From patchwork Fri Nov 7 10:20:57 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Polampalli, Archana" X-Patchwork-Id: 73925 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 635CDCCFA1A for ; Fri, 7 Nov 2025 10:21:09 +0000 (UTC) Received: from mx0a-0064b401.pphosted.com (mx0a-0064b401.pphosted.com [205.220.166.238]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.8256.1762510867620913736 for ; Fri, 07 Nov 2025 02:21:08 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@windriver.com header.s=PPS06212021 header.b=f/qDVVKd; spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.166.238, mailfrom: prvs=3406543a8f=archana.polampalli@windriver.com) Received: from pps.filterd (m0250810.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.11/8.18.1.11) with ESMTP id 5A74vOHO2487900 for ; Fri, 7 Nov 2025 02:21:07 -0800 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=windriver.com; h=content-transfer-encoding:content-type:date:from:message-id :mime-version:subject:to; s=PPS06212021; bh=g3qHSBU1hkjM3PYUjHoE iPIzcU/P+z1XkdbKTrUw+Lo=; b=f/qDVVKd1zce6DQuuNL3dtkRVPO9NSxXlRBB yOIP0ETrAblx+Aep8mToO1Dj9OXe2Tr32wwhpKrXeOWv8fdPnTdoD0Z0njAtl3i/ bCy+2LptaQiBI6ULHQtrS64QypkAPXrBBu8jXoUyIgpu3s0czl1qvPQ2H6q1+RvZ ANg0Q18LZM5ygejsomVQ1fu1TDrvf7Za/QeeWAdWaQJaq6fJg20g2NhtoNS5mCEy Bf+xRx3oUZr/zUoQKiSBIdVe4nSOCbHmUqY4lWASxIHwsdEuBSJ0BigEnt4eh6Md Graa5Rx3JywloPPhtELng5C8FsQZcWGupUbzXVkKBa/5GUe8iA== Received: from ala-exchng02.corp.ad.wrs.com ([128.224.246.37]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 4a96ym8d08-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Fri, 07 Nov 2025 02:21:07 -0800 (PST) Received: from ala-exchng01.corp.ad.wrs.com (10.11.224.121) by ALA-EXCHNG02.corp.ad.wrs.com (10.11.224.122) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.61; Fri, 7 Nov 2025 02:21:06 -0800 Received: from blr-linux-engg1.wrs.com (10.11.232.110) by ala-exchng01.corp.ad.wrs.com (10.11.224.121) with Microsoft SMTP Server id 15.1.2507.61 via Frontend Transport; Fri, 7 Nov 2025 02:21:05 -0800 From: To: Subject: [oe-core][scarthgap][PATCH 1/7] go: fix CVE-2025-58185 Date: Fri, 7 Nov 2025 15:50:57 +0530 Message-ID: <20251107102103.436637-1-archana.polampalli@windriver.com> X-Mailer: git-send-email 2.40.0 MIME-Version: 1.0 X-Proofpoint-ORIG-GUID: g_Jc4r9t7fVlrXSWwp9TCf1-Hw5MshUK X-Proofpoint-Spam-Details-Enc: AW1haW4tMjUxMTA3MDA4MyBTYWx0ZWRfX7W5atUHvAY/+ kM1MGwwnTFEE3kLlgeyazqfMYFwygQvcChmovtH0TiUEgLzMb8hx3+68QvAaYWU/GKoQR50OpFe fX6uq5LTaYK2VEOtHdjItfLfOGkSFwCDexn7y6+Q0cA0k+bPP5Vcocvw35pSwjFBMzy/ejlzgav Nhnex/jZ80RahgX52vB1e+tWqRsLuP/WQrz9S3TxMQZyCOu3PDegsYJEzq4dlelR2hW8mz0qdLs rDoxT5dhGrwYXQAQ5tPQry1frsR0ewjKGj2/72bIzZNwYtxfxPHlriv/uBKre0n5WcSmMif84Db rxcFK6hByqHMlIWZeFfthuYA3BmsKJ2zHRvqinfsWhrjOdRUBw154IlNEvzvbWvDjhQuCz3TP8i imQMBMiT0AoiZ/r0SFE6FseHkXBKUw== X-Proofpoint-GUID: g_Jc4r9t7fVlrXSWwp9TCf1-Hw5MshUK X-Authority-Analysis: v=2.4 cv=NqPcssdJ c=1 sm=1 tr=0 ts=690dc813 cx=c_pps a=Lg6ja3A245NiLSnFpY5YKQ==:117 a=Lg6ja3A245NiLSnFpY5YKQ==:17 a=6UeiqGixMTsA:10 a=VkNPw1HP01LnGYTKEx00:22 a=Oh2cFVv5AAAA:8 a=NEAV23lmAAAA:8 a=t7CeM3EgAAAA:8 a=1XWaLZrsAAAA:8 a=pM9yUfARAAAA:8 a=m-fl97lkFUjkAqCwY5kA:9 a=7KeoIwV6GZqOttXkcoxL:22 a=FdTzh2GWekK77mhwV6Dw:22 a=YH-7kEGJnRg4CV3apUU-:22 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1121,Hydra:6.1.9,FMLib:17.12.100.49 definitions=2025-11-07_02,2025-11-06_01,2025-10-01_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 suspectscore=0 impostorscore=0 lowpriorityscore=0 bulkscore=0 clxscore=1015 phishscore=0 adultscore=0 spamscore=0 malwarescore=0 priorityscore=1501 classifier=typeunknown authscore=0 authtc= authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.22.0-2510240001 definitions=main-2511070083 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 07 Nov 2025 10:21:09 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/226024 From: Archana Polampalli Parsing a maliciously crafted DER payload could allocate large amounts of memory, causing memory exhaustion. Signed-off-by: Archana Polampalli --- meta/recipes-devtools/go/go-1.22.12.inc | 1 + .../go/go/CVE-2025-58185.patch | 142 ++++++++++++++++++ 2 files changed, 143 insertions(+) create mode 100644 meta/recipes-devtools/go/go/CVE-2025-58185.patch diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc index a364e1aae8..38992219c8 100644 --- a/meta/recipes-devtools/go/go-1.22.12.inc +++ b/meta/recipes-devtools/go/go-1.22.12.inc @@ -21,6 +21,7 @@ SRC_URI += "\ file://CVE-2025-47907-pre.patch \ file://CVE-2025-47907.patch \ file://CVE-2025-47906.patch \ + file://CVE-2025-58185.patch \ " SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71" diff --git a/meta/recipes-devtools/go/go/CVE-2025-58185.patch b/meta/recipes-devtools/go/go/CVE-2025-58185.patch new file mode 100644 index 0000000000..63250614ce --- /dev/null +++ b/meta/recipes-devtools/go/go/CVE-2025-58185.patch @@ -0,0 +1,142 @@ +From 5c3d61c886f7ecfce9a6d6d3c97e6d5a8afb17d1 Mon Sep 17 00:00:00 2001 +From: Nicholas Husin +Date: Wed, 3 Sep 2025 09:30:56 -0400 +Subject: [PATCH] [release-branch.go1.24] encoding/asn1: prevent memory + exhaustion when parsing using internal/saferio + +Within parseSequenceOf, +reflect.MakeSlice is being used to pre-allocate a slice that is needed in +order to fully validate the given DER payload. The size of the slice +allocated are also multiple times larger than the input DER: + +- When using asn1.Unmarshal directly, the allocated slice is ~28x + larger. +- When passing in DER using x509.ParseCertificateRequest, the allocated + slice is ~48x larger. +- When passing in DER using ocsp.ParseResponse, the allocated slice is + ~137x larger. + +As a result, a malicious actor can craft a big empty DER payload, +resulting in an unnecessary large allocation of memories. This can be a +way to cause memory exhaustion. + +To prevent this, we now use SliceCapWithSize within internal/saferio to +enforce a memory allocation cap. + +Thanks to Jakub Ciolek for reporting this issue. + +For #75671 +Fixes #75704 +Fixes CVE-2025-58185 + +Change-Id: Id50e76187eda43f594be75e516b9ca1d2ae6f428 +Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2700 +Reviewed-by: Roland Shoemaker +Reviewed-by: Damien Neil +Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2984 +Reviewed-by: Nicholas Husin +Reviewed-on: https://go-review.googlesource.com/c/go/+/709841 +Reviewed-by: Carlos Amedee +Auto-Submit: Michael Pratt +TryBot-Bypass: Michael Pratt + +CVE: CVE-2025-58185 + +Upstream-Status: Backport [https://github.com/golang/go/commit/5c3d61c886f7ecfce9a6d6d3c97e6d5a8afb17d1] + +Signed-off-by: Archana Polampalli +--- + src/encoding/asn1/asn1.go | 10 ++++++++- + src/encoding/asn1/asn1_test.go | 38 ++++++++++++++++++++++++++++++++++ + 2 files changed, 47 insertions(+), 1 deletion(-) + +diff --git a/src/encoding/asn1/asn1.go b/src/encoding/asn1/asn1.go +index 781ab87..16c7138 100644 +--- a/src/encoding/asn1/asn1.go ++++ b/src/encoding/asn1/asn1.go +@@ -22,6 +22,7 @@ package asn1 + import ( + "errors" + "fmt" ++ "internal/saferio" + "math" + "math/big" + "reflect" +@@ -643,10 +644,17 @@ func parseSequenceOf(bytes []byte, sliceType reflect.Type, elemType reflect.Type + offset += t.length + numElements++ + } +- ret = reflect.MakeSlice(sliceType, numElements, numElements) ++ elemSize := uint64(elemType.Size()) ++ safeCap := saferio.SliceCapWithSize(elemSize, uint64(numElements)) ++ if safeCap < 0 { ++ err = SyntaxError{fmt.Sprintf("%s slice too big: %d elements of %d bytes", elemType.Kind(), numElements, elemSize)} ++ return ++ } ++ ret = reflect.MakeSlice(sliceType, 0, safeCap) + params := fieldParameters{} + offset := 0 + for i := 0; i < numElements; i++ { ++ ret = reflect.Append(ret, reflect.Zero(elemType)) + offset, err = parseField(ret.Index(i), bytes, offset, params) + if err != nil { + return +diff --git a/src/encoding/asn1/asn1_test.go b/src/encoding/asn1/asn1_test.go +index 9a605e2..249d4e4 100644 +--- a/src/encoding/asn1/asn1_test.go ++++ b/src/encoding/asn1/asn1_test.go +@@ -7,10 +7,12 @@ package asn1 + import ( + "bytes" + "encoding/hex" ++ "errors" + "fmt" + "math" + "math/big" + "reflect" ++ "runtime" + "strings" + "testing" + "time" +@@ -1175,3 +1177,39 @@ func BenchmarkObjectIdentifierString(b *testing.B) { + _ = oidPublicKeyRSA.String() + } + } ++ ++func TestParsingMemoryConsumption(t *testing.T) { ++ // Craft a syntatically valid, but empty, ~10 MB DER bomb. A successful ++ // unmarshal of this bomb should yield ~280 MB. However, the parsing should ++ // fail due to the empty content; and, in such cases, we want to make sure ++ // that we do not unnecessarily allocate memories. ++ derBomb := make([]byte, 10_000_000) ++ for i := range derBomb { ++ derBomb[i] = 0x30 ++ } ++ derBomb = append([]byte{0x30, 0x83, 0x98, 0x96, 0x80}, derBomb...) ++ ++ var m runtime.MemStats ++ runtime.GC() ++ runtime.ReadMemStats(&m) ++ memBefore := m.TotalAlloc ++ ++ var out []struct { ++ Id []int ++ Critical bool `asn1:"optional"` ++ Value []byte ++ } ++ _, err := Unmarshal(derBomb, &out) ++ if !errors.As(err, &SyntaxError{}) { ++ t.Fatalf("Incorrect error result: want (%v), but got (%v) instead", &SyntaxError{}, err) ++ } ++ ++ runtime.ReadMemStats(&m) ++ memDiff := m.TotalAlloc - memBefore ++ ++ // Ensure that the memory allocated does not exceed 10<<21 (~20 MB) when ++ // the parsing fails. ++ if memDiff > 10<<21 { ++ t.Errorf("Too much memory allocated while parsing DER: %v MiB", memDiff/1024/1024) ++ } ++} +-- +2.40.0 From patchwork Fri Nov 7 10:20:58 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Polampalli, Archana" X-Patchwork-Id: 73926 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5E0E3CCF9F8 for ; Fri, 7 Nov 2025 10:21:09 +0000 (UTC) Received: from mx0a-0064b401.pphosted.com (mx0a-0064b401.pphosted.com [205.220.166.238]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.8257.1762510869074430861 for ; Fri, 07 Nov 2025 02:21:09 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@windriver.com header.s=PPS06212021 header.b=sLPBfecO; spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.166.238, mailfrom: prvs=3406543a8f=archana.polampalli@windriver.com) Received: from pps.filterd (m0250810.