backport: fix CVE-2024-24784

0061-Backport-net-mail-properly-handle-special-characters.patch

@@ -0,0 +1,214 @@
+From b1a3bda40d0e6862fa93b00a1be47214b5478ca3 Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <bracewell@google.com>
+Date: Wed, 10 Jan 2024 11:02:14 -0800
+Subject: [PATCH] [Backport] net/mail: properly handle special characters in
+ phrase and obs-phrase
+
+Offering: Cloud Core Network
+CVE: CVE-2024-24784
+Reference: https://go-review.googlesource.com/c/go/+/566195
+
+Fixes a couple of misalignments with RFC 5322 which introduce
+significant diffs between (mostly) conformant parsers.
+
+This change reverts the changes made in CL50911, which allowed certain
+special RFC 5322 characters to appear unquoted in the "phrase" syntax.
+It is unclear why this change was made in the first place, and created
+a divergence from comformant parsers. In particular this resulted in
+treating comments in display names incorrectly.
+
+Additionally properly handle trailing malformed comments in the group
+syntax.
+
+Note: The upstream does not submit this change to go1.17 according to the rules of MinorReleases.
+Corego3.x are based on go1.17.8. Therefore, it need to submit the change to corego3.x.
+
+Edited-by: machangwang m00509938
+
+For #65083
+Fixes #65848
+
+Change-Id: I00dddc044c6ae3381154e43236632604c390f672
+Reviewed-on: https://go-review.googlesource.com/c/go/+/555596
+Reviewed-by: Damien Neil <dneil@google.com>
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/566195
+Reviewed-by: Carlos Amedee <carlos@golang.org>
+Signed-off-by: Ma Chang Wang  machangwang@huawei.com
+---
+ src/net/mail/message.go      | 30 +++++++++++++++------------
+ src/net/mail/message_test.go | 40 ++++++++++++++++++++++++++----------
+ 2 files changed, 46 insertions(+), 24 deletions(-)
+
+diff --git a/src/net/mail/message.go b/src/net/mail/message.go
+index 47bbf6ca97..84f48f0cba 100644
+--- a/src/net/mail/message.go
++++ b/src/net/mail/message.go
+@@ -231,7 +231,7 @@ func (a *Address) String() string {
+ 	// Add quotes if needed
+ 	quoteLocal := false
+ 	for i, r := range local {
+-		if isAtext(r, false, false) {
++		if isAtext(r, false) {
+ 			continue
+ 		}
+ 		if r == '.' {
+@@ -395,7 +395,7 @@ func (p *addrParser) parseAddress(handleGroup bool) ([]*Address, error) {
+ 	if !p.consume('<') {
+ 		atext := true
+ 		for _, r := range displayName {
+-			if !isAtext(r, true, false) {
++			if !isAtext(r, true) {
+ 				atext = false
+ 				break
+ 			}
+@@ -430,7 +430,9 @@ func (p *addrParser) consumeGroupList() ([]*Address, error) {
+ 	// handle empty group.
+ 	p.skipSpace()
+ 	if p.consume(';') {
+-		p.skipCFWS()
++		if !p.skipCFWS() {
++			return nil, errors.New("mail: misformatted parenthetical comment")
++		}
+ 		return group, nil
+ 	}
+ 
+@@ -447,7 +449,9 @@ func (p *addrParser) consumeGroupList() ([]*Address, error) {
+ 			return nil, errors.New("mail: misformatted parenthetical comment")
+ 		}
+ 		if p.consume(';') {
+-			p.skipCFWS()
++			if !p.skipCFWS() {
++				return nil, errors.New("mail: misformatted parenthetical comment")
++			}
+ 			break
+ 		}
+ 		if !p.consume(',') {
+@@ -517,6 +521,12 @@ func (p *addrParser) consumePhrase() (phrase string, err error) {
+ 	var words []string
+ 	var isPrevEncoded bool
+ 	for {
++		// obs-phrase allows CFWS after one word
++		if len(words) > 0 {
++			if !p.skipCFWS() {
++				return "", errors.New("mail: misformatted parenthetical comment")
++			}
++		}
+ 		// word = atom / quoted-string
+ 		var word string
+ 		p.skipSpace()
+@@ -612,7 +622,6 @@ Loop:
+ // If dot is true, consumeAtom parses an RFC 5322 dot-atom instead.
+ // If permissive is true, consumeAtom will not fail on:
+ // - leading/trailing/double dots in the atom (see golang.org/issue/4938)
+-// - special characters (RFC 5322 3.2.3) except '<', '>', ':' and '"' (see golang.org/issue/21018)
+ func (p *addrParser) consumeAtom(dot bool, permissive bool) (atom string, err error) {
+ 	i := 0
+ 
+@@ -623,7 +632,7 @@ Loop:
+ 		case size == 1 && r == utf8.RuneError:
+ 			return "", fmt.Errorf("mail: invalid utf-8 in address: %q", p.s)
+ 
+-		case size == 0 || !isAtext(r, dot, permissive):
++		case size == 0 || !isAtext(r, dot):
+ 			break Loop
+ 
+ 		default:
+@@ -777,18 +786,13 @@ func (e charsetError) Error() string {
+ 
+ // isAtext reports whether r is an RFC 5322 atext character.
+ // If dot is true, period is included.
+-// If permissive is true, RFC 5322 3.2.3 specials is included,
+-// except '<', '>', ':' and '"'.
+-func isAtext(r rune, dot, permissive bool) bool {
++func isAtext(r rune, dot bool) bool {
+ 	switch r {
+ 	case '.':
+ 		return dot
+ 
+ 	// RFC 5322 3.2.3. specials
+-	case '(', ')', '[', ']', ';', '@', '\\', ',':
+-		return permissive
+-
+-	case '<', '>', '"', ':':
++	case '(', ')', '<', '>', '[', ']', ':', ';', '@', '\\', ',', '"': // RFC 5322 3.2.3. specials
+ 		return false
+ 	}
+ 	return isVchar(r)
+diff --git a/src/net/mail/message_test.go b/src/net/mail/message_test.go
+index 80a17b2853..00bc93e074 100644
+--- a/src/net/mail/message_test.go
++++ b/src/net/mail/message_test.go
+@@ -334,8 +334,11 @@ func TestAddressParsingError(t *testing.T) {
+ 		13: {"group not closed: null@example.com", "expected comma"},
+ 		14: {"group: first@example.com, second@example.com;", "group with multiple addresses"},
+ 		15: {"john.doe", "missing '@' or angle-addr"},
+-		16: {"john.doe@", "no angle-addr"},
++		16: {"john.doe@", "missing '@' or angle-addr"},
+ 		17: {"John Doe@foo.bar", "no angle-addr"},
++		18: {" group: null@example.com; (asd", "misformatted parenthetical comment"},
++		19: {" group: ; (asd", "misformatted parenthetical comment"},
++		20: {`(John) Doe <jdoe@machine.example>`, "missing word in phrase:"},
+ 	}
+ 
+ 	for i, tc := range mustErrTestCases {
+@@ -374,24 +377,19 @@ func TestAddressParsing(t *testing.T) {
+ 				Address: "john.q.public@example.com",
+ 			}},
+ 		},
+-		{
+-			`"John (middle) Doe" <jdoe@machine.example>`,
+-			[]*Address{{
+-				Name:    "John (middle) Doe",
+-				Address: "jdoe@machine.example",
+-			}},
+-		},
++		// Comment in display name
+ 		{
+ 			`John (middle) Doe <jdoe@machine.example>`,
+ 			[]*Address{{
+-				Name:    "John (middle) Doe",
++				Name:    "John Doe",
+ 				Address: "jdoe@machine.example",
+ 			}},
+ 		},
++		// Display name is quoted string, so comment is not a comment
+ 		{
+-			`John !@M@! Doe <jdoe@machine.example>`,
++			`"John (middle) Doe" <jdoe@machine.example>`,
+ 			[]*Address{{
+-				Name:    "John !@M@! Doe",
++				Name:    "John (middle) Doe",
+ 				Address: "jdoe@machine.example",
+ 			}},
+ 		},
+@@ -726,6 +724,26 @@ func TestAddressParsing(t *testing.T) {
+ 				},
+ 			},
+ 		},
++		// Comment in group display name
++		{
++			`group (comment:): a@example.com, b@example.com;`,
++			[]*Address{
++				{
++					Address: "a@example.com",
++				},
++				{
++					Address: "b@example.com",
++				},
++			},
++		},
++		{
++			`x(:"):"@a.example;("@b.example;`,
++			[]*Address{
++				{
++					Address: `@a.example;(@b.example`,
++				},
++			},
++		},
+ 	}
+ 	for _, test := range tests {
+ 		if len(test.exp) == 1 {
+-- 
+2.33.0
+

