diff options
Diffstat (limited to 'poky/meta/recipes-devtools')
10 files changed, 940 insertions, 1 deletions
diff --git a/poky/meta/recipes-devtools/git/files/CVE-2023-25652.patch b/poky/meta/recipes-devtools/git/files/CVE-2023-25652.patch new file mode 100644 index 0000000000..d6b17a2b8a --- /dev/null +++ b/poky/meta/recipes-devtools/git/files/CVE-2023-25652.patch @@ -0,0 +1,94 @@ +From 9db05711c98efc14f414d4c87135a34c13586e0b Mon Sep 17 00:00:00 2001 +From: Johannes Schindelin <johannes.schindelin@gmx.de> +Date: Thu, 9 Mar 2023 16:02:54 +0100 +Subject: [PATCH] apply --reject: overwrite existing `.rej` symlink if it + exists + +The `git apply --reject` is expected to write out `.rej` files in case +one or more hunks fail to apply cleanly. Historically, the command +overwrites any existing `.rej` files. The idea being that +apply/reject/edit cycles are relatively common, and the generated `.rej` +files are not considered precious. + +But the command does not overwrite existing `.rej` symbolic links, and +instead follows them. This is unsafe because the same patch could +potentially create such a symbolic link and point at arbitrary paths +outside the current worktree, and `git apply` would write the contents +of the `.rej` file into that location. + +Therefore, let's make sure that any existing `.rej` file or symbolic +link is removed before writing it. + +Reported-by: RyotaK <ryotak.mail@gmail.com> +Helped-by: Taylor Blau <me@ttaylorr.com> +Helped-by: Junio C Hamano <gitster@pobox.com> +Helped-by: Linus Torvalds <torvalds@linuxfoundation.org> +Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> + +Upstream-Status: Backport [https://github.com/git/git/commit/9db05711c98efc14f414d4c87135a34c13586e0b] +CVE: CVE-2023-25652 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + apply.c | 14 ++++++++++++-- + t/t4115-apply-symlink.sh | 15 +++++++++++++++ + 2 files changed, 27 insertions(+), 2 deletions(-) + +diff --git a/apply.c b/apply.c +index 4f303bf..aa7111d 100644 +--- a/apply.c ++++ b/apply.c +@@ -4531,7 +4531,7 @@ static int write_out_one_reject(struct apply_state *state, struct patch *patch) + FILE *rej; + char namebuf[PATH_MAX]; + struct fragment *frag; +- int cnt = 0; ++ int fd, cnt = 0; + struct strbuf sb = STRBUF_INIT; + + for (cnt = 0, frag = patch->fragments; frag; frag = frag->next) { +@@ -4571,7 +4571,17 @@ static int write_out_one_reject(struct apply_state *state, struct patch *patch) + memcpy(namebuf, patch->new_name, cnt); + memcpy(namebuf + cnt, ".rej", 5); + +- rej = fopen(namebuf, "w"); ++ fd = open(namebuf, O_CREAT | O_EXCL | O_WRONLY, 0666); ++ if (fd < 0) { ++ if (errno != EEXIST) ++ return error_errno(_("cannot open %s"), namebuf); ++ if (unlink(namebuf)) ++ return error_errno(_("cannot unlink '%s'"), namebuf); ++ fd = open(namebuf, O_CREAT | O_EXCL | O_WRONLY, 0666); ++ if (fd < 0) ++ return error_errno(_("cannot open %s"), namebuf); ++ } ++ rej = fdopen(fd, "w"); + if (!rej) + return error_errno(_("cannot open %s"), namebuf); + +diff --git a/t/t4115-apply-symlink.sh b/t/t4115-apply-symlink.sh +index 1acb7b2..2b034ff 100755 +--- a/t/t4115-apply-symlink.sh ++++ b/t/t4115-apply-symlink.sh +@@ -125,4 +125,19 @@ test_expect_success SYMLINKS 'symlink escape when deleting file' ' + test_path_is_file .git/delete-me + ' + ++test_expect_success SYMLINKS '--reject removes .rej symlink if it exists' ' ++ test_when_finished "git reset --hard && git clean -dfx" && ++ ++ test_commit file && ++ echo modified >file.t && ++ git diff -- file.t >patch && ++ echo modified-again >file.t && ++ ++ ln -s foo file.t.rej && ++ test_must_fail git apply patch --reject 2>err && ++ test_i18ngrep "Rejected hunk" err && ++ test_path_is_missing foo && ++ test_path_is_file file.t.rej ++' ++ + test_done +-- +2.25.1 + diff --git a/poky/meta/recipes-devtools/git/files/CVE-2023-29007.patch b/poky/meta/recipes-devtools/git/files/CVE-2023-29007.patch new file mode 100644 index 0000000000..e166c01412 --- /dev/null +++ b/poky/meta/recipes-devtools/git/files/CVE-2023-29007.patch @@ -0,0 +1,159 @@ +From 057c07a7b1fae22fdeef26c243f4cfbe3afc90ce Mon Sep 17 00:00:00 2001 +From: Taylor Blau <me@ttaylorr.com> +Date: Fri, 14 Apr 2023 11:46:59 -0400 +Subject: [PATCH] Merge branch 'tb/config-copy-or-rename-in-file-injection' + +Avoids issues with renaming or deleting sections with long lines, where +configuration values may be interpreted as sections, leading to +configuration injection. Addresses CVE-2023-29007. + +* tb/config-copy-or-rename-in-file-injection: + config.c: