| Message ID | 20240626043553.41521-1-hprajapati@mvista.com |
|---|---|
| State | Superseded |
| Delegated to: | Steve Sakoman |
| Headers | show |
| Series | [scarthgap] go: fix CVE-2024-24789 | expand |
Hi Hitendra, I sent a backport with the latest golang 1.22.4 from master https://lists.openembedded.org/g/openembedded-core/message/201157 Jose Hitendra Prajapati via lists.openembedded.org <hprajapati= mvista.com@lists.openembedded.org> escreveu (quarta, 26/06/2024 à(s) 05:36): > Upstream-Status: Backport from > https://github.com/golang/go/commit/c8e40338cf00f3c1d86c8fb23863ad67a4c72bcc > > Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> > --- > meta/recipes-devtools/go/go-1.22.2.inc | 1 + > .../go/go/CVE-2024-24789.patch | 77 +++++++++++++++++++ > 2 files changed, 78 insertions(+) > create mode 100644 meta/recipes-devtools/go/go/CVE-2024-24789.patch > > diff --git a/meta/recipes-devtools/go/go-1.22.2.inc > b/meta/recipes-devtools/go/go-1.22.2.inc > index b399207311..1a57a1bae6 100644 > --- a/meta/recipes-devtools/go/go-1.22.2.inc > +++ b/meta/recipes-devtools/go/go-1.22.2.inc > @@ -14,5 +14,6 @@ SRC_URI += "\ > > file://0007-exec.go-filter-out-build-specific-paths-from-linker-.patch \ > > file://0008-src-cmd-dist-buildgo.go-do-not-hardcode-host-compile.patch \ > file://0009-go-Filter-build-paths-on-staticly-linked-arches.patch \ > + file://CVE-2024-24789.patch \ > " > SRC_URI[main.sha256sum] = > "374ea82b289ec738e968267cac59c7d5ff180f9492250254784b2044e90df5a9" > diff --git a/meta/recipes-devtools/go/go/CVE-2024-24789.patch > b/meta/recipes-devtools/go/go/CVE-2024-24789.patch > new file mode 100644 > index 0000000000..684407112d > --- /dev/null > +++ b/meta/recipes-devtools/go/go/CVE-2024-24789.patch > @@ -0,0 +1,77 @@ > +From c8e40338cf00f3c1d86c8fb23863ad67a4c72bcc Mon Sep 17 00:00:00 2001 > +From: Damien Neil <dneil@google.com> > +Date: Tue, 14 May 2024 14:39:10 -0700 > +Subject: [PATCH] [release-branch.go1.21] archive/zip: treat truncated > EOCDR > + comment as an error > + > +When scanning for an end of central directory record, > +treat an EOCDR signature with a record containing a truncated > +comment as an error. Previously, we would skip over the invalid > +record and look for another one. Other implementations do not > +do this (they either consider this a hard error, or just ignore > +the truncated comment). This parser misalignment allowed > +presenting entirely different archive contents to Go programs > +and other zip decoders. > + > +For #66869 > +Fixes #67553 > + > +Change-Id: I94e5cb028534bb5704588b8af27f1e22ea49c7c6 > +Reviewed-on: https://go-review.googlesource.com/c/go/+/585397 > +Reviewed-by: Joseph Tsai <joetsai@digital-static.net> > +Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> > +LUCI-TryBot-Result: Go LUCI < > golang-scoped@luci-project-accounts.iam.gserviceaccount.com> > +(cherry picked from commit 33d725e5758bf1fea62e6c77fc70b57a828a49f5) > +Reviewed-on: https://go-review.googlesource.com/c/go/+/588795 > +Reviewed-by: Matthew Dempsky <mdempsky@google.com> > + > +Upstream-Status: Backport [ > https://github.com/golang/go/commit/c8e40338cf00f3c1d86c8fb23863ad67a4c72bcc > ] > +CVE: CVE-2024-24789 > +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> > +--- > + src/archive/zip/reader.go | 8 ++++++-- > + src/archive/zip/reader_test.go | 8 ++++++++ > + 2 files changed, 14 insertions(+), 2 deletions(-) > + > +diff --git a/src/archive/zip/reader.go b/src/archive/zip/reader.go > +index ff6fedf..60b34b7 100644 > +--- a/src/archive/zip/reader.go > ++++ b/src/archive/zip/reader.go > +@@ -699,9 +699,13 @@ func findSignatureInBlock(b []byte) int { > + if b[i] == 'P' && b[i+1] == 'K' && b[i+2] == 0x05 && > b[i+3] == 0x06 { > + // n is length of comment > + n := int(b[i+directoryEndLen-2]) | > int(b[i+directoryEndLen-1])<<8 > +- if n+directoryEndLen+i <= len(b) { > +- return i > ++ if n+directoryEndLen+i > len(b) { > ++ // Truncated comment. > ++ // Some parsers (such as Info-ZIP) ignore > the truncated comment > ++ // rather than treating it as a hard error. > ++ return -1 > + } > ++ return i > + } > + } > + return -1 > +diff --git a/src/archive/zip/reader_test.go > b/src/archive/zip/reader_test.go > +index 631515c..9a77c1a 100644 > +--- a/src/archive/zip/reader_test.go > ++++ b/src/archive/zip/reader_test.go > +@@ -570,6 +570,14 @@ var tests = []ZipTest{ > + }, > + }, > + }, > ++ // Issue 66869: Don't skip over an EOCDR with a truncated comment. > ++ // The test file sneakily hides a second EOCDR before the first > one; > ++ // previously we would extract one file ("file") from this archive, > ++ // while most other tools would reject the file or extract a > different one ("FILE"). > ++ { > ++ Name: "comment-truncated.zip", > ++ Error: ErrFormat, > ++ }, > + } > + > + func TestReader(t *testing.T) { > +-- > +2.25.1 > + > -- > 2.25.1 > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#201149): > https://lists.openembedded.org/g/openembedded-core/message/201149 > Mute This Topic: https://lists.openembedded.org/mt/106884660/5052612 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [ > quaresma.jose@gmail.com] > -=-=-=-=-=-=-=-=-=-=-=- > >
