From: Soumya Sambu <soumya.sa...@windriver.com>

The archive/zip package's handling of certain types of invalid zip files
differs from the behavior of most zip implementations. This misalignment
could be exploited to create a zip file with contents that vary depending
on the implementation reading the file. The archive/zip package now rejects
files containing these errors.

References:
https://nvd.nist.gov/vuln/detail/CVE-2024-24789

Upstream-patch:
https://github.com/golang/go/commit/c8e40338cf00f3c1d86c8fb23863ad67a4c72bcc

Signed-off-by: Soumya Sambu <soumya.sa...@windriver.com>
Signed-off-by: Steve Sakoman <st...@sakoman.com>
---
 meta/recipes-devtools/go/go-1.17.13.inc       |  1 +
 .../go/go-1.21/CVE-2024-24789.patch           | 78 +++++++++++++++++++
 2 files changed, 79 insertions(+)
 create mode 100644 meta/recipes-devtools/go/go-1.21/CVE-2024-24789.patch

diff --git a/meta/recipes-devtools/go/go-1.17.13.inc b/meta/recipes-devtools/go/go-1.17.13.inc
index 95fb572362..e83c4dfa80 100644
--- a/meta/recipes-devtools/go/go-1.17.13.inc
+++ b/meta/recipes-devtools/go/go-1.17.13.inc
@@ -56,6 +56,7 @@ SRC_URI += "\
     file://CVE-2024-24784.patch \
     file://CVE-2024-24785.patch \
     file://CVE-2023-45288.patch \
+    file://CVE-2024-24789.patch \
 "
 SRC_URI[main.sha256sum] = 
"a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd"
 
diff --git a/meta/recipes-devtools/go/go-1.21/CVE-2024-24789.patch b/meta/recipes-devtools/go/go-1.21/CVE-2024-24789.patch
new file mode 100644
index 0000000000..2679109a0e
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.21/CVE-2024-24789.patch
@@ -0,0 +1,78 @@
+From c8e40338cf00f3c1d86c8fb23863ad67a4c72bcc Mon Sep 17 00:00:00 2001
+From: Damien Neil <dn...@google.com>
+Date: Tue, 14 May 2024 14:39:10 -0700
+Subject: [PATCH] [release-branch.go1.21] archive/zip: treat truncated EOCDR
+ comment as an error
+
+When scanning for an end of central directory record,
+treat an EOCDR signature with a record containing a truncated
+comment as an error. Previously, we would skip over the invalid
+record and look for another one. Other implementations do not
+do this (they either consider this a hard error, or just ignore
+the truncated comment). This parser misalignment allowed
+presenting entirely different archive contents to Go programs
+and other zip decoders.
+
+For #66869
+Fixes #67553
+
+Change-Id: I94e5cb028534bb5704588b8af27f1e22ea49c7c6
+Reviewed-on: https://go-review.googlesource.com/c/go/+/585397
+Reviewed-by: Joseph Tsai <joet...@digital-static.net>
+Reviewed-by: Dmitri Shuralyov <dmits...@google.com>
+LUCI-TryBot-Result: Go LUCI 
<golang-sco...@luci-project-accounts.iam.gserviceaccount.com>
+(cherry picked from commit 33d725e5758bf1fea62e6c77fc70b57a828a49f5)
+Reviewed-on: https://go-review.googlesource.com/c/go/+/588795
+Reviewed-by: Matthew Dempsky <mdemp...@google.com>
+
+CVE: CVE-2024-24789
+
+Upstream-Status: Backport 
[https://github.com/golang/go/commit/c8e40338cf00f3c1d86c8fb23863ad67a4c72bcc]
+
+Signed-off-by: Soumya Sambu <soumya.sa...@windriver.com>
+---
+ src/archive/zip/reader.go      | 8 ++++++--
+ src/archive/zip/reader_test.go | 8 ++++++++
+ 2 files changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/src/archive/zip/reader.go b/src/archive/zip/reader.go
+index e40a2c6..987f543 100644
+--- a/src/archive/zip/reader.go
++++ b/src/archive/zip/reader.go
+@@ -644,9 +644,13 @@ func findSignatureInBlock(b []byte) int {
+               if b[i] == 'P' && b[i+1] == 'K' && b[i+2] == 0x05 && b[i+3] == 
0x06 {
+                       // n is length of comment
+                       n := int(b[i+directoryEndLen-2]) | 
int(b[i+directoryEndLen-1])<<8
+-                      if n+directoryEndLen+i <= len(b) {
+-                              return i
++                      if n+directoryEndLen+i > len(b) {
++                              // Truncated comment.
++                              // Some parsers (such as Info-ZIP) ignore the 
truncated comment
++                              // rather than treating it as a hard error.
++                              return -1
+                       }
++                      return i
+               }
+       }
+       return -1
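Review bot: the logic change itself is right (returning -1 as soon as a record's comment length would run past the end of the block stops the backwards scan instead of continuing to an earlier, possibly hidden, EOCDR), but this is the go1.21 release-branch hunk (`index e40a2c6..987f543`, context at line 644) being applied to go 1.17.13 sources; please confirm it applies without fuzz against 1.17.13's reader.go, or regenerate the hunk against that tree, so the backport does not silently depend on patch fuzz.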
+diff --git a/src/archive/zip/reader_test.go b/src/archive/zip/reader_test.go
+index a549153..7ac394d 100644
+--- a/src/archive/zip/reader_test.go
++++ b/src/archive/zip/reader_test.go
+@@ -487,6 +487,14 @@ var tests = []ZipTest{
+                       },
+               },
+       },
++      // Issue 66869: Don't skip over an EOCDR with a truncated comment.
++      // The test file sneakily hides a second EOCDR before the first one;
++      // previously we would extract one file ("file") from this archive,
++      // while most other tools would reject the file or extract a different 
one ("FILE").
++      {
++              Name:  "comment-truncated.zip",
++              Error: ErrFormat,
++      },
+ }
+
+ func TestReader(t *testing.T) {
+--
+2.40.0
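Review bot: the added ZipTest entry names `comment-truncated.zip`, yet the inner diffstat (`2 files changed, 14 insertions(+), 2 deletions(-)`) adds no testdata file; the upstream commit ships that archive as a binary fixture under src/archive/zip/testdata, and without it TestReader will fail when it tries to open the file. Either include the fixture (for example by regenerating the patch with `git format-patch --binary`) or drop the test entry from the backport and note that in the patch header.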
-- 
2.34.1
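Added example, not part of this patch or of Go's own test suite: a stand-alone port of the scan this fix changes, with a `strict` flag selecting pre-fix or patched behaviour, run over a constructed trailer of the shape the upstream test describes (a second EOCDR hidden behind one whose comment is truncated). The helper names `eocdr` and `trailerWithHiddenEOCDR` and the `strict` parameter are mine.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// Fixed size of an end of central directory record (EOCDR) before its comment.
const directoryEndLen = 22

// findSignatureInBlock scans b backwards for an EOCDR signature (PK\x05\x06) like
// the archive/zip helper. strict=false is the pre-fix behaviour (skip a record whose
// comment overruns b and keep looking); strict=true is the patched behaviour (-1).
func findSignatureInBlock(b []byte, strict bool) int {
	for i := len(b) - directoryEndLen; i >= 0; i-- {
		if b[i] == 'P' && b[i+1] == 'K' && b[i+2] == 0x05 && b[i+3] == 0x06 {
			// n is the comment length stored in the last two bytes of the record
			n := int(binary.LittleEndian.Uint16(b[i+directoryEndLen-2:]))
			if n+directoryEndLen+i > len(b) {
				if strict {
					return -1 // truncated comment: the reader reports ErrFormat
				}
				continue // old behaviour: keep scanning for an earlier record
			}
			return i
		}
	}
	return -1
}

// eocdr builds a constructed minimal EOCDR; only the signature and the comment
// length field matter for the scan, so every other field stays zero.
func eocdr(commentLen uint16) []byte {
	rec := make([]byte, directoryEndLen)
	copy(rec, "PK\x05\x06")
	binary.LittleEndian.PutUint16(rec[directoryEndLen-2:], commentLen)
	return rec
}

// trailerWithHiddenEOCDR has the shape the upstream test describes: a second EOCDR
// hidden before the last one, whose comment length (8) exceeds the 2 bytes present.
func trailerWithHiddenEOCDR() []byte {
	return append(append(eocdr(0), eocdr(8)...), 'a', 'b')
}

func main() {
	b := trailerWithHiddenEOCDR()
	fmt.Println("pre-fix offset:", findSignatureInBlock(b, false)) // 0: the hidden record
	fmt.Println("patched offset:", findSignatureInBlock(b, true))  // -1: rejected
}
```

The pre-fix scan lands on the earlier record at offset 0, which is the archive a Go program would have read while other tools rejected the file or read the later one; the patched scan refuses the archive outright.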

View/Reply Online (#202952): https://lists.openembedded.org/g/openembedded-core/message/202952