From patchwork Fri Nov 28 16:07:56 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Polampalli, Archana" X-Patchwork-Id: 75555 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7C071D116F1 for ; Fri, 28 Nov 2025 16:08:11 +0000 (UTC) Received: from mx0b-0064b401.pphosted.com (mx0b-0064b401.pphosted.com [205.220.178.238]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.19469.1764346086765880137 for ; Fri, 28 Nov 2025 08:08:06 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@windriver.com header.s=PPS06212021 header.b=nfHUNfEh; spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.178.238, mailfrom: prvs=4427058972=archana.polampalli@windriver.com) Received: from pps.filterd (m0250812.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.11/8.18.1.11) with ESMTP id 5ASDlRMQ036400 for ; Fri, 28 Nov 2025 16:08:05 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=windriver.com; h=content-transfer-encoding:content-type:date:from:message-id :mime-version:subject:to; s=PPS06212021; bh=1WrgocrMPCmfqq/VYH/G XQQ2x3UUWM3+iRyUDz9x9ek=; b=nfHUNfEh2AAFyAekscCMVuLqU1fvRDrRQM57 72RnLSze0MxGn8MgLUVXH7Iu6HLJvZCYEcy17GXQ888IA1U4txOFED1VzG9lcn+y KYYl/AO6mRv+VfXFds5hkDYG6f/KVHntddFrIKWneggJWQ1Me4fbk6IKKePcbhxh cmg3g3ngPoNFq+LwW1Tqn1OdWs/30to6rl5xpc6WzrGQusE60ra5MpAUv4ophvnF wKRbMmdfkv33i3pFIUeACwj3AKKUobxa9BkLugU99NiwjWtU/L8zBV6gP4f9z1wV H/rkl1IHpYqPXH6JYeghZsYJi31QOFvGuI1rvV7uDh67axU/XA== Received: from ala-exchng01.corp.ad.wrs.com ([128.224.246.36]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 4ak455q2dk-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Fri, 28 Nov 2025 16:08:05 +0000 (GMT) Received: from ala-exchng01.corp.ad.wrs.com (10.11.224.121) by ala-exchng01.corp.ad.wrs.com (10.11.224.121) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.61; Fri, 28 Nov 2025 08:08:03 -0800 Received: from blr-linux-engg1.wrs.com (10.11.232.110) by ala-exchng01.corp.ad.wrs.com (10.11.224.121) with Microsoft SMTP Server id 15.1.2507.61 via Frontend Transport; Fri, 28 Nov 2025 08:08:02 -0800 From: To: Subject: [oe-core][kirkstone][PATCH 1/4] go: fix CVE-2025-58187 Date: Fri, 28 Nov 2025 21:37:56 +0530 Message-ID: <20251128160759.331036-1-archana.polampalli@windriver.com> X-Mailer: git-send-email 2.40.0 MIME-Version: 1.0 X-Proofpoint-ORIG-GUID: g4BrGTRbYZSlj5l4wAFwEVaMD2fDeqbQ X-Proofpoint-GUID: g4BrGTRbYZSlj5l4wAFwEVaMD2fDeqbQ X-Authority-Analysis: v=2.4 cv=T6eBjvKQ c=1 sm=1 tr=0 ts=6929c8e5 cx=c_pps a=AbJuCvi4Y3V6hpbCNWx0WA==:117 a=AbJuCvi4Y3V6hpbCNWx0WA==:17 a=6UeiqGixMTsA:10 a=VkNPw1HP01LnGYTKEx00:22 a=pM9yUfARAAAA:8 a=Oh2cFVv5AAAA:8 a=NEAV23lmAAAA:8 a=t7CeM3EgAAAA:8 a=1XWaLZrsAAAA:8 a=A1X0JdhQAAAA:8 a=p8bv-Q6xvW1aGLmNwggA:9 a=YH-7kEGJnRg4CV3apUU-:22 a=7KeoIwV6GZqOttXkcoxL:22 a=FdTzh2GWekK77mhwV6Dw:22 X-Proofpoint-Spam-Details-Enc: AW1haW4tMjUxMTI4MDExOCBTYWx0ZWRfX3PKnPSZZZM4Q FghvWQLMUS09nT4TMM8DvwPG+d5E6Z/kqAWQfny0GjadHmrnxZzhwbHKVKjt2z+TvA6rS75Jmxe 7zrpic/TkiTFlVYAr4TeuW1vEDIKSUnau6zqkFXcInIPQvksbei+yS4HNwD5tYRKfwkicZoycpS x6XSqjBPHr9zNqaAsZ6JLqggOmPiptf5TgmUebqF6CdyzgrbbVw6pB29O7jo7b6tzz6QdY99yvm vq5jugKlvmjKaQ7svmzlU0e5FXgomAe26mhBkvnyILIJjJ9UiXEjqmAyJH7X9gUdk7TX93MpzqA zTOR60WJEGruzrQpIm1dhhps2Z5/PdqJkxbFYNnsOaA6Lwd3hCqHzjSePRXyvwiNL8n8Q2zZItk d0hThgXAkGjyl5QkJzs2DW1IaVn70g== X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1121,Hydra:6.1.9,FMLib:17.12.100.49 definitions=2025-11-28_08,2025-11-27_02,2025-10-01_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 malwarescore=0 spamscore=0 lowpriorityscore=0 clxscore=1015 bulkscore=0 phishscore=0 suspectscore=0 priorityscore=1501 impostorscore=0 adultscore=0 classifier=typeunknown authscore=0 authtc= authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.22.0-2510240001 definitions=main-2511280118 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 28 Nov 2025 16:08:11 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/226918 From: Archana Polampalli Due to the design of the name constraint checking algorithm, the processing time of some inputs scale non-linearly with respect to the size of the certificate. This affects programs which validate arbitrary certificate chains. Signed-off-by: Archana Polampalli --- meta/recipes-devtools/go/go-1.17.13.inc | 1 + .../go/go-1.18/CVE-2025-58187.patch | 349 ++++++++++++++++++ 2 files changed, 350 insertions(+) create mode 100644 meta/recipes-devtools/go/go-1.18/CVE-2025-58187.patch diff --git a/meta/recipes-devtools/go/go-1.17.13.inc b/meta/recipes-devtools/go/go-1.17.13.inc index 465f24e108..c5aa3f9786 100644 --- a/meta/recipes-devtools/go/go-1.17.13.inc +++ b/meta/recipes-devtools/go/go-1.17.13.inc @@ -69,6 +69,7 @@ SRC_URI = "https://golang.org/dl/go${PV}.src.tar.gz;name=main \ file://CVE-2025-47907.patch \ file://CVE-2025-47906.patch \ file://CVE-2024-24783.patch \ + file://CVE-2025-58187.patch \ " SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd" diff --git a/meta/recipes-devtools/go/go-1.18/CVE-2025-58187.patch b/meta/recipes-devtools/go/go-1.18/CVE-2025-58187.patch new file mode 100644 index 0000000000..810487674c --- /dev/null +++ b/meta/recipes-devtools/go/go-1.18/CVE-2025-58187.patch @@ -0,0 +1,349 @@ +From f334417e71f8b078ad64035bddb6df7f8910da6c Mon Sep 17 00:00:00 2001 +From: Neal Patel +Date: Mon, 15 Sep 2025 16:31:22 -0400 +Subject: [PATCH] crypto/x509: improve domain name verification + +Don't use domainToReverseLabels to check if domain names are valid, +since it is not particularly performant, and can contribute to DoS +vectors. Instead just iterate over the name and enforce the properties +we care about. + +This also enforces that DNS names, both in SANs and name constraints, +are valid. We previously allowed invalid