packages/golang
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!384 [sync] PR-381: golang: fix CVE-2024-24789

Browse Source 
From: @openeuler-sync-bot 
Reviewed-by: @hcnbxx 
Signed-off-by: @hcnbxx
This commit is contained in:
openeuler-ci-bot 2024-06-25 07:21:45 +00:00 committed by Gitee
commit 6df7f26cbb
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 66 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

58
0066-Backport-archive-zip-treat-truncated-EOCDR-comment-a.patch Normal file
View File

@ -0,0 +1,58 @@
From c4a663363a6899c73b02b6667607619af1799e15 Mon Sep 17 00:00:00 2001
From: Damien Neil <dneil@google.com>
Date: Wed, 15 May 2024 05:39:10 +0800
Subject: [PATCH] [Backport] archive/zip: treat truncated EOCDR comment as an
error
CVE: CVE-2024-24789
Reference: https://go-review.googlesource.com/c/go/+/588795
When scanning for an end of central directory record,
treat an EOCDR signature with a record containing a truncated
comment as an error. Previously, we would skip over the invalid
record and look for another one. Other implementations do not
do this (they either consider this a hard error, or just ignore
the truncated comment). This parser misalignment allowed
presenting entirely different archive contents to Go programs
and other zip decoders.
For #66869
Fixes #67553
Fixes CVE-2024-24789
Change-Id: I94e5cb028534bb5704588b8af27f1e22ea49c7c6
Reviewed-on: https://go-review.googlesource.com/c/go/+/585397
Reviewed-by: Joseph Tsai <joetsai@digital-static.net>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
(cherry picked from commit 33d725e5758bf1fea62e6c77fc70b57a828a49f5)
Reviewed-on: https://go-review.googlesource.com/c/go/+/588795
Reviewed-by: Matthew Dempsky <mdempsky@google.com>
Signed-off-by: vegbir <yangjiaqi16@huawei.com>
---
src/archive/zip/reader.go | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/archive/zip/reader.go b/src/archive/zip/reader.go
index e40a2c656b..987f543852 100644
--- a/src/archive/zip/reader.go
+++ b/src/archive/zip/reader.go
@@ -644,9 +644,13 @@ func findSignatureInBlock(b []byte) int {
if b[i] == 'P' && b[i+1] == 'K' && b[i+2] == 0x05 && b[i+3] == 0x06 {
// n is length of comment
n := int(b[i+directoryEndLen-2]) | int(b[i+directoryEndLen-1])<<8
- if n+directoryEndLen+i <= len(b) {
- return i
+ if n+directoryEndLen+i > len(b) {
+ // Truncated comment.
+ // Some parsers (such as Info-ZIP) ignore the truncated comment
+ // rather than treating it as a hard error.
+ return -1
}
+ return i
}
}
return -1
--
2.33.0

9
golang.spec
View File

@ -63,7 +63,7 @@
Name: golang
Version: 1.17.3
Release: 33
Release: 34
Summary: The Go Programming Language
License: BSD and Public Domain
URL: https://golang.org/
@ -215,6 +215,7 @@ Patch6062: 0062-1.17-backport-runtime-decrement-netpollWaiters-in-ne.patch
Patch6063: 0063-1.17-backport-runtime-adjust-netpollWaiters-after-go.patch
Patch6064: 0064-Backport-net-http-update-bundled-golang.org-x-net-ht.patch
Patch6065: 0065-Backport-cmd-go-disallow-lto_library-in-LDFLAGS.patch
Patch6066: 0066-Backport-archive-zip-treat-truncated-EOCDR-comment-a.patch
ExclusiveArch: %{golang_arches}
@ -453,6 +454,12 @@ fi
%files devel -f go-tests.list -f go-misc.list -f go-src.list
%changelog
* Mon Jun 24 2024 yangjiaqi <yangjiaqi16@huawei.com> - 1.17.3-34
- Type:CVE
- CVE:CVE-2024-24789
- SUG:NA
- DESC:fix CVE-2024-24789
* Mon May 27 2024 lujingxiao <lujingxiao@huawei.com> - 1.17.3-33
- Type:CVE
- CVE:CVE-2024-24787