* [OE-core][kirkstone][PATCH] go-runtime: Security fix for CVE-2022-41722
@ 2023-04-18 11:54 skulkarni
2023-04-18 14:34 ` Steve Sakoman
0 siblings, 1 reply; 3+ messages in thread
From: skulkarni @ 2023-04-18 11:54 UTC (permalink / raw)
To: openembedded-core; +Cc: Shubham Kulkarni
From: Shubham Kulkarni <skulkarni@mvista.com>
path/filepath: do not Clean("a/../c:/b") into c:\b on Windows
Backport from https://github.com/golang/go/commit/bdf07c2e168baf736e4c057279ca12a4d674f18c
Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
---
meta/recipes-devtools/go/go-1.17.13.inc | 1 +
.../go/go-1.18/CVE-2022-41722.patch | 102 ++++++++++++++++++
2 files changed, 103 insertions(+)
create mode 100644 meta/recipes-devtools/go/go-1.18/CVE-2022-41722.patch
diff --git a/meta/recipes-devtools/go/go-1.17.13.inc b/meta/recipes-devtools/go/go-1.17.13.inc
index 14d58932dc..d104e34408 100644
--- a/meta/recipes-devtools/go/go-1.17.13.inc
+++ b/meta/recipes-devtools/go/go-1.17.13.inc
@@ -23,6 +23,7 @@ SRC_URI += "\
file://CVE-2022-2879.patch \
file://CVE-2022-41720.patch \
file://CVE-2022-41723.patch \
+ file://CVE-2022-41722.patch \
"
SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd"
diff --git a/meta/recipes-devtools/go/go-1.18/CVE-2022-41722.patch b/meta/recipes-devtools/go/go-1.18/CVE-2022-41722.patch
new file mode 100644
index 0000000000..447c3d45bd
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.18/CVE-2022-41722.patch
@@ -0,0 +1,102 @@
+From a826b19625caebed6dd0f3fbd9d0111f6c83737c Mon Sep 17 00:00:00 2001
+From: Damien Neil <dneil@google.com>
+Date: Mon, 12 Dec 2022 16:43:37 -0800
+Subject: [PATCH] path/filepath: do not Clean("a/../c:/b") into c:\b on Windows
+
+Do not permit Clean to convert a relative path into one starting
+with a drive reference. This change causes Clean to insert a .
+path element at the start of a path when the original path does not
+start with a volume name, and the first path element would contain
+a colon.
+
+This may introduce a spurious but harmless . path element under
+some circumstances. For example, Clean("a/../b:/../c") becomes `.\c`.
+
+This reverts CL 401595, since the change here supersedes the one
+in that CL.
+
+Thanks to RyotaK (https://twitter.com/ryotkak) for reporting this issue.
+
+Updates #57274
+Fixes #57276
+Fixes CVE-2022-41722
+
+Change-Id: I837446285a03aa74c79d7642720e01f354c2ca17
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1675249
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+Run-TryBot: Damien Neil <dneil@google.com>
+Reviewed-by: Julie Qiu <julieqiu@google.com>
+TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
+(cherry picked from commit 8ca37f4813ef2f64600c92b83f17c9f3ca6c03a5)
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1728944
+Run-TryBot: Roland Shoemaker <bracewell@google.com>
+Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/468119
+Reviewed-by: Than McIntosh <thanm@google.com>
+Run-TryBot: Michael Pratt <mpratt@google.com>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Auto-Submit: Michael Pratt <mpratt@google.com>
+
+Upstream-Status: Backport from https://github.com/golang/go/commit/bdf07c2e168baf736e4c057279ca12a4d674f18
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ src/path/filepath/path.go | 27 ++++++++++++++-------------
+ 1 file changed, 14 insertions(+), 13 deletions(-)
+
+diff --git a/src/path/filepath/path.go b/src/path/filepath/path.go
+index 8300a32..94621a0 100644
+--- a/src/path/filepath/path.go
++++ b/src/path/filepath/path.go
+@@ -15,6 +15,7 @@ import (
+ "errors"
+ "io/fs"
+ "os"
++ "runtime"
+ "sort"
+ "strings"
+ )
+@@ -117,21 +118,9 @@ func Clean(path string) string {
+ case os.IsPathSeparator(path[r]):
+ // empty path element
+ r++
+- case path[r] == '.' && r+1 == n:
++ case path[r] == '.' && (r+1 == n || os.IsPathSeparator(path[r+1])):
+ // . element
+ r++
+- case path[r] == '.' && os.IsPathSeparator(path[r+1]):
+- // ./ element
+- r++
+-
+- for r < len(path) && os.IsPathSeparator(path[r]) {
+- r++
+- }
+- if out.w == 0 && volumeNameLen(path[r:]) > 0 {
+- // When joining prefix "." and an absolute path on Windows,
+- // the prefix should not be removed.
