From eeeca13a9507ae5b2127d2335ec0ea44e00e09cb Mon Sep 17 00:00:00 2001
From: hanchao
Date: Thu, 18 Aug 2022 20:02:38 +0800
Subject: [PATCH] golang: fix CVE-2022-29804,CVE-2022-29526
Score: CVE-2022-29804: 7.5, CVE-2022-29526: 5.3
Reference: https://go-review.googlesource.com/c/go/+/401595/, https://go-review.googlesource.com/c/go/+/401078/
Conflict: NA
Reason: fix CVE-2022-29804,CVE-2022-29526
---
...-not-remove-prefix-.-when-following-.patch | 104 ++++++++++++++++++
...o1.17-syscall-check-correct-group-in.patch | 53 +++++++++
golang.spec | 7 +-
3 files changed, 163 insertions(+), 1 deletion(-)
create mode 100644 0075-path-filepath-do-not-remove-prefix-.-when-following-.patch
create mode 100644 0076-release-branch.go1.17-syscall-check-correct-group-in.patch
diff --git a/0075-path-filepath-do-not-remove-prefix-.-when-following-.patch b/0075-path-filepath-do-not-remove-prefix-.-when-following-.patch
new file mode 100644
index 0000000..96de818
--- /dev/null
+++ b/0075-path-filepath-do-not-remove-prefix-.-when-following-.patch
@@ -0,0 +1,104 @@
+From 0de49f05ec2b03819ae698c97e9445a6ab928d4c Mon Sep 17 00:00:00 2001
+From: Yasuhiro Matsumoto
+Date: Fri, 22 Apr 2022 10:07:51 +0900
+Subject: [PATCH 1/2] path/filepath: do not remove prefix "." when following
+ path contains ":".
+
+Fixes #52476
+
+Change-Id: I9eb72ac7dbccd6322d060291f31831dc389eb9bb
+Reviewed-on: https://go-review.googlesource.com/c/go/+/401595
+Auto-Submit: Ian Lance Taylor
+Reviewed-by: Alex Brainman
+Run-TryBot: Ian Lance Taylor
+Reviewed-by: Ian Lance Taylor
+Reviewed-by: Damien Neil
+TryBot-Result: Gopher Robot
+
+Conflict: NA
+Reference: https://go-review.googlesource.com/c/go/+/401595/
+
+---
+ src/path/filepath/path.go | 14 +++++++++++++-
+ src/path/filepath/path_test.go | 3 +++
+ src/path/filepath/path_windows_test.go | 26 ++++++++++++++++++++++++++
+ 3 files changed, 42 insertions(+), 1 deletion(-)
+
+diff --git a/src/path/filepath/path.go b/src/path/filepath/path.go
+index 26f1833189..92dc090eea 100644
+--- a/src/path/filepath/path.go
++++ b/src/path/filepath/path.go
+@@ -116,9 +116,21 @@ func Clean(path string) string {
+ case os.IsPathSeparator(path[r]):
+ // empty path element
+ r++
+- case path[r] == '.' && (r+1 == n || os.IsPathSeparator(path[r+1])):
++ case path[r] == '.' && r+1 == n:
+ // . element
+ r++
++ case path[r] == '.' && os.IsPathSeparator(path[r+1]):
++ // ./ element
++ r++
++
++ for r < len(path) && os.IsPathSeparator(path[r]) {
++ r++
++ }
++ if out.w == 0 && volumeNameLen(path[r:]) > 0 {
++ // When joining prefix "." and an absolute path on Windows,
++ // the prefix should not be removed.
++ out.append('.')
++ }
+ case path[r] == '.' && path[r+1] == '.' && (r+2 == n || os.IsPathSeparator(path[r+2])):
+ // .. element: remove to last separator
+ r += 2
+diff --git a/src/path/filepath/path_test.go b/src/path/filepath/path_test.go
+index d6f680556c..531a66333b 100644
+--- a/src/path/filepath/path_test.go
++++ b/src/path/filepath/path_test.go
+@@ -93,6 +93,9 @@ var wincleantests = []PathTest{
+ {`//host/share/foo/../baz`, `\\host\share\baz`},
+ {`\\a\b\..\c`, `\\a\b\c`},
+ {`\\a\b`, `\\a\b`},
++ {`.\c:`, `.\c:`},
++ {`.\c:\foo`, `.\c:\foo`},
++ {`.\c:foo`, `.\c:foo`},
+ }
+
+ func TestClean(t *testing.T) {
+diff --git a/src/path/filepath/path_windows_test.go b/src/path/filepath/path_windows_test.go
+index f7c454bf65..e3979fe1e7 100644
+--- a/src/path/filepath/path_windows_test.go
++++ b/src/path/filepath/path_windows_test.go
+@@ -581,3 +581,29 @@ func TestNTNamespaceSymlink(t *testing.T) {
+ t.Errorf(`EvalSymlinks(%q): got %q, want %q`, filelink, got, want)
+ }
+ }
++
++func TestIssue52476(t *testing.T) {
++ tests := []struct {
++ lhs, rhs string
++ want string
++ }{
++ {`..\.`, `C:`, `..\C:`},
++ {`..`, `C:`, `..\C:`},
++ {`.`, `:`, `:`},
++ {`.`, `C:`, `.\C:`},
++ {`.`, `C:/a/b/../c`, `.\C:\a\c`},
++ {`.`, `\C:`, `.\C:`},
++ {`C:\`, `.`, `C:\`},
++ {`C:\`, `C:\`, `C:\C:`},
++ {`C`, `:`, `C\:`},
++ {`\.`, `C:`, `\C:`},
++ {`\`, `C:`, `\C:`},
++ }
++
++ for _, test := range tests {
++ got := filepath.Join(test.lhs, test.rhs)
++ if got != test.want {
++ t.Errorf(`Join(%q, %q): got %q, want %q`, test.lhs, test.rhs, got, test.want)
++ }
++ }
++}
+--
+2.30.2
+
diff --git a/0076-release-branch.go1.17-syscall-check-correct-group-in.patch b/0076-release-branch.go1.17-syscall-check-correct-group-in.patch
new file mode 100644
index 0000000..c6ec4dd
--- /dev/null
+++ b/0076-release-branch.go1.17-syscall-check-correct-group-in.patch
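Review bot: In the Clean hunk of the embedded path.go patch, the guard `if out.w == 0 && volumeNameLen(path[r:]) > 0` runs only immediately after a `./` element, so it protects a volume-like element that follows a leading `.` and, as far as the hunk shows, no other way such an element can end up first in the result. None of the rows added to `wincleantests` or `TestIssue52476` cleans a path in which a `..` element empties the output just before an element such as `c:`. A `wincleantests` row for that shape (input constructed here: a\..\c:, expected value to be confirmed on Windows) would show whether Clean can still turn a relative input into a drive-qualified result. The new second case also indexes `path[r+1]` and stays in bounds only because the `r+1 == n` case is tested first, which deserves a comment like `// r+1 < n here: the previous case handled r+1 == n`. Clean's body starts and ends outside the hunk.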
@@ -0,0 +1,53 @@
+From 77f1f0c3293857f1010dd1899d5a6dafbc21a378 Mon Sep 17 00:00:00 2001
+From: Damien Neil
+Date: Tue, 12 Apr 2022 13:38:17 -0700
+Subject: [PATCH 2/2] [release-branch.go1.17] syscall: check correct group in
+ Faccessat
+
+The Faccessat call checks the user, group, or other permission bits of a
+file to see if the calling process can access it. The test to see if the
+group permissions should be used was made with the wrong group id, using
+the process's group id rather than the file's group id. Fix this to use
+the correct group id.
+
+No test since we cannot easily change file permissions when not running
+as root and the test is meaningless if running as root.
+
+For #52313
+Fixes #52439
+
+Change-Id: I4e2c84754b0af7830b40fd15dedcbc58374d75ee
+Reviewed-on: https://go-review.googlesource.com/c/go/+/399539
+Reviewed-by: Ian Lance Taylor
+Run-TryBot: Ian Lance Taylor
+TryBot-Result: Gopher Robot
+(cherry picked from commit f66925e854e71e0c54b581885380a490d7afa30c)
+Reviewed-on: https://go-review.googlesource.com/c/go/+/401078
+Auto-Submit: Tatiana Bradley
+Run-TryBot: Tatiana Bradley
+Run-TryBot: Damien Neil
+Auto-Submit: Damien Neil
+Reviewed-by: Tatiana Bradley
+
+Conflict: NA
+Reference: https://go-review.googlesource.com/c/go/+/401078/
+---
+ src/syscall/syscall_linux.go | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/syscall/syscall_linux.go b/src/syscall/syscall_linux.go
+index 07fe6a6c2b..dbf16d9af2 100644
+--- a/src/syscall/syscall_linux.go
++++ b/src/syscall/syscall_linux.go
+@@ -106,7 +106,7 @@ func Faccessat(dirfd int, path string, mode uint32, flags int) (err error) {
+ gid = Getgid()
+ }
+
+- if uint32(gid) == st.Gid || isGroupMember(gid) {
++ if uint32(gid) == st.Gid || isGroupMember(int(st.Gid)) {
+ fmode = (st.Mode >> 3) & 7
+ } else {
+ fmode = st.Mode & 7
+--
+2.30.2
+
diff --git a/golang.spec b/golang.spec
index 0c38afa..9a404f1 100644
--- a/golang.spec
+++ b/golang.spec
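Review bot: The corrected condition `uint32(gid) == st.Gid || isGroupMember(int(st.Gid))` in the embedded syscall_linux.go patch carries no comment saying which group each half tests, and confusing the caller's gid with the file's gid is exactly what this line got wrong before. A one-line comment above it, for example `// Group bits apply when the file's group is the caller's gid or one of its supplementary groups.`, would record the intent. The commit message states that no test accompanies the change, so that comment would be the only in-tree statement of the rule. `isGroupMember` is defined outside the hunk, so how it handles the `int(st.Gid)` conversion where `int` is 32 bits wide is not visible here and is worth a quick check. Faccessat's body starts and ends outside the hunk.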
@@ -62,7 +62,7 @@ Name: golang Version: 1.15.7 -Release: 15 +Release: 16 Summary: The Go Programming Language License: BSD and Public Domain URL: https://golang.org/ @@ -220,6 +220,8 @@ Patch6071: 0071-release-branch.go1.17-compress-gzip-fix-stack-exhaus.patch Patch6072: 0072-release-branch.go1.17-crypto-tls-randomly-generate-t.patch Patch6073: 0073-release-branch.go1.17-crypto-rand-properly-handle-la.patch Patch6074: 0074-release-branch.go1.17-math-big-check-buffer-lengths-.patch +Patch6075: 0075-path-filepath-do-not-remove-prefix-.-when-following-.patch +Patch6076: 0076-release-branch.go1.17-syscall-check-correct-group-in.patch Patch9001: 0001-drop-hard-code-cert.patch @@ -455,6 +457,9 @@ fi %changelog +* Tue Aug 18 2022 hanchao - 1.15.7-16 +- fix CVE-2022-29804,CVE-2022-29526 + * Mon Aug 8 2022 hanchao - 1.15.7-15 - fix CVE-2022-32189 -- Gitee