From ba21eed3541e753e319189cda2b89ea6fb0a2b53 Mon Sep 17 00:00:00 2001 From: hanchao Date: Thu, 18 Aug 2022 17:48:04 +0800 Subject: [PATCH] golang: fix CVE-2022-29804,CVE-2022-29526 Score: CVE-2022-29804: 7.5, CVE-2022-29526: 5.3 Reference: https://go-review.googlesource.com/c/go/+/401595/, https://go-review.googlesource.com/c/go/+/401078/ Conflict: NA Reason: fix CVE-2022-29804,CVE-2022-29526 --- ...-not-remove-prefix-.-when-following-.patch | 103 ++++++++++++++++++ ...o1.17-syscall-check-correct-group-in.patch | 53 +++++++++ golang.spec | 10 +- 3 files changed, 165 insertions(+), 1 deletion(-) create mode 100644 0017-path-filepath-do-not-remove-prefix-.-when-following-.patch create mode 100644 0018-release-branch.go1.17-syscall-check-correct-group-in.patch diff --git a/0017-path-filepath-do-not-remove-prefix-.-when-following-.patch b/0017-path-filepath-do-not-remove-prefix-.-when-following-.patch new file mode 100644 index 0000000..0f44f38 --- /dev/null +++ b/0017-path-filepath-do-not-remove-prefix-.-when-following-.patch @@ -0,0 +1,103 @@ +From e903e474f9632a151fff2df3dd3e891395f1a8f1 Mon Sep 17 00:00:00 2001 +From: Yasuhiro Matsumoto +Date: Fri, 22 Apr 2022 10:07:51 +0900 +Subject: [PATCH 1/2] path/filepath: do not remove prefix "." when following + path contains ":". + +Fixes #52476 + +Change-Id: I9eb72ac7dbccd6322d060291f31831dc389eb9bb +Reviewed-on: https://go-review.googlesource.com/c/go/+/401595 +Auto-Submit: Ian Lance Taylor +Reviewed-by: Alex Brainman +Run-TryBot: Ian Lance Taylor +Reviewed-by: Ian Lance Taylor +Reviewed-by: Damien Neil +TryBot-Result: Gopher Robot + +Reference:https://go-review.googlesource.com/c/go/+/401595/ +Conflict:NA +--- + src/path/filepath/path.go | 14 +++++++++++++- + src/path/filepath/path_test.go | 3 +++ + src/path/filepath/path_windows_test.go | 26 ++++++++++++++++++++++++++ + 3 files changed, 42 insertions(+), 1 deletion(-) + +diff --git a/src/path/filepath/path.go b/src/path/filepath/path.go +index b56534dead..8300a32cb1 100644 +--- a/src/path/filepath/path.go ++++ b/src/path/filepath/path.go +@@ -117,9 +117,21 @@ func Clean(path string) string { + case os.IsPathSeparator(path[r]): + // empty path element + r++ +- case path[r] == '.' && (r+1 == n || os.IsPathSeparator(path[r+1])): ++ case path[r] == '.' && r+1 == n: + // . element + r++ ++ case path[r] == '.' && os.IsPathSeparator(path[r+1]): ++ // ./ element ++ r++ ++ ++ for r < len(path) && os.IsPathSeparator(path[r]) { ++ r++ ++ } ++ if out.w == 0 && volumeNameLen(path[r:]) > 0 { ++ // When joining prefix "." and an absolute path on Windows, ++ // the prefix should not be removed. ++ out.append('.') ++ } + case path[r] == '.' && path[r+1] == '.' && (r+2 == n || os.IsPathSeparator(path[r+2])): + // .. element: remove to last separator + r += 2 +diff --git a/src/path/filepath/path_test.go b/src/path/filepath/path_test.go +index bc5509b49c..ed17a8854d 100644 +--- a/src/path/filepath/path_test.go ++++ b/src/path/filepath/path_test.go +@@ -93,6 +93,9 @@ var wincleantests = []PathTest{ + {`//host/share/foo/../baz`, `\\host\share\baz`}, + {`\\a\b\..\c`, `\\a\b\c`}, + {`\\a\b`, `\\a\b`}, ++ {`.\c:`, `.\c:`}, ++ {`.\c:\foo`, `.\c:\foo`}, ++ {`.\c:foo`, `.\c:foo`}, + } + + func TestClean(t *testing.T) { +diff --git a/src/path/filepath/path_windows_test.go b/src/path/filepath/path_windows_test.go +index 76a459ac96..3edafb5a85 100644 +--- a/src/path/filepath/path_windows_test.go ++++ b/src/path/filepath/path_windows_test.go +@@ -530,3 +530,29 @@ func TestNTNamespaceSymlink(t *testing.T) { + t.Errorf(`EvalSymlinks(%q): got %q, want %q`, filelink, got, want) + } + } ++ ++func TestIssue52476(t *testing.T) { ++ tests := []struct { ++ lhs, rhs string ++ want string ++ }{ ++ {`..