From ad6a913b6931c5d9815603cf90584f2e5c1fcfb0 Mon Sep 17 00:00:00 2001
From: vegbir
Date: Mon, 24 Jun 2024 22:01:03 +0800
Subject: [PATCH] golang: fix CVE-2024-24789

Signed-off-by: vegbir
---
 ...-zip-treat-truncated-EOCDR-comment-a.patch | 57 +++++++++++++++++++
 golang.spec | 9 ++-
 2 files changed, 65 insertions(+), 1 deletion(-)
 create mode 100644 0122-Backport-archive-zip-treat-truncated-EOCDR-comment-a.patch

diff --git a/0122-Backport-archive-zip-treat-truncated-EOCDR-comment-a.patch b/0122-Backport-archive-zip-treat-truncated-EOCDR-comment-a.patch
new file mode 100644
index 0000000..7d4ac20
--- /dev/null
+++ b/0122-Backport-archive-zip-treat-truncated-EOCDR-comment-a.patch
@@ -0,0 +1,57 @@
+From c75f3b343b8368d1a849f4ff93ad19da5de1e8c1 Mon Sep 17 00:00:00 2001
+From: Damien Neil
+Date: Wed, 15 May 2024 05:39:10 +0800
+Subject: [PATCH] [Backport] archive/zip: treat truncated EOCDR comment as an
+ error
+
+CVE: CVE-2024-24789
+Reference: https://go-review.googlesource.com/c/go/+/588795
+
+When scanning for an end of central directory record,
+treat an EOCDR signature with a record containing a truncated
+comment as an error. Previously, we would skip over the invalid
+record and look for another one. Other implementations do not
+do this (they either consider this a hard error, or just ignore
+the truncated comment). This parser misalignment allowed
+presenting entirely different archive contents to Go programs
+and other zip decoders.
+
+For #66869
+Fixes #67553
+Fixes CVE-2024-24789
+
+Change-Id: I94e5cb028534bb5704588b8af27f1e22ea49c7c6
+Reviewed-on: https://go-review.googlesource.com/c/go/+/585397
+Reviewed-by: Joseph Tsai
+Reviewed-by: Dmitri Shuralyov
+LUCI-TryBot-Result: Go LUCI
+(cherry picked from commit 33d725e5758bf1fea62e6c77fc70b57a828a49f5)
+Reviewed-on: https://go-review.googlesource.com/c/go/+/588795
+Reviewed-by: Matthew Dempsky
+Signed-off-by: vegbir
+---
+ src/archive/zip/reader.go | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/src/archive/zip/reader.go b/src/archive/zip/reader.go
+index a6957739d6..8e077a5549 100644
+--- a/src/archive/zip/reader.go
++++ b/src/archive/zip/reader.go
+@@ -576,9 +576,13 @@ func findSignatureInBlock(b []byte) int {
+ if b[i] == 'P' && b[i+1] == 'K' && b[i+2] == 0x05 && b[i+3] == 0x06 {
+ // n is length of comment
+ n := int(b[i+directoryEndLen-2]) | int(b[i+directoryEndLen-1])<<8
+- if n+directoryEndLen+i <= len(b) {
+- return i
++ if n+directoryEndLen+i > len(b) {
++ // Truncated comment.
++ // Some parsers (such as Info-ZIP) ignore the truncated comment
++ // rather than treating it as a hard error.
++ return -1
+ }
++ return i
+ }
+ }
+ return -1
+--
+2.33.0
\ No newline at end of file
diff --git a/golang.spec b/golang.spec
index 0dc812d..67bc0ae 100644
--- a/golang.spec
+++ b/golang.spec
@@ -58,7 +58,7 @@ Name: golang
 Version: 1.15.7
-Release: 44
+Release: 45
 Summary: The Go Programming Language
 License: BSD and Public Domain
 URL: https://golang.org/
@@ -263,6 +263,7 @@ Patch6118: 0118-1.15-backport-runtime-decrement-netpollWaiters-in-ne.patch
 Patch6119: 0119-1.15-backport-runtime-adjust-netpollWaiters-after-go.patch
 Patch6120: 0120-Backport-net-http-update-bundled-golang.org-x-net-ht.patch
 Patch6121: 0121-Backport-cmd-go-disallow-lto_library-in-LDFLAGS.patch
+Patch6122: 0122-Backport-archive-zip-treat-truncated-EOCDR-comment-a.patch
 Patch9001: 0001-drop-hard-code-cert.patch
 Patch9002: 0002-fix-patch-cmd-go-internal-modfetch-do-not-sho.patch
@@ -502,6 +503,12 @@ fi
 %files devel -f go-tests.list -f go-misc.list -f go-src.list
 %changelog
+* Mon Jun 24 2024 vegbir - 1.15.7-45
+- Type:CVE
+- CVE:CVE-2024-24789
+- SUG:NA
+- DESC:fix CVE-2024-24789
+
 * Mon May 27 2024 lujingxiao - 1.15.7-44
 - Type:CVE
 - CVE:CVE-2024-24787
--
Gitee
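Review bot: The new `return -1` branch in findSignatureInBlock is commented only with what other parsers do (`// Some parsers (such as Info-ZIP) ignore the truncated comment rather than treating it as a hard error.`), not with why this code chooses the hard error, so a 1.15 maintainer reading the backport cannot tell whether rejecting the record outright is deliberate; I would add `// We reject the record instead of scanning further back for another signature, so Go cannot be shown a different archive than other decoders see.`, which restates the rationale given in the nested commit message. The nested diffstat shows only src/archive/zip/reader.go changing; as far as I recall the upstream change also carried a regression test, and bringing it along would let the go-tests run referenced by the spec verify the new behaviour on 1.15. findSignatureInBlock's signature and its scanning loop lie outside the hunk. The `@@ -576,9 +576,13 @@` offsets come from the upstream tree, so on 1.15.7 the hunk presumably applies with an offset; worth confirming during %prep that it lands inside findSignatureInBlock rather than being rejected.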