@@ -25,6 +25,8 @@ SRC_URI += "\
file://CVE-2021-44717.patch \
file://CVE-2022-24675.patch \
file://CVE-2021-31525.patch \
+ file://CVE-2022-30629.patch \
+ file://CVE-2022-30631.patch \
"
SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"
new file mode 100644
@@ -0,0 +1,47 @@
+From 8d0bbb5a6280c2cf951241ec7f6579c90d38df57 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Thu, 25 Aug 2022 10:55:08 +0530
+Subject: [PATCH] CVE-2022-30629
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/c15a8e2dbb5ac376a6ed890735341b812d6b965c]
+CVE: CVE-2022-30629
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/crypto/tls/handshake_server_tls13.go | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/src/crypto/tls/handshake_server_tls13.go b/src/crypto/tls/handshake_server_tls13.go
+index 5432145..d91797e 100644
+--- a/src/crypto/tls/handshake_server_tls13.go
++++ b/src/crypto/tls/handshake_server_tls13.go
+@@ -9,6 +9,7 @@ import (
+ "crypto"
+ "crypto/hmac"
+ "crypto/rsa"
++ "encoding/binary"
+ "errors"
+ "hash"
+ "io"
+@@ -742,6 +743,19 @@ func (hs *serverHandshakeStateTLS13) sendSessionTickets() error {
+ }
+ m.lifetime = uint32(maxSessionTicketLifetime / time.Second)
+
++ // ticket_age_add is a random 32-bit value. See RFC 8446, section 4.6.1
++ // The value is not stored anywhere; we never need to check the ticket age
++ // because 0-RTT is not supported.
++ ageAdd := make([]byte, 4)
++ _, err = hs.c.config.rand().Read(ageAdd)
++ if err != nil {
++ return err
++ }
++ m.ageAdd = binary.LittleEndian.Uint32(ageAdd)
++
++ // ticket_nonce, which must be unique per connection, is always left at
++ // zero because we only ever send one ticket per connection.
++
+ if _, err := c.writeRecord(recordTypeHandshake, m.marshal()); err != nil {
+ return err
+ }
+--
+2.25.1
+
new file mode 100644
@@ -0,0 +1,116 @@
+From d10fc3a84e3344f2421c1dd3046faa50709ab4d5 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Thu, 25 Aug 2022 11:01:21 +0530
+Subject: [PATCH] CVE-2022-30631
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/0117dee7dccbbd7803d88f65a2ce8bd686219ad3]
+CVE: CVE-2022-30631
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/compress/gzip/gunzip.go | 60 +++++++++++++++-----------------
+ src/compress/gzip/gunzip_test.go | 16 +++++++++
+ 2 files changed, 45 insertions(+), 31 deletions(-)
+
+diff --git a/src/compress/gzip/gunzip.go b/src/compress/gzip/gunzip.go
+index 924bce1..237b2b9 100644
+--- a/src/compress/gzip/gunzip.go
++++ b/src/compress/gzip/gunzip.go
+@@ -248,42 +248,40 @@ func (z *Reader) Read(p []byte) (n int, err error) {
+ return 0, z.err
+ }
+
+- n, z.err = z.decompressor.Read(p)
+- z.digest = crc32.Update(z.digest, crc32.IEEETable, p[:n])
+- z.size += uint32(n)
+- if z.err != io.EOF {
+- // In the normal case we return here.
+- return n, z.err
+- }
++ for n == 0 {
++ n, z.err = z.decompressor.Read(p)
++ z.digest = crc32.Update(z.digest, crc32.IEEETable, p[:n])
++ z.size += uint32(n)
++ if z.err != io.EOF {
++ // In the normal case we return here.
++ return n, z.err
++ }
+
+- // Finished file; check checksum and size.
+- if _, err := io.ReadFull(z.r, z.buf[:8]); err != nil {
+- z.err = noEOF(err)
+- return n, z.err
+- }
+- digest := le.Uint32(z.buf[:4])
+- size := le.Uint32(z.buf[4:8])
+- if digest != z.digest || size != z.size {
+- z.err = ErrChecksum
+- return n, z.err
+- }
+- z.digest, z.size = 0, 0
++ // Finished file; check checksum and size.
++ if _, err := io.ReadFull(z.r, z.buf[:8]); err != nil {
++ z.err = noEOF(err)
++ return n, z.err
++ }
++ digest := le.Uint32(z.buf[:4])
++ size := le.Uint32(z.buf[4:8])
++ if digest != z.digest || size != z.size {
++ z.err = ErrChecksum
++ return n, z.err
++ }
++ z.digest, z.size = 0, 0
+
+- // File is ok; check if there is another.
+- if !z.multistream {
+- return n, io.EOF
+- }
+- z.err = nil // Remove io.EOF
++ // File is ok; check if there is another.
++ if !z.multistream {
++ return n, io.EOF
++ }
++ z.err = nil // Remove io.EOF
+
+- if _, z.err = z.readHeader(); z.err != nil {
+- return n, z.err
++ if _, z.err = z.readHeader(); z.err != nil {
++ return n, z.err
++ }
+ }
+
+- // Read from next file, if necessary.
+- if n > 0 {
+- return n, nil
+- }
+- return z.Read(p)
++ return n, nil
+ }
+
+ // Close closes the Reader. It does not close the underlying io.Reader.
+diff --git a/src/compress/gzip/gunzip_test.go b/src/compress/gzip/gunzip_test.go
+index 1b01404..95220ae 100644
+--- a/src/compress/gzip/gunzip_test.go
++++ b/src/compress/gzip/gunzip_test.go
+@@ -516,3 +516,19 @@ func TestTruncatedStreams(t *testing.T) {
+ }
+ }
+ }
++
++func TestCVE202230631(t *testing.T) {
++ var empty = []byte{0x1f, 0x8b, 0x08, 0x00, 0xa7, 0x8f, 0x43, 0x62, 0x00,
++ 0x03, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}
++ r := bytes.NewReader(bytes.Repeat(empty, 4e6))
++ z, err := NewReader(r)
++ if err != nil {
++ t.Fatalf("NewReader: got %v, want nil", err)
++ }
++ // Prior to CVE-2022-30631 fix, this would cause an unrecoverable panic due
++ // to stack exhaustion.
++ _, err = z.Read(make([]byte, 10))
++ if err != io.EOF {
++ t.Errorf("Reader.Read: got %v, want %v", err, io.EOF)
++ }
++}
+--
+2.25.1
+
Source: https://github.com/golang/go MR: 120613, 120613 Type: Security Fix Disposition: Backport from https://github.com/golang/go/commit/c15a8e2dbb5ac376a6ed890735341b812d6b965c && https://github.com/golang/go/commit/0117dee7dccbbd7803d88f65a2ce8bd686219ad3 ChangeID: 366db775dec045d7b312b8da0436af36ab322046 Description: Fixed CVE: 1. CVE-2022-30629 2. CVE-2022-30631 Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> --- meta/recipes-devtools/go/go-1.14.inc | 2 + .../go/go-1.14/CVE-2022-30629.patch | 47 +++++++ .../go/go-1.14/CVE-2022-30631.patch | 116 ++++++++++++++++++ 3 files changed, 165 insertions(+) create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2022-30629.patch create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2022-30631.patch