disallow overly-long lines in `copy_or_rename_section_in_file()` + config.c: avoid integer truncation in `copy_or_rename_section_in_file()` + config: avoid fixed-sized buffer when renaming/deleting a section + t1300: demonstrate failure when renaming sections with long lines + +Signed-off-by: Taylor Blau <me@ttaylorr.com> + +Upstream-Status: Backport [https://github.com/git/git/commit/528290f8c61222433a8cf02fb7cfffa8438432b4] +CVE: CVE-2023-29007 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + config.c | 36 +++++++++++++++++++++++++----------- + t/t1300-config.sh | 30 ++++++++++++++++++++++++++++++ + 2 files changed, 55 insertions(+), 11 deletions(-) + +diff --git a/config.c b/config.c +index e7052b3..676b687 100644 +--- a/config.c ++++ b/config.c +@@ -2987,9 +2987,10 @@ void git_config_set_multivar(const char *key, const char *value, + multi_replace); + } + +-static int section_name_match (const char *buf, const char *name) ++static size_t section_name_match (const char *buf, const char *name) + { +- int i = 0, j = 0, dot = 0; ++ size_t i = 0, j = 0; ++ int dot = 0; + if (buf[i] != '[') + return 0; + for (i = 1; buf[i] && buf[i] != ']'; i++) { +@@ -3042,6 +3043,8 @@ static int section_name_is_ok(const char *name) + return 1; + } + ++#define GIT_CONFIG_MAX_LINE_LEN (512 * 1024) ++ + /* if new_name == NULL, the section is removed instead */ + static int git_config_copy_or_rename_section_in_file(const char *config_filename, + const char *old_name, +@@ -3051,11 +3054,12 @@ static int git_config_copy_or_rename_section_in_file(const char *config_filename + char *filename_buf = NULL; + struct lock_file lock = LOCK_INIT; + int out_fd; +- char buf[1024]; ++ struct strbuf buf = STRBUF_INIT; + FILE *config_file = NULL; + struct stat st; + struct strbuf copystr = STRBUF_INIT; + struct config_store_data store; ++ uint32_t line_nr = 0; + + memset(&store, 0, sizeof(store)); + +@@ -3092,16 +3096,25 @@ static int git_config_copy_or_rename_section_in_file(const char *config_filename + goto out; + } + +- while (fgets(buf, sizeof(buf), config_file)) { +- int i; +- int length; ++ while (!strbuf_getwholeline(&buf, config_file, '\n')) { ++ size_t i, length; + int is_section = 0; +- char *output = buf; +- for (i = 0; buf[i] && isspace(buf[i]); i++) ++ char *output = buf.buf; ++ ++ line_nr++; ++ ++ if (buf.len >= GIT_CONFIG_MAX_LINE_LEN) { ++ ret = error(_("refusing to work with overly long line " ++ "in '%s' on line %"PRIuMAX), ++ config_filename, (uintmax_t)line_nr); ++ goto out; ++ } ++ ++ for (i = 0; buf.buf[i] && isspace(buf.buf[i]); i++) + ; /* do nothing */ +- if (buf[i] == '[') { ++ if (buf.buf[i] == '[') { + /* it's a section */ +- int offset; ++ size_t offset; + is_section = 1; + + /* +@@ -3118,7 +3131,7 @@ static int git_config_copy_or_rename_section_in_file(const char *config_filename + strbuf_reset(©str); + } + +- offset = section_name_match(&buf[i], old_name); ++ offset = section_name_match(&buf.buf[i], old_name); + if (offset > 0) { + ret++; + if (new_name == NULL) { +@@ -3193,6 +3206,7 @@ static int git_config_copy_or_rename_section_in_file(const char *config_filename + out_no_rollback: + free(filename_buf); + config_store_data_clear(&store); ++ strbuf_release(&buf); + return ret; + } + +diff --git a/t/t1300-config.sh b/t/t1300-config.sh +index 983a0a1..9b67f6b 100755 +--- a/t/t1300-config.sh ++++ b/t/t1300-config.sh +@@ -616,6 +616,36 @@ test_expect_success 'renaming to bogus section is rejected' ' + test_must_fail git config --rename-section branch.zwei "bogus name" + ' + ++test_expect_success 'renaming a section with a long line' ' ++ { ++ printf "[b]\\n" && ++ printf " c = d %1024s [a] e = f\\n" " " && ++ printf "[a] g = h\\n" ++ } >y && ++ git config -f y --rename-section a xyz && ++ test_must_fail git config -f y b.e ++' ++ ++test_expect_success 'renaming an embedded section with a long line' ' ++ { ++ printf "[b]\\n" && ++ printf " c = d %1024s [a] [foo] e = f\\n" " " && ++ printf "[a] g = h\\n" ++ } >y && ++ git config -f y --rename-section a xyz && ++ test_must_fail git config -f y foo.e ++' ++ ++test_expect_success 'renaming a section with an overly-long line' ' ++ { ++ printf "[b]\\n" && ++ printf " c = d %525000s e" " " && ++ printf "[a] g = h\\n" ++ } >y && ++ test_must_fail git config -f y --rename-section a xyz 2>err && ++ test_i18ngrep "refusing to work with overly long line in .y. on line 2" err ++' ++ + cat >> .git/config << EOF + [branch "zwei"] a = 1 [branch "vier"] + EOF +-- +2.25.1 + diff --git a/poky/meta/recipes-devtools/git/git.inc