From 14d72e24a09acb891a40152905e17842a440be06 Mon Sep 17 00:00:00 2001 From: hanchao Date: Fri, 4 Mar 2022 16:45:52 +0800 Subject: [PATCH] fix CVE-2022-23772 CVE-2022-23773 CVE-2022-23806 Reference:https://go-review.googlesource.com/c/go/+/382835;https://go-review.googlesource.com/c/go/+/381336;https://go-review.googlesource.com/c/go/+/382854 Conflict:NA Score:CVE-2022-23772:7.5 CVE-2022-23773:7.5 CVE-2022-23806:9.1 Reason:fix CVE-2022-23772 CVE-2022-23773 CVE-2022-23806 --- ...o1.16-math-big-prevent-overflow-in-R.patch | 64 ++ ...o1.16-cmd-go-internal-modfetch-do-no.patch | 738 ++++++++++++++++++ ...o1.16-crypto-elliptic-make-IsOnCurve.patch | 149 ++++ golang.spec | 14 +- 4 files changed, 961 insertions(+), 4 deletions(-) create mode 100644 0057-release-branch.go1.16-math-big-prevent-overflow-in-R.patch create mode 100644 0058-release-branch.go1.16-cmd-go-internal-modfetch-do-no.patch create mode 100644 0059-release-branch.go1.16-crypto-elliptic-make-IsOnCurve.patch diff --git a/0057-release-branch.go1.16-math-big-prevent-overflow-in-R.patch b/0057-release-branch.go1.16-math-big-prevent-overflow-in-R.patch new file mode 100644 index 0000000..e2217de --- /dev/null +++ b/0057-release-branch.go1.16-math-big-prevent-overflow-in-R.patch @@ -0,0 +1,64 @@ +From 3ebb1762fb1942b4ffe932000f873e16c194a2d7 Mon Sep 17 00:00:00 2001 +From: Katie Hockman +Date: Wed, 2 Mar 2022 10:52:56 +0800 +Subject: [Backport 1/3] [release-branch.go1.16] math/big: prevent overflow in + (*Rat).SetString + +Credit to rsc@ for the original patch. + +Thanks to the OSS-Fuzz project for discovering this +issue and to Emmanuel Odeke (@odeke_et) for reporting it. + +Updates #50699 +Fixes #50700 +Fixes CVE-2022-23772 + +Change-Id: I590395a3d55689625390cf1e58f5f40623b26ee5 +Reviewed-on: https://go-review.googlesource.com/c/go/+/379537 +Trust: Katie Hockman +Run-TryBot: Katie Hockman +TryBot-Result: Gopher Robot +Reviewed-by: Emmanuel Odeke +Reviewed-by: Roland Shoemaker +Reviewed-by: Julie Qiu +(cherry picked from commit ad345c265916bbf6c646865e4642eafce6d39e78) +Reviewed-on: https://go-review.googlesource.com/c/go/+/381337 + +Reference:https://go-review.googlesource.com/c/go/+/381337 +Conflict:NA +--- + src/math/big/ratconv.go | 5 +++++ + src/math/big/ratconv_test.go | 1 + + 2 files changed, 6 insertions(+) + +diff --git a/src/math/big/ratconv.go b/src/math/big/ratconv.go +index ac3c8bd..90053a9 100644 +--- a/src/math/big/ratconv.go ++++ b/src/math/big/ratconv.go +@@ -169,6 +169,11 @@ func (z *Rat) SetString(s string) (*Rat, bool) { + n := exp5 + if n < 0 { + n = -n ++ if n < 0 { ++ // This can occur if -n overflows. -(-1 << 63) would become ++ // -1 << 63, which is still negative. ++ return nil, false ++ } + } + if n > 1e6 { + return nil, false // avoid excessively large exponents +diff --git a/src/math/big/ratconv_test.go b/src/math/big/ratconv_test.go +index 15d206c..e55e655 100644 +--- a/src/math/big/ratconv_test.go ++++ b/src/math/big/ratconv_test.go +@@ -104,6 +104,7 @@ var setStringTests = []StringTest{ + {in: "4/3/"}, + {in: "4/3."