go: Fix CVE-2024-24789

The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create an zip file with contents that vary depending on the implementation reading the file. The archive/zip package now rejects files containing these errors. References: https://nvd.nist.gov/vuln/detail/CVE-2024-24789 Upstream-patch: https://github.com/golang/go/commit/c8e40338cf00f3c1d86c8fb23863ad67a4c72bcc (From OE-Core rev: f198fdc392c6e3b99431383ab6577749e83f1cb3) Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Soumya Sambu <soumya.sambu@windriver.com> 2024-08-01 04:55:33 +0000
committer: Steve Sakoman <steve@sakoman.com> 2024-08-08 09:03:45 -0700
commit: 7506cbff40f07ae937758a5fbf872ce751e8c3ba (patch)
tree: 9a497832d1eb2fba464839140bfa2e38e6360771
parent: ae4a66db4bd23f3b6ee71ff27986a6a3d2b84f66 (diff)
download: poky-7506cbff40f07ae937758a5fbf872ce751e8c3ba.tar.gz
2 files changed, 79 insertions, 0 deletions
diff --git a/meta/recipes-devtools/go/go-1.17.13.inc b/meta/recipes-devtools/go/go-1.17.13.inc
index 95fb572362..e83c4dfa80 100644
--- a/meta/recipes-devtools/go/go-1.17.13.inc
+++ b/meta/recipes-devtools/go/go-1.17.13.inc
@@ -56,6 +56,7 @@ SRC_URI += "\
    file://CVE-2024-24784.patch \
    file://CVE-2024-24785.patch \
    file://CVE-2023-45288.patch \
+    file://CVE-2024-24789.patch \
 "
 SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd"
diff --git a/meta/recipes-devtools/go/go-1.21/CVE-2024-24789.patch b/meta/recipes-devtools/go/go-1.21/CVE-2024-24789.patch
new file mode 100644
index 0000000000..2679109a0e
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.21/CVE-2024-24789.patch
@@ -0,0 +1,78 @@
+From c8e40338cf00f3c1d86c8fb23863ad67a4c72bcc Mon Sep 17 00:00:00 2001
+From: Damien Neil <dneil@google.com>
+Date: Tue, 14 May 2024 14:39:10 -0700
+Subject: [PATCH] [release-branch.go1.21] archive/zip: treat truncated EOCDR
+ comment as an error
+When scanning for an end of central directory record,
+treat an EOCDR signature with a record containing a truncated
+comment as an error. Previously, we would skip over the invalid
+record and look for another one. Other implementations do not
+do this (they either consider this a hard error, or just ignore
+the truncated comment). This parser misalignment allowed
+presenting entirely different archive contents to Go programs
+and other zip decoders.
+For #66869
+Fixes #67553
+Change-Id: I94e5cb028534bb5704588b8af27f1e22ea49c7c6
+Reviewed-on: https://go-review.googlesource.com/c/go/+/585397
+Reviewed-by: Joseph Tsai <joetsai@digital-static.net>
+Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+(cherry picked from commit 33d725e5758bf1fea62e6c77fc70b57a828a49f5)
+Reviewed-on: https://go-review.googlesource.com/c/go/+/588795
+Reviewed-by: Matthew Dempsky <mdempsky@google.com>
+CVE: CVE-2024-24789
+Upstream-Status: Backport [https://github.com/golang/go/commit/c8e40338cf00f3c1d86c8fb23863ad67a4c72bcc]
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ src/archive/zip/reader.go      | 8 ++++++--
+ src/archive/zip/reader_test.go | 8 ++++++++
+ 2 files changed, 14 insertions(+), 2 deletions(-)
+diff --git a/src/archive/zip/reader.go b/src/archive/zip/reader.go
+index e40a2c6..987f543 100644
+--- a/src/archive/zip/reader.go
+++ b/src/archive/zip/reader.go
+@@ -644,9 +644,13 @@ func findSignatureInBlock(b []byte) int {
+                if b[i] == 'P' && b[i+1] == 'K' && b[i+2] == 0x05 && b[i+3] == 0x06 {
+                        // n is length of comment
+                        n := int(b[i+directoryEndLen-2]) | int(b[i+directoryEndLen-1])<<8
+-                       if n+directoryEndLen+i <= len(b) {
+-                               return i
+                       if n+directoryEndLen+i > len(b) {
+                               // Truncated comment.
+                               // Some parsers (such as Info-ZIP) ignore the truncated comment
+                               // rather than treating it as a hard error.
+                               return -1
+                        }
+                       return i
+                }
+        }
+        return -1
+diff --git a/src/archive/zip/reader_test.go b/src/archive/zip/reader_test.go
+index a549153..7ac394d 100644
+--- a/src/archive/zip/reader_test.go
+++ b/src/archive/zip/reader_test.go
+@@ -487,6 +487,14 @@ var tests = []ZipTest{
+                        },
+                },
+        },
+       // Issue 66869: Don't skip over an EOCDR with a truncated comment.
+       // The test file sneakily hides a second EOCDR before the first one;
+       // previously we would extract one file ("file") from this archive,
+       // while most other tools would reject the file or extract a different one ("FILE").
+       {
+               Name:  "comment-truncated.zip",
+               Error: ErrFormat,
+       },
+ }
+ func TestReader(t *testing.T) {
+--
+2.40.0
author	Soumya Sambu <soumya.sambu@windriver.com>	2024-08-01 04:55:33 +0000
committer	Steve Sakoman <steve@sakoman.com>	2024-08-08 09:03:45 -0700
commit	7506cbff40f07ae937758a5fbf872ce751e8c3ba (patch)
tree	9a497832d1eb2fba464839140bfa2e38e6360771
parent	ae4a66db4bd23f3b6ee71ff27986a6a3d2b84f66 (diff)
download	poky-7506cbff40f07ae937758a5fbf872ce751e8c3ba.tar.gz