diff --git a/meta/recipes-devtools/go/go-1.22.2.inc b/meta/recipes-devtools/go/go-1.22.2.inc index b399207311..1a57a1bae6 100644 --- a/meta/recipes-devtools/go/go-1.22.2.inc +++ b/meta/recipes-devtools/go/go-1.22.2.inc @@ -14,5 +14,6 @@ SRC_URI += "\ file://0007-exec.go-filter-out-build-specific-paths-from-linker-.patch \ file://0008-src-cmd-dist-buildgo.go-do-not-hardcode-host-compile.patch \ file://0009-go-Filter-build-paths-on-staticly-linked-arches.patch \ + file://CVE-2024-24789.patch \ " SRC_URI[main.sha256sum] = "374ea82b289ec738e968267cac59c7d5ff180f9492250254784b2044e90df5a9" diff --git a/meta/recipes-devtools/go/go/CVE-2024-24789.patch b/meta/recipes-devtools/go/go/CVE-2024-24789.patch new file mode 100644 index 0000000000..684407112d --- /dev/null +++ b/meta/recipes-devtools/go/go/CVE-2024-24789.patch @@ -0,0 +1,77 @@ +From c8e40338cf00f3c1d86c8fb23863ad67a4c72bcc Mon Sep 17 00:00:00 2001 +From: Damien Neil <dneil@google.com> +Date: Tue, 14 May 2024 14:39:10 -0700 +Subject: [PATCH] [release-branch.go1.21] archive/zip: treat truncated EOCDR + comment as an error + +When scanning for an end of central directory record, +treat an EOCDR signature with a record containing a truncated +comment as an error. Previously, we would skip over the invalid +record and look for another one. Other implementations do not +do this (they either consider this a hard error, or just ignore +the truncated comment). This parser misalignment allowed +presenting entirely different archive contents to Go programs +and other zip decoders. + +For #66869 +Fixes #67553 + +Change-Id: I94e5cb028534bb5704588b8af27f1e22ea49c7c6 +Reviewed-on: https://go-review.googlesource.com/c/go/+/585397 +Reviewed-by: Joseph Tsai <joetsai@digital-static.net> +Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> +LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> +(cherry picked from commit 33d725e5758bf1fea62e6c77fc70b57a828a49f5) +Reviewed-on: https://go-review.googlesource.com/c/go/+/588795 +Reviewed-by: Matthew Dempsky <mdempsky@google.com> + +Upstream-Status: Backport [https://github.com/golang/go/commit/c8e40338cf00f3c1d86c8fb23863ad67a4c72bcc] +CVE: CVE-2024-24789 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + src/archive/zip/reader.go | 8 ++++++-- + src/archive/zip/reader_test.go | 8 ++++++++ + 2 files changed, 14 insertions(+), 2 deletions(-) + +diff --git a/src/archive/zip/reader.go b/src/archive/zip/reader.go +index ff6fedf..60b34b7 100644 +--- a/src/archive/zip/reader.go ++++ b/src/archive/zip/reader.go +@@ -699,9 +699,13 @@ func findSignatureInBlock(b []byte) int { + if b[i] == 'P' && b[i+1] == 'K' && b[i+2] == 0x05 && b[i+3] == 0x06 { + // n is length of comment + n := int(b[i+directoryEndLen-2]) | int(b[i+directoryEndLen-1])<<8 +- if n+directoryEndLen+i <= len(b) { +- return i ++ if n+directoryEndLen+i > len(b) { ++ // Truncated comment. ++ // Some parsers (such as Info-ZIP) ignore the truncated comment ++ // rather than treating it as a hard error. ++ return -1 + } ++ return i + } + } + return -1 +diff --git a/src/archive/zip/reader_test.go b/src/archive/zip/reader_test.go +index 631515c..9a77c1a 100644 +--- a/src/archive/zip/reader_test.go ++++ b/src/archive/zip/reader_test.go +@@ -570,6 +570,14 @@ var tests = []ZipTest{ + }, + }, + }, ++ // Issue 66869: Don't skip over an EOCDR with a truncated comment. ++ // The test file sneakily hides a second EOCDR before the first one; ++ // previously we would extract one file ("file") from this archive, ++ // while most other tools would reject the file or extract a different one ("FILE"). ++ { ++ Name: "comment-truncated.zip", ++ Error: ErrFormat, ++ }, + } + + func TestReader(t *testing.T) { +-- +2.25.1 +
Upstream-Status: Backport from https://github.com/golang/go/commit/c8e40338cf00f3c1d86c8fb23863ad67a4c72bcc Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> --- meta/recipes-devtools/go/go-1.22.2.inc | 1 + .../go/go/CVE-2024-24789.patch | 77 +++++++++++++++++++ 2 files changed, 78 insertions(+) create mode 100644 meta/recipes-devtools/go/go/CVE-2024-24789.patch