}, + {in: "4/"}, ++ {in: "13e-9223372036854775808"}, // CVE-2022-23772 + + // valid + {"0", "0", true}, +-- +2.30.0 + diff --git a/0058-release-branch.go1.16-cmd-go-internal-modfetch-do-no.patch b/0058-release-branch.go1.16-cmd-go-internal-modfetch-do-no.patch new file mode 100644 index 0000000..c17c90f --- /dev/null +++ b/0058-release-branch.go1.16-cmd-go-internal-modfetch-do-no.patch @@ -0,0 +1,738 @@ +From 36e1a9747e2dc9304702a6b86ef4b7744832fe74 Mon Sep 17 00:00:00 2001 +From: "Bryan C. Mills" +Date: Wed, 2 Mar 2022 10:55:05 +0800 +Subject: [Backport 2/3] [release-branch.go1.16] cmd/go/internal/modfetch: do + not short-circuit canonical versions + +Since at least CL 121857, the conversion logic in +(*modfetch).codeRepo.Stat has had a short-circuit to use the version +requested by the caller if it successfully resolves and is already +canonical. + +However, we should not use that version if it refers to a branch +instead of a tag, because branches (unlike tags) usually do not refer +to a single, stable release: a branch named "v1.0.0" may be for the +development of the v1.0.0 release, or for the development of patches +based on v1.0.0, but only one commit (perhaps at the end of that +branch but possibly not even written yet!) can be that specific +version. + +We already have some logic to prefer tags that are semver-equivalent +to the version requested by the caller. That more general case +suffices for exact equality too so we can eliminate the +special-case, fixing the bug and (happily!) also somewhat simplifying +the code. + +Updates #35671 +Fixes #50686 +Fixes CVE-2022-23773 + +Change-Id: I2fd290190b8a99a580deec7e26d15659b58a50b0 +Reviewed-on: https://go-review.googlesource.com/c/go/+/378400 +Trust: Bryan Mills +Run-TryBot: Bryan Mills +Reviewed-by: Russ Cox +TryBot-Result: Gopher Robot +(cherry picked from commit fa4d9b8e2bc2612960c80474fca83a4c85a974eb) +Reviewed-on: https://go-review.googlesource.com/c/go/+/382839 + +Conflict:NA +Reference:https://go-review.googlesource.com/c/go/+/382839 +--- + src/cmd/go/internal/modfetch/coderepo.go | 212 ++++++------ + src/cmd/go/internal/modfetch/coderepo_test.go | 308 ++++++++++-------- + .../testdata/script/mod_invalid_version.txt | 8 +- + 3 files changed, 275 insertions(+), 253 deletions(-) + +diff --git a/src/cmd/go/internal/modfetch/coderepo.go b/src/cmd/go/internal/modfetch/coderepo.go +index d043903..afff65e 100644 +--- a/src/cmd/go/internal/modfetch/coderepo.go ++++ b/src/cmd/go/internal/modfetch/coderepo.go +@@ -298,16 +298,13 @@ func (r *codeRepo) Latest() (*RevInfo, error) { + // If statVers is a valid module version, it is used for the Version field. + // Otherwise, the Version is derived from the passed-in info and recent tags. + func (r *codeRepo) convert(info *codehost.RevInfo, statVers string) (*RevInfo, error) { +- info2 := &RevInfo{ +- Name: info.Name, +- Short: info.Short, +- Time: info.Time, +- } +- + // If this is a plain tag (no dir/ prefix) + // and the module path is unversioned, + // and if the underlying file tree has no go.mod, + // then allow using the tag with a +incompatible suffix. ++ // ++ // (If the version is +incompatible, then the go.mod file must not exist: ++ // +incompatible is not an ongoing opt-out from semantic import versioning.) + var canUseIncompatible func() bool + canUseIncompatible = func() bool { + var ok bool +@@ -321,19 +318,12 @@ func (r *codeRepo) convert(info *codehost.RevInfo, statVers string) (*RevInfo, e + return ok + } + +- invalidf := func(format string, args ...interface{}) error { +- return &module.ModuleError{ +- Path: r.modPath, +- Err: &module.InvalidVersionError{ +- Version: info2.Version, +- Err: fmt.Errorf(format, args...), +- }, +- } +- } +- +- // checkGoMod verifies that the go.mod file for the module exists or does not +- // exist as required by info2.Version and the