+- out.append('.')
+- }
+ case path[r] == '.' && path[r+1] == '.' && (r+2 == n || os.IsPathSeparator(path[r+2])):
+ // .. element: remove to last separator
+ r += 2
+@@ -157,6 +146,18 @@ func Clean(path string) string {
+ if rooted && out.w != 1 || !rooted && out.w != 0 {
+ out.append(Separator)
+ }
++ // If a ':' appears in the path element at the start of a Windows path,
++ // insert a .\ at the beginning to avoid converting relative paths
++ // like a/../c: into c:.
++ if runtime.GOOS == "windows" && out.w == 0 && out.volLen == 0 && r != 0 {
++ for i := r; i < n && !os.IsPathSeparator(path[i]); i++ {
++ if path[i] == ':' {
++ out.append('.')
++ out.append(Separator)
++ break
++ }
++ }
++ }
+ // copy element
+ for ; r < n && !os.IsPathSeparator(path[r]); r++ {
+ out.append(path[r])
+--
+2.7.4
--
2.33.0
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [OE-core][kirkstone][PATCH] go-runtime: Security fix for CVE-2022-41722
2023-04-18 11:54 [OE-core][kirkstone][PATCH] go-runtime: Security fix for CVE-2022-41722 skulkarni
@ 2023-04-18 14:34 ` Steve Sakoman
2023-04-19 5:55 ` Shubham Kulkarni
0 siblings, 1 reply; 3+ messages in thread
From: Steve Sakoman @ 2023-04-18 14:34 UTC (permalink / raw)
To: Shubham Kulkarni; +Cc: openembedded-core
There were a couple of issues with this patch. I've fixed both so no
need to resubmit, but in the future please be sure to check the
following:
1. Patch should be based on the latest kirkstone head -- you were
using an earlier state which was missing "go: fix CVE-2022-41724,
41725" so the patch didn't apply.
2. CVE patch files should have a CVE: tag in addition to the
Upstream-status: and Signed-off-by: tags
Thanks for helping fix CVEs!
Steve
On Tue, Apr 18, 2023 at 1:54 AM Shubham Kulkarni <skulkarni@mvista.com> wrote:
>
> From: Shubham Kulkarni <skulkarni@mvista.com>
>
> path/filepath: do not Clean("a/../c:/b") into c:\b on Windows
>
> Backport from https://github.com/golang/go/commit/bdf07c2e168baf736e4c057279ca12a4d674f18c
>
> Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
> ---
> meta/recipes-devtools/go/go-1.17.13.inc | 1 +
> .../go/go-1.18/CVE-2022-41722.patch | 102 ++++++++++++++++++
> 2 files changed, 103 insertions(+)
> create mode 100644 meta/recipes-devtools/go/go-1.18/CVE-2022-41722.patch
>
> diff --git a/meta/recipes-devtools/go/go-1.17.13.inc b/meta/recipes-devtools/go/go-1.17.13.inc
> index 14d58932dc..d104e34408 100644
> --- a/meta/recipes-devtools/go/go-1.17.13.inc
> +++ b/meta/recipes-devtools/go/go-1.17.13.inc
> @@ -23,6 +23,7 @@ SRC_URI += "\
> file://CVE-2022-2879.patch \
> file://CVE-2022-41720.patch \
> file://CVE-2022-41723.patch \
> + file://CVE-2022-41722.patch \
> "
> SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd"
>
> diff --git a/meta/recipes-devtools/go/go-1.18/CVE-2022-41722.patch b/meta/recipes-devtools/go/go-1.18/CVE-2022-41722.patch
> new file mode 100644
> index 0000000000..447c3d45bd
> --- /dev/null
> +++ b/meta/recipes-devtools/go/go-1.18/CVE-2022-41722.patch
> @@ -0,0 +1,102 @@
> +From a826b19625caebed6dd0f3fbd9d0111f6c83737c Mon Sep 17 00:00:00 2001
> +From: Damien Neil <dneil@google.com>
> +Date: Mon, 12 Dec 2022 16:43:37 -0800
> +Subject: [PATCH] path/filepath: do not Clean("a/../c:/b") into c:\b on Windows
> +
> +Do not permit Clean to convert a relative path into one starting
> +with a drive reference. This change causes Clean to insert a .