golang.spec

@@ -63,7 +63,7 @@
 
 Name:           golang
 Version:        1.17.3
-Release:        29
+Release:        30
 Summary:        The Go Programming Language
 License:        BSD and Public Domain
 URL:            https://golang.org/
@@ -210,6 +210,7 @@ Patch6057:	0057-release-branch.go1.21-crypto-x509-make-sure-pub-key-.patch
 Patch6058:	0058-release-branch.go1.21-html-template-escape-additiona.patch
 Patch6059:	0059-release-branch.go1.21-net-textproto-mime-multipart-a.patch
 Patch6060:	0060-release-branch.go1.21-net-http-net-http-cookiejar-av.patch
+Patch6061:	0061-Backport-net-mail-properly-handle-special-characters.patch
 
 ExclusiveArch:  %{golang_arches}
 
@@ -448,6 +449,12 @@ fi
 %files devel -f go-tests.list -f go-misc.list -f go-src.list
 
 %changelog
+* Wed Mar 27 2024 hanchao <hanchao63@huawei.com> - 1.17.3-30
+- Type:CVE
+- CVE:CVE-2024-24784
+- SUG:NA
+- DESC:fix CVE-2024-24784
+
 * Wed Mar 27 2024 hanchao <hanchao63@huawei.com> - 1.17.3-29
 - Type:bugfix
 - CVE: