Re: [OE-core][kirkstone][PATCH] go-runtime: Security fix for CVE-2022-41722

Tue, 18 Apr 2023 22:55:36 -0700 

Thank you Steve! Apologies for the inconvenience caused. I will take care
next time.

Thanks,
Shubham

On Tue, Apr 18, 2023 at 8:04 PM Steve Sakoman <st...@sakoman.com> wrote:

> There were a couple of issues with this patch.  I've fixed both so no
> need to resubmit, but in the future please be sure to check the
> following:
>
> 1. Patch should be based on the latest kirkstone head -- you were
> using an earlier state which was missing "go: fix CVE-2022-41724,
> 41725" so the patch didn't apply.
> 2. CVE patch files should have a CVE: tag in addition to the
> Upstream-status: and Signed-off-by: tags
>
> Thanks for helping fix CVEs!
>
> Steve
>
> On Tue, Apr 18, 2023 at 1:54 AM Shubham Kulkarni <skulka...@mvista.com>
> wrote:
> >
> > From: Shubham Kulkarni <skulka...@mvista.com>
> >
> > path/filepath: do not Clean("a/../c:/b") into c:\b on Windows
> >
> > Backport from
> https://github.com/golang/go/commit/bdf07c2e168baf736e4c057279ca12a4d674f18c
> >
> > Signed-off-by: Shubham Kulkarni <skulka...@mvista.com>
> > ---
> >  meta/recipes-devtools/go/go-1.17.13.inc       |   1 +
> >  .../go/go-1.18/CVE-2022-41722.patch           | 102 ++++++++++++++++++
> >  2 files changed, 103 insertions(+)
> >  create mode 100644 meta/recipes-devtools/go/go-1.18/CVE-2022-41722.patch
> >
> > diff --git a/meta/recipes-devtools/go/go-1.17.13.inc
> b/meta/recipes-devtools/go/go-1.17.13.inc
> > index 14d58932dc..d104e34408 100644
> > --- a/meta/recipes-devtools/go/go-1.17.13.inc
> > +++ b/meta/recipes-devtools/go/go-1.17.13.inc
> > @@ -23,6 +23,7 @@ SRC_URI += "\
> >      file://CVE-2022-2879.patch \
> >      file://CVE-2022-41720.patch \
> >      file://CVE-2022-41723.patch \
> > +    file://CVE-2022-41722.patch \
> >  "
> >  SRC_URI[main.sha256sum] =
> "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd"
> >
> > diff --git a/meta/recipes-devtools/go/go-1.18/CVE-2022-41722.patch
> b/meta/recipes-devtools/go/go-1.18/CVE-2022-41722.patch
> > new file mode 100644
> > index 0000000000..447c3d45bd
> > --- /dev/null
> > +++ b/meta/recipes-devtools/go/go-1.18/CVE-2022-41722.patch
> > @@ -0,0 +1,102 @@
> > +From a826b19625caebed6dd0f3fbd9d0111f6c83737c Mon Sep 17 00:00:00 2001
> > +From: Damien Neil <dn...@google.com>
> > +Date: Mon, 12 Dec 2022 16:43:37 -0800
> > +Subject: [PATCH] path/filepath: do not Clean("a/../c:/b") into c:\b on
> Windows
> > +
> > +Do not permit Clean to convert a relative path into one starting
> > +with a drive reference. This change causes Clean to insert a .
> > +path element at the start of a path when the original path does not
> > +start with a volume name, and the first path element would contain
> > +a colon.
> > +
> > +This may introduce a spurious but harmless . path element under
> > +some circumstances. For example, Clean("a/../b:/../c") becomes `.\c`.
> > +
> > +This reverts CL 401595, since the change here supersedes the one
> > +in that CL.
> > +
> > +Thanks to RyotaK (https://twitter.com/ryotkak) for reporting this
> issue.
> > +
> > +Updates #57274
> > +Fixes #57276
> > +Fixes CVE-2022-41722
> > +
> > +Change-Id: I837446285a03aa74c79d7642720e01f354c2ca17
> > +Reviewed-on:
> https://team-review.git.corp.google.com/c/golang/go-private/+/1675249
> > +Reviewed-by: Roland Shoemaker <bracew...@google.com>
> > +Run-TryBot: Damien Neil <dn...@google.com>
> > +Reviewed-by: Julie Qiu <julie...@google.com>
> > +TryBot-Result: Security TryBots <
> security-tryb...@go-security-trybots.iam.gserviceaccount.com>
> > +(cherry picked from commit 8ca37f4813ef2f64600c92b83f17c9f3ca6c03a5)
> > +Reviewed-on:
> https://team-review.git.corp.google.com/c/golang/go-private/+/1728944
> > +Run-TryBot: Roland Shoemaker <bracew...@google.com>