> +path element at the start of a path when the original path does not
> +start with a volume name, and the first path element would contain
> +a colon.
> +
> +This may introduce a spurious but harmless . path element under
> +some circumstances. For example, Clean("a/../b:/../c") becomes `.\c`.
> +
> +This reverts CL 401595, since the change here supersedes the one
> +in that CL.
> +
> +Thanks to RyotaK (https://twitter.com/ryotkak) for reporting this issue.
> +
> +Updates #57274
> +Fixes #57276
> +Fixes CVE-2022-41722
> +
> +Change-Id: I837446285a03aa74c79d7642720e01f354c2ca17
> +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1675249
> +Reviewed-by: Roland Shoemaker <bracewell@google.com>
> +Run-TryBot: Damien Neil <dneil@google.com>
> +Reviewed-by: Julie Qiu <julieqiu@google.com>
> +TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
> +(cherry picked from commit 8ca37f4813ef2f64600c92b83f17c9f3ca6c03a5)
> +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1728944
> +Run-TryBot: Roland Shoemaker <bracewell@google.com>
> +Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
> +Reviewed-by: Damien Neil <dneil@google.com>
> +Reviewed-on: https://go-review.googlesource.com/c/go/+/468119
> +Reviewed-by: Than McIntosh <thanm@google.com>
> +Run-TryBot: Michael Pratt <mpratt@google.com>
> +TryBot-Result: Gopher Robot <gobot@golang.org>
> +Auto-Submit: Michael Pratt <mpratt@google.com>
> +
> +Upstream-Status: Backport from https://github.com/golang/go/commit/bdf07c2e168baf736e4c057279ca12a4d674f18
> +Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
> +---
> + src/path/filepath/path.go | 27 ++++++++++++++-------------
> + 1 file changed, 14 insertions(+), 13 deletions(-)
> +
> +diff --git a/src/path/filepath/path.go b/src/path/filepath/path.go
> +index 8300a32..94621a0 100644
> +--- a/src/path/filepath/path.go
> ++++ b/src/path/filepath/path.go
> +@@ -15,6 +15,7 @@ import (
> + "errors"
> + "io/fs"
> + "os"
> ++ "runtime"
> + "sort"
> + "strings"
> + )
> +@@ -117,21 +118,9 @@ func Clean(path string) string {
> + case os.IsPathSeparator(path[r]):
> + // empty path element
> + r++
> +- case path[r] == '.' && r+1 == n:
> ++ case path[r] == '.' && (r+1 == n || os.IsPathSeparator(path[r+1])):
> + // . element
> + r++
> +- case path[r] == '.' && os.IsPathSeparator(path[r+1]):
> +- // ./ element
> +- r++
> +-
> +- for r < len(path) && os.IsPathSeparator(path[r]) {
> +- r++
> +- }
> +- if out.w == 0 && volumeNameLen(path[r:]) > 0 {
> +- // When joining prefix "." and an absolute path on Windows,
> +- // the prefix should not be removed.
> +- out.append('.')
> +- }
> + case path[r] == '.' && path[r+1] == '.' && (r+2 == n || os.IsPathSeparator(path[r+2])):
> + // .. element: remove to last separator
> + r += 2
> +@@ -157,6 +146,18 @@ func Clean(path string) string {
> + if rooted && out.w != 1 || !rooted && out.w != 0 {
> + out.append(Separator)
> + }
> ++ // If a ':' appears in the path element at the start of a Windows path,
> ++ // insert a .\ at the beginning to avoid converting relative paths
> ++ // like a/../c: into c:.
> ++ if runtime.GOOS == "windows" && out.w == 0 && out.volLen == 0 && r != 0 {
> ++ for i := r; i < n && !os.IsPathSeparator(path[i]); i++ {
> ++ if path[i] == ':' {
> ++ out.append('.')
> ++ out.append(Separator)
> ++ break
> ++ }
> ++ }
> ++ }
> + // copy element
> + for ; r < n && !os.IsPathSeparator(path[r]); r++ {
> + out.append(path[r])
> +--
> +2.7.4
> --
> 2.33.0
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#180187): https://lists.openembedded.org/g/openembedded-core/message/180187
> Mute This Topic: https://lists.openembedded.org/mt/98341957/3620601
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [steve@sakoman.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [OE-core][kirkstone][PATCH] go-runtime: Security fix for CVE-2022-41722
2023-04-18 14:34 ` Steve Sakoman
@ 2023-04-19 5:55 ` Shubham Kulkarni
0 siblings, 0 replies; 3+ messages in thread
From: Shubham Kulkarni @ 2023-04-19 5:55 UTC (permalink / raw)
To: Steve Sakoman; +Cc: openembedded-core
[-- Attachment #1: Type: text/plain, Size: 7938 bytes --]
Thank you Steve! Apologies for the inconvenience caused. I will take care
next time.
