Hello Steve,

I have sent a dunfell branch patch with the subject
"[OE-core][*dunfell*][PATCH] go-runtime: Security fix for CVE-2022-41722".
I am not sure why it's showing as a reply to the kirkstone patch, not as a
separate email. Please consider this patch to fix CVE-2022-41722 in dunfell.

Thanks,
Shubham

On Wed, Apr 19, 2023 at 6:03 PM Shubham Kulkarni via lists.openembedded.org
<skulkarni=mvista....@lists.openembedded.org> wrote:

> From: Shubham Kulkarni <skulka...@mvista.com>
>
> path/filepath: do not Clean("a/../c:/b") into c:\b on Windows
>
> Backport from
> https://github.com/golang/go/commit/bdf07c2e168baf736e4c057279ca12a4d674f18c
>
> Signed-off-by: Shubham Kulkarni <skulka...@mvista.com>
> ---
>  meta/recipes-devtools/go/go-1.14.inc               |   2 +
>  .../go/go-1.14/CVE-2022-41722-1.patch              |  53 +++++++++++
>  .../go/go-1.14/CVE-2022-41722-2.patch              | 104
> +++++++++++++++++++++
>  3 files changed, 159 insertions(+)
>  create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2022-41722-1.patch
>  create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2022-41722-2.patch
>
> diff --git a/meta/recipes-devtools/go/go-1.14.inc
> b/meta/recipes-devtools/go/go-1.14.inc
> index f2a5fc3..74017f4 100644
> --- a/meta/recipes-devtools/go/go-1.14.inc
> +++ b/meta/recipes-devtools/go/go-1.14.inc
> @@ -53,6 +53,8 @@ SRC_URI += "\
>      file://CVE-2022-41717.patch \
>      file://CVE-2022-1962.patch \
>      file://CVE-2022-41723.patch \
> +    file://CVE-2022-41722-1.patch \
> +    file://CVE-2022-41722-2.patch \
>  "
>
>  SRC_URI_append_libc-musl = "
> file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"
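
Review bot: The two SRC_URI entries added here pull in both CVE-2022-41722-1.patch and CVE-2022-41722-2.patch, but the commit message cites only the bdf07c2e168baf736e4c057279ca12a4d674f18c backport. The -2 patch is generated on top of -1 (its index line starts from 92dc090, the blob that -1 produces) and its own description says it reverts CL 401595, so please state in the commit message that -1 is carried as a prerequisite so that -2 applies unmodified, and cite its upstream commit 9cd1818a7d019c02fa4898b3e45a323e35033290 there as well.
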
> diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-41722-1.patch
> b/meta/recipes-devtools/go/go-1.14/CVE-2022-41722-1.patch
> new file mode 100644
> index 0000000..f5bffd7
> --- /dev/null
> +++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-41722-1.patch
> @@ -0,0 +1,53 @@
> +From 94e0c36694fb044e81381d112fef3692de7cdf52 Mon Sep 17 00:00:00 2001
> +From: Yasuhiro Matsumoto <mattn...@gmail.com>
> +Date: Fri, 22 Apr 2022 10:07:51 +0900
> +Subject: [PATCH 1/2] path/filepath: do not remove prefix "." when
> following
> + path contains ":".
> +
> +Fixes #52476
> +
> +Change-Id: I9eb72ac7dbccd6322d060291f31831dc389eb9bb
> +Reviewed-on: https://go-review.googlesource.com/c/go/+/401595
> +Auto-Submit: Ian Lance Taylor <i...@google.com>
> +Reviewed-by: Alex Brainman <alex.brain...@gmail.com>
> +Run-TryBot: Ian Lance Taylor <i...@google.com>
> +Reviewed-by: Ian Lance Taylor <i...@google.com>
> +Reviewed-by: Damien Neil <dn...@google.com>
> +TryBot-Result: Gopher Robot <go...@golang.org>
> +
> +Upstream-Status: Backport from
> https://github.com/golang/go/commit/9cd1818a7d019c02fa4898b3e45a323e35033290
> +CVE: CVE-2022-41722
> +Signed-off-by: Shubham Kulkarni <skulka...@mvista.com>
> +---
> + src/path/filepath/path.go | 14 +++++++++++++-
> + 1 file changed, 13 insertions(+), 1 deletion(-)
> +
> +diff --git a/src/path/filepath/path.go b/src/path/filepath/path.go
> +index 26f1833..92dc090 100644
> +--- a/src/path/filepath/path.go
> ++++ b/src/path/filepath/path.go
> +@@ -116,9 +116,21 @@ func Clean(path string) string {
> +               case os.IsPathSeparator(path[r]):
> +                       // empty path element
> +                       r++
> +-              case path[r] == '.' && (r+1 == n ||
> os.IsPathSeparator(path[r+1])):
> ++              case path[r] == '.' && r+1 == n:
> +                       // . element
> +                       r++
> ++              case path[r] == '.' && os.IsPathSeparator(path[r+1]):
> ++                      // ./ element
> ++                      r++
> ++
> ++                      for r < len(path) && os.IsPathSeparator(path[r]) {
> ++                              r++
> ++                      }
> ++                      if out.w == 0 && volumeNameLen(path[r:]) > 0 {
> ++                              // When joining prefix "." and an absolute
> path on Windows,
> ++                              // the prefix should not be removed.
> ++                              out.append('.')
> ++                      }
> +               case path[r] == '.' && path[r+1] == '.' && (r+2 == n ||
> os.IsPathSeparator(path[r+2])):
> +                       // .. element: remove to last separator
> +                       r += 2
> +--
> +2.7.4
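
Review bot: The "CVE: CVE-2022-41722" tag in this patch header is not backed by the upstream message it wraps, which only says "Fixes #52476"; the change that states "Fixes CVE-2022-41722" is the second patch. The "./ element" case added to Clean here is also removed again by that second patch, so this file contributes no code to the final tree. Suggest adding a line to the header saying this is a dependent patch for CVE-2022-41722-2.patch, so anyone auditing CVE tags later does not read it as part of the fix.
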
> diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-41722-2.patch
> b/meta/recipes-devtools/go/go-1.14/CVE-2022-41722-2.patch
> new file mode 100644
> index 0000000..e1f7a55
> --- /dev/null
> +++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-41722-2.patch
> @@ -0,0 +1,104 @@
> +From b8803cb711ae163b8e67897deb6cf8c49702227c Mon Sep 17 00:00:00 2001
> +From: Damien Neil <dn...@google.com>
> +Date: Mon, 12 Dec 2022 16:43:37 -0800
> +Subject: [PATCH 2/2] path/filepath: do not Clean("a/../c:/b") into c:\b on
> + Windows
> +
> +Do not permit Clean to convert a relative path into one starting
> +with a drive reference. This change causes Clean to insert a .
> +path element at the start of a path when the original path does not
> +start with a volume name, and the first path element would contain
> +a colon.
> +
> +This may introduce a spurious but harmless . path element under
> +some circumstances. For example, Clean("a/../b:/../c") becomes `.\c`.
> +
> +This reverts CL 401595, since the change here supersedes the one
> +in that CL.
> +
> +Thanks to RyotaK (https://twitter.com/ryotkak) for reporting this issue.
> +
> +Updates #57274
> +Fixes #57276
> +Fixes CVE-2022-41722
> +
> +Change-Id: I837446285a03aa74c79d7642720e01f354c2ca17
> +Reviewed-on:
> https://team-review.git.corp.google.com/c/golang/go-private/+/1675249
> +Reviewed-by
> <https://team-review.git.corp.google.com/c/golang/go-private/+/1675249+Reviewed-by>:
> Roland Shoemaker <bracew...@google.com>
> +Run-TryBot: Damien Neil <dn...@google.com>
> +Reviewed-by: Julie Qiu <julie...@google.com>
> +TryBot-Result: Security TryBots <
> security-tryb...@go-security-trybots.iam.gserviceaccount.com>
> +(cherry picked from commit 8ca37f4813ef2f64600c92b83f17c9f3ca6c03a5)
> +Reviewed-on:
> https://team-review.git.corp.google.com/c/golang/go-private/+/1728944
> +Run-TryBot
> <https://team-review.git.corp.google.com/c/golang/go-private/+/1728944+Run-TryBot>:
> Roland Shoemaker <bracew...@google.com>
> +Reviewed-by: Tatiana Bradley <tatianabrad...@google.com>
> +Reviewed-by: Damien Neil <dn...@google.com>
> +Reviewed-on: https://go-review.googlesource.com/c/go/+/468119
> +Reviewed-by: Than McIntosh <th...@google.com>
> +Run-TryBot: Michael Pratt <mpr...@google.com>
> +TryBot-Result: Gopher Robot <go...@golang.org>
> +Auto-Submit: Michael Pratt <mpr...@google.com>
> +
> +Upstream-Status: Backport from
> https://github.com/golang/go/commit/bdf07c2e168baf736e4c057279ca12a4d674f18c
> +CVE: CVE-2022-41722
> +Signed-off-by: Shubham Kulkarni <skulka...@mvista.com>
> +---
> + src/path/filepath/path.go | 27 ++++++++++++++-------------
> + 1 file changed, 14 insertions(+), 13 deletions(-)
> +
> +diff --git a/src/path/filepath/path.go b/src/path/filepath/path.go
> +index 92dc090..f0f095e 100644
> +--- a/src/path/filepath/path.go
> ++++ b/src/path/filepath/path.go
> +@@ -14,6 +14,7 @@ package filepath
> + import (
> +       "errors"
> +       "os"
> ++      "runtime"
> +       "sort"
> +       "strings"
> + )
> +@@ -116,21 +117,9 @@ func Clean(path string) string {
> +               case os.IsPathSeparator(path[r]):
> +                       // empty path element
> +                       r++
> +-              case path[r] == '.' && r+1 == n:
> ++              case path[r] == '.' && (r+1 == n ||
> os.IsPathSeparator(path[r+1])):
> +                       // . element
> +                       r++
> +-              case path[r] == '.' && os.IsPathSeparator(path[r+1]):
> +-                      // ./ element
> +-                      r++
> +-
> +-                      for r < len(path) && os.IsPathSeparator(path[r]) {
> +-                              r++
> +-                      }
> +-                      if out.w == 0 && volumeNameLen(path[r:]) > 0 {
> +-                              // When joining prefix "." and an absolute
> path on Windows,
> +-                              // the prefix should not be removed.
> +-                              out.append('.')
> +-                      }
> +               case path[r] == '.' && path[r+1] == '.' && (r+2 == n ||
> os.IsPathSeparator(path[r+2])):
> +                       // .. element: remove to last separator
> +                       r += 2
> +@@ -156,6 +145,18 @@ func Clean(path string) string {
> +                       if rooted && out.w != 1 || !rooted && out.w != 0 {
> +                               out.append(Separator)
> +                       }
> ++                      // If a ':' appears in the path element at the
> start of a Windows path,
> ++                      // insert a .\ at the beginning to avoid
> converting relative paths
> ++                      // like a/../c: into c:.
> ++                      if runtime.GOOS == "windows" && out.w == 0 &&
> out.volLen == 0 && r != 0 {
> ++                              for i := r; i < n &&
> !os.IsPathSeparator(path[i]); i++ {
> ++                                      if path[i] == ':' {
> ++                                              out.append('.')
> ++                                              out.append(Separator)
> ++                                              break
> ++                                      }
> ++                              }
> ++                      }
> +                       // copy element
> +                       for ; r < n && !os.IsPathSeparator(path[r]); r++ {
> +                               out.append(path[r])
> +--
> +2.7.4
> --
> 2.7.4
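
Review bot: In the embedded hunk at "@@ -156,6 +145,18 @@", the new colon check is guarded by runtime.GOOS == "windows", so Clean's output is unchanged by this hunk on any non-Windows build of this Go 1.14 runtime; the commit message should say that, so it is clear which builds the backport actually changes. The diffstat also lists only src/path/filepath/path.go, so no test case for Clean("a/../c:/b") or for the Clean("a/../b:/../c") example from the description is carried; if the upstream commit has test changes that apply to 1.14, consider including them, or note in the header that they were dropped.
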