | | Extremely large RSA keys in certificate chains can cause a client/server to expend significant CPU time verifying signatures. With fix, the size of RSA keys transmitted during handshakes is restricted to <= 8192 bits. Based on a survey of publicly trusted RSA keys, there are currently only three certificates in circulation with keys larger than this, and all three appear to be test certificates that are not actively deployed. It is possible there are larger keys in use in private PKIs, but we target the web PKI, so causing breakage here in the interests of increasing the default safety of users of crypto/tls seems reasonable. References: https://nvd.nist.gov/vuln/detail/CVE-2023-29409 (From OE-Core rev: 51c2fee0e4bb4b3131c61d91510394cd4b4f9eb9) Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* go: fix CVE-2023-24531Sakib Sajal2023-08-073-1/+302
| | | | | | | | | Backport required patches from go1.21 to fix CVE-2023-24531. (From OE-Core rev: 6d892c52bd5806507a05e8b6f749c54bbd9e9da6) Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* go: fix CVE-2023-24536Sakib Sajal2023-08-074-0/+676
| | | | | | | | | Backport required patches to fix CVE-2023-24536. (From OE-Core rev: a774c895f4a425979cef8e05e8dd17c2dcb67654) Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* go: fix CVE-2023-29406 net/http insufficient sanitization of Host headerVivek Kumbhar2023-08-022-0/+211
| | | | | | | (From OE-Core rev: 5dc74138649ab7a2c0158a43225dc7a8fd732355) Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* go: fix CVE-2023-29400 html/template improper handling of empty HTML attributesVivek Kumbhar2023-07-122-0/+100
| | | | | | | (From OE-Core rev: 3224084a1ca301ff4fb4735ccc80d24aaec13257) Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* go: fix CVE-2023-29402Archana Polampalli2023-07-012-0/+195
| | | | | | | | | | | | | | | | | | | | The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a go program which uses cgo. This may occur when running an untrusted module which contains directories with newline characters in their names. Modules which are retrieved using the go command, i.e. via "go get", are not affected (modules retrieved using GOPATH-mode, i.e. GO111MODULE=off, may be affected). References: https://nvd.nist.gov/vuln/detail/CVE-2023-29402 Upstream patches: https://github.com/golang/go/commit/4dae3bbe0e6a5700037bb996ae84d6f457c4f58a (From OE-Core rev: aeb0829e52c60a77a2135af8332435b6e2db5b3d) Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* go: fix CVE-2023-29405Archana Polampalli2023-07-012-0/+110
| | | | | | | | | | | | | | | | | | | | | The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a "#cgo LDFLAGS" directive. Flags containing embedded spaces are mishandled, allowing disallowed flags to be smuggled through the LDFLAGS sanitization by including them in the argument of another flag. This only affects usage of the gccgo compiler. References: https://nvd.nist.gov/vuln/detail/CVE-2023-29405 Upstream patches: https://github.com/golang/go/commit/6d8af00a630aa51134e54f0f321658621c6410f0 (From OE-Core rev: 7ce6d0029effc06cff500271a124150f1a7db7b3) Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* go: fix CVE-2023-29404Archana Polampalli2023-07-012-0/+79
| | | | | | | | | | | | | | | | | | | | | The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a "#cgo LDFLAGS" directive. The arguments for a number of flags which are non-optional are incorrectly considered optional, allowing disallowed flags to be smuggled through the LDFLAGS sanitization. This affects usage of both the gc and gccgo compilers. References: https://nvd.nist.gov/vuln/detail/CVE-2023-29404 Upstream patches: https://github.com/golang/go/commit/bbeb55f5faf93659e1cfd6ab073ab3c9d126d195 (From OE-Core rev: 3e51122f8e2b4a7cd2a1c711175e6daf59b8368b) Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* go: fix CVE-2023-24539 html/template improper sanitization of CSS valuesVivek Kumbhar2023-06-142-0/+54
| | | | | | | | | | | | | | | | | | Angle brackets should not appear in CSS contexts, as they may affect token boundaries (such as closing a <style> tag, resulting in injection). Instead emit filterFailsafe, matching the behavior for other dangerous characters. Thanks to Juho Nurminen of Mattermost for reporting this issue. For #59720 Fixes #59811 Fixes CVE-2023-24539 (From OE-Core rev: 0a09194f3d4ad98d0cf0d070ec0c99e7a6c8a158) Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* go: fix CVE-2023-24540Sakib Sajal2023-05-302-0/+94