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.11/8.18.1.11) with ESMTP id 5A77QRM42732854 for ; Fri, 7 Nov 2025 02:21:08 -0800 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=windriver.com; h=content-transfer-encoding:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to; s=PPS06212021; bh=T3Tx4S+27HYoHpoCOkyZJYGYI04eq9+X1wcQqHXUAWA=; b=sLPBfecOJpjc Wp54fPGTeE+7FM3tfgO5e6fL+8zK696o0/Hg5GKe2RfOOx5NlZnj/Du/J4zNdJTC 39YZgkVcYc8tT/hEvFRPsxu5BhiUMDgjuFxYziIRYGm5321VebQzlbX0nKiXog0T LND0hzp1NR7obvGUC+ZbJU1i2NyxxJZOSeKqFRaMlLPvHklVnesxNX44hH/oMTDP ZhA+9z6wT6x46uEWmYVqal8+3xNADq2cLs44Zfe3mJXEjiAfYESX21+tyWRo+j6H a1Gd62H7LZQoyGVl7hVBg+/bXLLWLcJpSsm6+u3b7OHCML9Gk62i7JUa7Qli6zFG La3o6LeGMQ== Received: from ala-exchng02.corp.ad.wrs.com ([128.224.246.37]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 4a96ym8d09-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Fri, 07 Nov 2025 02:21:08 -0800 (PST) Received: from ala-exchng01.corp.ad.wrs.com (10.11.224.121) by ALA-EXCHNG02.corp.ad.wrs.com (10.11.224.122) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.61; Fri, 7 Nov 2025 02:21:08 -0800 Received: from blr-linux-engg1.wrs.com (10.11.232.110) by ala-exchng01.corp.ad.wrs.com (10.11.224.121) with Microsoft SMTP Server id 15.1.2507.61 via Frontend Transport; Fri, 7 Nov 2025 02:21:07 -0800 From: To: Subject: [oe-core][scarthgap][PATCH 2/7] go: fix CVE-2025-58187 Date: Fri, 7 Nov 2025 15:50:58 +0530 Message-ID: <20251107102103.436637-2-archana.polampalli@windriver.com> X-Mailer: git-send-email 2.40.0 In-Reply-To: <20251107102103.436637-1-archana.polampalli@windriver.com> References: <20251107102103.436637-1-archana.polampalli@windriver.com> MIME-Version: 1.0 X-Proofpoint-ORIG-GUID: qQIUn-0A8ZTmzi2BYOK_b-SUcITG7BUp X-Proofpoint-Spam-Details-Enc: AW1haW4tMjUxMTA3MDA4MyBTYWx0ZWRfX9RbHkmnG8JmO nKLk+fVLzrNzm5YZag0Cm9yESgY9rezqmdgu8hbAQPZUVLUhBHnMDr27lJ6DZpdlpx4HG5ePKYn YhDbUPiqR2yUxLdvi995pdJ1EWqflEeUL08Z2eSj9BTdnUdwy86Wt1tNGobvapuVGpYn89P3KEv gzaUYlJkFrd1vW2uUGD9w+OTZXEk2UwAwBSoYVkVyBdidjMR5Oy2ii1fWuJeylGANyjOpRYlopi vLuLSOvRTu8de/DBAXmIPyVebGm3vGVxhA1KGVlwuDn9R8QQTnTHkk7IguGGWUpDIsKKO8mZaB9 n4W7nkTtXET+7HtyB0nUub3LpzZbbXRnmQm4okFlmKy5jotGYwQsqgqlk84iyko70vjxmyxTXT6 PYmYIyKFZKqsMcZBwXm7TFu6t9ZTYQ== X-Proofpoint-GUID: qQIUn-0A8ZTmzi2BYOK_b-SUcITG7BUp X-Authority-Analysis: v=2.4 cv=NqPcssdJ c=1 sm=1 tr=0 ts=690dc814 cx=c_pps a=Lg6ja3A245NiLSnFpY5YKQ==:117 a=Lg6ja3A245NiLSnFpY5YKQ==:17 a=6UeiqGixMTsA:10 a=VkNPw1HP01LnGYTKEx00:22 a=Oh2cFVv5AAAA:8 a=NEAV23lmAAAA:8 a=t7CeM3EgAAAA:8 a=1XWaLZrsAAAA:8 a=pM9yUfARAAAA:8 a=A1X0JdhQAAAA:8 a=p8bv-Q6xvW1aGLmNwggA:9 a=7KeoIwV6GZqOttXkcoxL:22 a=FdTzh2GWekK77mhwV6Dw:22 a=YH-7kEGJnRg4CV3apUU-:22 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1121,Hydra:6.1.9,FMLib:17.12.100.49 definitions=2025-11-07_02,2025-11-06_01,2025-10-01_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 suspectscore=0 impostorscore=0 lowpriorityscore=0 bulkscore=0 clxscore=1015 phishscore=0 adultscore=0 spamscore=0 malwarescore=0 priorityscore=1501 classifier=typeunknown authscore=0 authtc= authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.22.0-2510240001 definitions=main-2511070083 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 07 Nov 2025 10:21:09 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/226025 From: Archana Polampalli Due to the design of the name constraint checking algorithm, the processing time of some inputs scals non-linearly with respect to the size of the certificate. This affects programs which validate arbitrary certificate chains. Signed-off-by: Archana Polampalli --- meta/recipes-devtools/go/go-1.22.12.inc | 1 + .../go/go/CVE-2025-58187.patch | 349 ++++++++++++++++++ 2 files changed, 350 insertions(+) create mode 100644 meta/recipes-devtools/go/go/CVE-2025-58187.patch diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc index 38992219c8..a1c14ea684 100644 --- a/meta/recipes-devtools/go/go-1.22.12.inc +++ b/meta/recipes-devtools/go/go-1.22.12.inc @@ -22,6 +22,7 @@ SRC_URI += "\ file://CVE-2025-47907.patch \ file://CVE-2025-47906.patch \ file://CVE-2025-58185.patch \ + file://CVE-2025-58187.patch \ " SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71" diff --git a/meta/recipes-devtools/go/go/CVE-2025-58187.patch b/meta/recipes-devtools/go/go/CVE-2025-58187.patch new file mode 100644 index 0000000000..d3b7dd5264 --- /dev/null +++ b/meta/recipes-devtools/go/go/CVE-2025-58187.patch @@ -0,0 +1,349 @@ +From f334417e71f8b078ad64035bddb6df7f8910da6c Mon Sep 17 00:00:00 2001 +From: Neal Patel +Date: Mon, 15 Sep 2025 16:31:22 -0400 +Subject: [PATCH] [release-branch.go1.24] crypto/x509: improve domain name + verification + +Don't use domainToReverseLabels to check if domain names are +valid, since it is not particularly performant, and can contribute to DoS +vectors. Instead just iterate over the name and enforce the properties we +care about. + +This also enforces that DNS names, both in SANs and name constraints, +are valid. We previously allowed invalid SANs, because some +intermediates had these weird names (see #23995), but there are +currently no trusted intermediates that have this property, and since we +target the web PKI, supporting this particular case is not a high +priority. + +Thank you to Jakub Ciolek for reporting this issue. + +Fixes CVE-2025-58187 +For #75681 +Fixes #75714 + +Change-Id: I6ebce847dcbe5fc63ef2f9a74f53f11c4c56d3d1 +Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2820 +Reviewed-by: Damien Neil +Reviewed-by: Roland Shoemaker +Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2982 +Reviewed-by: Nicholas Husin +Reviewed-on: https://go-review.googlesource.com/c/go/+/709839 +Auto-Submit: Michael Pratt +Reviewed-by: Carlos Amedee +TryBot-Bypass: Michael Pratt + +CVE: CVE-2025-58187 + +Upstream-Status: Backport [https://github.com/golang/go/commit/f334417e71f8b078ad64035bddb6df7f8910da6c] + +Signed-off-by: Archana Polampalli +--- + src/crypto/x509/name_constraints_test.go | 66 ++------------------ + src/crypto/x509/parser.go | 77 ++++++++++++++---------- + src/crypto/x509/parser_test.go | 43 +++++++++++++ + src/crypto/x509/verify.go | 1 + + 4 files changed, 95 insertions(+), 92 deletions(-) + +diff --git a/src/crypto/x509/name_constraints_test.go b/src/crypto/x509/name_constraints_test.go +index 78263fc..9aaa6d7 100644 +--- a/src/crypto/x509/name_constraints_test.go ++++ b/src/crypto/x509/name_constraints_test.go +@@ -1456,63 +1456,7 @@ var nameConstraintsTests = []nameConstraintsTest{ + expectedError: "incompatible key usage", + }, + +- // An invalid DNS SAN should be detected only at validation time so +- // that we can process CA certificates in the wild that have invalid SANs. +- // See https://github.com/golang/go/issues/23995 +- +- // #77: an invalid DNS or mail SAN will not be detected if name constraint +- // checking is not triggered. +- { +- roots: make([]constraintsSpec, 1), +- intermediates: [][]constraintsSpec{ +- { +- {}, +- }, +- }, +- leaf: leafSpec{ +- sans: []string{"dns:this is invalid", "email:this @ is invalid"}, +- }, +- }, +- +- // #78: an invalid DNS SAN will be detected if any name constraint checking +- // is triggered. +- { +- roots: []constraintsSpec{ +- { +- bad: []string{"uri:"}, +- }, +- }, +- intermediates: [][]constraintsSpec{ +- { +- {}, +- }, +- }, +- leaf: leafSpec{ +- sans: []string{"dns:this is invalid"}, +- }, +- expectedError: "cannot parse dnsName", +- }, +- +- // #79: an invalid email SAN will be detected if any name constraint +- // checking is triggered. +- { +- roots: []constraintsSpec{ +- { +- bad: []string{"uri:"}, +- }, +- }, +- intermediates: [][]constraintsSpec{ +- { +- {}, +- }, +- }, +- leaf: leafSpec{ +- sans: []string{"email:this @ is invalid"}, +- }, +- expectedError: "cannot parse rfc822Name", +- }, +- +- // #80: if several EKUs are requested, satisfying any of them is sufficient. ++ // #77: if several EKUs are requested, satisfying any of them is sufficient. + { + roots: make([]constraintsSpec, 1), + intermediates: [][]constraintsSpec{ +@@ -1527,7 +1471,7 @@ var nameConstraintsTests = []nameConstraintsTest{ + requestedEKUs: []ExtKeyUsage{ExtKeyUsageClientAuth, ExtKeyUsageEmailProtection}, + }, + +- // #81: EKUs that are not asserted in VerifyOpts are not required to be ++ // #78: EKUs that are not asserted in VerifyOpts are not required to be + // nested. + { + roots: make([]constraintsSpec, 1), +@@ -1546,7 +1490,7 @@ var nameConstraintsTests = []nameConstraintsTest{ + }, + }, + +- // #82: a certificate without SANs and CN is accepted in a constrained chain. ++ // #79: a certificate without SANs and CN is accepted in a constrained chain. + { + roots: []constraintsSpec{ + { +@@ -1563,7 +1507,7 @@ var nameConstraintsTests = []nameConstraintsTest{ + }, + }, + +- // #83: a certificate without SANs and with a CN that does not parse as a ++ // #80: a certificate without SANs and with a CN that does not parse as a + // hostname is accepted in a constrained chain. + { + roots: []constraintsSpec{ +@@ -1582,7 +1526,7 @@ var nameConstraintsTests = []nameConstraintsTest{ + }, + }, + +- // #84: a certificate with SANs and CN is accepted in a constrained chain. ++ // #81: a certificate with SANs and CN is accepted in a constrained chain. + { + roots: []constraintsSpec{ + { +diff --git a/src/crypto/x509/parser.go b/src/crypto/x509/parser.go +index 812b0d2..9a3bcd6 100644 +--- a/src/crypto/x509/parser.go ++++ b/src/crypto/x509/parser.go +@@ -378,10 +378,14 @@ func parseSANExtension(der cryptobyte.String) (dnsNames, emailAddresses []string + if err := isIA5String(email); err != nil { + return errors.New("x509: SAN rfc822Name is malformed") + } ++ parsed, ok := parseRFC2821Mailbox(email) ++ if !ok || (ok && !domainNameValid(parsed.domain, false)) { ++ return errors.New("x509: SAN rfc822Name is malformed") ++ } + emailAddresses = append(emailAddresses, email) + case nameTypeDNS: + name := string(data) +- if err := isIA5String(name); err != nil { ++ if err := isIA5String(name); err != nil || (err == nil && !domainNameValid(name, false)) { + return errors.New("x509: SAN dNSName is malformed") + } + dnsNames = append(dnsNames, string(name)) +@@ -391,14 +395,9 @@ func parseSANExtension(der cryptobyte.String) (dnsNames, emailAddresses []string + return errors.New("x509: SAN uniformResourceIdentifier is malformed") + } + uri, err := url.Parse(uriStr) +- if err != nil { ++ if err != nil || (err == nil && uri.Host != "" && !domainNameValid(uri.Host, false)) { + return fmt.Errorf("x509: cannot parse URI %q: %s", uriStr, err) + } +- if len(uri.Host) > 0 { +- if _, ok := domainToReverseLabels(uri.Host); !ok { +- return fmt.Errorf("x509: cannot parse URI %q: invalid domain", uriStr) +- } +- } + uris = append(uris, uri) + case nameTypeIP: + switch len(data) { +@@ -538,15 +537,7 @@ func parseNameConstraintsExtension(out *Certificate, e pkix.Extension) (unhandle + return nil, nil, nil, nil, errors.New("x509: invalid constraint value: " + err.Error()) + } + +- trimmedDomain := domain +- if len(trimmedDomain) > 0 && trimmedDomain[0] == '.' { +- // constraints can have a leading +- // period to exclude the domain +- // itself, but that's not valid in a +- // normal domain name. +- trimmedDomain = trimmedDomain[1:] +- } +- if _, ok := domainToReverseLabels(trimmedDomain); !ok { ++ if !domainNameValid(domain, true) { + return nil, nil, nil, nil, fmt.Errorf("x509: failed to parse dnsName constraint %q", domain) + } + dnsNames = append(dnsNames, domain) +@@ -587,12 +578,7 @@ func parseNameConstraintsExtension(out *Certificate, e pkix.Extension) (unhandle + return nil, nil, nil, nil, fmt.Errorf("x509: failed to parse rfc822Name constraint %q", constraint) + } + } else { +- // Otherwise it's a domain name. +- domain := constraint +- if len(domain) > 0 && domain[0] == '.' { +- domain = domain[1:] +- } +- if _, ok := domainToReverseLabels(domain); !ok { ++ if !domainNameValid(constraint, true) { + return nil, nil, nil, nil, fmt.Errorf("x509: failed to parse rfc822Name constraint %q", constraint) + } + } +@@ -608,15 +594,7 @@ func parseNameConstraintsExtension(out *Certificate, e pkix.Extension) (unhandle + return nil, nil, nil, nil, fmt.Errorf("x509: failed to parse URI constraint %q: cannot be IP address", domain) + } + +- trimmedDomain := domain +- if len(trimmedDomain) > 0 && trimmedDomain[0] == '.' { +- // constraints can have a leading +- // period to exclude the domain itself, +- // but that's not valid in a normal +- // domain name. +- trimmedDomain = trimmedDomain[1:] +- } +- if _, ok := domainToReverseLabels(trimmedDomain); !ok { ++ if !domainNameValid(domain, true) { + return nil, nil, nil, nil, fmt.Errorf("x509: failed to parse URI constraint %q", domain) + } + uriDomains = append(uriDomains, domain) +@@ -1197,3 +1175,40 @@ func ParseRevocationList(der []byte) (*RevocationList, error) { + + return rl, nil + } ++ ++// domainNameValid does minimal domain name validity checking. In particular it ++// enforces the following properties: ++// - names cannot have the trailing period ++// - names can only have a leading period if constraint is true ++// - names must be <= 253 characters ++// - names cannot have empty labels ++// - names cannot labels that are longer than 63 characters ++// ++// Note that this does not enforce the LDH requirements for domain names. ++func domainNameValid(s string, constraint bool) bool { ++ if len(s) == 0 && constraint { ++ return true ++ } ++ if len(s) == 0 || (!constraint && s[0] == '.') || s[len(s)-1] == '.' || len(s) > 253 { ++ return false ++ } ++ lastDot := -1 ++ if constraint && s[0] == '.' { ++ s = s[1:] ++ } ++ ++ for i := 0; i <= len(s); i++ { ++ if i == len(s) || s[i] == '.' { ++ labelLen := i ++ if lastDot >= 0 { ++ labelLen -= lastDot + 1 ++ } ++ if labelLen == 0 || labelLen > 63 { ++ return false ++ } ++ lastDot = i ++ } ++ } ++ ++ return true ++} +diff --git a/src/crypto/x509/parser_test.go b/src/crypto/x509/parser_test.go +index b31f9cd..a6cdfb8 100644 +--- a/src/crypto/x509/parser_test.go ++++ b/src/crypto/x509/parser_test.go +@@ -6,6 +6,7 @@ package x509 + + import ( + "encoding/asn1" ++ "strings" + "testing" + + cryptobyte_asn1 "golang.org/x/crypto/cryptobyte/asn1" +@@ -101,3 +102,45 @@ func TestParseASN1String(t *testing.T) { + }) + } + } ++ ++func TestDomainNameValid(t *testing.T) { ++ for _, tc := range []struct { ++ name string ++ dnsName string ++ constraint bool ++ valid bool ++ }{ ++ {"empty name, name", "", false, false}, ++ {"empty name, constraint", "", true, true}, ++ {"empty label, name", "a..a", false, false}, ++ {"empty label, constraint", "a..a", true, false}, ++ {"period, name", ".", false, false}, ++ {"period, constraint", ".", true, false}, // TODO(roland): not entirely clear if this is a valid constraint (require at least one label?) ++ {"valid, name", "a.b.c", false, true}, ++ {"valid, constraint", "a.b.c", true, true}, ++ {"leading period, name", ".a.b.c", false, false}, ++ {"leading period, constraint", ".a.b.c", true, true}, ++ {"trailing period, name", "a.", false, false}, ++ {"trailing period, constraint", "a.", true, false}, ++ {"bare label, name", "a", false, true}, ++ {"bare label, constraint", "a", true, true}, ++ {"254 char label, name", strings.Repeat("a.a", 84) + "aaa", false, false}, ++ {"254 char label, constraint", strings.Repeat("a.a", 84) + "aaa", true, false}, ++ {"253 char label, name", strings.Repeat("a.a", 84) + "aa", false, false}, ++ {"253 char label, constraint", strings.Repeat("a.a", 84) + "aa", true, false}, ++ {"64 char single label, name", strings.Repeat("a", 64), false, false}, ++ {"64 char single label, constraint", strings.Repeat("a", 64), true, false}, ++ {"63 char single label, name", strings.Repeat("a", 63), false, true}, ++ {"63 char single label, constraint", strings.Repeat("a", 63), true, true}, ++ {"64 char label, name", "a." + strings.Repeat("a", 64), false, false}, ++ {"64 char label, constraint", "a." + strings.Repeat("a", 64), true, false}, ++ {"63 char label, name", "a." + strings.Repeat("a", 63), false, true}, ++ {"63 char label, constraint", "a." + strings.Repeat("a", 63), true, true}, ++ } { ++ t.Run(tc.name, func(t *testing.T) { ++ if tc.valid != domainNameValid(tc.dnsName, tc.constraint) { ++ t.Errorf("domainNameValid(%q, %t) = %v; want %v", tc.dnsName, tc.constraint, !tc.valid, tc.valid) ++ } ++ }) ++ } ++} +diff --git a/src/crypto/x509/verify.go b/src/crypto/x509/verify.go +index 2d2a271..4502d4c 100644 +--- a/src/crypto/x509/verify.go ++++ b/src/crypto/x509/verify.go +@@ -360,6 +360,7 @@ func parseRFC2821Mailbox(in string) (mailbox rfc2821Mailbox, ok bool) { + // domainToReverseLabels converts a textual domain name like foo.example.com to + // the list of labels in reverse order, e.g. ["com", "example", "foo"]. + func domainToReverseLabels(domain string) (reverseLabels []string, ok bool) { ++ reverseLabels = make([]string, 0, strings.Count(domain, ".")+1) + for len(domain) > 0 { + if i := strings.LastIndexByte(domain, '.'); i == -1 { + reverseLabels = append(reverseLabels, domain) +-- +2.40.0 From patchwork Fri Nov 7 10:20:59 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Polampalli, Archana" X-Patchwork-Id: 73927 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5E146CCFA1A for ; Fri, 7 Nov 2025 10:21:19 +0000 (UTC) Received: from mx0a-0064b401.pphosted.com (mx0a-0064b401.pphosted.com [205.220.166.238]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.8259.1762510870469360980 for ; Fri, 07 Nov 2025 02:21:10 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@windriver.com header.s=PPS06212021 header.b=hTNi6hrM; spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.166.238, mailfrom: prvs=3406543a8f=archana.polampalli@windriver.com) Received: from pps.filterd (m0250810.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.11/8.18.1.11) with ESMTP id 5A76Z2cL2647700 for ; Fri, 7 Nov 2025 02:21:10 -0800 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=windriver.com; h=content-transfer-encoding:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to; s=PPS06212021; bh=B+TN3ikaSp245xEkmsQND3FXW6SKhQ/2EWBWZRUbW8s=; b=hTNi6hrMBSzg T3hvHU2ELAojR5mvDe1KAEo/OvVlQPYYVrGouhX18sYK+rP5irqhC0PjVkRuhq34 E3OuPoV46xccY0YstLkJEf7QGGFaSKT5ZN712PB8G31i9QanK4ftmRU1jg7Oqn+y z6/45uoJrQZmvP4/dEZLyfbmDfG5+j3jIjEV0O4P8/ysPb4PFafB8EiENAhSJcwc ZUGw1KoZfSXfyZEkUpEtyL1vZtgOCsGFRfLi44jJ9DKtXG0NeQrjSpdtkpEfN0xX e6IpDLNzquSITzvUuWeVEBuFSHNIUIkDCxk7TumcFqvThWzeoH06jVevaZHmAk11 0IrqawDbKw== Received: from ala-exchng02.corp.ad.wrs.com ([128.224.246.37]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 4a96ym8d0a-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Fri, 07 Nov 2025 02:21:10 -0800 (PST) Received: from ala-exchng01.corp.ad.wrs.com (10.11.224.121) by ALA-EXCHNG02.corp.ad.wrs.com (10.11.224.122) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.61; Fri, 7 Nov 2025 02:21:09 -0800 Received: from blr-linux-engg1.wrs.com (10.11.232.110) by ala-exchng01.corp.ad.wrs.com (10.11.224.121) with Microsoft SMTP Server id 15.1.2507.61 via Frontend Transport; Fri, 7 Nov 2025 02:21:08 -0800 From: To: Subject: [oe-core][scarthgap][PATCH 3/7] go: fix CVE-2025-58188 Date: Fri, 7 Nov 2025 15:50:59 +0530 Message-ID: <20251107102103.436637-3-archana.polampalli@windriver.com> X-Mailer: git-send-email 2.40.0 In-Reply-To: <20251107102103.436637-1-archana.polampalli@windriver.com> References: <20251107102103.436637-1-archana.polampalli@windriver.com> MIME-Version: 1.0 X-Proofpoint-ORIG-GUID: 2hxX3J2Qt3q8OK6lupRczuj6GEOIFFUT X-Proofpoint-Spam-Details-Enc: AW1haW4tMjUxMTA3MDA4MyBTYWx0ZWRfX1Wf55EZTYWPz ZZMIS+OhGO0LH2hdP810JgmeeWWwxrd8RWx7gUcHIVaOuYiaIWaWNyIHKbIS4zoNKr/sxn/RsIL OE+Vmfu4/4gPvCcGeart+swx+s3Unpm0TetKqiC0W0UG3i70YlJ0KuSrwsYWoT40vKdj76oJ/w+ cP5emYRZSTlJYcjGikq0uIkPFGfZTXbsx8+bFcR3oyhECzzMoJxNk2JvQT5Tn7ofeKVHo0130NV FPmc8lzyTR5f3QMBw9lDvG6AR510H9qN78tM++RR9jqCnTtcX4lp8FxdSO+zCOA5nYbhX0L3h35 7SGlyS3352NB0msa2w9ZWNxsoNSB3F9htcfGZBOzeNMM/U6d21ehHhdPmCiUzg14iIV15idy49n Xs/DKNRfATnMhAZNQGtV8N6pckC6Pg== X-Proofpoint-GUID: 2hxX3J2Qt3q8OK6lupRczuj6GEOIFFUT X-Authority-Analysis: v=2.4 cv=NqPcssdJ c=1 sm=1 tr=0 ts=690dc816 cx=c_pps a=Lg6ja3A245NiLSnFpY5YKQ==:117 a=Lg6ja3A245NiLSnFpY5YKQ==:17 a=6UeiqGixMTsA:10 a=VkNPw1HP01LnGYTKEx00:22 a=Oh2cFVv5AAAA:8 a=NEAV23lmAAAA:8 a=t7CeM3EgAAAA:8 a=1XWaLZrsAAAA:8 a=pM9yUfARAAAA:8 a=LMaPaQqZR-gsADwCKQUA:9 a=7KeoIwV6GZqOttXkcoxL:22 a=FdTzh2GWekK77mhwV6Dw:22 a=YH-7kEGJnRg4CV3apUU-:22 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1121,Hydra:6.1.9,FMLib:17.12.100.49 definitions=2025-11-07_02,2025-11-06_01,2025-10-01_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 suspectscore=0 impostorscore=0 lowpriorityscore=0 bulkscore=0 clxscore=1015 phishscore=0 adultscore=0 spamscore=0 malwarescore=0 priorityscore=1501 classifier=typeunknown authscore=0 authtc= authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.22.0-2510240001 definitions=main-2511070083 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 07 Nov 2025 10:21:19 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/226026 From: Archana Polampalli Validating certificate chains which contain DSA public keys can cause programs to panic, due to a interface cast that assumes they implement the Equal method. This affects programs which validate arbitrary certificate chains. Signed-off-by: Archana Polampalli --- meta/recipes-devtools/go/go-1.22.12.inc | 1 + .../go/go/CVE-2025-58188.patch | 194 ++++++++++++++++++ 2 files changed, 195 insertions(+) create mode 100644 meta/recipes-devtools/go/go/CVE-2025-58188.patch diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc index a1c14ea684..b619fc48f4 100644 --- a/meta/recipes-devtools/go/go-1.22.12.inc +++ b/meta/recipes-devtools/go/go-1.22.12.inc @@ -23,6 +23,7 @@ SRC_URI += "\ file://CVE-2025-47906.patch \ file://CVE-2025-58185.patch \ file://CVE-2025-58187.patch \ + file://CVE-2025-58188.patch \ " SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71" diff --git a/meta/recipes-devtools/go/go/CVE-2025-58188.patch b/meta/recipes-devtools/go/go/CVE-2025-58188.patch new file mode 100644 index 0000000000..5787527414 --- /dev/null +++ b/meta/recipes-devtools/go/go/CVE-2025-58188.patch @@ -0,0 +1,194 @@ +From f9f198ab05e3282cbf6b13251d47d9141981e401 Mon Sep 17 00:00:00 2001 +From: Neal Patel +Date: Thu, 11 Sep 2025 16:27:04 -0400 +Subject: [PATCH] [release-branch.go1.24] crypto/x509: mitigate DoS vector when + intermediate certificate contains DSA public key An attacker could craft an + intermediate X.509 certificate containing a DSA public key and can crash a + remote host with an unauthenticated call to any endpoint that verifies the + certificate chain. + +Thank you to Jakub Ciolek for reporting this issue. + +Fixes CVE-2025-58188 +For #75675 +Fixes #75702 + +Change-Id: I2ecbb87b9b8268dbc55c8795891e596ab60f0088 +Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2780 +Reviewed-by: Damien Neil +Reviewed-by: Roland Shoemaker +Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2964 +Reviewed-on: https://go-review.googlesource.com/c/go/+/709836 +TryBot-Bypass: Michael Pratt +Reviewed-by: Carlos Amedee +Auto-Submit: Michael Pratt + +CVE: CVE-2025-58188 + +Upstream-Status: Backport [https://github.com/golang/go/commit/f9f198ab05e3282cbf6b13251d47d9141981e401] + +Signed-off-by: Archana Polampalli +--- + src/crypto/x509/verify.go | 5 +- + src/crypto/x509/verify_test.go | 126 +++++++++++++++++++++++++++++++++ + 2 files changed, 130 insertions(+), 1 deletion(-) + +diff --git a/src/crypto/x509/verify.go b/src/crypto/x509/verify.go +index 4502d4c..14cd23f 100644 +--- a/src/crypto/x509/verify.go ++++ b/src/crypto/x509/verify.go +@@ -868,7 +868,10 @@ func alreadyInChain(candidate *Certificate, chain []*Certificate) bool { + if !bytes.Equal(candidate.RawSubject, cert.RawSubject) { + continue + } +- if !candidate.PublicKey.(pubKeyEqual).Equal(cert.PublicKey) { ++ // We enforce the canonical encoding of SPKI (by only allowing the ++ // correct AI paremeter encodings in parseCertificate), so it's safe to ++ // directly compare the raw bytes. ++ if !bytes.Equal(candidate.RawSubjectPublicKeyInfo, cert.RawSubjectPublicKeyInfo) { + continue + } + var certSAN *pkix.Extension +diff --git a/src/crypto/x509/verify_test.go b/src/crypto/x509/verify_test.go +index 8a7a5f6..4a7d8da 100644 +--- a/src/crypto/x509/verify_test.go ++++ b/src/crypto/x509/verify_test.go +@@ -6,6 +6,7 @@ package x509 + + import ( + "crypto" ++ "crypto/dsa" + "crypto/ecdsa" + "crypto/elliptic" + "crypto/rand" +@@ -2811,3 +2812,128 @@ func TestVerifyNilPubKey(t *testing.T) { + t.Fatalf("buildChains returned unexpected error, got: %v, want %v", err, UnknownAuthorityError{}) + } + } ++func TestCertificateChainSignedByECDSA(t *testing.T) { ++ caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) ++ if err != nil { ++ t.Fatal(err) ++ } ++ root := &Certificate{ ++ SerialNumber: big.NewInt(1), ++ Subject: pkix.Name{CommonName: "X"}, ++ NotBefore: time.Now().Add(-time.Hour), ++ NotAfter: time.Now().Add(365 * 24 * time.Hour), ++ IsCA: true, ++ KeyUsage: KeyUsageCertSign | KeyUsageCRLSign, ++ BasicConstraintsValid: true, ++ } ++ caDER, err := CreateCertificate(rand.Reader, root, root, &caKey.PublicKey, caKey) ++ if err != nil { ++ t.Fatal(err) ++ } ++ root, err = ParseCertificate(caDER) ++ if err != nil { ++ t.Fatal(err) ++ } ++ ++ leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) ++ leaf := &Certificate{ ++ SerialNumber: big.NewInt(42), ++ Subject: pkix.Name{CommonName: "leaf"}, ++ NotBefore: time.Now().Add(-10 * time.Minute), ++ NotAfter: time.Now().Add(24 * time.Hour), ++ KeyUsage: KeyUsageDigitalSignature, ++ ExtKeyUsage: []ExtKeyUsage{ExtKeyUsageServerAuth}, ++ BasicConstraintsValid: true, ++ } ++ leafDER, err := CreateCertificate(rand.Reader, leaf, root, &leafKey.PublicKey, caKey) ++ if err != nil { ++ t.Fatal(err) ++ } ++ leaf, err = ParseCertificate(leafDER) ++ if err != nil { ++ t.Fatal(err) ++ } ++ ++ inter, err := ParseCertificate(dsaSelfSignedCNX(t)) ++ if err != nil { ++ t.Fatal(err) ++ } ++ ++ inters := NewCertPool() ++ inters.AddCert(root) ++ inters.AddCert(inter) ++ ++ wantErr := "certificate signed by unknown authority" ++ _, err = leaf.Verify(VerifyOptions{Intermediates: inters, Roots: NewCertPool()}) ++ if !strings.Contains(err.Error(), wantErr) { ++ t.Errorf("got %v, want %q", err, wantErr) ++ } ++} ++ ++// dsaSelfSignedCNX produces DER-encoded ++// certificate with the properties: ++// ++// Subject=Issuer=CN=X ++// DSA SPKI ++// Matching inner/outer signature OIDs ++// Dummy ECDSA signature ++func dsaSelfSignedCNX(t *testing.T) []byte { ++ t.Helper() ++ var params dsa.Parameters ++ if err := dsa.GenerateParameters(¶ms, rand.Reader, dsa.L1024N160); err != nil { ++ t.Fatal(err) ++ } ++ ++ var dsaPriv dsa.PrivateKey ++ dsaPriv.Parameters = params ++ if err := dsa.GenerateKey(&dsaPriv, rand.Reader); err != nil { ++ t.Fatal(err) ++ } ++ dsaPub := &dsaPriv.PublicKey ++ ++ type dsaParams struct{ P, Q, G *big.Int } ++ paramDER, err := asn1.Marshal(dsaParams{dsaPub.P, dsaPub.Q, dsaPub.G}) ++ if err != nil { ++ t.Fatal(err) ++ } ++ yDER, err := asn1.Marshal(dsaPub.Y) ++ if err != nil { ++ t.Fatal(err) ++ } ++ ++ spki := publicKeyInfo{ ++ Algorithm: pkix.AlgorithmIdentifier{ ++ Algorithm: oidPublicKeyDSA, ++ Parameters: asn1.RawValue{FullBytes: paramDER}, ++ }, ++ PublicKey: asn1.BitString{Bytes: yDER, BitLength: 8 * len(yDER)}, ++ } ++ ++ rdn := pkix.Name{CommonName: "X"}.ToRDNSequence() ++ b, err := asn1.Marshal(rdn) ++ if err != nil { ++ t.Fatal(err) ++ } ++ rawName := asn1.RawValue{FullBytes: b} ++ ++ algoIdent := pkix.AlgorithmIdentifier{Algorithm: oidSignatureDSAWithSHA256} ++ tbs := tbsCertificate{ ++ Version: 0, ++ SerialNumber: big.NewInt(1002), ++ SignatureAlgorithm: algoIdent, ++ Issuer: rawName, ++ Validity: validity{NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}, ++ Subject: rawName, ++ PublicKey: spki, ++ } ++ c := certificate{ ++ TBSCertificate: tbs, ++ SignatureAlgorithm: algoIdent, ++ SignatureValue: asn1.BitString{Bytes: []byte{0}, BitLength: 8}, ++ } ++ dsaDER, err := asn1.Marshal(c) ++ if err != nil { ++ t.Fatal(err) ++ } ++ return dsaDER ++} +-- +2.40.0 From patchwork Fri Nov 7 10:21:00 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Polampalli, Archana" X-Patchwork-Id: 73929 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5CFC1CCFA05 for ; Fri, 7 Nov 2025 10:21:19 +0000 (UTC) Received: from mx0a-0064b401.pphosted.com (mx0a-0064b401.pphosted.com [205.220.166.238]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.8261.1762510872113354726 for ; Fri, 07 Nov 2025 02:21:12 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@windriver.com header.s=PPS06212021 header.b=YL0tcnP5; spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.166.238, mailfrom: prvs=3406543a8f=archana.polampalli@windriver.com) Received: from pps.filterd (m0250810.