Thanks,
Shubham
On Tue, Apr 18, 2023 at 8:04 PM Steve Sakoman <steve@sakoman.com> wrote:
> There were a couple of issues with this patch. I've fixed both so no
> need to resubmit, but in the future please be sure to check the
> following:
>
> 1. Patch should be based on the latest kirkstone head -- you were
> using an earlier state which was missing "go: fix CVE-2022-41724,
> 41725" so the patch didn't apply.
> 2. CVE patch files should have a CVE: tag in addition to the
> Upstream-status: and Signed-off-by: tags
>
> Thanks for helping fix CVEs!
>
> Steve
>
> On Tue, Apr 18, 2023 at 1:54 AM Shubham Kulkarni <skulkarni@mvista.com>
> wrote:
> >
> > From: Shubham Kulkarni <skulkarni@mvista.com>
> >
> > path/filepath: do not Clean("a/../c:/b") into c:\b on Windows
> >
> > Backport from
> https://github.com/golang/go/commit/bdf07c2e168baf736e4c057279ca12a4d674f18c
> >
> > Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
> > ---
> > meta/recipes-devtools/go/go-1.17.13.inc | 1 +
> > .../go/go-1.18/CVE-2022-41722.patch | 102 ++++++++++++++++++
> > 2 files changed, 103 insertions(+)
> > create mode 100644 meta/recipes-devtools/go/go-1.18/CVE-2022-41722.patch
> >
> > diff --git a/meta/recipes-devtools/go/go-1.17.13.inc
> b/meta/recipes-devtools/go/go-1.17.13.inc
> > index 14d58932dc..d104e34408 100644
> > --- a/meta/recipes-devtools/go/go-1.17.13.inc
> > +++ b/meta/recipes-devtools/go/go-1.17.13.inc
> > @@ -23,6 +23,7 @@ SRC_URI += "\
> > file://CVE-2022-2879.patch \
> > file://CVE-2022-41720.patch \
> > file://CVE-2022-41723.patch \
> > + file://CVE-2022-41722.patch \
> > "
> > SRC_URI[main.sha256sum] =
> "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd"
> >
> > diff --git a/meta/recipes-devtools/go/go-1.18/CVE-2022-41722.patch
> b/meta/recipes-devtools/go/go-1.18/CVE-2022-41722.patch
> > new file mode 100644
> > index 0000000000..447c3d45bd
> > --- /dev/null
> > +++ b/meta/recipes-devtools/go/go-1.18/CVE-2022-41722.patch
> > @@ -0,0 +1,102 @@
> > +From a826b19625caebed6dd0f3fbd9d0111f6c83737c Mon Sep 17 00:00:00 2001
> > +From: Damien Neil <dneil@google.com>
> > +Date: Mon, 12 Dec 2022 16:43:37 -0800
> > +Subject: [PATCH] path/filepath: do not Clean("a/../c:/b") into c:\b on
> Windows
> > +
> > +Do not permit Clean to convert a relative path into one starting
> > +with a drive reference. This change causes Clean to insert a .
> > +path element at the start of a path when the original path does not
> > +start with a volume name, and the first path element would contain
> > +a colon.
> > +
> > +This may introduce a spurious but harmless . path element under
> > +some circumstances. For example, Clean("a/../b:/../c") becomes `.\c`.
> > +
> > +This reverts CL 401595, since the change here supersedes the one
> > +in that CL.
> > +
> > +Thanks to RyotaK (https://twitter.com/ryotkak) for reporting this
> issue.