b/poky/meta/recipes-devtools/git/git.inc index 36318eed20..e64472ea28 100644 --- a/poky/meta/recipes-devtools/git/git.inc +++ b/poky/meta/recipes-devtools/git/git.inc @@ -28,6 +28,8 @@ SRC_URI = "${KERNELORG_MIRROR}/software/scm/git/git-${PV}.tar.gz;name=tarball \ file://CVE-2023-22490-2.patch \ file://CVE-2023-22490-3.patch \ file://CVE-2023-23946.patch \ + file://CVE-2023-29007.patch \ + file://CVE-2023-25652.patch \ " S = "${WORKDIR}/git-${PV}" diff --git a/poky/meta/recipes-devtools/go/go-1.14.inc b/poky/meta/recipes-devtools/go/go-1.14.inc index 3b99b8fe7e..2c500e8331 100644 --- a/poky/meta/recipes-devtools/go/go-1.14.inc +++ b/poky/meta/recipes-devtools/go/go-1.14.inc @@ -58,6 +58,11 @@ SRC_URI += "\ file://CVE-2020-29510.patch \ file://CVE-2023-24537.patch \ file://CVE-2023-24534.patch \ + file://CVE-2023-24538-1.patch \ + file://CVE-2023-24538-2.patch \ + file://CVE-2023-24538-3.patch \ + file://CVE-2023-24539.patch \ + file://CVE-2023-24540.patch \ " SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch" diff --git a/poky/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-1.patch b/poky/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-1.patch new file mode 100644 index 0000000000..eda26e5ff6 --- /dev/null +++ b/poky/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-1.patch @@ -0,0 +1,125 @@ +From 8acd01094d9ee17f6e763a61e49a8a808b3a9ddb Mon Sep 17 00:00:00 2001 +From: Brad Fitzpatrick <bradfitz@golang.org> +Date: Mon, 2 Aug 2021 14:55:51 -0700 +Subject: [PATCH 1/3] net/netip: add new IP address package + +Co-authored-by: Alex Willmer <alex@moreati.org.uk> (GitHub @moreati) +Co-authored-by: Alexander Yastrebov <yastrebov.alex@gmail.com> +Co-authored-by: David Anderson <dave@natulte.net> (Tailscale CLA) +Co-authored-by: David Crawshaw <crawshaw@tailscale.com> (Tailscale CLA) +Co-authored-by: Dmytro Shynkevych <dmytro@tailscale.com> (Tailscale CLA) +Co-authored-by: Elias Naur <mail@eliasnaur.com> +Co-authored-by: Joe Tsai <joetsai@digital-static.net> (Tailscale CLA) +Co-authored-by: Jonathan Yu <jawnsy@cpan.org> (GitHub @jawnsy) +Co-authored-by: Josh Bleecher Snyder <josharian@gmail.com> (Tailscale CLA) +Co-authored-by: Maisem Ali <maisem@tailscale.com> (Tailscale CLA) +Co-authored-by: Manuel Mendez (Go AUTHORS mmendez534@...) +Co-authored-by: Matt Layher <mdlayher@gmail.com> +Co-authored-by: Noah Treuhaft <noah.treuhaft@gmail.com> (GitHub @nwt) +Co-authored-by: Stefan Majer <stefan.majer@gmail.com> +Co-authored-by: Terin Stock <terinjokes@gmail.com> (Cloudflare CLA) +Co-authored-by: Tobias Klauser <tklauser@distanz.ch> + +Fixes #46518 + +Change-Id: I0041f9e1115d61fa6e95fcf32b01d9faee708712 +Reviewed-on: https://go-review.googlesource.com/c/go/+/339309 +Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> +TryBot-Result: Go Bot <gobot@golang.org> +Reviewed-by: Russ Cox <rsc@golang.org> +Trust: Brad Fitzpatrick <bradfitz@golang.org> + +Dependency Patch #1 + +Upstream-Status: Backport [https://github.com/golang/go/commit/a59e33224e42d60a97fa720a45e1b74eb6aaa3d0] +CVE: CVE-2023-24538 +Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com> +--- + src/internal/godebug/godebug.go | 34 ++++++++++++++++++++++++++++++++++ + src/internal/godebug/godebug_test.go | 34 ++++++++++++++++++++++++++++++++++ + 2 files changed, 68 insertions(+) + create mode 100644 src/internal/godebug/godebug.go + create mode 100644 src/internal/godebug/godebug_test.go + +diff --git a/src/internal/godebug/godebug.go b/src/internal/godebug/godebug.go +new file mode 100644 +index 0000000..ac434e5 +--- /dev/null ++++ b/src/internal/godebug/godebug.go +@@ -0,0 +1,34 @@ ++// Copyright 2021 The Go Authors. All rights reserved. ++// Use of this source code is governed by a BSD-style ++// license that can be found in the LICENSE file. ++ ++// Package godebug parses the GODEBUG environment variable. ++package godebug ++ ++import "os" ++ ++// Get returns the value for the provided GODEBUG key. ++func Get(key string) string { ++ return get(os.Getenv("GODEBUG"), key) ++} ++ ++// get returns the value part of key=value in s (a GODEBUG value). ++func get(s, key string) string { ++ for i := 0; i < len(s)-len(key)-1; i++ { ++ if i > 0 && s[i-1] != ',' { ++ continue ++ } ++ afterKey := s[i+len(key):] ++ if afterKey[0] != '=' || s[i:i+len(key)] != key { ++ continue ++ } ++ val := afterKey[1:] ++ for i, b := range val { ++ if b == ',' { ++ return val[:i] ++ } ++ } ++ return val ++ } ++ return "" ++} +diff --git a/src/internal/godebug/godebug_test.go b/src/internal/godebug/godebug_test.go +new file mode 100644 +index 0000000..41b9117 +--- /dev/null ++++ b/src/internal/godebug/godebug_test.go +@@ -0,0 +1,34 @@ ++// Copyright 2021 The Go Authors. All rights reserved. ++// Use of this source code is governed by a BSD-style ++// license that can be found in the LICENSE file. ++ ++package godebug ++ ++import "testing" ++ ++func TestGet(t *testing.T) { ++ tests := []struct { ++ godebug string ++ key string ++ want string ++ }{ ++ {"", "", ""}, ++ {"", "foo", ""}, ++ {"foo=bar", "foo", "bar"}, ++ {"foo=bar,after=x", "foo", "bar"}, ++ {"before=x,foo=bar,after=x", "foo", "bar"}, ++ {"before=x,foo=bar", "foo", "bar"}, ++ {",,,foo=bar,,,", "foo", "bar"}, ++ {"foodecoy=wrong,foo=bar", "foo", "bar"}, ++ {"foo=", "foo", ""}, ++ {"foo", "foo", ""}, ++ {",foo", "foo", ""}, ++ {"foo=bar,baz", "loooooooong", ""}, ++ } ++ for _, tt := range tests { ++ got := get(tt.godebug, tt.key) ++ if got != tt.want { ++ t.Errorf("get(%q, %q) = %q; want %q", tt.godebug, tt.key, got, tt.want) ++ } ++ } ++} +-- +2.7.4 diff --git a/poky/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-2.patch b/poky/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-2.patch new file mode 100644 index 0000000000..5036f2890b --- /dev/null +++ b/poky/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-2.patch @@ -0,0 +1,196 @@ +From 6fc21505614f36178df0dad7034b6b8e3f7588d5 Mon Sep 17 00:00:00 2001 +From: empijei <robclap8@gmail.com> +Date: Fri, 27 Mar 2020 19:27:55 +0100 +Subject: [PATCH 2/3] html/template,text/template: switch to Unicode escapes + for JSON compatibility +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The existing implementation is not compatible with JSON +escape as it uses hex escaping. +Unicode escape, instead, is valid for both JSON and JS. +This fix avoids creating a separate escaping context for +scripts of type "application/ld+json" and it is more +future-proof in case more JSON+JS contexts get added +to the platform (e.g. import maps). + +Fixes #33671 +Fixes #37634 + +Change-Id: Id6f6524b4abc52e81d9d744d46bbe5bf2e081543 +Reviewed-on: https://go-review.googlesource.com/c/go/+/226097 +Reviewed-by: Carl Johnson <me@carlmjohnson.net> +Reviewed-by: Daniel Martà <mvdan@mvdan.cc> +Run-TryBot: Daniel Martà <mvdan@mvdan.cc> +TryBot-Result: Gobot Gobot <gobot@golang.org> + +Dependency Patch #2 + +Upstream-Status: Backport from https://github.com/golang/go/commit/d4d298040d072ddacea0e0d6b55fb148fff18070 +CVE: CVE-2023-24538 +Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com> +--- + src/html/template/js.go | 70 +++++++++++++++++++++++++++------------------- + src/text/template/funcs.go | 8 +++--- + 2 files changed, 46 insertions(+), 32 deletions(-) + +diff --git a/src/html/template/js.go b/src/html/template/js.go +index 0e91458..ea9c183 100644 +--- a/src/html/template/js.go ++++ b/src/html/template/js.go +@@ -163,7 +163,6 @@ func jsValEscaper(args ...interface{}) string { + } + // TODO: detect cycles before calling Marshal which loops infinitely on + // cyclic data. This may be an unacceptable DoS risk. +- + b, err := json.Marshal(a) + if err != nil { + // Put a space before comment so that if it is flush against +@@ -178,8 +177,8 @@ func jsValEscaper(args ...interface{}) string { + // TODO: maybe post-process output to prevent it from containing + // "<!--", "-->", "<![CDATA[", "]]>", or "</script" + // in case custom marshalers produce output containing those. +- +- // TODO: Maybe abbreviate \u00ab to \xab to produce more compact output. ++ // Note: Do not use \x escaping to save bytes because it is not JSON compatible and this escaper ++ // supports ld+json content-type. + if len(b) == 0 { + // In, `x=y/{{.}}*z` a json.Marshaler that produces "" should + // not cause the output `x=y/*z`. +@@ -260,6 +259,8 @@ func replace(s string, replacementTable []string) string { + r, w = utf8.DecodeRuneInString(s[i:]) + var repl string + switch { ++ case int(r) < len(lowUnicodeReplacementTable): ++ repl = lowUnicodeReplacementTable[r] + case int(r) < len(replacementTable) && replacementTable[r] != "": + repl = replacementTable[r] + case r == '\u2028': +@@ -283,67 +284,80 @@ func replace(s string, replacementTable []string) string { + return b.String() + } + ++var lowUnicodeReplacementTable = []string{ ++ 0: `\u0000`, 1: `\u0001`, 2: `\u0002`, 3: `\u0003`, 4: `\u0004`, 5: `\u0005`, 6: `\u0006`, ++ '\a': `\u0007`, ++ '\b': `\u0008`, ++ '\t': `\t`, ++ '\n': `\n`, ++ '\v': `\u000b`, // "\v" == "v" on IE 6. ++ '\f': `\f`, ++ '\r': `\r`, ++ 0xe: `\u000e`, 