SANs, because some +intermediates had these weird names (see #23995), but there are +currently no trusted intermediates that have this property, and since we +target the web PKI, supporting this particular case is not a high +priority. + +Thank you to Jakub Ciolek for reporting this issue. + +Fixes CVE-2025-58187 +For #75681 +Fixes #75714 + +Change-Id: I6ebce847dcbe5fc63ef2f9a74f53f11c4c56d3d1 +Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2820 +Reviewed-by: Damien Neil +Reviewed-by: Roland Shoemaker +Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2982 +Reviewed-by: Nicholas Husin +Reviewed-on: https://go-review.googlesource.com/c/go/+/709839 +Auto-Submit: Michael Pratt +Reviewed-by: Carlos Amedee +TryBot-Bypass: Michael Pratt + +CVE: CVE-2025-58187 + +Upstream-Status: Backport [https://github.com/golang/go/commit/f334417e71f8b078ad64035bddb6df7f8910da6c] + +Signed-off-by: Archana Polampalli +--- + src/crypto/x509/name_constraints_test.go | 66 ++------------------ + src/crypto/x509/parser.go | 77 ++++++++++++++---------- + src/crypto/x509/parser_test.go | 43 +++++++++++++ + src/crypto/x509/verify.go | 1 + + 4 files changed, 95 insertions(+), 92 deletions(-) + +diff --git a/src/crypto/x509/name_constraints_test.go b/src/crypto/x509/name_constraints_test.go +index c59a7dc..d4f7d41 100644 +--- a/src/crypto/x509/name_constraints_test.go ++++ b/src/crypto/x509/name_constraints_test.go +@@ -1452,63 +1452,7 @@ var nameConstraintsTests = []nameConstraintsTest{ + requestedEKUs: []ExtKeyUsage{ExtKeyUsageServerAuth}, + }, + +- // An invalid DNS SAN should be detected only at validation time so +- // that we can process CA certificates in the wild that have invalid SANs. +- // See https://github.com/golang/go/issues/23995 +- +- // #77: an invalid DNS or mail SAN will not be detected if name constraint +- // checking is not triggered. +- { +- roots: make([]constraintsSpec, 1), +- intermediates: [][]constraintsSpec{ +- { +- {}, +- }, +- }, +- leaf: leafSpec{ +- sans: []string{"dns:this is invalid", "email:this @ is invalid"}, +- }, +- }, +- +- // #78: an invalid DNS SAN will be detected if any name constraint checking +- // is triggered. +- { +- roots: []constraintsSpec{ +- { +- bad: []string{"uri:"}, +- }, +- }, +- intermediates: [][]constraintsSpec{ +- { +- {}, +- }, +- }, +- leaf: leafSpec{ +- sans: []string{"dns:this is invalid"}, +- }, +- expectedError: "cannot parse dnsName", +- }, +- +- // #79: an invalid email SAN will be detected if any name constraint +- // checking is triggered. +- { +- roots: []constraintsSpec{ +- { +- bad: []string{"uri:"}, +- }, +- }, +- intermediates: [][]constraintsSpec{ +- { +- {}, +- }, +- }, +- leaf: leafSpec{ +- sans: []string{"email:this @ is invalid"}, +- }, +- expectedError: "cannot parse rfc822Name", +- }, +- +- // #80: if several EKUs are requested, satisfying any of them is sufficient. ++ // #77: if several EKUs are requested, satisfying any of them is sufficient. + { + roots: make([]constraintsSpec, 1), + intermediates: [][]constraintsSpec{ +@@ -1523,7 +1467,7 @@ var nameConstraintsTests = []nameConstraintsTest{ + requestedEKUs: []ExtKeyUsage{ExtKeyUsageClientAuth, ExtKeyUsageEmailProtection}, + }, + +- // #81: EKUs that are not asserted in VerifyOpts are not required to be ++ // #78: EKUs that are not asserted in VerifyOpts are not required to be + // nested. + { + roots: make([]constraintsSpec, 1), +@@ -1542,7 +1486,7 @@ var nameConstraintsTests = []nameConstraintsTest{ + }, + }, + +- // #82: a certificate without SANs and CN is accepted in a constrained chain. ++ // #79: a certificate without SANs and CN is accepted in a constrained chain. + { + roots: []constraintsSpec{ + { +@@ -1559,7 +1503,7 @@ var nameConstraintsTests = []nameConstraintsTest{ + }, + }, + +- // #83: a certificate without SANs and with a CN that does not parse as a ++ // #80: a certificate without SANs and with a CN that does not parse as a + // hostname is accepted in a constrained chain. + { + roots: []constraintsSpec{ +@@ -1578,7 +1522,7 @@ var nameConstraintsTests = []nameConstraintsTest{ + }, + }, + +- // #84: a certificate with SANs and CN is accepted in a constrained chain. ++ // #81: a certificate with SANs and CN is accepted in a constrained chain. + { + roots: []constraintsSpec{ + { +diff --git a/src/crypto/x509/parser.go b/src/crypto/x509/parser.go +index 635e74b..0788210 100644 +--- a/src/crypto/x509/parser.go ++++ b/src/crypto/x509/parser.go +@@ -391,10 +391,14 @@ func parseSANExtension(der cryptobyte.String) (dnsNames, emailAddresses []string + if err := isIA5String(email); err != nil { + return errors.New("x509: SAN rfc822Name is malformed") + } ++ parsed, ok := parseRFC2821Mailbox(email) ++ if !ok || (ok && !domainNameValid(parsed.domain, false)) { ++ return errors.New("x509: SAN rfc822Name is malformed") ++ } + emailAddresses = append(emailAddresses, email) + case nameTypeDNS: + name := string(data) +- if err := isIA5String(name); err != nil { ++ if err := isIA5String(name); err != nil || (err == nil && !domainNameValid(name, false)) { + return errors.New("x509: SAN dNSName is malformed") + } + dnsNames = append(dnsNames, string(name)) +@@ -404,14 +408,9 @@ func parseSANExtension(der cryptobyte.String) (dnsNames, emailAddresses []string + return errors.New("x509: SAN uniformResourceIdentifier is malformed") + } + uri, err := url.Parse(uriStr) +- if err != nil { ++ if err != nil || (err == nil && uri.Host != "" && !domainNameValid(uri.Host, false)) { + return fmt.Errorf("x509: cannot parse URI %q: %s", uriStr, err) + } +- if len(uri.Host) > 0 { +- if _, ok := domainToReverseLabels(uri.Host); !ok { +- return fmt.Errorf("x509: cannot parse URI %q: invalid domain", uriStr) +- } +- } + uris = append(uris, uri) + case nameTypeIP: + switch len(data) { +@@ -551,15 +550,7 @@ func parseNameConstraintsExtension(out *Certificate, e pkix.Extension) (unhandle + return nil, nil, nil, nil, errors.New("x509: invalid constraint value: " + err.Error()) + } + +- trimmedDomain := domain +- if len(trimmedDomain) > 0 && trimmedDomain[0] == '.' { +- // constraints can have a leading +- // period to exclude the domain +- // itself, but that's not valid in a +- // normal domain name. +- trimmedDomain = trimmedDomain[1:] +- } +- if _, ok := domainToReverseLabels(trimmedDomain); !ok { ++ if !domainNameValid(domain, true) { + return nil, nil, nil, nil, fmt.Errorf("x509: failed to parse dnsName constraint %q", domain) + } + dnsNames = append(dnsNames, domain) +@@ -600,12 +591,7 @@ func parseNameConstraintsExtension(out *Certificate, e pkix.Extension) (unhandle + return nil, nil, nil, nil, fmt.Errorf("x509: failed to parse rfc822Name constraint %q", constraint) + } + } else { +- // Otherwise it's a domain name. +- domain := constraint +- if len(domain) > 0 && domain[0] == '.' { +- domain = domain[1:] +- } +- if _, ok := domainToReverseLabels(domain); !ok { ++ if !domainNameValid(constraint, true) { + return nil, nil, nil, nil, fmt.Errorf("x509: failed to parse rfc822Name constraint %q", constraint) + } + } +@@ -621,15 +607,7 @@ func parseNameConstraintsExtension(out *Certificate, e pkix.Extension) (unhandle + return nil, nil, nil, nil, fmt.Errorf("x509: failed to parse URI constraint %q: cannot be IP address", domain) + } + +- trimmedDomain := domain +- if len(trimmedDomain) > 0 && trimmedDomain[0] == '.' { +- // constraints can have a leading +- // period to exclude the domain itself, +- // but that's not valid in a normal +- // domain name. +- trimmedDomain = trimmedDomain[1:] +- } +- if _, ok := domainToReverseLabels(trimmedDomain); !ok { ++ if !domainNameValid(domain, true) { + return nil, nil, nil, nil, fmt.Errorf("x509: failed to parse URI constraint %q", domain) + } + uriDomains = append(uriDomains, domain) +@@ -1011,3 +989,40 @@ func ParseCertificates(der []byte) ([]*Certificate, error) { + } + return certs, nil + } ++ ++// domainNameValid does minimal domain name validity checking. In particular it ++// enforces the following properties: ++// - names cannot have the trailing period ++// - names can only have a leading period if constraint is true ++// - names must be <= 253 characters ++// - names cannot have empty labels ++// - names cannot labels that are longer than 63 characters ++// ++// Note that this does not enforce the LDH requirements for domain names. ++func domainNameValid(s string, constraint bool) bool { ++ if len(s) == 0 && constraint { ++ return true ++ } ++ if len(s) == 0 || (!constraint && s[0] == '.') || s[len(s)-1] == '.' || len(s) > 253 { ++ return false ++ } ++ lastDot := -1 ++ if constraint && s[0] == '.' { ++ s = s[1:] ++ } ++ ++ for i := 0; i <= len(s); i++ { ++ if i == len(s) || s[i] == '.' { ++ labelLen := i ++ if lastDot >= 0 { ++ labelLen -= lastDot + 1 ++ } ++ if labelLen == 0 || labelLen > 63 { ++ return false ++ } ++ lastDot = i ++ } ++ } ++ ++ return true ++} +diff --git a/src/crypto/x509/parser_test.go b/src/crypto/x509/parser_test.go +index d7cf7ea..95ed116 100644 +--- a/src/crypto/x509/parser_test.go ++++ b/src/crypto/x509/parser_test.go +@@ -5,6 +5,7 @@ package x509 + + import ( + "encoding/asn1" ++ "strings" + "testing" + + cryptobyte_asn1 "golang.org/x/crypto/cryptobyte/asn1" +@@ -100,3 +101,45 @@ func TestParseASN1String(t *testing.T) { + }) + } + } ++ ++func TestDomainNameValid(t *testing.T) { ++ for _, tc := range []struct { ++ name string ++ dnsName string ++ constraint bool ++ valid bool ++ }{ ++ {"empty name, name", "", false, false}, ++ {"empty name, constraint", "", true, true}, ++ {"empty label, name", "a..a", false, false}, ++ {"empty label, constraint", "a..a", true, false}, ++ {"period, name", ".", false, false}, ++ {"period, constraint", ".", true, false}, // TODO(roland): not entirely clear if this is a valid constraint (require at least one label?) ++ {"valid, name", "a.b.c", false, true}, ++ {"valid, constraint", "a.b.c", true, true}, ++ {"leading period, name", ".a.b.c", false, false}, ++ {"leading period, constraint", ".a.b.c", true, true}, ++ {"trailing period, name", "a.", false, false}, ++ {"trailing period, constraint", "a.", true, false}, ++ {"bare label, name", "a", false, true}, ++ {"bare label, constraint", "a", true, true}, ++ {"254 char label, name", strings.Repeat("a.a", 84) + "aaa", false, false}, ++ {"254 char label, constraint", strings.Repeat("a.a", 84) + "aaa", true, false}, ++ {"253 char label, name", strings.Repeat("a.a", 84) + "aa", false, false}, ++ {"253 char label, constraint", strings.Repeat("a.a", 84) + "aa", true, false}, ++ {"64 char single label, name", strings.Repeat("a", 64), false, false}, ++ {"64 char single label, constraint", strings.Repeat("a", 64), true, false}, ++ {"63 char single label, name", strings.Repeat("a", 63), false, true}, ++ {"63 char single label, constraint", strings.Repeat("a", 63), true, true}, ++ {"64 char label, name", "a." + strings.Repeat("a", 64), false, false}, ++ {"64 char label, constraint", "a." + strings.Repeat("a", 64), true, false}, ++ {"63 char label, name", "a." + strings.Repeat("a", 63), false, true}, ++ {"63 char label, constraint", "a." + strings.Repeat("a", 63), true, true}, ++ } { ++ t.Run(tc.name, func(t *testing.T) { ++ if tc.valid != domainNameValid(tc.dnsName, tc.constraint) { ++ t.Errorf("domainNameValid(%q, %t) = %v; want %v", tc.dnsName, tc.constraint, !tc.valid, tc.valid) ++ } ++ }) ++ } ++} +diff --git a/src/crypto/x509/verify.go b/src/crypto/x509/verify.go +index 3e95808..fb2f4b2 100644 +--- a/src/crypto/x509/verify.go ++++ b/src/crypto/x509/verify.go +@@ -357,6 +357,7 @@ func parseRFC2821Mailbox(in string) (mailbox rfc2821Mailbox, ok bool) { + // domainToReverseLabels converts a textual domain name like foo.example.com to + // the list of labels in reverse order, e.g. ["com", "example", "foo"]. + func domainToReverseLabels(domain string) (reverseLabels []string, ok bool) { ++ reverseLabels = make([]string, 0, strings.Count(domain, ".")