golang: fix CVE-2024-24789

Signed-off-by: vegbir <yangjiaqi16@huawei.com> (cherry picked from commit 05d8718c3a2decd5a343af98ac75a2f159463d84)
2024-06-24 21:45:52 +08:00 · 2024-06-24 21:45:52 +08:00 · 7d9ba61b3a
commit 7d9ba61b3a
parent fcf5360fc0
2 changed files with 66 additions and 1 deletions
--- a/0066-Backport-archive-zip-treat-truncated-EOCDR-comment-a.patch
+++ b/0066-Backport-archive-zip-treat-truncated-EOCDR-comment-a.patch
@ -0,0 +1,58 @@
+From c4a663363a6899c73b02b6667607619af1799e15 Mon Sep 17 00:00:00 2001
+From: Damien Neil <dneil@google.com>
+Date: Wed, 15 May 2024 05:39:10 +0800
+Subject: [PATCH] [Backport] archive/zip: treat truncated EOCDR comment as an
+ error
+
+CVE: CVE-2024-24789
+Reference: https://go-review.googlesource.com/c/go/+/588795
+
+When scanning for an end of central directory record,
+treat an EOCDR signature with a record containing a truncated
+comment as an error. Previously, we would skip over the invalid
+record and look for another one. Other implementations do not
+do this (they either consider this a hard error, or just ignore
+the truncated comment). This parser misalignment allowed
+presenting entirely different archive contents to Go programs
+and other zip decoders.
+
+For #66869
+Fixes #67553
+Fixes CVE-2024-24789
+
+Change-Id: I94e5cb028534bb5704588b8af27f1e22ea49c7c6
+Reviewed-on: https://go-review.googlesource.com/c/go/+/585397
+Reviewed-by: Joseph Tsai <joetsai@digital-static.net>
+Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+(cherry picked from commit 33d725e5758bf1fea62e6c77fc70b57a828a49f5)
+Reviewed-on: https://go-review.googlesource.com/c/go/+/588795
+Reviewed-by: Matthew Dempsky <mdempsky@google.com>
+
+Signed-off-by: vegbir <yangjiaqi16@huawei.com>
+---
+ src/archive/zip/reader.go | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/src/archive/zip/reader.go b/src/archive/zip/reader.go
+index e40a2c656b..987f543852 100644
+--- a/src/archive/zip/reader.go
+++ b/src/archive/zip/reader.go
+@@ -644,9 +644,13 @@ func findSignatureInBlock(b []byte) int {
+ 		if b[i] == 'P' && b[i+1] == 'K' && b[i+2] == 0x05 && b[i+3] == 0x06 {
+ 			// n is length of comment
+ 			n := int(b[i+directoryEndLen-2]) | int(b[i+directoryEndLen-1])<<8
+-			if n+directoryEndLen+i <= len(b) {
+-				return i
+			if n+directoryEndLen+i > len(b) {
+				// Truncated comment.
+				// Some parsers (such as Info-ZIP) ignore the truncated comment
+				// rather than treating it as a hard error.
+				return -1
+ 			}
+			return i
+ 		}
+ 	}
+ 	return -1
+-- 
+2.33.0
--- a/golang.spec
+++ b/golang.spec
@ -63,7 +63,7 @@

 Name:           golang
 Version:        1.17.3
-Release:        33
+Release:        34
 Summary:        The Go Programming Language
 License:        BSD and Public Domain
 URL:            https://golang.org/
@ -215,6 +215,7 @@ Patch6062:	0062-1.17-backport-runtime-decrement-netpollWaiters-in-ne.patch
 Patch6063:	0063-1.17-backport-runtime-adjust-netpollWaiters-after-go.patch
 Patch6064:	0064-Backport-net-http-update-bundled-golang.org-x-net-ht.patch
 Patch6065:	0065-Backport-cmd-go-disallow-lto_library-in-LDFLAGS.patch
+Patch6066:	0066-Backport-archive-zip-treat-truncated-EOCDR-comment-a.patch

 ExclusiveArch:  %{golang_arches}

@ -453,6 +454,12 @@ fi
 %files devel -f go-tests.list -f go-misc.list -f go-src.list

 %changelog
+* Mon Jun 24 2024 yangjiaqi <yangjiaqi16@huawei.com> - 1.17.3-34
+- Type:CVE
+- CVE:CVE-2024-24789
+- SUG:NA
+- DESC:fix CVE-2024-24789
+
 * Mon May 27 2024 lujingxiao <lujingxiao@huawei.com> - 1.17.3-33
 - Type:CVE
 - CVE:CVE-2024-24787