0xf: `\u000f`, 0x10: `\u0010`, 0x11: `\u0011`, 0x12: `\u0012`, 0x13: `\u0013`, ++ 0x14: `\u0014`, 0x15: `\u0015`, 0x16: `\u0016`, 0x17: `\u0017`, 0x18: `\u0018`, 0x19: `\u0019`, ++ 0x1a: `\u001a`, 0x1b: `\u001b`, 0x1c: `\u001c`, 0x1d: `\u001d`, 0x1e: `\u001e`, 0x1f: `\u001f`, ++} ++ + var jsStrReplacementTable = []string{ +- 0: `\0`, ++ 0: `\u0000`, + '\t': `\t`, + '\n': `\n`, +- '\v': `\x0b`, // "\v" == "v" on IE 6. ++ '\v': `\u000b`, // "\v" == "v" on IE 6. + '\f': `\f`, + '\r': `\r`, + // Encode HTML specials as hex so the output can be embedded + // in HTML attributes without further encoding. +- '"': `\x22`, +- '&': `\x26`, +- '\'': `\x27`, +- '+': `\x2b`, ++ '"': `\u0022`, ++ '&': `\u0026`, ++ '\'': `\u0027`, ++ '+': `\u002b`, + '/': `\/`, +- '<': `\x3c`, +- '>': `\x3e`, ++ '<': `\u003c`, ++ '>': `\u003e`, + '\\': `\\`, + } + + // jsStrNormReplacementTable is like jsStrReplacementTable but does not + // overencode existing escapes since this table has no entry for `\`. + var jsStrNormReplacementTable = []string{ +- 0: `\0`, ++ 0: `\u0000`, + '\t': `\t`, + '\n': `\n`, +- '\v': `\x0b`, // "\v" == "v" on IE 6. ++ '\v': `\u000b`, // "\v" == "v" on IE 6. + '\f': `\f`, + '\r': `\r`, + // Encode HTML specials as hex so the output can be embedded + // in HTML attributes without further encoding. +- '"': `\x22`, +- '&': `\x26`, +- '\'': `\x27`, +- '+': `\x2b`, ++ '"': `\u0022`, ++ '&': `\u0026`, ++ '\'': `\u0027`, ++ '+': `\u002b`, + '/': `\/`, +- '<': `\x3c`, +- '>': `\x3e`, ++ '<': `\u003c`, ++ '>': `\u003e`, + } +- + var jsRegexpReplacementTable = []string{ +- 0: `\0`, ++ 0: `\u0000`, + '\t': `\t`, + '\n': `\n`, +- '\v': `\x0b`, // "\v" == "v" on IE 6. ++ '\v': `\u000b`, // "\v" == "v" on IE 6. + '\f': `\f`, + '\r': `\r`, + // Encode HTML specials as hex so the output can be embedded + // in HTML attributes without further encoding. +- '"': `\x22`, ++ '"': `\u0022`, + '$': `\$`, +- '&': `\x26`, +- '\'': `\x27`, ++ '&': `\u0026`, ++ '\'': `\u0027`, + '(': `\(`, + ')': `\)`, + '*': `\*`, +- '+': `\x2b`, ++ '+': `\u002b`, + '-': `\-`, + '.': `\.`, + '/': `\/`, +- '<': `\x3c`, +- '>': `\x3e`, ++ '<': `\u003c`, ++ '>': `\u003e`, + '?': `\?`, + '[': `\[`, + '\\': `\\`, +diff --git a/src/text/template/funcs.go b/src/text/template/funcs.go +index 46125bc..f3de9fb 100644 +--- a/src/text/template/funcs.go ++++ b/src/text/template/funcs.go +@@ -640,10 +640,10 @@ var ( + jsBackslash = []byte(`\\`) + jsApos = []byte(`\'`) + jsQuot = []byte(`\"`) +- jsLt = []byte(`\x3C`) +- jsGt = []byte(`\x3E`) +- jsAmp = []byte(`\x26`) +- jsEq = []byte(`\x3D`) ++ jsLt = []byte(`\u003C`) ++ jsGt = []byte(`\u003E`) ++ jsAmp = []byte(`\u0026`) ++ jsEq = []byte(`\u003D`) + ) + + // JSEscape writes to w the escaped JavaScript equivalent of the plain text data b. +-- +2.7.4 diff --git a/poky/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-3.patch b/poky/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-3.patch new file mode 100644 index 0000000000..d5bb33e091 --- /dev/null +++ b/poky/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-3.patch @@ -0,0 +1,208 @@ +From 16f4882984569f179d73967c9eee679bb9b098c5 Mon Sep 17 00:00:00 2001 +From: Roland Shoemaker <bracewell@google.com> +Date: Mon, 20 Mar 2023 11:01:13 -0700 +Subject: [PATCH 3/3] html/template: disallow actions in JS template literals + +ECMAScript 6 introduced template literals[0][1] which are delimited with +backticks. These need to be escaped in a similar fashion to the +delimiters for other string literals. Additionally template literals can +contain special syntax for string interpolation. + +There is no clear way to allow safe insertion of actions within JS +template literals, as handling (JS) string interpolation inside of these +literals is rather complex. As such we've chosen to simply disallow +template actions within these template literals. + +A new error code is added for this parsing failure case, errJsTmplLit, +but it is unexported as it is not backwards compatible with other minor +release versions to introduce an API change in a minor release. We will +export this code in the next major release. + +The previous behavior (with the cavet that backticks are now escaped +properly) can be re-enabled with GODEBUG=jstmpllitinterp=1. + +This change subsumes CL471455. + +Thanks to Sohom Datta, Manipal Institute of Technology, for reporting +this issue. + +Fixes CVE-2023-24538 +For #59234 +Fixes #59271 + +[0] https://tc39.es/ecma262/multipage/ecmascript-language-expressions.html#sec-template-literals +[1] https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Template_literals + +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802457 +Reviewed-by: Damien Neil <dneil@google.com> +Run-TryBot: Damien Neil <dneil@google.com> +Reviewed-by: Julie Qiu <julieqiu@google.com> +Reviewed-by: Roland Shoemaker <bracewell@google.com> +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802612 +Run-TryBot: Roland Shoemaker <bracewell@google.com> +Change-Id: Ic7f10595615f2b2740d9c85ad7ef40dc0e78c04c +Reviewed-on: https://go-review.googlesource.com/c/go/+/481987 +Auto-Submit: Michael Knyszek <mknyszek@google.com> +TryBot-Result: Gopher Robot <gobot@golang.org> +Run-TryBot: Michael Knyszek <mknyszek@google.com> +Reviewed-by: Matthew Dempsky <mdempsky@google.com> + +Upstream-Status: Backport from https://github.com/golang/go/commit/b1e3ecfa06b67014429a197ec5e134ce4303ad9b +CVE: CVE-2023-24538 +Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com> +--- + src/html/template/context.go | 2 ++ + src/html/template/error.go | 13 +++++++++++++ + src/html/template/escape.go | 11 +++++++++++ + src/html/template/js.go | 2 ++ + src/html/template/jsctx_string.go | 9 +++++++++ + src/html/template/transition.go | 7 ++++++- + 6 files changed, 43 insertions(+), 1 deletion(-) + +diff --git a/src/html/template/context.go b/src/html/template/context.go +index f7d4849..0b65313 100644 +--- a/src/html/template/context.go ++++ b/src/html/template/context.go +@@ -116,6 +116,8 @@ const ( + stateJSDqStr + // stateJSSqStr occurs inside a JavaScript single quoted string. + stateJSSqStr ++ // stateJSBqStr occurs inside a JavaScript back quoted string. ++ stateJSBqStr + // stateJSRegexp occurs inside a JavaScript regexp literal. + stateJSRegexp + // stateJSBlockCmt occurs inside a JavaScript /* block comment */. +diff --git a/src/html/template/error.go b/src/html/template/error.go +index 0e52706..fd26b64 100644 +--- a/src/html/template/error.go ++++ b/src/html/template/error.go +@@ -211,6 +211,19 @@ const ( + // pipeline occurs in an unquoted attribute value context, "html" is + // disallowed. Avoid using "html" and "urlquery" entirely in new templates. + ErrPredefinedEscaper ++ ++ // errJSTmplLit: "... appears in a JS template literal" ++ // Example: ++ // <script>var tmpl = `{{.Interp}`</script> ++ // Discussion: ++ // Package html/template does not support actions inside of JS template ++ // literals. ++ // ++ // TODO(rolandshoemaker): we cannot add this as an exported error in a minor ++ // release, since it is backwards incompatible with the other minor ++ // releases. As such we need to leave it unexported, and then we'll add it ++ // in the next major release. ++ errJSTmplLit + ) + + func (e *Error) Error() string { +diff --git a/src/html/template/escape.go b/src/html/template/escape.go +index f12dafa..29ca5b3 100644 +--- a/src/html/template/escape.go ++++ b/src/html/template/escape.go +@@ -8,6 +8,7 @@ import ( + "bytes" + "fmt" + "html" ++ "internal/godebug" + "io" + "text/template" + "text/template/parse" +@@ -203,6 +204,16 @@ func (e *escaper) escapeAction(c context, n *parse.ActionNode) context { + c.jsCtx = jsCtxDivOp + case stateJSDqStr, stateJSSqStr: + s = append(s, "_html_template_jsstrescaper") ++ case stateJSBqStr: ++ debugAllowActionJSTmpl := godebug.Get("jstmpllitinterp") ++ if debugAllowActionJSTmpl == "1" { ++ s = append(s, "_html_template_jsstrescaper") ++ } else { ++ return context{ ++ state: stateError, ++ err: errorf(errJSTmplLit, n, n.Line, "%s appears in a JS template literal", n), ++ } ++ } + case stateJSRegexp: + s = append(s, "_html_template_jsregexpescaper") + case stateCSS: +diff --git a/src/html/template/js.go b/src/html/template/js.go +index ea9c183..b888eaf 100644 +--- a/src/html/template/js.go ++++ b/src/html/template/js.go +@@ -308,6 +308,7 @@ var jsStrReplacementTable = []string{ + // Encode HTML specials as hex so the output can be embedded + // in HTML attributes without further encoding. + '"': `\u0022`, ++ '`': `\u0060`, + '&': `\u0026`, + '\'': `\u0027`, + '+': `\u002b`, +@@ -331,6 +332,7 @@ var jsStrNormReplacementTable = []string{ + '"': `\u0022`, + '&': `\u0026`, + '\'': `\u0027`, ++ '`': `\u0060`, + '+': `\u002b`, + '/': `\/`, + '<': `\u003c`, +diff --git a/src/html/template/jsctx_string.go b/src/html/template/jsctx_string.go +index dd1d87e..2394893 100644 +--- a/src/html/template/jsctx_string.go ++++ b/src/html/template/jsctx_string.go +@@ -4,6 +4,15 @@ package template + + import "strconv" + ++func _() { ++ // An "invalid array index" compiler