> > +Reviewed-by: Tatiana Bradley <tatianabrad...@google.com>
> > +Reviewed-by: Damien Neil <dn...@google.com>
> > +Reviewed-on: https://go-review.googlesource.com/c/go/+/468119
> > +Reviewed-by: Than McIntosh <th...@google.com>
> > +Run-TryBot: Michael Pratt <mpr...@google.com>
> > +TryBot-Result: Gopher Robot <go...@golang.org>
> > +Auto-Submit: Michael Pratt <mpr...@google.com>
> > +
> > +Upstream-Status: Backport from
> https://github.com/golang/go/commit/bdf07c2e168baf736e4c057279ca12a4d674f18
> > +Signed-off-by: Shubham Kulkarni <skulka...@mvista.com>
> > +---
> > + src/path/filepath/path.go | 27 ++++++++++++++-------------
> > + 1 file changed, 14 insertions(+), 13 deletions(-)
> > +
> > +diff --git a/src/path/filepath/path.go b/src/path/filepath/path.go
> > +index 8300a32..94621a0 100644
> > +--- a/src/path/filepath/path.go
> > ++++ b/src/path/filepath/path.go
> > +@@ -15,6 +15,7 @@ import (
> > +       "errors"
> > +       "io/fs"
> > +       "os"
> > ++      "runtime"
> > +       "sort"
> > +       "strings"
> > + )
> > +@@ -117,21 +118,9 @@ func Clean(path string) string {
> > +               case os.IsPathSeparator(path[r]):
> > +                       // empty path element
> > +                       r++
> > +-              case path[r] == '.' && r+1 == n:
> > ++              case path[r] == '.' && (r+1 == n ||
> os.IsPathSeparator(path[r+1])):
> > +                       // . element
> > +                       r++
> > +-              case path[r] == '.' && os.IsPathSeparator(path[r+1]):
> > +-                      // ./ element
> > +-                      r++
> > +-
> > +-                      for r < len(path) && os.IsPathSeparator(path[r])
> {
> > +-                              r++
> > +-                      }
> > +-                      if out.w == 0 && volumeNameLen(path[r:]) > 0 {
> > +-                              // When joining prefix "." and an
> absolute path on Windows,
> > +-                              // the prefix should not be removed.
> > +-                              out.append('.')
> > +-                      }
> > +               case path[r] == '.' && path[r+1] == '.' && (r+2 == n ||
> os.IsPathSeparator(path[r+2])):
> > +                       // .. element: remove to last separator
> > +                       r += 2
> > +@@ -157,6 +146,18 @@ func Clean(path string) string {
> > +                       if rooted && out.w != 1 || !rooted && out.w != 0
> {
> > +                               out.append(Separator)
> > +                       }
> > ++                      // If a ':' appears in the path element at the
> start of a Windows path,
> > ++                      // insert a .\ at the beginning to avoid
> converting relative paths
> > ++                      // like a/../c: into c:.
> > ++                      if runtime.GOOS == "windows" && out.w == 0 &&
> out.volLen == 0 && r != 0 {
> > ++                              for i := r; i < n &&
> !os.IsPathSeparator(path[i]); i++ {
> > ++                                      if path[i] == ':' {
> > ++                                              out.append('.')
> > ++                                              out.append(Separator)
> > ++                                              break
> > ++                                      }
> > ++                              }
> > ++                      }
> > +                       // copy element
> > +                       for ; r < n && !os.IsPathSeparator(path[r]); r++
> {
> > +                               out.append(path[r])
> > +--
> > +2.7.4
> > --
> > 2.33.0
> >
> >
> > 
> >
>

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#180210): 
https://lists.openembedded.org/g/openembedded-core/message/180210
Mute This Topic: https://lists.openembedded.org/mt/98341957/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to