+1) + for len(domain) > 0 { + if i := strings.LastIndexByte(domain, '.'); i == -1 { + reverseLabels = append(reverseLabels, domain) +-- +2.40.0 + From patchwork Fri Nov 28 16:07:57 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Polampalli, Archana" X-Patchwork-Id: 75554 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 764B9D116E2 for ; Fri, 28 Nov 2025 16:08:11 +0000 (UTC) Received: from mx0a-0064b401.pphosted.com (mx0a-0064b401.pphosted.com [205.220.166.238]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.19470.1764346086809427219 for ; Fri, 28 Nov 2025 08:08:06 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@windriver.com header.s=PPS06212021 header.b=dau7BxQy; spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.166.238, mailfrom: prvs=4427058972=archana.polampalli@windriver.com) Received: from pps.filterd (m0250810.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.11/8.18.1.11) with ESMTP id 5ASDjw893449973 for ; Fri, 28 Nov 2025 08:08:06 -0800 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=windriver.com; h=content-transfer-encoding:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to; s=PPS06212021; bh=WRy47CImMlhntThGbgwVCHXZ2kHsEyJDBy5ZGITWB+g=; b=dau7BxQyh3Pb ipoNCgiz4vNaBFDauREGS3oRTPH76uNFmDG1QKBPxw7SlvM4c1UuiJkZjywE5/9Q qi/sX0h9Hmh+yNgK/1ZKYxbxnpdL85I+GTwFwqP4NLyUorwNJuXhKr6eZ0UmCWYt zDDTzK1LWF+jFRM97Ar++xBqs9NkY63CGojOEA8weWxVTVz4SM32vh+xf7QDwL/0 aT8blATAauyAHu7s4TVqi/lHWA7mZqCttPZl8m8W7B2A6IHaQZf9DyfXMf1rCWHt MXZpQMLyjkjTo+R/E8jfRa/bBD8YQ9MQALsgSKX5B2dzihPsOQ7WBOwBMixepmjZ w0nUTkU+VA== Received: from ala-exchng01.corp.ad.wrs.com ([128.224.246.36]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 4ak9b5ewc4-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Fri, 28 Nov 2025 08:08:05 -0800 (PST) Received: from ala-exchng01.corp.ad.wrs.com (10.11.224.121) by ala-exchng01.corp.ad.wrs.com (10.11.224.121) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.61; Fri, 28 Nov 2025 08:08:05 -0800 Received: from blr-linux-engg1.wrs.com (10.11.232.110) by ala-exchng01.corp.ad.wrs.com (10.11.224.121) with Microsoft SMTP Server id 15.1.2507.61 via Frontend Transport; Fri, 28 Nov 2025 08:08:04 -0800 From: To: Subject: [oe-core][kirkstone][PATCH 2/4] go: fix CVE-2025-58189 Date: Fri, 28 Nov 2025 21:37:57 +0530 Message-ID: <20251128160759.331036-2-archana.polampalli@windriver.com> X-Mailer: git-send-email 2.40.0 In-Reply-To: <20251128160759.331036-1-archana.polampalli@windriver.com> References: <20251128160759.331036-1-archana.polampalli@windriver.com> MIME-Version: 1.0 X-Authority-Analysis: v=2.4 cv=fozRpV4f c=1 sm=1 tr=0 ts=6929c8e6 cx=c_pps a=AbJuCvi4Y3V6hpbCNWx0WA==:117 a=AbJuCvi4Y3V6hpbCNWx0WA==:17 a=6UeiqGixMTsA:10 a=VkNPw1HP01LnGYTKEx00:22 a=pM9yUfARAAAA:8 a=Oh2cFVv5AAAA:8 a=NEAV23lmAAAA:8 a=t7CeM3EgAAAA:8 a=1XWaLZrsAAAA:8 a=1w1LfWAyAAAA:8 a=yhUri8FnAAAA:8 a=5R-fWCJ7wIqqrW0gSnkA:9 a=YH-7kEGJnRg4CV3apUU-:22 a=7KeoIwV6GZqOttXkcoxL:22 a=FdTzh2GWekK77mhwV6Dw:22 a=DTEug4J5-LymngTEnqh0:22 a=8nbOMqh3J4Vhtx036jbE:22 X-Proofpoint-Spam-Details-Enc: AW1haW4tMjUxMTI4MDExOCBTYWx0ZWRfXwWiknSChjmKP J7Z1Eq5SC1Gt58sAPqyQEq7aHPbvorA9vsA5nDMaeSil17wmmrAnBwvd+Krhgl92HnKxHNgoULY o5Qyt5wHO6amJMd667COR+PoWnLP5+yYNv+HEJCQ9Dqhl9aTdveZXRGJxF2HoJMsbFlWJldd6Rh onsN6tdnHdfXxpYSeUHMesmp0lPbFgXgSdQSV9W714OlYNM2lFxkfsWf8+gq5ricuG73Rv4jUWf O2TWjm0P/PeKAss0VmfnHuJ3r1B4OQ8hCnh5giN5+4UCn5WpvrFjYLfWH3QE0UJtB7J+YTYO4UW bZkfY+t+pMbwA9Q/X7HcELKNIMubIWAVgdNt04lOCMXG7XblxTj3UXfe75UHkcLUSo4ESVbDil5 wft6aqU5R8C+0y03gTTTGa8jhgLN8Q== X-Proofpoint-GUID: pnLTdfNoHFyQ_kDe6-kFBkcbR1-chKOm X-Proofpoint-ORIG-GUID: pnLTdfNoHFyQ_kDe6-kFBkcbR1-chKOm X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1121,Hydra:6.1.9,FMLib:17.12.100.49 definitions=2025-11-28_08,2025-11-27_02,2025-10-01_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 bulkscore=0 adultscore=0 phishscore=0 lowpriorityscore=0 clxscore=1015 spamscore=0 impostorscore=0 malwarescore=0 suspectscore=0 priorityscore=1501 classifier=typeunknown authscore=0 authtc= authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.22.0-2510240001 definitions=main-2511280118 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 28 Nov 2025 16:08:11 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/226917 From: Archana Polampalli When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped. Signed-off-by: Archana Polampalli --- meta/recipes-devtools/go/go-1.17.13.inc | 1 + .../go/go-1.18/CVE-2025-58189.patch | 51 +++++++++++++++++++ 2 files changed, 52 insertions(+) create mode 100644 meta/recipes-devtools/go/go-1.18/CVE-2025-58189.patch diff --git a/meta/recipes-devtools/go/go-1.17.13.inc b/meta/recipes-devtools/go/go-1.17.13.inc index c5aa3f9786..61fee12cf9 100644 --- a/meta/recipes-devtools/go/go-1.17.13.inc +++ b/meta/recipes-devtools/go/go-1.17.13.inc @@ -70,6 +70,7 @@ SRC_URI = "https://golang.org/dl/go${PV}.src.tar.gz;name=main \ file://CVE-2025-47906.patch \ file://CVE-2024-24783.patch \ file://CVE-2025-58187.patch \ + file://CVE-2025-58189.patch \ " SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd" diff --git a/meta/recipes-devtools/go/go-1.18/CVE-2025-58189.patch b/meta/recipes-devtools/go/go-1.18/CVE-2025-58189.patch new file mode 100644 index 0000000000..835f071733 --- /dev/null +++ b/meta/recipes-devtools/go/go-1.18/CVE-2025-58189.patch @@ -0,0 +1,51 @@ +From 2e1e356e33b9c792a9643749a7626a1789197bb9 Mon Sep 17 00:00:00 2001 +From: Roland Shoemaker +Date: Mon, 29 Sep 2025 10:11:56 -0700 +Subject: [PATCH] crypto/tls: quote protocols in ALPN error message + +Quote the protocols sent by the client when returning the ALPN +negotiation error message. + +Fixes CVE-2025-58189 +Updates #75652 +Fixes #75660 + +Change-Id: Ie7b3a1ed0b6efcc1705b71f0f1e8417126661330 +Reviewed-on: https://go-review.googlesource.com/c/go/+/707776 +Auto-Submit: Roland Shoemaker +Reviewed-by: Neal Patel +Reviewed-by: Nicholas Husin +Auto-Submit: Nicholas Husin +Reviewed-by: Nicholas Husin +TryBot-Bypass: Roland Shoemaker +Reviewed-by: Daniel McCarney +(cherry picked from commit 4e9006a716533fe1c7ee08df02dfc73078f7dc19) +Reviewed-on: https://go-review.googlesource.com/c/go/+/708096 +LUCI-TryBot-Result: Go LUCI +Reviewed-by: Carlos Amedee + +CVE: CVE-2025-58189 + +Upstream-Status: Backport [https://github.com/golang/go/commit/2e1e356e33b9c792a9643749a7626a1789197bb9] + +Signed-off-by: Archana Polampalli +--- + src/crypto/tls/handshake_server.go | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/crypto/tls/handshake_server.go b/src/crypto/tls/handshake_server.go +index 4e84aa9..17b6891 100644 +--- a/src/crypto/tls/handshake_server.go ++++ b/src/crypto/tls/handshake_server.go +@@ -312,7 +312,7 @@ func negotiateALPN(serverProtos, clientProtos []string, quic bool) (string, erro + if http11fallback { + return "", nil + } +- return "", fmt.Errorf("tls: client requested unsupported application protocols (%s)", clientProtos) ++ return "", fmt.Errorf("tls: client requested unsupported application protocols (%q)", clientProtos) + } + + // supportsECDHE returns whether ECDHE key exchanges can be used with this +-- +2.40.0 + From patchwork Fri Nov 28 16:07:58 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Polampalli, Archana" X-Patchwork-Id: 75557 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7CB7FD116F3 for ; Fri, 28 Nov 2025 16:08:11 +0000 (UTC) Received: from mx0b-0064b401.pphosted.com (mx0b-0064b401.pphosted.com [205.220.178.238]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.19473.1764346089743828918 for ; Fri, 28 Nov 2025 08:08:09 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@windriver.com header.s=PPS06212021 header.b=Nhl/5kgy; spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.178.238, mailfrom: prvs=4427058972=archana.polampalli@windriver.com) Received: from pps.filterd (m0250812.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.11/8.18.1.11) with ESMTP id 5ASDlO7G036329 for ; Fri, 28 Nov 2025 16:08:08 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=windriver.com; h=content-transfer-encoding:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to; s=PPS06212021; bh=l6k1iijPXMhgSVM4uTPf75gQUSOMC+Ze7IRU0cPfllw=; b=Nhl/5kgy6g9B IYdFbHpPfmy5JCZIDmY9AkYxlsUvxdAAf+rRh6YojiifnAdFD6p+Ke/BSSTriNES 79O8Y0AiUDWUepeTtHGQxnZbJ+LKrWyFsvusFYkdQYheiJ/udM/dVFp9wbjnzPAd mlEl9QFYwa6hJT5oE+9wWkQS2MN/FQHjTSrggQQnC6bNNd8HOrnpyaU3TQwbKDYu TkgpeCnXUkswCW710Wz0Cy0xcH5FBOhBs/5WB0cphWzDJb5ppKEKG3aNdSIlazLK ZQTYD5qZbU44v0ZxrmugmW3nEVLPi9JyUCNwnwDQYU+bQ//cUupmhCoyD1jjJ9dt 7yT2jve9+A== Received: from ala-exchng01.corp.ad.wrs.com ([128.224.246.36]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 4ak455q2dn-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Fri, 28 Nov 2025 16:08:08 +0000 (GMT) Received: from ala-exchng01.corp.ad.wrs.com (10.11.224.121) by ala-exchng01.corp.ad.wrs.com (10.11.224.121) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.61; Fri, 28 Nov 2025 08:08:07 -0800 Received: from blr-linux-engg1.wrs.com (10.11.232.110) by ala-exchng01.corp.ad.wrs.com (10.11.224.121) with Microsoft SMTP Server id 15.1.2507.61 via Frontend Transport; Fri, 28 Nov 2025 08:08:06 -0800 From: To: Subject: [oe-core][kirkstone][PATCH 3/4] go: fix CVE-2025-61723 Date: Fri, 28 Nov 2025 21:37:58 +0530 Message-ID: <20251128160759.331036-3-archana.polampalli@windriver.com> X-Mailer: git-send-email 2.40.0 In-Reply-To: <20251128160759.331036-1-archana.polampalli@windriver.com> References: <20251128160759.331036-1-archana.polampalli@windriver.com> MIME-Version: 1.0 X-Proofpoint-ORIG-GUID: hOjlqj41rLXItTryMmlHAC5Ytdnm9BYc X-Proofpoint-GUID: hOjlqj41rLXItTryMmlHAC5Ytdnm9BYc X-Authority-Analysis: v=2.4 cv=T6eBjvKQ c=1 sm=1 tr=0 ts=6929c8e8 cx=c_pps a=AbJuCvi4Y3V6hpbCNWx0WA==:117 a=AbJuCvi4Y3V6hpbCNWx0WA==:17 a=6UeiqGixMTsA:10 a=VkNPw1HP01LnGYTKEx00:22 a=pM9yUfARAAAA:8 a=Oh2cFVv5AAAA:8 a=NEAV23lmAAAA:8 a=t7CeM3EgAAAA:8 a=1XWaLZrsAAAA:8 a=jwAe1Q9Omu7ZGOGPRCUA:9 a=YH-7kEGJnRg4CV3apUU-:22 a=7KeoIwV6GZqOttXkcoxL:22 a=FdTzh2GWekK77mhwV6Dw:22 X-Proofpoint-Spam-Details-Enc: AW1haW4tMjUxMTI4MDExOCBTYWx0ZWRfX+J96a4CewfM5 IrLAjKcq1aQBW/r/KEtPa/JlqSTN5sJMo9+0eRK8NdqQl0t30gmQmJu0Wkph42aaul4FQPFAosM D+i7aw2T79V30h+UYRmINV45iY7s9Yu7dEX80yE6OHfH65aKs/2A13eya5IgmumGJwJVK2qfhFX aPmgqDMmFF6Ujyy7BlJ5dBgK0SoBogdGjHoOWgz6cdO1oBMBo0WSvO+jh/x1+ObzTQQCn22NLep KxvE30nebpGEn07HeU2+o74+BkZ8FVf93Bj0Ft8nfkEiCtkGJPN1sEgke3SzHBPRhKtChvLeexf ALb3lR5fiV04rl9R0VHqAuN+MSxWm+1TpDF15lPJM16niDUzHbZEYq6O5/9qBCrMUyYEAMBNxly E1+bjGsYOSy72H9vkxF5q2BOx/0iMw== X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1121,Hydra:6.1.9,FMLib:17.12.100.49 definitions=2025-11-28_08,2025-11-27_02,2025-10-01_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 malwarescore=0 spamscore=0 lowpriorityscore=0 clxscore=1015 bulkscore=0 