From 05d8718c3a2decd5a343af98ac75a2f159463d84 Mon Sep 17 00:00:00 2001
From: vegbir
Date: Mon, 24 Jun 2024 21:45:52 +0800
Subject: [PATCH] golang: fix CVE-2024-24789

Signed-off-by: vegbir
---
 ...-zip-treat-truncated-EOCDR-comment-a.patch | 58 +++++++++++++++++++
 golang.spec | 9 ++-
 2 files changed, 66 insertions(+), 1 deletion(-)
 create mode 100644 0066-Backport-archive-zip-treat-truncated-EOCDR-comment-a.patch

diff --git a/0066-Backport-archive-zip-treat-truncated-EOCDR-comment-a.patch b/0066-Backport-archive-zip-treat-truncated-EOCDR-comment-a.patch
new file mode 100644
index 0000000..82e0533
--- /dev/null
+++ b/0066-Backport-archive-zip-treat-truncated-EOCDR-comment-a.patch
@@ -0,0 +1,58 @@
+From c4a663363a6899c73b02b6667607619af1799e15 Mon Sep 17 00:00:00 2001
+From: Damien Neil
+Date: Wed, 15 May 2024 05:39:10 +0800
+Subject: [PATCH] [Backport] archive/zip: treat truncated EOCDR comment as an
+ error
+
+CVE: CVE-2024-24789
+Reference: https://go-review.googlesource.com/c/go/+/588795
+
+When scanning for an end of central directory record,
+treat an EOCDR signature with a record containing a truncated
+comment as an error. Previously, we would skip over the invalid
+record and look for another one. Other implementations do not
+do this (they either consider this a hard error, or just ignore
+the truncated comment). This parser misalignment allowed
+presenting entirely different archive contents to Go programs
+and other zip decoders.
+
+For #66869
+Fixes #67553
+Fixes CVE-2024-24789
+
+Change-Id: I94e5cb028534bb5704588b8af27f1e22ea49c7c6
+Reviewed-on: https://go-review.googlesource.com/c/go/+/585397
+Reviewed-by: Joseph Tsai
+Reviewed-by: Dmitri Shuralyov
+LUCI-TryBot-Result: Go LUCI
+(cherry picked from commit 33d725e5758bf1fea62e6c77fc70b57a828a49f5)
+Reviewed-on: https://go-review.googlesource.com/c/go/+/588795
+Reviewed-by: Matthew Dempsky
+
+Signed-off-by: vegbir
+---
+ src/archive/zip/reader.go | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/src/archive/zip/reader.go b/src/archive/zip/reader.go
+index e40a2c656b..987f543852 100644
+--- a/src/archive/zip/reader.go
++++ b/src/archive/zip/reader.go
+@@ -644,9 +644,13 @@ func findSignatureInBlock(b []byte) int {
+ if b[i] == 'P' && b[i+1] == 'K' && b[i+2] == 0x05 && b[i+3] == 0x06 {
+ // n is length of comment
+ n := int(b[i+directoryEndLen-2]) | int(b[i+directoryEndLen-1])<<8
+- if n+directoryEndLen+i <= len(b) {
+- return i
++ if n+directoryEndLen+i > len(b) {
++ // Truncated comment.
++ // Some parsers (such as Info-ZIP) ignore the truncated comment
++ // rather than treating it as a hard error.
++ return -1
+ }
++ return i
+ }
+ }
+ return -1
+--
+2.33.0
\ No newline at end of file
diff --git a/golang.spec b/golang.spec
index 11eb83e..49afe8b 100644
--- a/golang.spec
+++ b/golang.spec
@@ -63,7 +63,7 @@ Name: golang
 Version: 1.17.3
-Release: 33
+Release: 34
 Summary: The Go Programming Language
 License: BSD and Public Domain
 URL: https://golang.org/
@@ -215,6 +215,7 @@ Patch6062: 0062-1.17-backport-runtime-decrement-netpollWaiters-in-ne.patch
 Patch6063: 0063-1.17-backport-runtime-adjust-netpollWaiters-after-go.patch
 Patch6064: 0064-Backport-net-http-update-bundled-golang.org-x-net-ht.patch
 Patch6065: 0065-Backport-cmd-go-disallow-lto_library-in-LDFLAGS.patch
+Patch6066: 0066-Backport-archive-zip-treat-truncated-EOCDR-comment-a.patch

 ExclusiveArch: %{golang_arches}
@@ -453,6 +454,12 @@ fi
 %files devel -f go-tests.list -f go-misc.list -f go-src.list
 %changelog
+* Mon Jun 24 2024 yangjiaqi - 1.17.3-34
+- Type:CVE
+- CVE:CVE-2024-24789
+- SUG:NA
+- DESC:fix CVE-2024-24789
+
 * Mon May 27 2024 lujingxiao - 1.17.3-33
 - Type:CVE
 - CVE:CVE-2024-24787
--
Gitee
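Review bot: The backported patch touches only src/archive/zip/reader.go (its own diffstat says `1 file changed, 6 insertions(+), 2 deletions(-)`), whereas the upstream change for #66869 also added, as far as I recall, a regression test in reader_test.go feeding an EOCDR whose comment length runs past the end of the block; without it nothing in this tree asserts that findSignatureInBlock now returns -1 for a truncated comment, so consider carrying that test hunk too, adapted to the 1.17 sources. The start of findSignatureInBlock and its scanning loop lie outside the hunk, so the new early `return -1` has to be read against the full function: it stops the scan at the first signature with a truncated comment instead of continuing to earlier offsets, which matches the behaviour change the description asks for. The new 0066 file also ends without a trailing newline (`\ No newline at end of file` after `2.33.0`); git am and rpm's patch application tolerate that, but normalising it keeps the file consistent with the other patches in the tree.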
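Review bot: The new `Patch6066:` line in the -215 hunk declares the CVE fix but does not by itself apply it; %prep is outside this diff, so confirm the spec uses %autosetup (which applies every PatchN) or add a matching `%patch6066 -p1` beside the existing %patch lines, otherwise the package advertises CVE-2024-24789 in %changelog while the shipped archive/zip still has the old behaviour. It is also worth a build-log check that the hunk at reader.go line 644 applied cleanly against the 1.17.3 sources rather than with fuzz, since the surrounding lines were taken from a much newer tree. The Release bump and the changelog entry in the other two hunks need nothing further.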