From 64c979e88e6d0917b6fe45e52e381affec150afd Mon Sep 17 00:00:00 2001 
From: Brad Bishop Date: Mon, 4 Nov 2019 13:55:29 -0500 Subject: poky: subtree update:52a625582e..7035b4b21e MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Adrian Bunk (9): squashfs-tools: Upgrade to 4.4 screen: Upgrade 4.6.2 -> 4.7.0 stress-ng: Upgrade 0.10.00 -> 0.10.08 nspr: Upgrade 4.21 -> 4.23 gcc: Remove stale gcc 8 patchfile gnu-efi: Upgrade 3.0.9 -> 3.0.10 python3-numpy: Stop shipping manual config files coreutils: Move stdbuf into an own package coreutils-stdbuf gnu-efi: Upgrade 3.0.10 -> 3.0.11 Alessio Igor Bogani (1): systemtap: support usrmerge Alexander Hirsch (1): libksba: Fix license specification Alexander Kanavin (6): gcr: update to 3.34.0 btrfs-tools: update to 5.3 libmodulemd-v1: update to 1.8.16 selftest: skip virgl test on centos 7 entirely nfs-utils: do not depend on bash unnecessarily selftest: add a test for gpl3-free images Alistair Francis (4): opensbi: Bump from 0.4 to 0.5 u-boot: Bump from 2019.07 to 2019.10 qemuriscv64: Build smode U-Boot libsdl2: Fix build failure when using mesa 19.2.1 Andreas Müller (4): adwaita-icon-theme: upgrade 3.32.0 -> 3.34.0 gsettings-desktop-schemas: upgrade 3.32.0 -> 3.34.0 IMAGE_LINGUAS_COMPLEMENTARY: auto-add language packages other than locales libical: add PACKAGECONFIG glib and enable it by default André Draszik (10): testimage.bbclass: support hardware-controlled targets testimage.bbclass: enable ssh agent forwarding oeqa/runtime/df: don't fail on long device names oeqa/core/decorator: add skipIfFeature oeqa/runtime/opkg: skip install on read-only-rootfs oeqa/runtime/systemd: skip unit enable/disable on read-only-rootfs ruby: update to v2.6.4 ruby: some ptest fixes oeqa/runtime/context.py: ignore more files when loading controllers connman: mark connman-wait-online as SYSTEMD_PACKAGE Bruce Ashfield (6): linux-yocto/4.19: update to v4.19.78 linux-yocto/5.2: update to v5.2.20 perf: fix v5.4+ builds perf: create directories before copying single files perf: add 
'cap' PACKAGECONFIG perf: drop 'include' copy Carlos Rafael Giani (12): gstreamer1.0: upgrade to version 1.16.1 gstreamer1.0-plugins-base: upgrade to version 1.16.1 gstreamer1.0-plugins-good: upgrade to version 1.16.1 gstreamer1.0-plugins-bad: upgrade to version 1.16.1 gstreamer1.0-plugins-ugly: upgrade to version 1.16.1 gstreamer1.0-libav: upgrade to version 1.16.1 gstreamer1.0-vaapi: upgrade to version 1.16.1 gstreamer1.0-omx: upgrade to version 1.16.1 gstreamer1.0-python: upgrade to version 1.16.1 gstreamer1.0-rtsp-server: upgrade to version 1.16.1 gst-validate: upgrade to version 1.16.1 gstreamer: Change SRC_URI to use HTTPS access instead of HTTP Changqing Li (4): qemu: Fix CVE-2019-12068 python: Fix CVE-2019-10160 sudo: fix CVE-2019-14287 mdadm: fix do_package failed when changed local.conf but not cleaned Chee Yang Lee (2): wic/help: change 'wic write' help description wic/engine: use 'linux-swap' for swap file system Chen Qi (3): go: fix CVE-2019-16276 python3: fix CVE-2019-16935 python: fix CVE-2019-16935 Chris Laplante via bitbake-devel (2): bitbake: bitbake: contrib/vim: initial commit, with unmodified code from indent/python.vim bitbake: bitbake: contrib/vim: Modify Python indentation to work with 'python do_task {' Christopher Larson (2): bitbake: fetch2/git: fetch shallow revs when needed bitbake: tests/fetch: add test for fetching shallow revs Dan Callaghan (1): elfutils: add PACKAGECONFIG for compression algorithms Douglas Royds via Openembedded-core (1): icecc: Export ICECC_CC and friends via wrapper-script Eduardo Abinader (1): devtool: add ssh key option to deploy-target param Eugene Smirnov (1): wic/rawcopy: Support files in sub-directories Ferry Toth (1): sudo: Fix fetching sources Frazer Leslie Clews (2): makedevs: fix format strings in makedevs.c in print statements makedevs: fix invalidScanfFormatWidth to prevent overflowing usr_buf George McCollister (1): openssl: make OPENSSL_ENGINES match install path Haiqing Bai (1): unfs3: fixed the 
issue that unfsd consumes 100% CPU He Zhe (1): ltp: Fix overcommit_memory failure Hongxu Jia (1): openssh: fix CVE-2019-16905 Joe Slater (2): libtiff: fix CVE-2019-17546 libxslt: fix CVE-2019-18197 Kai Kang (1): bind: fix CVE-2019-6471 and CVE-2018-5743 Liwei Song (1): util-linux: fix PKNAME name is NULL when use lsblk [LIN1019-2963] Mattias Hansson (1): base.bbclass: add dependency on pseudo from do_prepare_recipe_sysroot Max Tomago (1): python-native: Remove debug.patch Maxime Roussin-Bélanger (2): meta: update and add missing homepage/bugtracker links meta: add missing description in recipes-gnome Michael Ho (1): cmake.bbclass: add HOSTTOOLS_DIR to CMAKE_FIND_ROOT_PATH Mike Crowe (2): kernel-fitimage: Cope with non-standard kernel deploy subdirectory kernel-devicetree: Cope with non-standard kernel deploy subdirectory Mikko Rapeli (1): systemd.bbclass: enable all services specified in ${SYSTEMD_SERVICE} Nicola Lunghi (1): ofono: tidy up the recipe Ola x Nilsson (10): oeqa/selftest/recipetool: Use with to control file handle lifetime oe.types.path: Use with to control file handle lifetime lib/oe/packagedata: Use with to control file handle lifetime lib/oe/package_manager: Use with to control file handle lifetime report-error.bbclass: Use with to control file handle lifetime package.bbclass: Use with to manage file handle lifetimes devtool-source.bbclass: Use with to manage file handle lifetime libc-package.bbclass: Use with to manage filehandle in do_spit_gconvs bitbake: bitbake: prserv/serv: Use with while reading pidfile bitbake: bitbake: ConfHandler: Use with to manage filehandle lifetime Oleksandr Kravchuk (4): ell: update to 0.23 ell: update to 0.25 ell: update to 0.26 ofono: update to 1.31 Ricardo Ribalda Delgado (1): i2c-tools: Add missing RDEPEND Richard Leitner (1): kernel-fitimage: introduce FIT_SIGN_ALG Richard Purdie (4): tinderclient: Drop obsolete class meson: Backport fix to assist meta-oe breakage nfs-utils: Improve handling when no exported 
fileysystems qemu: Avoid potential build configuration contamination Robert Yang (1): bluez5: Fix for --enable-btpclient Ross Burton (29): sanity: check the format of SDK_VENDOR file: explicitly disable seccomp python3: -dev should depend on distutils gawk: add PACKAGECONFIG for readline python3: alternative name is python3-config not python-config python3: ensure that all forms of python3-config are in python3-dev oeqa/selftest: use specialist assert* methods bluez5: refresh upstreamed patches xorgproto: fix summary libx11: upgrade to 1.6.9 xorgproto: upgrade to 2019.2 llvm: add missing Upstream-Status tags buildhistory-analysis: filter out -src changes by default squashfs-tools: remove redundant source checksums squashfs-tools: clean up compile/install tasks wpa-supplicant: fix CVE-2019-16275 gcr: remove intltool-native elfutils: disable bzip cve-check: ensure all known CVEs are in the report git: some tools are no longer perl, so move to main recipe git: cleanup man install qemu-helper-native: add missing option to getopt() call qemu-helper-native: showing help shouldn't be an error qemu-helper-native: pass compiler flags oeqa/selftest: add test for oe-run-native cve-check: failure to parse versions should be more visible gst-examples: rename so PV is in filename sanity: check for more bits of Python recipeutils-test: use a small dependency in the dummy recipe Sai Hari Chandana Kalluri (1): devtool: Add --remove-work option for devtool reset command Scott Rifenbark (9): ref-manual: First pass of 2.8 migration changes (WIP) poky.ent: Updated the release date to October 2019 dev-manual: Added info to "Selecting an Initialization Manager" ref-manual: 2nd pass 3.0 migration documenation: Changed "2.8" to "3.0". ref-manual: Removed deprecated link to ref-classes-bluetooth ref-manual, dev-manual: Clean up of a commit ref-manual: Updated the BUSYBOX_SPLIT_SUID variable. ref-manual, dev-manual: Added CMake toolchain files. 
Stefan Agner (1): uninative: check .done file instead of tarball Tom Benn (1): dbus: update dbus-1.init to reflect new PID file Trevor Gamblin (5): aspell: upgrade from 0.60.7 to 0.60.8 binutils: fix CVE-2019-17450 binutils: fix CVE-2019-17451 ncurses: fix CVE-2019-17594, CVE-2019-17595 libgcrypt: upgrade 1.8.4 -> 1.8.5 Trevor Woerner (1): libcap-ng: undefined reference to `pthread_atfork' Wenlin Kang (1): sysstat: fix CVE-2019-16167 Yann Dirson (1): mesa: fix meson configure fix when 'dri' is excluded from PACKAGECONFIG Yeoh Ee Peng (1): scripts/oe-pkgdata-util: Enable list-pkgs to print ordered packages Yi Zhao (2): libsdl2: fix CVE-2019-13616 libgcrypt: fix CVE-2019-12904 Zang Ruochen (6): bison:upgrade 3.4.1 -> 3.4.2 e2fsprogs:upgrade 1.45.3 -> 1.45.4 libxvmc:upgrade 1.0.11 -> 1.0.12 python3-pip:upgrade 19.2.3 -> 19.3.1 python-setuptools:upgrade 41.2.0 -> 41.4.0 libcap-ng:upgrade 0.7.9 -> 0.7.10 Signed-off-by: Brad Bishop Change-Id: I50bc42f74dffdc406ffc0dea034e41462fe6e06b
---
 poky/meta/recipes-devtools/go/go-1.12.inc | 1 +
 ...nch.go1.12-security-net-textproto-don-t-n.patch | 163 +++++++++++++++++++++
 2 files changed, 164 insertions(+)
 create mode 100644 poky/meta/recipes-devtools/go/go-1.12/0001-release-branch.go1.12-security-net-textproto-don-t-n.patch
(limited to 'poky/meta/recipes-devtools/go')
diff --git a/poky/meta/recipes-devtools/go/go-1.12.inc b/poky/meta/recipes-devtools/go/go-1.12.inc
index 39157ff88..ed14b175e 100644
--- a/poky/meta/recipes-devtools/go/go-1.12.inc
+++ b/poky/meta/recipes-devtools/go/go-1.12.inc
@@ -16,6 +16,7 @@ SRC_URI += "\
 file://0006-cmd-dist-separate-host-and-target-builds.patch \
 file://0007-cmd-go-make-GOROOT-precious-by-default.patch \
 file://0008-use-GOBUILDMODE-to-set-buildmode.patch \
+ file://0001-release-branch.go1.12-security-net-textproto-don-t-n.patch \
 "
 
 SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"
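Review bot: The new SRC_URI entry keeps the `git format-patch` prefix `0001-` on a file added to a series whose visible members are numbered `0006`–`0009`, so the list no longer reads in order and, if an earlier `0001-` patch exists in this recipe (not visible here), two files share the same sequence number. Naming the backport after the issue it fixes, e.g. `file://CVE-2019-16276.patch \`, makes the purpose visible from the recipe and leaves the numbered series intact; the `CVE:` tag inside the patch, not the filename, is what cve-check reads, so this is a readability point only.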
diff --git a/poky/meta/recipes-devtools/go/go-1.12/0001-release-branch.go1.12-security-net-textproto-don-t-n.patch b/poky/meta/recipes-devtools/go/go-1.12/0001-release-branch.go1.12-security-net-textproto-don-t-n.patch
new file mode 100644
index 000000000..7b39dbd73
--- /dev/null
+++ b/poky/meta/recipes-devtools/go/go-1.12/0001-release-branch.go1.12-security-net-textproto-don-t-n.patch
@@ -0,0 +1,163 @@
+From 265b691ac440bfb711d8de323346f7d72e620efe Mon Sep 17 00:00:00 2001
+From: Filippo Valsorda
+Date: Thu, 12 Sep 2019 12:37:36 -0400
+Subject: [PATCH] [release-branch.go1.12-security] net/textproto: don't
+ normalize headers with spaces before the colon
+
+RFC 7230 is clear about headers with a space before the colon, like
+
+X-Answer : 42
+
+being invalid, but we've been accepting and normalizing them for compatibility
+purposes since CL 5690059 in 2012.
+
+On the client side, this is harmless and indeed most browsers behave the same
+to this day. On the server side, this becomes a security issue when the
+behavior doesn't match that of a reverse proxy sitting in front of the server.
+
+For example, if a WAF accepts them without normalizing them, it might be
+possible to bypass its filters, because the Go server would interpret the
+header differently. Worse, if the reverse proxy coalesces requests onto a
+single HTTP/1.1 connection to a Go server, the understanding of the request
+boundaries can get out of sync between them, allowing an attacker to tack an
+arbitrary method and path onto a request by other clients, including
+authentication headers unknown to the attacker.
+
+This was recently presented at multiple security conferences:
+https://portswigger.net/blog/http-desync-attacks-request-smuggling-reborn
+
+net/http servers already reject header keys with invalid characters.
+Simply stop normalizing extra spaces in net/textproto, let it return them
+unchanged like it does for other invalid headers, and let net/http enforce
+RFC 7230, which is HTTP specific. This loses us normalization on the client
+side, but there's no right answer on the client side anyway, and hiding the
+issue sounds worse than letting the application decide.
+
+Fixes CVE-2019-16276
+
+Change-Id: I6d272de827e0870da85d93df770d6a0e161bbcf1
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/549719
+Reviewed-by: Brad Fitzpatrick
+(cherry picked from commit 1280b868e82bf173ea3e988be3092d160ee66082)
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/558776
+Reviewed-by: Dmitri Shuralyov
+
+CVE: CVE-2019-16276
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/6e6f4aaf70c8b1cc81e65a26332aa9409de03ad8]
+
+Signed-off-by: Chen Qi
+---
+ src/net/http/serve_test.go | 4 ++++
+ src/net/http/transport_test.go | 27 +++++++++++++++++++++++++++
+ src/net/textproto/reader.go | 10 ++--------
+ src/net/textproto/reader_test.go | 13 ++++++-------
+ 4 files changed, 39 insertions(+), 15 deletions(-)
+
+diff --git a/src/net/http/serve_test.go b/src/net/http/serve_test.go
+index 6eb0088a96..89bfdfbb82 100644
+--- a/src/net/http/serve_test.go
++++ b/src/net/http/serve_test.go
+@@ -4748,6 +4748,10 @@ func TestServerValidatesHeaders(t *testing.T) {
+ {"foo\xffbar: foo\r\n", 400}, // binary in header
+ {"foo\x00bar: foo\r\n", 400}, // binary in header
+ {"Foo: " + strings.Repeat("x", 1<<21) + "\r\n", 431}, // header too large
++ // Spaces between the header key and colon are not allowed.
++ // See RFC 7230, Section 3.2.4.
++ {"Foo : bar\r\n", 400},
++ {"Foo\t: bar\r\n", 400},
+
+ {"foo: foo foo\r\n", 200}, // LWS space is okay
+ {"foo: foo\tfoo\r\n", 200}, // LWS tab is okay
+diff --git a/src/net/http/transport_test.go b/src/net/http/transport_test.go
+index 5c329543e2..5e5438a708 100644
+--- a/src/net/http/transport_test.go
++++ b/src/net/http/transport_test.go
+@@ -5133,3 +5133,30 @@ func TestTransportIgnores408(t *testing.T) {
+ }
+ t.Fatalf("timeout after %v waiting for Transport connections to die off", time.Since(t0))
+ }
++
++func TestInvalidHeaderResponse(t *testing.T) {
++ setParallel(t)
++ defer afterTest(t)
++ cst := newClientServerTest(t, h1Mode, HandlerFunc(func(w ResponseWriter, r *Request) {
++ conn, buf, _ := w.(Hijacker).Hijack()
++ buf.Write([]byte("HTTP/1.1 200 OK\r\n" +
++ "Date: Wed, 30 Aug 2017 19:09:27 GMT\r\n" +
++ "Content-Type: text/html; charset=utf-8\r\n" +
++ "Content-Length: 0\r\n" +
++ "Foo : bar\r\n\r\n"))
++ buf.Flush()
++ conn.Close()
++ }))
++ defer cst.close()
++ res, err := cst.c.Get(cst.ts.URL)
++ if err != nil {
++ t.Fatal(err)
++ }
++ defer res.Body.Close()
++ if v := res.Header.Get("Foo"); v != "" {
++ t.Errorf(`unexpected "Foo" header: %q`, v)
++ }
++ if v := res.Header.Get("Foo "); v != "bar" {
++ t.Errorf(`bad "Foo " header value: %q, want %q`, v, "bar")
++ }
++}
+diff --git a/src/net/textproto/reader.go b/src/net/textproto/reader.go
+index 2c4f25d5ae..1a5e364cf7 100644
+--- a/src/net/textproto/reader.go
++++ b/src/net/textproto/reader.go
+@@ -493,18 +493,12 @@ func (r *Reader) ReadMIMEHeader() (MIMEHeader, error) {
+ return m, err
+ }
+
+- // Key ends at first colon; should not have trailing spaces
+- // but they appear in the wild, violating specs, so we remove
+- // them if present.
++ // Key ends at first colon.
+ i := bytes.IndexByte(kv, ':')
+ if i < 0 {
+ return m, ProtocolError("malformed MIME header line: " + string(kv))
+ }
+- endKey := i
+- for endKey > 0 && kv[endKey-1] == ' ' {
+- endKey--
+- }
+- key := canonicalMIMEHeaderKey(kv[:endKey])
++ key := canonicalMIMEHeaderKey(kv[:i])
+
+ // As per RFC 7230 field-name is a token, tokens consist of one or more chars.
+ // We could return a ProtocolError here, but better to be liberal in what we
+diff --git a/src/net/textproto/reader_test.go b/src/net/textproto/reader_test.go
+index f85fbdc36d..b92fdcd3c7 100644
+--- a/src/net/textproto/reader_test.go
++++ b/src/net/textproto/reader_test.go
+@@ -188,11 +188,10 @@ func TestLargeReadMIMEHeader(t *testing.T) {
+ }
+ }
+
+-// Test that we read slightly-bogus MIME headers seen in the wild,
+-// with spaces before colons, and spaces in keys.
++// TestReadMIMEHeaderNonCompliant checks that we don't normalize headers
++// with spaces before colons, and accept spaces in keys.
+ func TestReadMIMEHeaderNonCompliant(t *testing.T) {
+- // Invalid HTTP response header as sent by an Axis security
+- // camera: (this is handled by IE, Firefox, Chrome, curl, etc.)
++ // These invalid headers will be rejected by net/http according to RFC 7230.
+ r := reader("Foo: bar\r\n" +
+ "Content-Language: en\r\n" +
+ "SID : 0\r\n" +
+@@ -202,9 +201,9 @@ func TestReadMIMEHeaderNonCompliant(t *testing.T) {
+ want := MIMEHeader{
+ "Foo": {"bar"},
+ "Content-Language": {"en"},
+- "Sid": {"0"},
+- "Audio Mode": {"None"},
+- "Privilege": {"127"},
++ "SID ": {"0"},
++ "Audio Mode ": {"None"},
++ "Privilege ": {"127"},
+ }
+ if !reflect.DeepEqual(m, want) || err != nil {
+ t.Fatalf("ReadMIMEHeader =\n%v, %v; want:\n%v", m, err, want)
-- cgit v1.2.3
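Review bot: With `key := canonicalMIMEHeaderKey(kv[:i])` in the reader.go hunk, a field name with whitespace before the colon is now returned verbatim rather than trimmed or rejected, and the new `TestInvalidHeaderResponse` confirms the client then stores it under the distinct key `"Foo "` while `Get("Foo")` returns empty. The rejection that actually closes the desync issue described in the commit message therefore lives only in net/http's server-side validation (the 400 cases added to `TestServerValidatesHeaders`); any other caller of `ReadMIMEHeader` now receives such keys unnormalised and must treat a field name containing whitespace as invalid instead of expecting a canonical lookup to find it. The shortened comment loses that context; something like `// Key ends at first colon. Whitespace before the colon is no longer trimmed; such keys are returned as-is and it is up to callers (net/http) to reject them.` would record the new contract. `ReadMIMEHeader` begins and ends outside this hunk.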