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.11/8.18.1.11) with ESMTP id 5A77Pxbt2731672 for ; Fri, 7 Nov 2025 02:21:11 -0800 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=windriver.com; h=content-transfer-encoding:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to; s=PPS06212021; bh=BokN8ZmRPWI395hRAXXFo034ef3nYiK8r/f9d+N/G28=; b=YL0tcnP5pfEl 7LjBgHDhzlNo/++9RE3MEevSYdH75/alo1ZBrlRaUrfTUsBENunvGbyldqeqpmi0 Jm02Yd1AnUCW/BQUcANv46qyb2jw87z+RC5sIUdegN/ARXdH0sL66ugXf3jJnaHs lHPwQJy5EeD6kZTppYLU0vnuE7dPDPyPMMR80s0uzy1jxPz6NMDes3zVmB/uCInY Pm2T2FfMG/2Y7Sbf4LB4JBI8zBwI/J4FX2bANoFv2u89MDuOmY/iOcNR0GUelIyl k2FWcfd1Kbpx08CZfBMrAtF2Obxie/uOWwrIgWwZI4PVUNis6Nc7yhzQgFWHLK9u Etwj3UfSTQ== Received: from ala-exchng02.corp.ad.wrs.com ([128.224.246.37]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 4a96ym8d0b-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Fri, 07 Nov 2025 02:21:11 -0800 (PST) Received: from ala-exchng01.corp.ad.wrs.com (10.11.224.121) by ALA-EXCHNG02.corp.ad.wrs.com (10.11.224.122) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.61; Fri, 7 Nov 2025 02:21:11 -0800 Received: from blr-linux-engg1.wrs.com (10.11.232.110) by ala-exchng01.corp.ad.wrs.com (10.11.224.121) with Microsoft SMTP Server id 15.1.2507.61 via Frontend Transport; Fri, 7 Nov 2025 02:21:10 -0800 From: To: Subject: [oe-core][scarthgap][PATCH 4/7] go: fix CVE-2025-58189 Date: Fri, 7 Nov 2025 15:51:00 +0530 Message-ID: <20251107102103.436637-4-archana.polampalli@windriver.com> X-Mailer: git-send-email 2.40.0 In-Reply-To: <20251107102103.436637-1-archana.polampalli@windriver.com> References: <20251107102103.436637-1-archana.polampalli@windriver.com> MIME-Version: 1.0 X-Proofpoint-ORIG-GUID: by3xEN27GTn_mXQ3cEZ7YLaPCcqswqN7 X-Proofpoint-Spam-Details-Enc: AW1haW4tMjUxMTA3MDA4MyBTYWx0ZWRfX2nAd2U/1Gtt/ A+kYOhmyGjkHvOpcZRO5fYdcnnDTdWDIv9RV9CmEhqz9ps6VW3L8M9gTz2vjOMl7aDyxJmYe7Ss JtnTVwveOOEp+irdVQWxZwdzxKaoLd9GWL+b/F89lJjsmDEKIPxDktOF77/bR7rTuDQkR1FiAic XI5jhG16WTwEWIL2vTg9tHjAGUgBI4bjsCkhNTiHc96EroeXI15GEHFAANmhyQiGQuub1g9fFLd lhVMvNWjv+c3XP8g/w4oxzdWITgzkCfaP1AOqlYNWV3u0OdQwhZT0w4esz01jDGT2CxBHYrGTDN wQHp5PByMUUhpKcUsDyKmEHfb+CXMUTknTDccVUEAhq04sycYb4JPYieeDt8ACFgUmZq7fih6Qs gNJhL6CNXj+tRK83RqZ8PwL948OnXg== X-Proofpoint-GUID: by3xEN27GTn_mXQ3cEZ7YLaPCcqswqN7 X-Authority-Analysis: v=2.4 cv=NqPcssdJ c=1 sm=1 tr=0 ts=690dc817 cx=c_pps a=Lg6ja3A245NiLSnFpY5YKQ==:117 a=Lg6ja3A245NiLSnFpY5YKQ==:17 a=6UeiqGixMTsA:10 a=VkNPw1HP01LnGYTKEx00:22 a=Oh2cFVv5AAAA:8 a=NEAV23lmAAAA:8 a=t7CeM3EgAAAA:8 a=pM9yUfARAAAA:8 a=1XWaLZrsAAAA:8 a=1w1LfWAyAAAA:8 a=yhUri8FnAAAA:8 a=wXdO-bZgSI_5K8jihpEA:9 a=7KeoIwV6GZqOttXkcoxL:22 a=FdTzh2GWekK77mhwV6Dw:22 a=YH-7kEGJnRg4CV3apUU-:22 a=DTEug4J5-LymngTEnqh0:22 a=8nbOMqh3J4Vhtx036jbE:22 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1121,Hydra:6.1.9,FMLib:17.12.100.49 definitions=2025-11-07_02,2025-11-06_01,2025-10-01_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 suspectscore=0 impostorscore=0 lowpriorityscore=0 bulkscore=0 clxscore=1015 phishscore=0 adultscore=0 spamscore=0 malwarescore=0 priorityscore=1501 classifier=typeunknown authscore=0 authtc= authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.22.0-2510240001 definitions=main-2511070083 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 07 Nov 2025 10:21:19 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/226027 From: Archana Polampalli When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped. Signed-off-by: Archana Polampalli --- meta/recipes-devtools/go/go-1.22.12.inc | 1 + .../go/go/CVE-2025-58189.patch | 50 +++++++++++++++++++ 2 files changed, 51 insertions(+) create mode 100644 meta/recipes-devtools/go/go/CVE-2025-58189.patch diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc index b619fc48f4..1e4139148e 100644 --- a/meta/recipes-devtools/go/go-1.22.12.inc +++ b/meta/recipes-devtools/go/go-1.22.12.inc @@ -24,6 +24,7 @@ SRC_URI += "\ file://CVE-2025-58185.patch \ file://CVE-2025-58187.patch \ file://CVE-2025-58188.patch \ + file://CVE-2025-58189.patch \ " SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71" diff --git a/meta/recipes-devtools/go/go/CVE-2025-58189.patch b/meta/recipes-devtools/go/go/CVE-2025-58189.patch new file mode 100644 index 0000000000..4908cf6400 --- /dev/null +++ b/meta/recipes-devtools/go/go/CVE-2025-58189.patch @@ -0,0 +1,50 @@ +From 2e1e356e33b9c792a9643749a7626a1789197bb9 Mon Sep 17 00:00:00 2001 +From: Roland Shoemaker +Date: Mon, 29 Sep 2025 10:11:56 -0700 +Subject: [PATCH] crypto/tls: quote protocols in ALPN error message + +Quote the protocols sent by the client when returning the ALPN +negotiation error message. + +Fixes CVE-2025-58189 +Updates #75652 +Fixes #75660 + +Change-Id: Ie7b3a1ed0b6efcc1705b71f0f1e8417126661330 +Reviewed-on: https://go-review.googlesource.com/c/go/+/707776 +Auto-Submit: Roland Shoemaker +Reviewed-by: Neal Patel +Reviewed-by: Nicholas Husin +Auto-Submit: Nicholas Husin +Reviewed-by: Nicholas Husin +TryBot-Bypass: Roland Shoemaker +Reviewed-by: Daniel McCarney +(cherry picked from commit 4e9006a716533fe1c7ee08df02dfc73078f7dc19) +Reviewed-on: https://go-review.googlesource.com/c/go/+/708096 +LUCI-TryBot-Result: Go LUCI +Reviewed-by: Carlos Amedee + +CVE: CVE-2025-58189 + +Upstream-Status: Backport [https://github.com/golang/go/commit/2e1e356e33b9c792a9643749a7626a1789197bb9] + +Signed-off-by: Archana Polampalli +--- + src/crypto/tls/handshake_server.go | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/crypto/tls/handshake_server.go b/src/crypto/tls/handshake_server.go +index 4e84aa9..17b6891 100644 +--- a/src/crypto/tls/handshake_server.go ++++ b/src/crypto/tls/handshake_server.go +@@ -312,7 +312,7 @@ func negotiateALPN(serverProtos, clientProtos []string, quic bool) (string, erro + if http11fallback { + return "", nil + } +- return "", fmt.Errorf("tls: client requested unsupported application protocols (%s)", clientProtos) ++ return "", fmt.Errorf("tls: client requested unsupported application protocols (%q)", clientProtos) + } + + // supportsECDHE returns whether ECDHE key exchanges can be used with this +-- +2.40.0 From patchwork Fri Nov 7 10:21:01 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Polampalli, Archana" X-Patchwork-Id: 73931 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6262ECCFA1A for ; Fri, 7 Nov 2025 10:21:29 +0000 (UTC) Received: from mx0a-0064b401.pphosted.com (mx0a-0064b401.pphosted.com [205.220.166.238]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.8353.1762510873786398939 for ; Fri, 07 Nov 2025 02:21:13 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@windriver.com header.s=PPS06212021 header.b=q3zVzRi5; spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.166.238, mailfrom: prvs=3406543a8f=archana.polampalli@windriver.com) Received: from pps.filterd (m0250809.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.11/8.18.1.11) with ESMTP id 5A77nEd22041923 for ; Fri, 7 Nov 2025 02:21:13 -0800 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=windriver.com; h=content-transfer-encoding:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to; s=PPS06212021; bh=9JN4sIFs2q6R5vNb4UfiopIdbWLUCHy4BB0n+z8RTSA=; b=q3zVzRi56zjt Cv52awTO0rRdg8meQSCBwT7kCWep9/KZ3YnunjcgleD/L7UdQKUqJHidRZB2q59f TLeBA1L7JwSz4Jy+H4dOhqViOgY6hj4qx3g6297wH/Tk1UhjfASrzWDRwO4S595T mgHyB8u7EZRuXJtpgYEvvN+5R5Lxm6pr/uFzEWUj48O5sTxit256SadX1zYbzZVX o+toQx6OL1o1Z+eZXbF5taNmR7637ovzQmGiYJlW1YNSofe7KE3K0L8AleiW3VlQ Noe8cd2ovevcG4rh5uoYXKjEg+PI17loWY5ZK2cx15CuDM3EgJTouP+Y+5rDfWrU IpRFmg0trg== Received: from ala-exchng02.corp.ad.wrs.com ([128.224.246.37]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 4a975fgchr-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Fri, 07 Nov 2025 02:21:13 -0800 (PST) Received: from ala-exchng01.corp.ad.wrs.com (10.11.224.121) by ALA-EXCHNG02.corp.ad.wrs.com (10.11.224.122) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.61; Fri, 7 Nov 2025 02:21:12 -0800 Received: from blr-linux-engg1.wrs.com (10.11.232.110) by ala-exchng01.corp.ad.wrs.com (10.11.224.121) with Microsoft SMTP Server id 15.1.2507.61 via Frontend Transport; Fri, 7 Nov 2025 02:21:11 -0800 From: To: Subject: [oe-core][scarthgap][PATCH 5/7] go: fix CVE-2025-47912 Date: Fri, 7 Nov 2025 15:51:01 +0530 Message-ID: <20251107102103.436637-5-archana.polampalli@windriver.com> X-Mailer: git-send-email 2.40.0 In-Reply-To: <20251107102103.436637-1-archana.polampalli@windriver.com> References: <20251107102103.436637-1-archana.polampalli@windriver.com> MIME-Version: 1.0 X-Proofpoint-Spam-Details-Enc: AW1haW4tMjUxMTA3MDA4MyBTYWx0ZWRfX/+Ccq8aWhOtJ ZcLcZHPsVWWnSUpUf/9JzWa/34aZcltcZ9+PGGghT72OthvhGC6D8qKQUOAcPgwjr6kogtSiUql 5Sh35UOkYa/ZP9A827uge12VTqZay5qT7MEjUvWtUz/ulzRFHQacXaRDVTdwF4knjdI9hL69Uk7 Sr30h9Lh2K8z/kJcTVuWLoGWNZHwmCSRA525uqWV4Ef6r3HIHdhDPrh2KPhI4uBWaAtDFr3edg0 09o8Y8ysRDaPYPp7fW/XERVadhiYguiQh1I0IEPQ5+aLEuxTJT9hPA7jYeN7//+RdIFpVLkARbC J4BTrQoFvtBy2ZMNSG7v9rJi/yRMSC85uTn3odvRdJyOgOoiJyK5xAfuYfSUZ/aMfmn/rJ5QSks SlaaTygS9kpSmulimaXoqgtckjm68Q== X-Authority-Analysis: v=2.4 cv=MtVfKmae c=1 sm=1 tr=0 ts=690dc819 cx=c_pps a=Lg6ja3A245NiLSnFpY5YKQ==:117 a=Lg6ja3A245NiLSnFpY5YKQ==:17 a=6UeiqGixMTsA:10 a=VkNPw1HP01LnGYTKEx00:22 a=Oh2cFVv5AAAA:8 a=NEAV23lmAAAA:8 a=r6LF-9bVAAAA:8 a=Rnsd1d2pAAAA:8 a=t7CeM3EgAAAA:8 a=1XWaLZrsAAAA:8 a=pM9yUfARAAAA:8 a=BNKJNmVg3hzWodVNJTAA:9 a=6bh5H5uOXvuRkT0d:21 a=lqcHg5cX4UMA:10 a=s5zKW874KtQA:10 a=7KeoIwV6GZqOttXkcoxL:22 a=sL0kBDm1BSwOBZmmfnro:22 a=QqdcJgvOKW8-iKOPt_co:22 a=FdTzh2GWekK77mhwV6Dw:22 a=YH-7kEGJnRg4CV3apUU-:22 a=Soy3cZ2v3rD3IzUh-QDm:22 a=pHzHmUro8NiASowvMSCR:22 a=Ew2E2A-JSTLzCXPT_086:22 X-Proofpoint-GUID: 7GSoFGz7A7l885rwch0_t1nKDw62u222 X-Proofpoint-ORIG-GUID: 7GSoFGz7A7l885rwch0_t1nKDw62u222 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1121,Hydra:6.1.9,FMLib:17.12.100.49 definitions=2025-11-07_02,2025-11-06_01,2025-10-01_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 lowpriorityscore=0 adultscore=0 clxscore=1015 bulkscore=0 malwarescore=0 suspectscore=0 priorityscore=1501 impostorscore=0 phishscore=0 classifier=typeunknown authscore=0 authtc= authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.22.0-2510240001 definitions=main-2511070083 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 07 Nov 2025 10:21:29 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/226028 From: Archana Polampalli The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://[::1]/". IPv4 addresses and hostnames must not appear within square brackets. Parse did not enforce this requirement. Signed-off-by: Archana Polampalli --- meta/recipes-devtools/go/go-1.22.12.inc | 1 + .../go/go/CVE-2025-47912.patch | 226 ++++++++++++++++++ 2 files changed, 227 insertions(+) create mode 100644 meta/recipes-devtools/go/go/CVE-2025-47912.patch diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc index 1e4139148e..2be5c8b519 100644 --- a/meta/recipes-devtools/go/go-1.22.12.inc +++ b/meta/recipes-devtools/go/go-1.22.12.inc @@ -25,6 +25,7 @@ SRC_URI += "\ file://CVE-2025-58187.patch \ file://CVE-2025-58188.patch \ file://CVE-2025-58189.patch \ + file://CVE-2025-47912.patch \ " SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71" diff --git a/meta/recipes-devtools/go/go/CVE-2025-47912.patch b/meta/recipes-devtools/go/go/CVE-2025-47912.patch new file mode 100644 index 0000000000..bc63b323ca --- /dev/null +++ b/meta/recipes-devtools/go/go/CVE-2025-47912.patch @@ -0,0 +1,226 @@ +From d6d2f7bf76718f1db05461cd912ae5e30d7b77ea Mon Sep 17 00:00:00 2001 +From: Ethan Lee +Date: Fri, 29 Aug 2025 17:35:55 +0000 +Subject: [PATCH] [release-branch.go1.24] net/url: enforce stricter parsing of + + bracketed IPv6 hostnames - Previously, url.Parse did not enforce validation + of hostnames within square brackets. - RFC 3986 stipulates that only IPv6 + hostnames can be embedded within square brackets in a URL. - Now, the + parsing logic should strictly enforce that only IPv6 hostnames can be + resolved when in square brackets. IPv4, IPv4-mapped addresses and other + input will be rejected. - Update url_test to add test cases that cover the + above scenarios. + +Thanks to Enze Wang, Jingcheng Yang and Zehui Miao of Tsinghua +University for reporting this issue. + +Fixes CVE-2025-47912 +Fixes #75678 +Fixes #75712 + +Change-Id: Iaa41432bf0ee86de95a39a03adae5729e4deb46c +Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2680 +Reviewed-by: Damien Neil +Reviewed-by: Roland Shoemaker +Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2968 +Reviewed-by: Nicholas Husin +Reviewed-on: https://go-review.googlesource.com/c/go/+/709838 +TryBot-Bypass: Michael Pratt +Reviewed-by: Carlos Amedee +Auto-Submit: Michael Pratt + +CVE: CVE-2025-47912 + +Upstream-Status: Backport [https://github.com/golang/go/commit/d6d2f7bf76718f1db05461cd912ae5e30d7b77ea] + +Signed-off-by: Archana Polampalli +--- + src/go/build/deps_test.go | 9 ++++++--- + src/net/url/url.go | 42 +++++++++++++++++++++++++++++---------- + src/net/url/url_test.go | 39 ++++++++++++++++++++++++++++++++++++ + 3 files changed, 77 insertions(+), 13 deletions(-) + +diff --git a/src/go/build/deps_test.go b/src/go/build/deps_test.go +index 7ce8d34..9f2663f 100644 +--- a/src/go/build/deps_test.go ++++ b/src/go/build/deps_test.go +@@ -209,7 +209,6 @@ var depsRules = ` + internal/types/errors, + mime/quotedprintable, + net/internal/socktest, +- net/url, + runtime/trace, + text/scanner, + text/tabwriter; +@@ -252,6 +251,12 @@ var depsRules = ` + FMT + < text/template/parse; + ++ internal/bytealg, internal/itoa, math/bits, slices, strconv, unique ++ < net/netip; ++ ++ FMT, net/netip ++ < net/url; ++ + net/url, text/template/parse + < text/template + < internal/lazytemplate; +@@ -367,8 +372,6 @@ var depsRules = ` + internal/godebug + < internal/intern; + +- internal/bytealg, internal/intern, internal/itoa, math/bits, sort, strconv +- < net/netip; + + # net is unavoidable when doing any networking, + # so large dependencies must be kept out. +diff --git a/src/net/url/url.go b/src/net/url/url.go +index f362958..d2ae032 100644 +--- a/src/net/url/url.go ++++ b/src/net/url/url.go +@@ -13,6 +13,7 @@ package url + import ( + "errors" + "fmt" ++ "net/netip" + "path" + "sort" + "strconv" +@@ -621,40 +622,61 @@ func parseAuthority(authority string) (user *Userinfo, host string, err error) { + // parseHost parses host as an authority without user + // information. That is, as host[:port]. + func parseHost(host string) (string, error) { +- if strings.HasPrefix(host, "[") { ++ if openBracketIdx := strings.LastIndex(host, "["); openBracketIdx != -1 { + // Parse an IP-Literal in RFC 3986 and RFC 6874. + // E.g., "[fe80::1]", "[fe80::1%25en0]", "[fe80::1]:80". +- i := strings.LastIndex(host, "]") +- if i < 0 { ++ closeBracketIdx := strings.LastIndex(host, "]") ++ if closeBracketIdx < 0 { + return "", errors.New("missing ']' in host") + } +- colonPort := host[i+1:] ++ ++ colonPort := host[closeBracketIdx+1:] + if !validOptionalPort(colonPort) { + return "", fmt.Errorf("invalid port %q after host", colonPort) + } ++ unescapedColonPort, err := unescape(colonPort, encodeHost) ++ if err != nil { ++ return "", err ++ } + ++ hostname := host[openBracketIdx+1 : closeBracketIdx] ++ var unescapedHostname string + // RFC 6874 defines that %25 (%-encoded percent) introduces + // the zone identifier, and the zone identifier can use basically + // any %-encoding it likes. That's different from the host, which + // can only %-encode non-ASCII bytes. + // We do impose some restrictions on the zone, to avoid stupidity + // like newlines. +- zone := strings.Index(host[:i], "%25") +- if zone >= 0 { +- host1, err := unescape(host[:zone], encodeHost) ++ zoneIdx := strings.Index(hostname, "%25") ++ if zoneIdx >= 0 { ++ hostPart, err := unescape(hostname[:zoneIdx], encodeHost) + if err != nil { + return "", err + } +- host2, err := unescape(host[zone:i], encodeZone) ++ zonePart, err := unescape(hostname[zoneIdx:], encodeZone) + if err != nil { + return "", err + } +- host3, err := unescape(host[i:], encodeHost) ++ unescapedHostname = hostPart + zonePart ++ } else { ++ var err error ++ unescapedHostname, err = unescape(hostname, encodeHost) + if err != nil { + return "", err + } +- return host1 + host2 + host3, nil + } ++ ++ // Per RFC 3986, only a host identified by a valid ++ // IPv6 address can be enclosed by square brackets. ++ // This excludes any IPv4 or IPv4-mapped addresses. ++ addr, err := netip.ParseAddr(unescapedHostname) ++ if err != nil { ++ return "", fmt.Errorf("invalid host: %w", err) ++ } ++ if addr.Is4() || addr.Is4In6() { ++ return "", errors.New("invalid IPv6 host") ++ } ++ return "[" + unescapedHostname + "]" + unescapedColonPort, nil + } else if i := strings.LastIndex(host, ":"); i != -1 { + colonPort := host[i:] + if !validOptionalPort(colonPort) { +diff --git a/src/net/url/url_test.go b/src/net/url/url_test.go +index 4aa20bb..fef236e 100644 +--- a/src/net/url/url_test.go ++++ b/src/net/url/url_test.go +@@ -383,6 +383,16 @@ var urltests = []URLTest{ + }, + "", + }, ++ // valid IPv6 host with port and path ++ { ++ "https://[2001:db8::1]:8443/test/path", ++ &URL{ ++ Scheme: "https", ++ Host: "[2001:db8::1]:8443", ++ Path: "/test/path", ++ }, ++ "", ++ }, + // host subcomponent; IPv6 address with zone identifier in RFC 6874 + { + "http://[fe80::1%25en0]/", // alphanum zone identifier +@@ -707,6 +717,24 @@ var parseRequestURLTests = []struct { + // RFC 6874. + {"http://[fe80::1%en0]/", false}, + {"http://[fe80::1%en0]:8080/", false}, ++ ++ // Tests exercising RFC 3986 compliance ++ {"https://[1:2:3:4:5:6:7:8]", true}, // full IPv6 address ++ {"https://[2001:db8::a:b:c:d]", true}, // compressed IPv6 address ++ {"https://[fe80::1%25eth0]", true}, // link-local address with zone ID (interface name) ++ {"https://[fe80::abc:def%254]", true}, // link-local address with zone ID (interface index) ++ {"https://[2001:db8::1]/path", true}, // compressed IPv6 address with path ++ {"https://[fe80::1%25eth0]/path?query=1", true}, // link-local with zone, path, and query ++ ++ {"https://[::ffff:192.0.2.1]", false}, ++ {"https://[:1] ", false}, ++ {"https://[1:2:3:4:5:6:7:8:9]", false}, ++ {"https://[1::1::1]", false}, ++ {"https://[1:2:3:]", false}, ++ {"https://[ffff::127.0.0.4000]", false}, ++ {"https://[0:0::test.com]:80", false}, ++ {"https://[2001:db8::test.com]", false}, ++ {"https://[test.com]", false}, + } + + func TestParseRequestURI(t *testing.T) { +@@ -1635,6 +1663,17 @@ func TestParseErrors(t *testing.T) { + {"cache_object:foo", true}, + {"cache_object:foo/bar", true}, + {"cache_object/:foo/bar", false}, ++ ++ {"http://[192.168.0.1]/", true}, // IPv4 in brackets ++ {"http://[192.168.0.1]:8080/", true}, // IPv4 in brackets with port ++ {"http://[::ffff:192.168.0.1]/", true}, // IPv4-mapped IPv6 in brackets ++ {"http://[::ffff:192.168.0.1]:8080/", true}, // IPv4-mapped IPv6 in brackets with port ++ {"http://[::ffff:c0a8:1]/", true}, // IPv4-mapped IPv6 in brackets (hex) ++ {"http://[not-an-ip]/", true}, // invalid IP string in brackets ++ {"http://[fe80::1%foo]/", true}, // invalid zone format in brackets ++ {"http://[fe80::1", true}, // missing closing bracket ++ {"http://fe80::1]/", true}, // missing opening bracket ++ {"http://[test.com]/", true}, // domain name in brackets + } + for _, tt := range tests { + u, err := Parse(tt.in) +-- +2.40.0 From patchwork Fri Nov 7 10:21:02 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Polampalli, Archana" X-Patchwork-Id: 73928 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 62927CCF9F8 for ; Fri, 7 Nov 2025 10:21:19 +0000 (UTC) Received: from mx0a-0064b401.pphosted.com (mx0a-0064b401.pphosted.com [205.220.166.238]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.8262.1762510875063997941 for ; Fri, 07 Nov 2025 02:21:15 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@windriver.com header.s=PPS06212021 header.b=pU6sUJP+; spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.166.238, mailfrom: prvs=3406543a8f=archana.polampalli@windriver.com) Received: from pps.filterd (m0250809.