\.`, `C:`, `..\C:`}, ++ {`..`, `C:`, `..\C:`}, ++ {`.`, `:`, `:`}, ++ {`.`, `C:`, `.\C:`}, ++ {`.`, `C:/a/b/../c`, `.\C:\a\c`}, ++ {`.`, `\C:`, `.\C:`}, ++ {`C:\`, `.`, `C:\`}, ++ {`C:\`, `C:\`, `C:\C:`}, ++ {`C`, `:`, `C\:`}, ++ {`\.`, `C:`, `\C:`}, ++ {`\`, `C:`, `\C:`}, ++ } ++ ++ for _, test := range tests { ++ got := filepath.Join(test.lhs, test.rhs) ++ if got != test.want { ++ t.Errorf(`Join(%q, %q): got %q, want %q`, test.lhs, test.rhs, got, test.want) ++ } ++ } ++} +-- +2.30.2 + diff --git a/0018-release-branch.go1.17-syscall-check-correct-group-in.patch b/0018-release-branch.go1.17-syscall-check-correct-group-in.patch new file mode 100644 index 0000000..2387211 --- /dev/null +++ b/0018-release-branch.go1.17-syscall-check-correct-group-in.patch @@ -0,0 +1,53 @@ +From 66cff0cda766c1533373fabf3bc26fc3397e55d5 Mon Sep 17 00:00:00 2001 +From: Damien Neil +Date: Tue, 12 Apr 2022 13:38:17 -0700 +Subject: [PATCH 2/2] [release-branch.go1.17] syscall: check correct group in + Faccessat + +The Faccessat call checks the user, group, or other permission bits of a +file to see if the calling process can access it. The test to see if the +group permissions should be used was made with the wrong group id, using +the process's group id rather than the file's group id. Fix this to use +the correct group id. + +No test since we cannot easily change file permissions when not running +as root and the test is meaningless if running as root. + +For #52313 +Fixes #52439 + +Change-Id: I4e2c84754b0af7830b40fd15dedcbc58374d75ee +Reviewed-on: https://go-review.googlesource.com/c/go/+/399539 +Reviewed-by: Ian Lance Taylor +Run-TryBot: Ian Lance Taylor +TryBot-Result: Gopher Robot +(cherry picked from commit f66925e854e71e0c54b581885380a490d7afa30c) +Reviewed-on: https://go-review.googlesource.com/c/go/+/401078 +Auto-Submit: Tatiana Bradley +Run-TryBot: Tatiana Bradley +Run-TryBot: Damien Neil +Auto-Submit: Damien Neil +Reviewed-by: Tatiana Bradley + +Reference:https://go-review.googlesource.com/c/go/+/401078/ +Conflict:NA +--- + src/syscall/syscall_linux.go | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/syscall/syscall_linux.go b/src/syscall/syscall_linux.go +index dfce3d0a4b..3387f3bdc2 100644 +--- a/src/syscall/syscall_linux.go ++++ b/src/syscall/syscall_linux.go +@@ -109,7 +109,7 @@ func Faccessat(dirfd int, path string, mode uint32, flags int) (err error) { + gid = Getgid() + } + +- if uint32(gid) == st.Gid || isGroupMember(gid) { ++ if uint32(gid) == st.Gid || isGroupMember(int(st.Gid)) { + fmode = (st.Mode >> 3) & 7 + } else { + fmode = st.Mode & 7 +-- +2.30.2 + diff --git a/golang.spec b/golang.spec index 943a4ff..9ebf77f 100644 --- a/golang.spec +++ b/golang.spec @@ -66,7 +66,7 @@ Name: golang Version: 1.17.3 -Release: 6 +Release: 7 Summary: The Go Programming Language License: BSD and Public Domain URL: https://golang.org/ @@ -169,6 +169,8 @@ Patch6013: 0013-release-branch.go1.17-compress-gzip-fix-stack-exhaus.patch Patch6014: 0014-release-branch.go1.17-crypto-tls-randomly-generate-t.patch Patch6015: 0015-release-branch.go1.17-crypto-rand-properly-handle-la.patch Patch6016: 0016-release-branch.go1.17-math-big-check-buffer-lengths-.patch +Patch6017: 0017-path-filepath-do-not-remove-prefix-.-when-following-.patch +Patch6018: 0018-release-branch.go1.17-syscall-check-correct-group-in.patch ExclusiveArch: %{golang_arches} @@ -403,6 +405,12 @@ fi %files devel -f go-tests.list -f go-misc.list -f go-src.list %changelog +* Thu Aug 18 2022 hanchao - 1.17.3-7 +- Type:CVE +- CVE:CVE-2022-29804,CVE-2022-29526 +- SUG:NA +- DESC: fix CVE-2022-29804,CVE-2022-29526 + * Mon Aug 8 2022 hanchao - 1.17.3-6 - Type:CVE - CVE:NA -- Gitee