phishscore=0 suspectscore=0 priorityscore=1501 impostorscore=0 adultscore=0 classifier=typeunknown authscore=0 authtc= authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.22.0-2510240001 definitions=main-2511280118 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 28 Nov 2025 16:08:11 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/226919 From: Archana Polampalli The processing time for parsing some invalid inputs scales non-linearly with respect to the size of the input. This affects programs which parse untrusted PEM inputs. Signed-off-by: Archana Polampalli --- meta/recipes-devtools/go/go-1.17.13.inc | 1 + .../go/go-1.18/CVE-2025-61723.patch | 221 ++++++++++++++++++ 2 files changed, 222 insertions(+) create mode 100644 meta/recipes-devtools/go/go-1.18/CVE-2025-61723.patch diff --git a/meta/recipes-devtools/go/go-1.17.13.inc b/meta/recipes-devtools/go/go-1.17.13.inc index 61fee12cf9..b621fb189c 100644 --- a/meta/recipes-devtools/go/go-1.17.13.inc +++ b/meta/recipes-devtools/go/go-1.17.13.inc @@ -71,6 +71,7 @@ SRC_URI = "https://golang.org/dl/go${PV}.src.tar.gz;name=main \ file://CVE-2024-24783.patch \ file://CVE-2025-58187.patch \ file://CVE-2025-58189.patch \ + file://CVE-2025-61723.patch \ " SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd" diff --git a/meta/recipes-devtools/go/go-1.18/CVE-2025-61723.patch b/meta/recipes-devtools/go/go-1.18/CVE-2025-61723.patch new file mode 100644 index 0000000000..8c838a6d8a --- /dev/null +++ b/meta/recipes-devtools/go/go-1.18/CVE-2025-61723.patch @@ -0,0 +1,221 @@ +From 74d4d836b91318a8764b94bc2b4b66ff599eb5f2 Mon Sep 17 00:00:00 2001 +From: Roland Shoemaker +Date: Tue, 30 Sep 2025 11:16:56 -0700 +Subject: [PATCH] encoding/pem: make Decode complexity linear Because Decode + scanned the input first for the first BEGIN line, and then the first END + line, the complexity of Decode is quadratic. If the input contained a large + number of BEGINs and then a single END right at the end of the input, we + would find the first BEGIN, and then scan the entire input for the END, and + fail to parse the block, so move onto the next BEGIN, scan the entire input + for the END, etc. + +Instead, look for the first END in the input, and then the first BEGIN +that precedes the found END. We then process the bytes between the BEGIN +and END, and move onto the bytes after the END for further processing. +This gives us linear complexity. + +Fixes CVE-2025-61723 +For #75676 +Fixes #75708 + +Change-Id: I813c4f63e78bca4054226c53e13865c781564ccf +Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2921 +Reviewed-by: Nicholas Husin +Reviewed-by: Damien Neil +Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2986 +Reviewed-on: https://go-review.googlesource.com/c/go/+/709842 +TryBot-Bypass: Michael Pratt +Auto-Submit: Michael Pratt +Reviewed-by: Carlos Amedee + +CVE: CVE-2025-61723 + +Upstream-Status: Backport [https://github.com/golang/go/commit/74d4d836b91318a8764b94bc2b4b66ff599eb5f2] + +Signed-off-by: Archana Polampalli +--- + src/encoding/pem/pem.go | 67 +++++++++++++++++++----------------- + src/encoding/pem/pem_test.go | 13 +++---- + 2 files changed, 43 insertions(+), 37 deletions(-) + +diff --git a/src/encoding/pem/pem.go b/src/encoding/pem/pem.go +index 1bee1c1..01bed75 100644 +--- a/src/encoding/pem/pem.go ++++ b/src/encoding/pem/pem.go +@@ -35,7 +35,7 @@ type Block struct { + // line bytes. The remainder of the byte array (also not including the new line + // bytes) is also returned and this will always be smaller than the original + // argument. +-func getLine(data []byte) (line, rest []byte) { ++func getLine(data []byte) (line, rest []byte, consumed int) { + i := bytes.IndexByte(data, '\n') + var j int + if i < 0 { +@@ -47,7 +47,7 @@ func getLine(data []byte) (line, rest []byte) { + i-- + } + } +- return bytes.TrimRight(data[0:i], " \t"), data[j:] ++ return bytes.TrimRight(data[0:i], " \t"), data[j:], j + } + + // removeSpacesAndTabs returns a copy of its input with all spaces and tabs +@@ -88,19 +88,29 @@ func Decode(data []byte) (p *Block, rest []byte) { + // the byte array, we'll accept the start string without it. + rest = data + for { +- if bytes.HasPrefix(rest, pemStart[1:]) { +- rest = rest[len(pemStart)-1:] +- } else if i := bytes.Index(rest, pemStart); i >= 0 { +- rest = rest[i+len(pemStart) : len(rest)] +- } else { ++ // Find the first END line, and then find the last BEGIN line before ++ // the end line. This lets us skip any repeated BEGIN lines that don't ++ // have a matching END. ++ endIndex := bytes.Index(rest, pemEnd) ++ if endIndex < 0 { + return nil, data + } +- ++ endTrailerIndex := endIndex + len(pemEnd) ++ beginIndex := bytes.LastIndex(rest[:endIndex], pemStart[1:]) ++ if beginIndex < 0 || beginIndex > 0 && rest[beginIndex-1] != '\n' { ++ return nil, data ++ } ++ rest = rest[beginIndex+len(pemStart)-1:] ++ endIndex -= beginIndex + len(pemStart) - 1 ++ endTrailerIndex -= beginIndex + len(pemStart) - 1 + var typeLine []byte +- typeLine, rest = getLine(rest) ++ var consumed int ++ typeLine, rest, consumed = getLine(rest) + if !bytes.HasSuffix(typeLine, pemEndOfLine) { + continue + } ++ endIndex -= consumed ++ endTrailerIndex -= consumed + typeLine = typeLine[0 : len(typeLine)-len(pemEndOfLine)] + + p = &Block{ +@@ -114,7 +124,7 @@ func Decode(data []byte) (p *Block, rest []byte) { + if len(rest) == 0 { + return nil, data + } +- line, next := getLine(rest) ++ line, next, consumed := getLine(rest) + + i := bytes.IndexByte(line, ':') + if i == -1 { +@@ -127,21 +137,13 @@ func Decode(data []byte) (p *Block, rest []byte) { + val = bytes.TrimSpace(val) + p.Headers[string(key)] = string(val) + rest = next ++ endIndex -= consumed ++ endTrailerIndex -= consumed + } + +- var endIndex, endTrailerIndex int +- +- // If there were no headers, the END line might occur +- // immediately, without a leading newline. +- if len(p.Headers) == 0 && bytes.HasPrefix(rest, pemEnd[1:]) { +- endIndex = 0 +- endTrailerIndex = len(pemEnd) - 1 +- } else { +- endIndex = bytes.Index(rest, pemEnd) +- endTrailerIndex = endIndex + len(pemEnd) +- } +- +- if endIndex < 0 { ++ // If there were headers, there must be a newline between the headers ++ // and the END line, so endIndex should be >= 0. ++ if len(p.Headers) > 0 && endIndex < 0 { + continue + } + +@@ -161,21 +163,24 @@ func Decode(data []byte) (p *Block, rest []byte) { + } + + // The line must end with only whitespace. +- if s, _ := getLine(restOfEndLine); len(s) != 0 { ++ if s, _, _ := getLine(restOfEndLine); len(s) != 0 { + continue + } + +- base64Data := removeSpacesAndTabs(rest[:endIndex]) +- p.Bytes = make([]byte, base64.StdEncoding.DecodedLen(len(base64Data))) +- n, err := base64.StdEncoding.Decode(p.Bytes, base64Data) +- if err != nil { +- continue ++ p.Bytes = []byte{} ++ if endIndex > 0 { ++ base64Data := removeSpacesAndTabs(rest[:endIndex]) ++ p.Bytes = make([]byte, base64.StdEncoding.DecodedLen(len(base64Data))) ++ n, err := base64.StdEncoding.Decode(p.Bytes, base64Data) ++ if err != nil { ++ continue ++ } ++ p.Bytes = p.Bytes[:n] + } +- p.Bytes = p.Bytes[:n] + + // the -1 is because we might have only matched pemEnd without the + // leading newline if the PEM block was empty. +- _, rest = getLine(rest[endIndex+len(pemEnd)-1:]) ++ _, rest, _ = getLine(rest[endIndex+len(pemEnd)-1:]) + return p, rest + } + } +diff --git a/src/encoding/pem/pem_test.go b/src/encoding/pem/pem_test.go +index c94b5ca..a326f9b 100644 +--- a/src/encoding/pem/pem_test.go ++++ b/src/encoding/pem/pem_test.go +@@ -34,7 +34,7 @@ var getLineTests = []GetLineTest{ + + func TestGetLine(t *testing.T) { + for i, test := range getLineTests { +- x, y := getLine([]byte(test.in)) ++ x, y, _ := getLine([]byte(test.in)) + if string(x) != test.out1 || string(y) != test.out2 { + t.Errorf("#%d got:%+v,%+v want:%s,%s", i, x, y, test.out1, test.out2) + } +@@ -46,6 +46,7 @@ func TestDecode(t *testing.T) { + if !reflect.DeepEqual(result, certificate) { + t.Errorf("#0 got:%#v want:%#v", result, certificate) + } ++ + result, remainder = Decode(remainder) + if !reflect.DeepEqual(result, privateKey) { + t.Errorf("#1 got:%#v want:%#v", result, privateKey) +@@ -68,7 +69,7 @@ func TestDecode(t *testing.T) { + } + + result, remainder = Decode(remainder) +- if result == nil || result.Type != "HEADERS" || len(result.Headers) != 1 { ++ if result == nil || result.Type != "VALID HEADERS" || len(result.Headers) != 1 { + t.Errorf("#5 expected single header block but got :%v", result) + } + +@@ -381,15 +382,15 @@ ZWAaUoVtWIQ52aKS0p19G99hhb+IVANC4akkdHV4SP8i7MVNZhfUmg== + + # This shouldn't be recognised because of the missing newline after the + headers. +------BEGIN HEADERS----- ++-----BEGIN INVALID HEADERS----- + Header: 1 +------END HEADERS----- ++-----END INVALID HEADERS----- + + # This should be valid, however. +------BEGIN HEADERS----- ++-----BEGIN VALID HEADERS----- + Header: 1 + +------END HEADERS-----`) ++-----END VALID HEADERS-----`) + + var certificate = &Block{Type: "CERTIFICATE", + Headers: map[string]string{}, +-- +2.40.0 + From patchwork Fri Nov 28 16:07:59 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Polampalli, Archana" X-Patchwork-Id: 75556 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 88CABD116F6 for ; Fri, 28 Nov 2025 16:08:11 +0000 (UTC) Received: from mx0a-0064b401.pphosted.com (mx0a-0064b401.pphosted.com [205.220.166.238]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.19474.1764346090491445368 for ; Fri, 28 Nov 2025 08:08:10 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@windriver.com header.s=PPS06212021 header.b=lt1DMiF7; spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.166.238, mailfrom: prvs=4427058972=archana.polampalli@windriver.com) Received: from pps.filterd (m0250809.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.11/8.18.1.11) with ESMTP id 5ASFk2mb3001991 for ; Fri, 28 Nov 2025 08:08:10 -0800 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=windriver.com; h=content-transfer-encoding:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to; s=PPS06212021; bh=fz9L3CxFiias/Eucw+CJN9bhgipOqhOwboCecZX6jU0=; b=lt1DMiF7igga Q68sZiuDwrzg9GXZrltQMORFlpEkWAWhtU8eUN8KGW66XM3B4pdLzzyz/vnJBe/p PCk52Vm3cXfxh79fPa68tWP9RrxeuGLF5Loc/dkyauFJ2GlRg5PCvP2o4I59qp43 /HX+xXBt3qGr/jFZDKmUT6RiK2J2Va3rkIfVx3lsjoSnnHmChGkzUJ0ukO8cbGSQ b879ytsGJ68VJh36nYE74PwTgI2CD+bmjkSFKzBEUGeXHxnCM6NUiPJXyB+eSRgL XwTeuGqXMhOJ9f1W261NN7ixKWbef6Df0GFs/5ReX02K9+L8kyTHPfzTo6TVCgS/ ptRHVNDByA== Received: from ala-exchng01.corp.ad.wrs.com ([128.224.246.36]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 4akdjjerhj-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Fri, 28 Nov 2025 08:08:09 -0800 (PST) Received: from ala-exchng01.corp.ad.wrs.com (10.11.224.121) by ala-exchng01.corp.ad.wrs.com (10.11.224.121) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.61; Fri, 28 Nov 2025 08:08:09 -0800 Received: from blr-linux-engg1.wrs.com (10.11.232.110) by ala-exchng01.corp.ad.wrs.com (10.11.224.121) with Microsoft SMTP Server id 15.1.2507.61 via Frontend Transport; Fri, 28 Nov 2025 08:08:08 -0800 From: To: Subject: [oe-core][kirkstone][PATCH 4/4] go: fix CVE-2025-61724 Date: Fri, 28 Nov 2025 21:37:59 +0530 Message-ID: <20251128160759.331036-4-archana.polampalli@windriver.com> X-Mailer: git-send-email 2.40.0 In-Reply-To: <20251128160759.331036-1-archana.polampalli@windriver.com> References: <20251128160759.331036-1-archana.polampalli@windriver.com> MIME-Version: 1.0 X-Proofpoint-Spam-Details-Enc: AW1haW4tMjUxMTI4MDExOCBTYWx0ZWRfX5/B1Yd++vnl8 wYUV80FXEWYBI5wKz9TfWnSVUC6s26koJEzRuProQ4qv7KWZwWK+HrhQV3n288p+gokFPj+AfYI oCPf5DaC7GIjynXOq6ctN6f4d8OAkGVMSUId8Ju/288Wrf2lExwxn06YXzTpCJyvWaToSRKMz1I fke3luN/mlyp81KDDi9u2EdlbYERVLjAziTp9di11ZaznctIOpJYnqtrd4mRDFDS2EgcoiMXHaZ icMVRtaEmAWyFgmMLjTsipZJdKZVHap/l6/EIMJKowSnoMAgvNWgYCW0f5HYxTKoLE0nQP6tnTr NximOov3YARDWgR+7eVeqaq++19YG+dsawAAIvW1/dKKT3vpK/ah762lRHL79WInjwB9N5sOOoq 5ByckG5H08UaBLIJBWtFUxzljrNoVQ== X-Proofpoint-ORIG-GUID: XImOnOSNhXxzkU3Ys3hE0rajHbeIgJmN X-Authority-Analysis: v=2.4 cv=Wq8m8Nfv c=1 sm=1 tr=0 ts=6929c8ea cx=c_pps a=AbJuCvi4Y3V6hpbCNWx0WA==:117 a=AbJuCvi4Y3V6hpbCNWx0WA==:17 a=6UeiqGixMTsA:10 a=VkNPw1HP01LnGYTKEx00:22 a=pM9yUfARAAAA:8 a=Oh2cFVv5AAAA:8 a=NEAV23lmAAAA:8 a=t7CeM3EgAAAA:8 a=1XWaLZrsAAAA:8 a=UGZXEnhljDJq2poRytIA:9 a=YH-7kEGJnRg4CV3apUU-:22 a=7KeoIwV6GZqOttXkcoxL:22 a=FdTzh2GWekK77mhwV6Dw:22 X-Proofpoint-GUID: XImOnOSNhXxzkU3Ys3hE0rajHbeIgJmN X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1121,Hydra:6.1.9,FMLib:17.12.100.49 definitions=2025-11-28_08,2025-11-27_02,2025-10-01_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 suspectscore=0 phishscore=0 clxscore=1015 lowpriorityscore=0 priorityscore=1501 impostorscore=0 bulkscore=0 malwarescore=0 spamscore=0 adultscore=0 classifier=typeunknown authscore=0 authtc= authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.22.0-2510240001 definitions=main-2511280118 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 28 Nov 2025 16:08:11 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/226920 From: Archana Polampalli The Reader.ReadResponse function constructs a response string through repeated string concatenation of lines. When the number of lines in a response is large, this can cause excessive CPU consumption. Signed-off-by: Archana Polampalli --- meta/recipes-devtools/go/go-1.17.13.inc | 1 + .../go/go-1.18/CVE-2025-61724.patch | 74 +++++++++++++++++++ 2 files changed, 75 insertions(+) create mode 100644 meta/recipes-devtools/go/go-1.18/CVE-2025-61724.patch diff --git a/meta/recipes-devtools/go/go-1.17.13.inc b/meta/recipes-devtools/go/go-1.17.13.inc index b621fb189c..bb5e839950 100644 --- a/meta/recipes-devtools/go/go-1.17.13.inc +++ b/meta/recipes-devtools/go/go-1.17.13.inc @@ -72,6 +72,7 @@ SRC_URI = "https://golang.org/dl/go${PV}.src.tar.gz;name=main \ file://CVE-2025-58187.patch \ file://CVE-2025-58189.patch \ file://CVE-2025-61723.patch \ + file://CVE-2025-61724.patch \ " SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd" diff --git a/meta/recipes-devtools/go/go-1.18/CVE-2025-61724.patch b/meta/recipes-devtools/go/go-1.18/CVE-2025-61724.patch new file mode 100644 index 0000000000..8c63022909 --- /dev/null +++ b/meta/recipes-devtools/go/go-1.18/CVE-2025-61724.patch @@ -0,0 +1,74 @@ +From a402f4ad285514f5f3db90516d72047d591b307a Mon Sep 17 00:00:00 2001 +From: Damien Neil +Date: Tue, 30 Sep 2025 15:11:16 -0700 +Subject: [PATCH] net/textproto: avoid quadratic complexity in + Reader.ReadResponse Reader.ReadResponse constructed a response string from + repeated string concatenation, permitting a malicious sender to cause + excessive memory allocation and CPU consumption by sending a response + consisting of many short lines. + +Use a strings.Builder to construct the string instead. + +Thanks to Jakub Ciolek for reporting this issue. + +Fixes CVE-2025-61724 +For #75716 +Fixes #75717 + +Change-Id: I1a98ce85a21b830cb25799f9ac9333a67400d736 +Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2940 +Reviewed-by: Roland Shoemaker +Reviewed-by: Nicholas Husin +Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2980 +Reviewed-by: Damien Neil +Reviewed-on: https://go-review.googlesource.com/c/go/+/709837 +Reviewed-by: Carlos Amedee +TryBot-Bypass: Michael Pratt +Auto-Submit: Michael Pratt + +CVE: CVE-2025-61724 + +Upstream-Status: Backport [https://github.com/golang/go/commit/a402f4ad285514f5f3db90516d72047d591b307a] + +Signed-off-by: Archana Polampalli +--- + src/net/textproto/reader.go | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/src/net/textproto/reader.go b/src/net/textproto/reader.go +index 3ac4d4d..a996257 100644 +--- a/src/net/textproto/reader.go ++++ b/src/net/textproto/reader.go +@@ -288,8 +288,10 @@ func (r *Reader) ReadCodeLine(expectCode int) (code int, message string, err err + // An expectCode <= 0 disables the check of the status code. + // + func (r *Reader) ReadResponse(expectCode int) (code int, message string, err error) { +- code, continued, message, err := r.readCodeLine(expectCode) ++ code, continued, first, err := r.readCodeLine(expectCode) + multi := continued ++ var messageBuilder strings.Builder ++ messageBuilder.WriteString(first) + for continued { + line, err := r.ReadLine() + if err != nil { +@@ -300,12 +302,15 @@ func (r *Reader) ReadResponse(expectCode int) (code int, message string, err err + var moreMessage string + code2, continued, moreMessage, err = parseCodeLine(line, 0) + if err != nil || code2 != code { +- message += "\n" + strings.TrimRight(line, "\r\n") ++ messageBuilder.WriteByte('\n') ++ messageBuilder.WriteString(strings.TrimRight(line, "\r\n")) + continued = true + continue + } +- message += "\n" + moreMessage ++ messageBuilder.WriteByte('\n') ++ messageBuilder.WriteString(moreMessage) + } ++ message = messageBuilder.String() + if err != nil && multi && message != "" { + // replace one line error message with all lines (full message) + err = &Error{code, message} +-- +2.40.0 +