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.11/8.18.1.11) with ESMTP id 5A77nEd32041923 for ; Fri, 7 Nov 2025 02:21:14 -0800 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=windriver.com; h=content-transfer-encoding:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to; s=PPS06212021; bh=CrVWfBVR47AFQZUdqj7cTCsQOlvp2rZJhZoG1/AKmbo=; b=pU6sUJP+JnvR /O+NooOvcqJJw+Qdxze+5CpsGQe0fZ+4VlShnlEH1mk7GWM8ShII4Ks+DNQNYori gachh3QZ+9NSDQ3KQHQEBFaOORHrk/6th/mfV1DdyYMC3rXSXmbu9hSk6K3VxEQk c3+v4vhErGkkOO1u4fiuKuEUAzHkt2+zIOH0A6J9BHDp1eov+2hdnDcWExRuOtfv Q7L7F8I0Bu+yMRN5DBJus75smWGTpwNk/pMCtLxgf4xNxemZXf38mWnTcznJjNgO OiJ6gFWpJHDKK/BMEusHBubLvHw14R9QhS5ps+3C31TA7Zu4jeFfBD3tvWHo9IBZ 8KkD3x274g== Received: from ala-exchng02.corp.ad.wrs.com ([128.224.246.37]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 4a975fgchs-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Fri, 07 Nov 2025 02:21:14 -0800 (PST) Received: from ala-exchng01.corp.ad.wrs.com (10.11.224.121) by ALA-EXCHNG02.corp.ad.wrs.com (10.11.224.122) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.61; Fri, 7 Nov 2025 02:21:14 -0800 Received: from blr-linux-engg1.wrs.com (10.11.232.110) by ala-exchng01.corp.ad.wrs.com (10.11.224.121) with Microsoft SMTP Server id 15.1.2507.61 via Frontend Transport; Fri, 7 Nov 2025 02:21:13 -0800 From: To: Subject: [oe-core][scarthgap][PATCH 6/7] go: fix CVE-2025-61723 Date: Fri, 7 Nov 2025 15:51:02 +0530 Message-ID: <20251107102103.436637-6-archana.polampalli@windriver.com> X-Mailer: git-send-email 2.40.0 In-Reply-To: <20251107102103.436637-1-archana.polampalli@windriver.com> References: <20251107102103.436637-1-archana.polampalli@windriver.com> MIME-Version: 1.0 X-Proofpoint-Spam-Details-Enc: AW1haW4tMjUxMTA3MDA4MyBTYWx0ZWRfX6P3XXR/QlTDs Jg2tlDiMB/di0kNKeoTJTiP53ENWlFkq+MAg3E2TbNR3bwx3hvNSEhP5aill0JW6JxULOi4U7ha dmUQhsv+sQeE63bwUTFg4Rrq89Eu5xnOtNE3qB8a16W71RIDk+IsEVVpY7OVo+VDEkcFjxWTXN6 7lDHYy3bU8AeZwxK0ql+o+3HmDYKdH7A/lvYc16Snr0vId6M8pQLlkvZXCw/8NXRMaZIby7si44 gD9l6rSTdB55B3zS5lP5eMBZ6O3SDLQ7tCddbSEuPEIfmpKLBipzT3uzO5H+1Syf22pCVbwY6Ua rNov+bKC0Khw6LqAMOJn4xv0DTME/xjc50rXqKbD/RnFaO0Fy+8tJf4aNmFYRVQzCHnQMwrOgTT za816pYCpV3PgHy9CgFFDC9H846s4Q== X-Authority-Analysis: v=2.4 cv=MtVfKmae c=1 sm=1 tr=0 ts=690dc81a cx=c_pps a=Lg6ja3A245NiLSnFpY5YKQ==:117 a=Lg6ja3A245NiLSnFpY5YKQ==:17 a=6UeiqGixMTsA:10 a=VkNPw1HP01LnGYTKEx00:22 a=Oh2cFVv5AAAA:8 a=NEAV23lmAAAA:8 a=t7CeM3EgAAAA:8 a=1XWaLZrsAAAA:8 a=pM9yUfARAAAA:8 a=GoZSH2nYNUFIAvPklPcA:9 a=7KeoIwV6GZqOttXkcoxL:22 a=FdTzh2GWekK77mhwV6Dw:22 a=YH-7kEGJnRg4CV3apUU-:22 X-Proofpoint-GUID: _ni9UdzK717Q5TzfavnBHVvi80iccOCO X-Proofpoint-ORIG-GUID: _ni9UdzK717Q5TzfavnBHVvi80iccOCO X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1121,Hydra:6.1.9,FMLib:17.12.100.49 definitions=2025-11-07_02,2025-11-06_01,2025-10-01_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 lowpriorityscore=0 adultscore=0 clxscore=1015 bulkscore=0 malwarescore=0 suspectscore=0 priorityscore=1501 impostorscore=0 phishscore=0 classifier=typeunknown authscore=0 authtc= authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.22.0-2510240001 definitions=main-2511070083 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 07 Nov 2025 10:21:19 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/226029 From: Archana Polampalli The processing time for parsing some invalid inputs scales non-linearly with respect to the size of the input. This affects programs which parse untrusted PEM inputs. Signed-off-by: Archana Polampalli --- meta/recipes-devtools/go/go-1.22.12.inc | 1 + .../go/go/CVE-2025-61723.patch | 223 ++++++++++++++++++ 2 files changed, 224 insertions(+) create mode 100644 meta/recipes-devtools/go/go/CVE-2025-61723.patch diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc index 2be5c8b519..9996cfb870 100644 --- a/meta/recipes-devtools/go/go-1.22.12.inc +++ b/meta/recipes-devtools/go/go-1.22.12.inc @@ -26,6 +26,7 @@ SRC_URI += "\ file://CVE-2025-58188.patch \ file://CVE-2025-58189.patch \ file://CVE-2025-47912.patch \ + file://CVE-2025-61723.patch \ " SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71" diff --git a/meta/recipes-devtools/go/go/CVE-2025-61723.patch b/meta/recipes-devtools/go/go/CVE-2025-61723.patch new file mode 100644 index 0000000000..b1664e701d --- /dev/null +++ b/meta/recipes-devtools/go/go/CVE-2025-61723.patch @@ -0,0 +1,223 @@ +From 74d4d836b91318a8764b94bc2b4b66ff599eb5f2 Mon Sep 17 00:00:00 2001 +From: Roland Shoemaker +Date: Tue, 30 Sep 2025 11:16:56 -0700 +Subject: [PATCH] encoding/pem: make Decode complexity linear + +Because Decode scanned the input first for the first BEGIN line, and +then the first END line, the complexity of Decode is quadratic. If the +input contained a large number of BEGINs and then a single END right at +the end of the input, we would find the first BEGIN, and then scan the +entire input for the END, and fail to parse the block, so move onto the +next BEGIN, scan the entire input for the END, etc. + +Instead, look for the first END in the input, and then the first BEGIN +that precedes the found END. We then process the bytes between the BEGIN +and END, and move onto the bytes after the END for further processing. +This gives us linear complexity. + +Fixes CVE-2025-61723 +For #75676 +Fixes #75708 + +Change-Id: I813c4f63e78bca4054226c53e13865c781564ccf +Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2921 +Reviewed-by: Nicholas Husin +Reviewed-by: Damien Neil +Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2986 +Reviewed-on: https://go-review.googlesource.com/c/go/+/709842 +TryBot-Bypass: Michael Pratt +Auto-Submit: Michael Pratt +Reviewed-by: Carlos Amedee + +CVE: CVE-2025-61723 + +Upstream-Status: Backport [https://github.com/golang/go/commit/74d4d836b91318a8764b94bc2b4b66ff599eb5f2] + +Signed-off-by: Archana Polampalli +--- + src/encoding/pem/pem.go | 67 ++++++++++++++++++++---------------- + src/encoding/pem/pem_test.go | 13 +++---- + 2 files changed, 44 insertions(+), 36 deletions(-) + +diff --git a/src/encoding/pem/pem.go b/src/encoding/pem/pem.go +index 4b4f749..d365012 100644 +--- a/src/encoding/pem/pem.go ++++ b/src/encoding/pem/pem.go +@@ -37,7 +37,7 @@ type Block struct { + // line bytes. The remainder of the byte array (also not including the new line + // bytes) is also returned and this will always be smaller than the original + // argument. +-func getLine(data []byte) (line, rest []byte) { ++func getLine(data []byte) (line, rest []byte, consumed int) { + i := bytes.IndexByte(data, '\n') + var j int + if i < 0 { +@@ -49,7 +49,7 @@ func getLine(data []byte) (line, rest []byte) { + i-- + } + } +- return bytes.TrimRight(data[0:i], " \t"), data[j:] ++ return bytes.TrimRight(data[0:i], " \t"), data[j:], j + } + + // removeSpacesAndTabs returns a copy of its input with all spaces and tabs +@@ -90,20 +90,32 @@ func Decode(data []byte) (p *Block, rest []byte) { + // pemStart begins with a newline. However, at the very beginning of + // the byte array, we'll accept the start string without it. + rest = data ++ + for { +- if bytes.HasPrefix(rest, pemStart[1:]) { +- rest = rest[len(pemStart)-1:] +- } else if _, after, ok := bytes.Cut(rest, pemStart); ok { +- rest = after +- } else { ++ // Find the first END line, and then find the last BEGIN line before ++ // the end line. This lets us skip any repeated BEGIN lines that don't ++ // have a matching END. ++ endIndex := bytes.Index(rest, pemEnd) ++ if endIndex < 0 { ++ return nil, data ++ } ++ endTrailerIndex := endIndex + len(pemEnd) ++ beginIndex := bytes.LastIndex(rest[:endIndex], pemStart[1:]) ++ if beginIndex < 0 || beginIndex > 0 && rest[beginIndex-1] != '\n' { + return nil, data + } ++ rest = rest[beginIndex+len(pemStart)-1:] ++ endIndex -= beginIndex + len(pemStart) - 1 ++ endTrailerIndex -= beginIndex + len(pemStart) - 1 + + var typeLine []byte +- typeLine, rest = getLine(rest) ++ var consumed int ++ typeLine, rest, consumed = getLine(rest) + if !bytes.HasSuffix(typeLine, pemEndOfLine) { + continue + } ++ endIndex -= consumed ++ endTrailerIndex -= consumed + typeLine = typeLine[0 : len(typeLine)-len(pemEndOfLine)] + + p = &Block{ +@@ -117,7 +129,7 @@ func Decode(data []byte) (p *Block, rest []byte) { + if len(rest) == 0 { + return nil, data + } +- line, next := getLine(rest) ++ line, next, consumed := getLine(rest) + + key, val, ok := bytes.Cut(line, colon) + if !ok { +@@ -129,21 +141,13 @@ func Decode(data []byte) (p *Block, rest []byte) { + val = bytes.TrimSpace(val) + p.Headers[string(key)] = string(val) + rest = next ++ endIndex -= consumed ++ endTrailerIndex -= consumed + } + +- var endIndex, endTrailerIndex int +- +- // If there were no headers, the END line might occur +- // immediately, without a leading newline. +- if len(p.Headers) == 0 && bytes.HasPrefix(rest, pemEnd[1:]) { +- endIndex = 0 +- endTrailerIndex = len(pemEnd) - 1 +- } else { +- endIndex = bytes.Index(rest, pemEnd) +- endTrailerIndex = endIndex + len(pemEnd) +- } +- +- if endIndex < 0 { ++ // If there were headers, there must be a newline between the headers ++ // and the END line, so endIndex should be >= 0. ++ if len(p.Headers) > 0 && endIndex < 0 { + continue + } + +@@ -163,21 +167,24 @@ func Decode(data []byte) (p *Block, rest []byte) { + } + + // The line must end with only whitespace. +- if s, _ := getLine(restOfEndLine); len(s) != 0 { ++ if s, _, _ := getLine(restOfEndLine); len(s) != 0 { + continue + } + +- base64Data := removeSpacesAndTabs(rest[:endIndex]) +- p.Bytes = make([]byte, base64.StdEncoding.DecodedLen(len(base64Data))) +- n, err := base64.StdEncoding.Decode(p.Bytes, base64Data) +- if err != nil { +- continue ++ p.Bytes = []byte{} ++ if endIndex > 0 { ++ base64Data := removeSpacesAndTabs(rest[:endIndex]) ++ p.Bytes = make([]byte, base64.StdEncoding.DecodedLen(len(base64Data))) ++ n, err := base64.StdEncoding.Decode(p.Bytes, base64Data) ++ if err != nil { ++ continue ++ } ++ p.Bytes = p.Bytes[:n] + } +- p.Bytes = p.Bytes[:n] + + // the -1 is because we might have only matched pemEnd without the + // leading newline if the PEM block was empty. +- _, rest = getLine(rest[endIndex+len(pemEnd)-1:]) ++ _, rest, _ = getLine(rest[endIndex+len(pemEnd)-1:]) + return p, rest + } + } +diff --git a/src/encoding/pem/pem_test.go b/src/encoding/pem/pem_test.go +index 56a7754..7025277 100644 +--- a/src/encoding/pem/pem_test.go ++++ b/src/encoding/pem/pem_test.go +@@ -34,7 +34,7 @@ var getLineTests = []GetLineTest{ + + func TestGetLine(t *testing.T) { + for i, test := range getLineTests { +- x, y := getLine([]byte(test.in)) ++ x, y, _ := getLine([]byte(test.in)) + if string(x) != test.out1 || string(y) != test.out2 { + t.Errorf("#%d got:%+v,%+v want:%s,%s", i, x, y, test.out1, test.out2) + } +@@ -46,6 +46,7 @@ func TestDecode(t *testing.T) { + if !reflect.DeepEqual(result, certificate) { + t.Errorf("#0 got:%#v want:%#v", result, certificate) + } ++ + result, remainder = Decode(remainder) + if !reflect.DeepEqual(result, privateKey) { + t.Errorf("#1 got:%#v want:%#v", result, privateKey) +@@ -68,7 +69,7 @@ func TestDecode(t *testing.T) { + } + + result, remainder = Decode(remainder) +- if result == nil || result.Type != "HEADERS" || len(result.Headers) != 1 { ++ if result == nil || result.Type != "VALID HEADERS" || len(result.Headers) != 1 { + t.Errorf("#5 expected single header block but got :%v", result) + } + +@@ -381,15 +382,15 @@ ZWAaUoVtWIQ52aKS0p19G99hhb+IVANC4akkdHV4SP8i7MVNZhfUmg== + + # This shouldn't be recognised because of the missing newline after the + headers. +------BEGIN HEADERS----- ++-----BEGIN INVALID HEADERS----- + Header: 1 +------END HEADERS----- ++-----END INVALID HEADERS----- + + # This should be valid, however. +------BEGIN HEADERS----- ++-----BEGIN VALID HEADERS----- + Header: 1 + +------END HEADERS-----`) ++-----END VALID HEADERS-----`) + + var certificate = &Block{Type: "CERTIFICATE", + Headers: map[string]string{}, +-- +2.40.0 From patchwork Fri Nov 7 10:21:03 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Polampalli, Archana" X-Patchwork-Id: 73930 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5CF62CCFA05 for ; Fri, 7 Nov 2025 10:21:29 +0000 (UTC) Received: from mx0a-0064b401.pphosted.com (mx0a-0064b401.pphosted.com [205.220.166.238]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.8354.1762510876909943628 for ; Fri, 07 Nov 2025 02:21:16 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@windriver.com header.s=PPS06212021 header.b=US94t9jr; spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.166.238, mailfrom: prvs=3406543a8f=archana.polampalli@windriver.com) Received: from pps.filterd (m0250810.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.11/8.18.1.11) with ESMTP id 5A74vOHP2487900 for ; Fri, 7 Nov 2025 02:21:16 -0800 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=windriver.com; h=content-transfer-encoding:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to; s=PPS06212021; bh=DeNFBHTLujcieQvRczOnSJHYAkGpaHc1MyPPrlhlgOs=; b=US94t9jrBBYq ndufgYFy2fD9eK2DXfE96lXYi9Wz99Xjb+ya0W79DTZCe7fEd7RcihDc9i+rx/D4 VxI0xB+sPtxaG4XOioPgGKqRC7gfkwTT3j+fpxwnCFnULkoWp60d4KttbQZwlOT/ ZZdUpxZnufYdTosnGMpdv98uC+HbZPP7llqDblefzViPlu7W66c5Petmlllcsqc7 FhGWgt+wONMvWjeF4hLKCfGzmLRK45JiKcdjWuLmOpm7OWuecmZ+C2ZHyvqhpJdB voMQ9aW068uy30/zBHQ8QErO13i/65FNjqYfSSpIpCSQkr1vHTdhtbdzvOTXHw9P gri2uMZpeA== Received: from ala-exchng02.corp.ad.wrs.com ([128.224.246.37]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 4a96ym8d0d-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Fri, 07 Nov 2025 02:21:16 -0800 (PST) Received: from ala-exchng01.corp.ad.wrs.com (10.11.224.121) by ALA-EXCHNG02.corp.ad.wrs.com (10.11.224.122) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.61; Fri, 7 Nov 2025 02:21:15 -0800 Received: from blr-linux-engg1.wrs.com (10.11.232.110) by ala-exchng01.corp.ad.wrs.com (10.11.224.121) with Microsoft SMTP Server id 15.1.2507.61 via Frontend Transport; Fri, 7 Nov 2025 02:21:14 -0800 From: To: Subject: [oe-core][scarthgap][PATCH 7/7] go: fix CVE-2025-61724 Date: Fri, 7 Nov 2025 15:51:03 +0530 Message-ID: <20251107102103.436637-7-archana.polampalli@windriver.com> X-Mailer: git-send-email 2.40.0 In-Reply-To: <20251107102103.436637-1-archana.polampalli@windriver.com> References: <20251107102103.436637-1-archana.polampalli@windriver.com> MIME-Version: 1.0 X-Proofpoint-ORIG-GUID: ek7T1N6fMWDRpcOhSxUYyBpmacI2_YvK X-Proofpoint-Spam-Details-Enc: AW1haW4tMjUxMTA3MDA4MyBTYWx0ZWRfXw0bh6K/d5ci9 pO2bym1jGaeLIG9FpV2UG9FHu8m6/J8N8Sj/8rhW3XzaQ9wr2Puudy2p7Qw2XVmWP1kddGtqNrG pfvMxWxMyvBjd+wRNRWbZ20/CyJEhQyLK+UJIrCwwmH+nY2Hn/Hiv4yePkazvR2hp0rwVcJViZE tL8BzNoiF4F75bVISje6vWZCss8Y8YzXvHSFkauWy++0PxWzsGU5R9hLPD/vESnM9HMsmew68U9 KlC5IPCvxfDLx7SiNGkBVwfqOKsFQtmCBui45aiiJQM958nUbihPISaDISI3QWqsxWKJloiK1+6 TpN7sZYWVI3eBuWqOC2zm9elmlqDxL/C7u/flbmLzvI583eXBkmGMXImt8fwalYgCxoLVBdaizS yzgk4q72Oiu5JATaNa0bG/8EScG5RQ== X-Proofpoint-GUID: ek7T1N6fMWDRpcOhSxUYyBpmacI2_YvK X-Authority-Analysis: v=2.4 cv=NqPcssdJ c=1 sm=1 tr=0 ts=690dc81c cx=c_pps a=Lg6ja3A245NiLSnFpY5YKQ==:117 a=Lg6ja3A245NiLSnFpY5YKQ==:17 a=6UeiqGixMTsA:10 a=VkNPw1HP01LnGYTKEx00:22 a=Oh2cFVv5AAAA:8 a=NEAV23lmAAAA:8 a=t7CeM3EgAAAA:8 a=1XWaLZrsAAAA:8 a=pM9yUfARAAAA:8 a=UGZXEnhljDJq2poRytIA:9 a=7KeoIwV6GZqOttXkcoxL:22 a=FdTzh2GWekK77mhwV6Dw:22 a=YH-7kEGJnRg4CV3apUU-:22 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1121,Hydra:6.1.9,FMLib:17.12.100.49 definitions=2025-11-07_02,2025-11-06_01,2025-10-01_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 suspectscore=0 impostorscore=0 lowpriorityscore=0 bulkscore=0 clxscore=1015 phishscore=0 adultscore=0 spamscore=0 malwarescore=0 priorityscore=1501 classifier=typeunknown authscore=0 authtc= authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.22.0-2510240001 definitions=main-2511070083 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 07 Nov 2025 10:21:29 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/226030 From: Archana Polampalli The Reader.ReadResponse function constructs a response string through repeated string concatenation of lines. When the number of lines in a response is large, this can cause excessive CPU consumption. Signed-off-by: Archana Polampalli --- meta/recipes-devtools/go/go-1.22.12.inc | 1 + .../go/go/CVE-2025-61724.patch | 75 +++++++++++++++++++ 2 files changed, 76 insertions(+) create mode 100644 meta/recipes-devtools/go/go/CVE-2025-61724.patch diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc index 9996cfb870..825b8f4d68 100644 --- a/meta/recipes-devtools/go/go-1.22.12.inc +++ b/meta/recipes-devtools/go/go-1.22.12.inc @@ -27,6 +27,7 @@ SRC_URI += "\ file://CVE-2025-58189.patch \ file://CVE-2025-47912.patch \ file://CVE-2025-61723.patch \ + file://CVE-2025-61724.patch \ " SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71" diff --git a/meta/recipes-devtools/go/go/CVE-2025-61724.patch b/meta/recipes-devtools/go/go/CVE-2025-61724.patch new file mode 100644 index 0000000000..a91c24508e --- /dev/null +++ b/meta/recipes-devtools/go/go/CVE-2025-61724.patch @@ -0,0 +1,75 @@ +From a402f4ad285514f5f3db90516d72047d591b307a Mon Sep 17 00:00:00 2001 +From: Damien Neil +Date: Tue, 30 Sep 2025 15:11:16 -0700 +Subject: [PATCH] net/textproto: avoid quadratic complexity in + Reader.ReadResponse + +Reader.ReadResponse constructed a response string from repeated +string concatenation, permitting a malicious sender to cause excessive +memory allocation and CPU consumption by sending a response consisting +of many short lines. + +Use a strings.Builder to construct the string instead. + +Thanks to Jakub Ciolek for reporting this issue. + +Fixes CVE-2025-61724 +For #75716 +Fixes #75717 + +Change-Id: I1a98ce85a21b830cb25799f9ac9333a67400d736 +Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2940 +Reviewed-by: Roland Shoemaker +Reviewed-by: Nicholas Husin +Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2980 +Reviewed-by: Damien Neil +Reviewed-on: https://go-review.googlesource.com/c/go/+/709837 +Reviewed-by: Carlos Amedee +TryBot-Bypass: Michael Pratt +Auto-Submit: Michael Pratt + +CVE: CVE-2025-61724 + +Upstream-Status: Backport [https://github.com/golang/go/commit/a402f4ad285514f5f3db90516d72047d591b307a] + +Signed-off-by: Archana Polampalli +--- + src/net/textproto/reader.go | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/src/net/textproto/reader.go b/src/net/textproto/reader.go +index 7930211..0027efe 100644 +--- a/src/net/textproto/reader.go ++++ b/src/net/textproto/reader.go +@@ -283,8 +283,10 @@ func (r *Reader) ReadCodeLine(expectCode int) (code int, message string, err err + // + // An expectCode <= 0 disables the check of the status code. + func (r *Reader) ReadResponse(expectCode int) (code int, message string, err error) { +- code, continued, message, err := r.readCodeLine(expectCode) ++ code, continued, first, err := r.readCodeLine(expectCode) + multi := continued ++ var messageBuilder strings.Builder ++ messageBuilder.WriteString(first) + for continued { + line, err := r.ReadLine() + if err != nil { +@@ -295,12 +297,15 @@ func (r *Reader) ReadResponse(expectCode int) (code int, message string, err err + var moreMessage string + code2, continued, moreMessage, err = parseCodeLine(line, 0) + if err != nil || code2 != code { +- message += "\n" + strings.TrimRight(line, "\r\n") ++ messageBuilder.WriteByte('\n') ++ messageBuilder.WriteString(strings.TrimRight(line, "\r\n")) + continued = true + continue + } +- message += "\n" + moreMessage ++ messageBuilder.WriteByte('\n') ++ messageBuilder.WriteString(moreMessage) + } ++ message = messageBuilder.String() + if err != nil && multi && message != "" { + // replace one line error message with all lines (full message) + err = &Error{code, message} +-- +2.40.0