From 392afff844936b846218d8162e9a4474c3019da1 Mon Sep 17 00:00:00 2001
From: wangziliang
Date: Thu, 6 Jun 2024 07:20:43 +0000
Subject: [PATCH] fix CVE-2024-24789
---
 ...o1.21-archive-zip-treat-truncated-EO.patch | 73 ++++++++++++++++++
 comment-truncated.zip | Bin 0 -> 216 bytes
 golang.spec | 8 +-
 3 files changed, 80 insertions(+), 1 deletion(-)
 create mode 100644 backport-0007-release-branch.go1.21-archive-zip-treat-truncated-EO.patch
 create mode 100644 comment-truncated.zip
diff --git a/backport-0007-release-branch.go1.21-archive-zip-treat-truncated-EO.patch b/backport-0007-release-branch.go1.21-archive-zip-treat-truncated-EO.patch
new file mode 100644
index 0000000..1297198
--- /dev/null
+++ b/backport-0007-release-branch.go1.21-archive-zip-treat-truncated-EO.patch
@@ -0,0 +1,73 @@
+From c8e40338cf00f3c1d86c8fb23863ad67a4c72bcc Mon Sep 17 00:00:00 2001
+From: Damien Neil
+Date: Tue, 14 May 2024 14:39:10 -0700
+Subject: [PATCH] [release-branch.go1.21] archive/zip: treat truncated EOCDR
+ comment as an error
+
+When scanning for an end of central directory record,
+treat an EOCDR signature with a record containing a truncated
+comment as an error. Previously, we would skip over the invalid
+record and look for another one. Other implementations do not
+do this (they either consider this a hard error, or just ignore
+the truncated comment). This parser misalignment allowed
+presenting entirely different archive contents to Go programs
+and other zip decoders.
+
+For #66869
+Fixes #67553
+
+Change-Id: I94e5cb028534bb5704588b8af27f1e22ea49c7c6
+Reviewed-on: https://go-review.googlesource.com/c/go/+/585397
+Reviewed-by: Joseph Tsai
+Reviewed-by: Dmitri Shuralyov
+LUCI-TryBot-Result: Go LUCI
+(cherry picked from commit 33d725e5758bf1fea62e6c77fc70b57a828a49f5)
+Reviewed-on: https://go-review.googlesource.com/c/go/+/588795
+Reviewed-by: Matthew Dempsky
+---
+ src/archive/zip/reader.go | 8 ++++++--
+ src/archive/zip/reader_test.go | 8 ++++++++
+ 2 files changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/src/archive/zip/reader.go b/src/archive/zip/reader.go
+index 1fde1decc4..20356bde0e 100644
+--- a/src/archive/zip/reader.go
++++ b/src/archive/zip/reader.go
+@@ -699,9 +699,13 @@ func findSignatureInBlock(b []byte) int {
+ if b[i] == 'P' && b[i+1] == 'K' && b[i+2] == 0x05 && b[i+3] == 0x06 {
+ // n is length of comment
+ n := int(b[i+directoryEndLen-2]) | int(b[i+directoryEndLen-1])<<8
+- if n+directoryEndLen+i <= len(b) {
+- return i
++ if n+directoryEndLen+i > len(b) {
++ // Truncated comment.
++ // Some parsers (such as Info-ZIP) ignore the truncated comment
++ // rather than treating it as a hard error.
++ return -1
+ }
++ return i
+ }
+ }
+ return -1
+diff --git a/src/archive/zip/reader_test.go b/src/archive/zip/reader_test.go
+index a67c33598d..d89259538e 100644
+--- a/src/archive/zip/reader_test.go
++++ b/src/archive/zip/reader_test.go
+@@ -570,6 +570,14 @@ var tests = []ZipTest{
+ },
+ },
+ },
++ // Issue 66869: Don't skip over an EOCDR with a truncated comment.
++ // The test file sneakily hides a second EOCDR before the first one;
++ // previously we would extract one file ("file") from this archive,
++ // while most other tools would reject the file or extract a different one ("FILE").
++ {
++ Name: "comment-truncated.zip",
++ Error: ErrFormat,
++ },
+ }
+ 
+ func TestReader(t *testing.T) {
+-- 
+2.27.0
+
diff --git a/comment-truncated.zip b/comment-truncated.zip
new file mode 100644
index 0000000000000000000000000000000000000000..1bc19a85575964f378a8a30f198ed6ba5360aa7d
GIT binary patch
literal 216
zcmWIWW@cf4gUWrGI~jpI5C#dmdHT2ppr}ax{CO=%28Pozb5c_hOA-UT8JU2>aDc83
pE&*nMbOm^`vVk~^KxhP{)xa|7=AgR>tO!m(+=pt;1fVP<0{|c)7RUeq
literal 0
HcmV?d00001
diff --git a/golang.spec b/golang.spec
index d214f53..013be97 100644
--- a/golang.spec
+++ b/golang.spec
@@ -66,11 +66,12 @@ Name: golang
 Version: 1.21.4
-Release: 8
+Release: 9
 Summary: The Go Programming Language
 License: BSD and Public Domain
 URL: https://golang.org/
 Source0: https://dl.google.com/go/go%{version}.src.tar.gz
+Source1: comment-truncated.zip
 %if !%{golang_bootstrap}
 BuildRequires: gcc-go >= 5
@@ -126,6 +127,7 @@ Patch6003: backport-0003-release-branch.go1.21-net-textproto-mime-multipart-a.pa
 Patch6004: backport-0004-release-branch.go1.21-net-http-net-http-cookiejar-av.patch
 Patch6005: backport-0005-release-branch.go1.21-net-mail-properly-handle-speci.patch
 Patch6006: backport-0006-Backport-net-http-update-bundled-golang.org-x-net-ht.patch
+Patch6007: backport-0007-release-branch.go1.21-archive-zip-treat-truncated-EO.patch
 ExclusiveArch: %{golang_arches}
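Review bot: The comment added above the new `return -1` in findSignatureInBlock says what Info-ZIP does with a truncated comment but not why this reader now stops instead of continuing the scan, so the actual rationale survives only in the commit message; the loop's closing brace and the rest of the function lie outside the hunk. I would extend the comment to `// Returning -1 instead of continuing the scan keeps this reader aligned with decoders that treat the record as a hard error, so a second EOCDR placed after it cannot present different archive contents (issue 66869).` The reader_test.go entry references a testdata file `comment-truncated.zip`, yet the inner diffstat lists only reader.go and reader_test.go, so the fixture is not carried by the backport; the spec's Source1 copy into src/archive/zip/testdata/ appears to be what supplies it, and a one-line header comment in the backport patch stating that dependency would keep the two files from being separated in a later rebase.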
@@ -171,6 +173,7 @@ end
 %prep
 %autosetup -n go -p1
+cp %{SOURCE1} src/archive/zip/testdata/
 %build
 uname -a
@@ -364,6 +367,9 @@ fi
 %files devel -f go-tests.list -f go-misc.list -f go-src.list
 %changelog
+* Thu Jun 06 2024 wangziliang - 1.21.4-9
+- fix CVE-2024-24789
+
 * Thu Apr 18 2024 Huang Yang - 1.21.4-8
+- enable external_linker and cgo on loongarch64
-- 
Gitee
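Review bot: The new `cp %{SOURCE1} src/archive/zip/testdata/` line in %prep gives no hint of what the fixture is for or why it is shipped separately, and it relies on the testdata directory already existing in the unpacked tree with whatever mode the source file happens to have. I would write it as `install -p -m 0644 %{SOURCE1} src/archive/zip/testdata/` so the fixture gets a fixed mode and keeps its timestamp, preceded by `# test fixture for backport-0007 (CVE-2024-24789); the patch cannot carry the binary file`. Whether the archive/zip tests that consume this fixture actually run during the package's check phase is not visible in this hunk, so the copy alone is not evidence that the fix is exercised at build time; it may be worth confirming in the %check section.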