module path represented by r. +- checkGoMod := func() (*RevInfo, error) { ++ // checkCanonical verifies that the canonical version v is compatible with the ++ // module path represented by r, adding a "+incompatible" suffix if needed. ++ // ++ // If statVers is also canonical, checkCanonical also verifies that v is ++ // either statVers or statVers with the added "+incompatible" suffix. ++ checkCanonical := func(v string) (*RevInfo, error) { + // If r.codeDir is non-empty, then the go.mod file must exist: the module + // author — not the module consumer, — gets to decide how to carve up the repo + // into modules. +@@ -344,73 +334,91 @@ func (r *codeRepo) convert(info *codehost.RevInfo, statVers string) (*RevInfo, e + // r.findDir verifies both of these conditions. Execute it now so that + // r.Stat will correctly return a notExistError if the go.mod location or + // declared module path doesn't match. +- _, _, _, err := r.findDir(info2.Version) ++ _, _, _, err := r.findDir(v) + if err != nil { + // TODO: It would be nice to return an error like "not a module". + // Right now we return "missing go.mod", which is a little confusing. + return nil, &module.ModuleError{ + Path: r.modPath, + Err: &module.InvalidVersionError{ +- Version: info2.Version, ++ Version: v, + Err: notExistError{err: err}, + }, + } + } + +- // If the version is +incompatible, then the go.mod file must not exist: +- // +incompatible is not an ongoing opt-out from semantic import versioning. +- if strings.HasSuffix(info2.Version, "+incompatible") { +- if !canUseIncompatible() { ++ invalidf := func(format string, args ...interface{}) error { ++ return &module.ModuleError{ ++ Path: r.modPath, ++ Err: &module.InvalidVersionError{ ++ Version: v, ++ Err: fmt.Errorf(format, args...), ++ }, ++ } ++ } ++ ++ // Add the +incompatible suffix if needed or requested explicitly, and ++ // verify that its presence or absence is appropriate for this version ++ // (which depends on whether it has an explicit go.mod file). ++ ++ if v == strings.TrimSuffix(statVers, "+incompatible") { ++ v = statVers ++ } ++ base := strings.TrimSuffix(v, "+incompatible") ++ var errIncompatible error ++ if !module.MatchPathMajor(base, r.pathMajor) { ++ if canUseIncompatible() { ++ v = base + "+incompatible" ++ } else { + if r.pathMajor != "" { +- return nil, invalidf("+incompatible suffix not allowed: module path includes a major version suffix, so major version must match") ++ errIncompatible = invalidf("module path includes a major version suffix, so major version must match") + } else { +- return nil, invalidf("+incompatible suffix not allowed: module contains a go.mod file, so semantic import versioning is required") ++ errIncompatible = invalidf("module contains a go.mod file, so module path must match major version (%q)", path.Join(r.pathPrefix, semver.Major(v))) + } + } +- +- if err := module.CheckPathMajor(strings.TrimSuffix(info2.Version, "+incompatible"), r.pathMajor); err == nil { +- return nil, invalidf("+incompatible suffix not allowed: major version %s is compatible", semver.Major(info2.Version)) ++ } else if strings.HasSuffix(v, "+incompatible") { ++ errIncompatible = invalidf("+incompatible suffix not allowed: major version %s is compatible", semver.Major(v)) ++ } ++ ++ if statVers != "" && statVers == module.CanonicalVersion(statVers) { ++ // Since the caller-requested version is canonical, it would be very ++ // confusing to resolve it to anything