diff --git a/meta/recipes-devtools/go/go-1.17.13.inc b/meta/recipes-devtools/go/go-1.17.13.inc index 95fb572362..e83c4dfa80 100644 --- a/meta/recipes-devtools/go/go-1.17.13.inc +++ b/meta/recipes-devtools/go/go-1.17.13.inc
@@ -56,6 +56,7 @@ SRC_URI += "\
56	file://CVE-2024-24784.patch \	56	file://CVE-2024-24784.patch \
57	file://CVE-2024-24785.patch \	57	file://CVE-2024-24785.patch \
58	file://CVE-2023-45288.patch \	58	file://CVE-2023-45288.patch \
		59	file://CVE-2024-24789.patch \
59	"	60	"
60	SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd"	61	SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd"
61		62


diff --git a/meta/recipes-devtools/go/go-1.21/CVE-2024-24789.patch b/meta/recipes-devtools/go/go-1.21/CVE-2024-24789.patch new file mode 100644 index 0000000000..2679109a0e --- /dev/null +++ b/meta/recipes-devtools/go/go-1.21/CVE-2024-24789.patch
@@ -0,0 +1,78 @@
		1	From c8e40338cf00f3c1d86c8fb23863ad67a4c72bcc Mon Sep 17 00:00:00 2001
		2	From: Damien Neil <dneil@google.com>
		3	Date: Tue, 14 May 2024 14:39:10 -0700
		4	Subject: [PATCH] [release-branch.go1.21] archive/zip: treat truncated EOCDR
		5	comment as an error
		6
		7	When scanning for an end of central directory record,
		8	treat an EOCDR signature with a record containing a truncated
		9	comment as an error. Previously, we would skip over the invalid
		10	record and look for another one. Other implementations do not
		11	do this (they either consider this a hard error, or just ignore
		12	the truncated comment). This parser misalignment allowed
		13	presenting entirely different archive contents to Go programs
		14	and other zip decoders.
		15
		16	For #66869
		17	Fixes #67553
		18
		19	Change-Id: I94e5cb028534bb5704588b8af27f1e22ea49c7c6
		20	Reviewed-on: https://go-review.googlesource.com/c/go/+/585397
		21	Reviewed-by: Joseph Tsai <joetsai@digital-static.net>
		22	Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
		23	LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
		24	(cherry picked from commit 33d725e5758bf1fea62e6c77fc70b57a828a49f5)
		25	Reviewed-on: https://go-review.googlesource.com/c/go/+/588795
		26	Reviewed-by: Matthew Dempsky <mdempsky@google.com>
		27
		28	CVE: CVE-2024-24789
		29
		30	Upstream-Status: Backport [https://github.com/golang/go/commit/c8e40338cf00f3c1d86c8fb23863ad67a4c72bcc]
		31
		32	Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
		33	---
		34	src/archive/zip/reader.go \| 8 ++++++--
		35	src/archive/zip/reader_test.go \| 8 ++++++++
		36	2 files changed, 14 insertions(+), 2 deletions(-)
		37
		38	diff --git a/src/archive/zip/reader.go b/src/archive/zip/reader.go
		39	index e40a2c6..987f543 100644
		40	--- a/src/archive/zip/reader.go
		41	+++ b/src/archive/zip/reader.go
		42	@@ -644,9 +644,13 @@ func findSignatureInBlock(b []byte) int {
		43	if b[i] == 'P' && b[i+1] == 'K' && b[i+2] == 0x05 && b[i+3] == 0x06 {
		44	// n is length of comment
		45	n := int(b[i+directoryEndLen-2]) \| int(b[i+directoryEndLen-1])<<8
		46	- if n+directoryEndLen+i <= len(b) {
		47	- return i
		48	+ if n+directoryEndLen+i > len(b) {
		49	+ // Truncated comment.
		50	+ // Some parsers (such as Info-ZIP) ignore the truncated comment
		51	+ // rather than treating it as a hard error.
		52	+ return -1
		53	}
		54	+ return i
		55	}
		56	}
		57	return -1
		58	diff --git a/src/archive/zip/reader_test.go b/src/archive/zip/reader_test.go
		59	index a549153..7ac394d 100644
		60	--- a/src/archive/zip/reader_test.go
		61	+++ b/src/archive/zip/reader_test.go
		62	@@ -487,6 +487,14 @@ var tests = []ZipTest{
		63	},
		64	},
		65	},
		66	+ // Issue 66869: Don't skip over an EOCDR with a truncated comment.
		67	+ // The test file sneakily hides a second EOCDR before the first one;
		68	+ // previously we would extract one file ("file") from this archive,
		69	+ // while most other tools would reject the file or extract a different one ("FILE").
		70	+ {
		71	+ Name: "comment-truncated.zip",
		72	+ Error: ErrFormat,
		73	+ },
		74	}
		75
		76	func TestReader(t *testing.T) {
		77	--
		78	2.40.0