> > +
> > +Updates #57274
> > +Fixes #57276
> > +Fixes CVE-2022-41722
> > +
> > +Change-Id: I837446285a03aa74c79d7642720e01f354c2ca17
> > +Reviewed-on:
> https://team-review.git.corp.google.com/c/golang/go-private/+/1675249
> > +Reviewed-by: Roland Shoemaker <bracewell@google.com>
> > +Run-TryBot: Damien Neil <dneil@google.com>
> > +Reviewed-by: Julie Qiu <julieqiu@google.com>
> > +TryBot-Result: Security TryBots <
> security-trybots@go-security-trybots.iam.gserviceaccount.com>
> > +(cherry picked from commit 8ca37f4813ef2f64600c92b83f17c9f3ca6c03a5)
> > +Reviewed-on:
> https://team-review.git.corp.google.com/c/golang/go-private/+/1728944
> > +Run-TryBot: Roland Shoemaker <bracewell@google.com>
> > +Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
> > +Reviewed-by: Damien Neil <dneil@google.com>
> > +Reviewed-on: https://go-review.googlesource.com/c/go/+/468119
> > +Reviewed-by: Than McIntosh <thanm@google.com>
> > +Run-TryBot: Michael Pratt <mpratt@google.com>
> > +TryBot-Result: Gopher Robot <gobot@golang.org>
> > +Auto-Submit: Michael Pratt <mpratt@google.com>
> > +
> > +Upstream-Status: Backport from
> https://github.com/golang/go/commit/bdf07c2e168baf736e4c057279ca12a4d674f18
> > +Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
> > +---
> > + src/path/filepath/path.go | 27 ++++++++++++++-------------
> > + 1 file changed, 14 insertions(+), 13 deletions(-)
> > +
> > +diff --git a/src/path/filepath/path.go b/src/path/filepath/path.go
> > +index 8300a32..94621a0 100644
> > +--- a/src/path/filepath/path.go
> > ++++ b/src/path/filepath/path.go
> > +@@ -15,6 +15,7 @@ import (
> > + "errors"
> > + "io/fs"
> > + "os"
> > ++ "runtime"
> > + "sort"
> > + "strings"
> > + )
> > +@@ -117,21 +118,9 @@ func Clean(path string) string {
> > + case os.IsPathSeparator(path[r]):
> > + // empty path element
> > + r++
> > +- case path[r] == '.' && r+1 == n:
> > ++ case path[r] == '.' && (r+1 == n ||
> os.IsPathSeparator(path[r+1])):
> > + // . element
> > + r++
> > +- case path[r] == '.' && os.IsPathSeparator(path[r+1]):
> > +- // ./ element
> > +- r++
> > +-
> > +- for r < len(path) && os.IsPathSeparator(path[r])
> {
> > +- r++
> > +- }
> > +- if out.w == 0 && volumeNameLen(path[r:]) > 0 {
> > +- // When joining prefix "." and an
> absolute path on Windows,
> > +- // the prefix should not be removed.
> > +- out.append('.')
> > +- }
> > + case path[r] == '.' && path[r+1] == '.' && (r+2 == n ||
> os.IsPathSeparator(path[r+2])):
> > + // .. element: remove to last separator
> > + r += 2
> > +@@ -157,6 +146,18 @@ func Clean(path string) string {
> > + if rooted && out.w != 1 || !rooted && out.w != 0
> {
> > + out.append(Separator)
> > + }
> > ++ // If a ':' appears in the path element at the
> start of a Windows path,
> > ++ // insert a .\ at the beginning to avoid
> converting relative paths
> > ++ // like a/../c: into c:.
> > ++ if runtime.GOOS == "windows" && out.w == 0 &&
> out.volLen == 0 && r != 0 {
> > ++ for i := r; i < n &&
> !os.IsPathSeparator(path[i]); i++ {
> > ++ if path[i] == ':' {
> > ++ out.append('.')
> > ++ out.append(Separator)
> > ++ break
> > ++ }
> > ++ }
> > ++ }
> > + // copy element
> > + for ; r < n && !os.IsPathSeparator(path[r]); r++
> {
> > + out.append(path[r])
> > +--
> > +2.7.4
> > --
> > 2.33.0
> >
> >
> > -=-=-=-=-=-=-=-=-=-=-=-
> > Links: You receive all messages sent to this group.
> > View/Reply Online (#180187):
> https://lists.openembedded.org/g/openembedded-core/message/180187
> > Mute This Topic: https://lists.openembedded.org/mt/98341957/3620601
> > Group Owner: openembedded-core+owner@lists.openembedded.org
> > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [
> steve@sakoman.com]
> > -=-=-=-=-=-=-=-=-=-=-=-
> >
>
[-- Attachment #2: Type: text/html, Size: 12232 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2023-04-19 5:55 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-04-18 11:54 [OE-core][kirkstone][PATCH] go-runtime: Security fix for CVE-2022-41722 skulkarni
2023-04-18 14:34 ` Steve Sakoman
2023-04-19 5:55 ` Shubham Kulkarni
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.