error signifies that the constant values have changed. ++ // Re-run the stringer command to generate them again. ++ var x [1]struct{} ++ _ = x[jsCtxRegexp-0] ++ _ = x[jsCtxDivOp-1] ++ _ = x[jsCtxUnknown-2] ++} ++ + const _jsCtx_name = "jsCtxRegexpjsCtxDivOpjsCtxUnknown" + + var _jsCtx_index = [...]uint8{0, 11, 21, 33} +diff --git a/src/html/template/transition.go b/src/html/template/transition.go +index 06df679..92eb351 100644 +--- a/src/html/template/transition.go ++++ b/src/html/template/transition.go +@@ -27,6 +27,7 @@ var transitionFunc = [...]func(context, []byte) (context, int){ + stateJS: tJS, + stateJSDqStr: tJSDelimited, + stateJSSqStr: tJSDelimited, ++ stateJSBqStr: tJSDelimited, + stateJSRegexp: tJSDelimited, + stateJSBlockCmt: tBlockCmt, + stateJSLineCmt: tLineCmt, +@@ -262,7 +263,7 @@ func tURL(c context, s []byte) (context, int) { + + // tJS is the context transition function for the JS state. + func tJS(c context, s []byte) (context, int) { +- i := bytes.IndexAny(s, `"'/`) ++ i := bytes.IndexAny(s, "\"`'/") + if i == -1 { + // Entire input is non string, comment, regexp tokens. + c.jsCtx = nextJSCtx(s, c.jsCtx) +@@ -274,6 +275,8 @@ func tJS(c context, s []byte) (context, int) { + c.state, c.jsCtx = stateJSDqStr, jsCtxRegexp + case '\'': + c.state, c.jsCtx = stateJSSqStr, jsCtxRegexp ++ case '`': ++ c.state, c.jsCtx = stateJSBqStr, jsCtxRegexp + case '/': + switch { + case i+1 < len(s) && s[i+1] == '/': +@@ -303,6 +306,8 @@ func tJSDelimited(c context, s []byte) (context, int) { + switch c.state { + case stateJSSqStr: + specials = `\'` ++ case stateJSBqStr: ++ specials = "`\\" + case stateJSRegexp: + specials = `\/[]` + } +-- +2.7.4 diff --git a/poky/meta/recipes-devtools/go/go-1.14/CVE-2023-24539.patch b/poky/meta/recipes-devtools/go/go-1.14/CVE-2023-24539.patch new file mode 100644 index 0000000000..281b6486a8 --- /dev/null +++ b/poky/meta/recipes-devtools/go/go-1.14/CVE-2023-24539.patch @@ -0,0 +1,60 @@ +From 8673ca81e5340b87709db2d9749c92a3bf925df1 Mon Sep 17 00:00:00 2001 +From: Roland Shoemaker <bracewell@google.com> +Date: Thu, 13 Apr 2023 15:40:44 -0700 +Subject: [PATCH] html/template: disallow angle brackets in CSS values + +Angle brackets should not appear in CSS contexts, as they may affect +token boundaries (such as closing a <style> tag, resulting in +injection). Instead emit filterFailsafe, matching the behavior for other +dangerous characters. + +Thanks to Juho Nurminen of Mattermost for reporting this issue. + +Fixes #59720 +Fixes CVE-2023-24539 + +Change-Id: Iccc659c9a18415992b0c05c178792228e3a7bae4 +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1826636 +Reviewed-by: Julie Qiu <julieqiu@google.com> +Run-TryBot: Roland Shoemaker <bracewell@google.com> +Reviewed-by: Damien Neil <dneil@google.com> +Reviewed-on: https://go-review.googlesource.com/c/go/+/491615 +Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org> +Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> +Run-TryBot: Carlos Amedee <carlos@golang.org> +TryBot-Result: Gopher Robot <gobot@golang.org> + +Upstream-Status: Backport from [https://github.com/golang/go/commit/8673ca81e5340b87709db2d9749c92a3bf925df1] +CVE: CVE-2023-24539 +Signed-off-by: Ashish Sharma <asharma@mvista.com> +--- + src/html/template/css.go | 2 +- + src/html/template/css_test.go | 2 ++ + 2 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/html/template/css.go b/src/html/template/css.go +index 890a0c6b227fe..f650d8b3e843a 100644 +--- a/src/html/template/css.go ++++ b/src/html/template/css.go +@@ -238,7 +238,7 @@ func cssValueFilter(args ...any) string { + // inside a string that might embed JavaScript source. + for i, c := range b { + switch c { +- case 0, '"', '\'', '(', ')', '/', ';', '@', '[', '\\', ']', '`', '{', '}': ++ case 0, '"', '\'', '(', ')', '/', ';', '@', '[', '\\', ']', '`', '{', '}', '<', '>': + return filterFailsafe + case '-': + // Disallow <!