but itself, possibly with a ++ // "+incompatible" suffix. Error out explicitly. ++ if statBase := strings.TrimSuffix(statVers, "+incompatible"); statBase != base { ++ return nil, &module.ModuleError{ ++ Path: r.modPath, ++ Err: &module.InvalidVersionError{ ++ Version: statVers, ++ Err: fmt.Errorf("resolves to version %v (%s is not a tag)", v, statBase), ++ }, ++ } + } + } + +- return info2, nil ++ if errIncompatible != nil { ++ return nil, errIncompatible ++ } ++ ++ return &RevInfo{ ++ Name: info.Name, ++ Short: info.Short, ++ Time: info.Time, ++ Version: v, ++ }, nil + } + + // Determine version. +- // +- // If statVers is canonical, then the original call was repo.Stat(statVers). +- // Since the version is canonical, we must not resolve it to anything but +- // itself, possibly with a '+incompatible' annotation: we do not need to do +- // the work required to look for an arbitrary pseudo-version. +- if statVers != "" && statVers == module.CanonicalVersion(statVers) { +- info2.Version = statVers +- +- if IsPseudoVersion(info2.Version) { +- if err := r.validatePseudoVersion(info, info2.Version); err != nil { +- return nil, err +- } +- return checkGoMod() +- } + +- if err := module.CheckPathMajor(info2.Version, r.pathMajor); err != nil { +- if canUseIncompatible() { +- info2.Version += "+incompatible" +- return checkGoMod() +- } else { +- if vErr, ok := err.(*module.InvalidVersionError); ok { +- // We're going to describe why the version is invalid in more detail, +- // so strip out the existing “invalid version” wrapper. +- err = vErr.Err +- } +- return nil, invalidf("module contains a go.mod file, so major version must be compatible: %v", err) +- } ++ if IsPseudoVersion(statVers) { ++ if err := r.validatePseudoVersion(info, statVers); err != nil { ++ return nil, err + } +- +- return checkGoMod() ++ return checkCanonical(statVers) + } + +- // statVers is empty or non-canonical, so we need to resolve it to a canonical +- // version or pseudo-version. ++ // statVers is not a pseudo-version, so we need to either resolve it to a ++ // canonical version or verify that it is already a canonical tag ++ // (not a branch). + + // Derive or verify a version from a code repo tag. + // Tag must have a prefix matching codeDir. +@@ -440,64 +448,59 @@ func (r *codeRepo) convert(info *codehost.RevInfo, statVers string) (*RevInfo, e + tagIsCanonical = true + } + +- if err := module.CheckPathMajor(v, r.pathMajor); err != nil { +- if canUseIncompatible() { +- return v + "+incompatible", tagIsCanonical +- } +- return "", false +- } +- + return v, tagIsCanonical + } + + // If the VCS gave us a valid version, use that. + if v, tagIsCanonical := tagToVersion(info.Version); tagIsCanonical { +- info2.Version = v +- return checkGoMod() ++ if info, err := checkCanonical(v); err == nil { ++ return info, err ++ } + } + + // Look through the tags on the revision for either a usable canonical version + // or an appropriate base for a pseudo-version. +- var pseudoBase string ++ var ( ++ highestCanonical string ++ pseudoBase string ++ ) + for _, pathTag := range info.Tags { + v, tagIsCanonical := tagToVersion(pathTag) +- if tagIsCanonical { +- if statVers != "" && semver.Compare(v, statVers) == 0 { +- // The user requested a non-canonical version, but the tag for the +- // canonical equivalent refers to the same revision. Use it. +- info2.Version = v +- return checkGoMod() ++ if statVers != "" && semver.Compare(v, statVers) == 