| | | | | | | | | | | | | References: https://nvd.nist.gov/vuln/detail/CVE-2023-24540 Upstream patch: https://github.com/golang/go/commit/ce7bd33345416e6d8cac901792060591cafc2797 (go 1.19.9) (From OE-Core rev: 5defed7d5dc8bc6f68f021d19c4f42832d33472b) Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* go: Security fix for CVE-2023-24538Shubham Kulkarni2023-05-102-0/+209
| | | | | | | | | | | html/template: disallow actions in JS template literals Backport from https://github.com/golang/go/commit/b1e3ecfa06b67014429a197ec5e134ce4303ad9b (From OE-Core rev: 835462d697a5f294900843b8bcd628709c256605) Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* go: fix CVE-2023-24534 denial of service from excessive memory allocationVivek Kumbhar2023-05-102-0/+201
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | A parsed MIME header is a map[string][]string. In the common case, a header contains many one-element []string slices. To avoid allocating a separate slice for each key, ReadMIMEHeader looks ahead in the input to predict the number of keys that will be parsed, and allocates a single []string of that length. The individual slices are then allocated out of the larger one. The prediction of the number of header keys was done by counting newlines in the input buffer, which does not take into account header continuation lines (where a header key/value spans multiple lines) or the end of the header block and the start of the body. This could lead to a substantial amount of overallocation, for example when the body consists of nothing but a large block of newlines. Fix header key count prediction to take into account the end of the headers (indicated by a blank line) and continuation lines (starting with whitespace). Thanks to Jakob Ackermann (@das7pad) for reporting this issue. Fixes CVE-2023-24534 For #58975 Fixes #59267 (From OE-Core rev: 28bfa033ce965d7316a8b4296d10f3ad74d711db) Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* go: fix CVE-2023-24537 Infinite loop in parsingVivek Kumbhar2023-04-262-0/+76
| | | | | | | | | | | | | | | | | Setting a large line or column number using a //line directive can cause integer overflow even in small source files. Limit line and column numbers in //line directives to 2^30-1, which is small enough to avoid int32 overflow on all reasonbly-sized files. Fixes CVE-2023-24537 Fixes #59273 For #59180 (From OE-Core rev: 15c07dff384ce4fb0e90f4f32c182a82101a1c82) Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* go: ignore CVE-2022-41716Peter Marko2023-04-261-0/+3
| | | | | | | | | | | | | | This CVE is specific to Microsoft Windows, ignore it. Patch fixing it (https://go-review.googlesource.com/c/go/+/446916) also adds a redundant check to generic os/exec which could be backported but it should not be necessary as backport always takes a small risk to break old code. (From OE-Core rev: ae8167754ff1c02f2d92af03de804754ea77a3e5) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* go-runtime: Security fix for CVE-2022-41722Shubham Kulkarni2023-04-262-0/+104
| | | | | | | | | | | path/filepath: do not Clean("a/../c:/b") into c:\b on Windows Backport from https://github.com/golang/go/commit/bdf07c2e168baf736e4c057279ca12a4d674f18c (From OE-Core rev: f60637b3c9045656047d6ffcfaadbef5ad1d3d06) Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* go: fix CVE-2022-41724, 41725Joe Slater2023-04-194-1/+3131
| | | | | | | | | | | | | Backport from go-1.19. The godebug package is needed by the fix to CVE-2022-41725. Mostly a cherry-pick but exceptions are noted in comments marked "backport". (From OE-Core rev: e5cf04f55b4849ae6db1253b39ad8b037cf01af4) Signed-off-by: Joe Slater <joe.slater@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* go-runtime: Security fix for CVE-2022-41723Shubham Kulkarni2023-04-112-0/+157
| | | | | | | | | | | | | Disable cmd/internal/moddeps test, since this update includes PRIVATE track fixes. Backport from https://github.com/golang/go/commit/5c3e11bd0b5c0a86e5beffcd4339b86a902b21c3 (From OE-Core rev: 7440ebac50813e5df73da2d660a50fa97de650de) Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>