-- or -->. +diff --git a/src/html/template/css_test.go b/src/html/template/css_test.go +index a735638b0314f..2b76256a766e9 100644 +--- a/src/html/template/css_test.go ++++ b/src/html/template/css_test.go +@@ -231,6 +231,8 @@ func TestCSSValueFilter(t *testing.T) { + {`-exp\000052 ession(alert(1337))`, "ZgotmplZ"}, + {`-expre\0000073sion`, "-expre\x073sion"}, + {`@import url evil.css`, "ZgotmplZ"}, ++ {"<", "ZgotmplZ"}, ++ {">", "ZgotmplZ"}, + } + for _, test := range tests { + got := cssValueFilter(test.css) diff --git a/poky/meta/recipes-devtools/go/go-1.14/CVE-2023-24540.patch b/poky/meta/recipes-devtools/go/go-1.14/CVE-2023-24540.patch new file mode 100644 index 0000000000..799a0dfcda --- /dev/null +++ b/poky/meta/recipes-devtools/go/go-1.14/CVE-2023-24540.patch @@ -0,0 +1,90 @@ +From ce7bd33345416e6d8cac901792060591cafc2797 Mon Sep 17 00:00:00 2001 +From: Roland Shoemaker <bracewell@google.com> +Date: Tue, 11 Apr 2023 16:27:43 +0100 +Subject: [PATCH] [release-branch.go1.19] html/template: handle all JS + whitespace characters + +Rather than just a small set. Character class as defined by \s [0]. + +Thanks to Juho Nurminen of Mattermost for reporting this. + +For #59721 +Fixes #59813 +Fixes CVE-2023-24540 + +[0] https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions/Character_Classes + +Change-Id: I56d4fa1ef08125b417106ee7dbfb5b0923b901ba +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1821459 +Reviewed-by: Julie Qiu <julieqiu@google.com> +Run-TryBot: Roland Shoemaker <bracewell@google.com> +Reviewed-by: Damien Neil <dneil@google.com> +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1851497 +Run-TryBot: Damien Neil <dneil@google.com> +Reviewed-by: Roland Shoemaker <bracewell@google.com> +Reviewed-on: https://go-review.googlesource.com/c/go/+/491355 +Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> +Reviewed-by: Carlos Amedee <carlos@golang.org> +TryBot-Bypass: Carlos Amedee <carlos@golang.org> +Run-TryBot: Carlos Amedee <carlos@golang.org> + +Upstream-Status: Backport [https://github.com/golang/go/commit/ce7bd33345416e6d8cac901792060591cafc2797] +CVE: CVE-2023-24540 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + src/html/template/js.go | 8 +++++++- + src/html/template/js_test.go | 11 +++++++---- + 2 files changed, 14 insertions(+), 5 deletions(-) + +diff --git a/src/html/template/js.go b/src/html/template/js.go +index fe7054efe5cd8..4e05c1455723f 100644 +--- a/src/html/template/js.go ++++ b/src/html/template/js.go +@@ -13,6 +13,11 @@ import ( + "unicode/utf8" + ) + ++// jsWhitespace contains all of the JS whitespace characters, as defined ++// by the \s character class. ++// See https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_expressions/Character_classes. ++const jsWhitespace = "\f\n\r\t\v\u0020\u00a0\u1680\u2000\u2001\u2002\u2003\u2004\u2005\u2006\u2007\u2008\u2009\u200a\u2028\u2029\u202f\u205f\u3000\ufeff" ++ + // nextJSCtx returns the context that determines whether a slash after the + // given run of tokens starts a regular expression instead of a division + // operator: / or /=. +@@ -26,7 +31,8 @@ import ( + // JavaScript 2.0 lexical grammar and requires one token of lookbehind: + // https://www.mozilla.org/js/language/js20-2000-07/rationale/syntax.html + func nextJSCtx(s []byte, preceding jsCtx) jsCtx { +- s = bytes.TrimRight(s, "\t\n\f\r \u2028\u2029") ++ // Trim all JS whitespace characters ++ s = bytes.TrimRight(s, jsWhitespace) + if len(s) == 0 { + return preceding + } +diff --git a/src/html/template/js_test.go b/src/html/template/js_test.go +index e07c695f7a77d..e52180cc113b5 100644 +--- a/src/html/template/js_test.go ++++ b/src/html/template/js_test.go +@@ -81,14 +81,17 @@ func TestNextJsCtx(t *testing.T) { + {jsCtxDivOp, "0"}, + // Dots that are part of a number are div preceders. + {jsCtxDivOp, "0."}, ++ // Some JS interpreters treat NBSP as a normal space, so ++ // we must too in order to properly escape things. ++ {jsCtxRegexp, "=\u00A0"}, + } + + for _, test := range tests { +- if nextJSCtx([]byte(test.s), jsCtxRegexp) != test.jsCtx { +- t.Errorf("want %s got %q", test.jsCtx, test.s) ++ if ctx := nextJSCtx([]byte(test.s), jsCtxRegexp); ctx != test.jsCtx { ++ t.Errorf("%q: want %s got %s", test.s, test.jsCtx, ctx) + } +- if nextJSCtx([]byte(test.s), jsCtxDivOp) != test.jsCtx { +- t.Errorf("want %s got %q", test.jsCtx, test.s) ++ if ctx := nextJSCtx([]byte(test.s), jsCtxDivOp); ctx != test.jsCtx { ++ t.Errorf("%q: want %s got %s", test.s, test.jsCtx, ctx) + } + } + diff --git a/poky/meta/recipes-devtools/run-postinsts/run-postinsts/run-postinsts.service b/poky/meta/recipes-devtools/run-postinsts/run-postinsts/run-postinsts.service index 7f72f3388a..b6b81d5c1a 100644 --- a/poky/meta/recipes-devtools/run-postinsts/run-postinsts/run-postinsts.service +++ b/poky/meta/recipes-devtools/run-postinsts/run-postinsts/run-postinsts.service @@ -1,7 +1,7 @@ [Unit] Description=Run pending postinsts DefaultDependencies=no -After=systemd-remount-fs.service systemd-tmpfiles-setup.service tmp.mount +After=systemd-remount-fs.service systemd-tmpfiles-setup.service tmp.mount ldconfig.service Before=sysinit.target [Service] |