0 { ++ // The tag is equivalent to the version requested by the user. ++ if tagIsCanonical { ++ // This tag is the canonical form of the requested version, ++ // not some other form with extra build metadata. ++ // Use this tag so that the resolved version will match exactly. ++ // (If it isn't actually allowed, we'll error out in checkCanonical.) ++ return checkCanonical(v) + } else { +- // Save the highest canonical tag for the revision. If we don't find a +- // better match, we'll use it as the canonical version. ++ // The user explicitly requested something equivalent to this tag. We ++ // can't use the version from the tag directly: since the tag is not ++ // canonical, it could be ambiguous. For example, tags v0.0.1+a and ++ // v0.0.1+b might both exist and refer to different revisions. + // +- // NOTE: Do not replace this with semver.Max. Despite the name, +- // semver.Max *also* canonicalizes its arguments, which uses +- // semver.Canonical instead of module.CanonicalVersion and thereby +- // strips our "+incompatible" suffix. +- if semver.Compare(info2.Version, v) < 0 { +- info2.Version = v +- } ++ // The tag is otherwise valid for the module, so we can at least use it as ++ // the base of an unambiguous pseudo-version. ++ // ++ // If multiple tags match, tagToVersion will canonicalize them to the same ++ // base version. ++ pseudoBase = v ++ } ++ } ++ // Save the highest non-retracted canonical tag for the revision. ++ // If we don't find a better match, we'll use it as the canonical version. ++ if tagIsCanonical && semver.Compare(highestCanonical, v) < 0 && !isRetracted(v) { ++ if module.MatchPathMajor(v, r.pathMajor) || canUseIncompatible() { ++ highestCanonical = v + } +- } else if v != "" && semver.Compare(v, statVers) == 0 { +- // The user explicitly requested something equivalent to this tag. We +- // can't use the version from the tag directly: since the tag is not +- // canonical, it could be ambiguous. For example, tags v0.0.1+a and +- // v0.0.1+b might both exist and refer to different revisions. +- // +- // The tag is otherwise valid for the module, so we can at least use it as +- // the base of an unambiguous pseudo-version. +- // +- // If multiple tags match, tagToVersion will canonicalize them to the same +- // base version. +- pseudoBase = v + } + } + + // If we found any canonical tag for the revision, return it. + // Even if we found a good pseudo-version base, a canonical version is better. +- if info2.Version != "" { +- return checkGoMod() ++ if highestCanonical != "" { ++ return checkCanonical(highestCanonical) + } + + if pseudoBase == "" { +@@ -511,11 +514,10 @@ func (r *codeRepo) convert(info *codehost.RevInfo, statVers string) (*RevInfo, e + tag, _ = r.code.RecentTag(info.Name, tagPrefix, "v0") + } + } +- pseudoBase, _ = tagToVersion(tag) // empty if the tag is invalid ++ pseudoBase, _ = tagToVersion(tag) + } + +- info2.Version = PseudoVersion(r.pseudoMajor, pseudoBase, info.Time, info.Short) +- return checkGoMod() ++ return checkCanonical(PseudoVersion(r.pseudoMajor, pseudoBase, info.Time, info.Short)) + } + + // validatePseudoVersion checks that version has a major version compatible with +@@ -539,10 +541,6 @@ func (r *codeRepo) validatePseudoVersion(info *codehost.RevInfo, version string) + } + }() + +- if err := module.CheckPathMajor(version, r.pathMajor); err != nil { +- return err +- } +- + rev, err := PseudoVersionRev(version) + if err != nil { + return err +diff --git a/src/cmd/go/internal/modfetch/coderepo_test.go b/src/cmd/go/internal/modfetch/coderepo_test.go +index 9a0cd7d..623dbe2 100644 +--- a/src/cmd/go/internal/modfetch/coderepo_test.go ++++ b/src/cmd/go/internal/modfetch/coderepo_test.go +@@ -420,180 +420,204 @@ var codeRepoTests = []codeRepoTest{ + zipSum: "h1:JItBZ+gwA5WvtZEGEbuDL4lUttGtLrs53lmdurq3bOg=", + zipFileHash: "9ea9ae1673cffcc44b7fdd3cc89953d68c102449b46c982dbf085e4f2e394da5", + }, ++ { ++ // Git branch with a semver name, +incompatible version, and no go.mod file. ++ vcs: "git", ++ path: "vcs-test.golang.org/go/mod/gitrepo1", ++ rev: "v2.3.4+incompatible", ++ err: `resolves to version v2.0.1+incompatible (v2.3.4 is not a tag)`, ++ }, ++ { ++ // Git branch with a semver name, matching go.mod file, and compatible version. ++ vcs: "git", ++ path: "vcs-test.golang.org/git/semver-branch.git", ++ rev: "v1.0.0", ++ err: `resolves to version v0.1.1-0.20220202191944-09c4d8f6938c (v1.0.0 is not a tag)`, ++ }, ++ { ++ // Git branch with a semver name, matching go.mod file, and disallowed +incompatible version. ++ // The version/tag mismatch takes precedence over the +incompatible mismatched. ++ vcs: "git", ++ path: "vcs-test.golang.org/git/semver-branch.git", ++ rev: "v2.0.0+incompatible", ++ err: `resolves to version v0.1.0 (v2.0.0 is not a tag)`, ++ }, ++ { ++ // Git branch with a semver name, matching go.mod file, and mismatched version. ++ // The version/tag mismatch takes precedence over the +incompatible mismatched. ++ vcs: "git", ++ path: "vcs-test.golang.org/git/semver-branch.git", ++ rev: "v2.0.0", ++ err: `resolves to version v0.1.0 (v2.0.0 is not a tag)`, ++ }, ++ { ++ // v3.0.0-devel is the same as tag v4.0.0-beta.1, but v4.0.0-beta.1 would ++ // not be allowed because it is incompatible and a go.mod file exists. ++ // The error message should refer to a valid pseudo-version, not the ++ // unusable semver tag. ++ vcs: "git", ++ path: "vcs-test.golang.org/git/semver-branch.git", ++ rev: "v3.0.0-devel", ++ err: `resolves to version v0.1.1-0.20220203155313-d59622f6e4d7 (v3.0.0-devel is not a tag)`, ++ }, + } + + func TestCodeRepo(t *testing.T) { + testenv.MustHaveExternalNetwork(t) ++ tmpdir := t.TempDir() + +- tmpdir, err := ioutil.TempDir("", "modfetch-test-") +- if err != nil { +- t.Fatal(err) +- } +- defer os.RemoveAll(tmpdir) ++ for _, tt := range codeRepoTests { ++ f := func(tt codeRepoTest) func(t *testing.T) { ++ return func(t *testing.T) { ++ t.Parallel() ++ if tt.vcs != "mod" { ++ testenv.MustHaveExecPath(t, tt.vcs) ++ } + +- t.Run("parallel", func(t *testing.T) { +- for _, tt := range codeRepoTests { +- f := func(tt codeRepoTest) func(t *testing.T) { +- return func(t *testing.T) { +- t.Parallel() +- if tt.vcs != "mod" { +- testenv.MustHaveExecPath(t, tt.vcs) +- } ++ repo := Lookup("direct", tt.path) + +- repo, err := Lookup("direct", tt.path) +- if tt.lookErr != "" { +- if err != nil && err.Error() == tt.lookErr { +- return ++ if tt.mpath == "" { ++ tt.mpath = tt.path ++ } ++ if mpath := repo.ModulePath(); mpath != tt.mpath { ++ t.Errorf("repo.ModulePath() = %q, want %q", mpath, tt.mpath) ++ } ++ ++ info, err := repo.Stat(tt.rev) ++ if err != nil { ++ if tt.err != "" { ++ if !strings.Contains(err.Error(), tt.err) { ++ t.Fatalf("repoStat(%q): %v, wanted %q", tt.rev, err, tt.err) + } +- t.Errorf("Lookup(%q): %v, want error %q", tt.path, err, tt.lookErr) +- } +- if err != nil { +- t.Fatalf("Lookup(%q): %v", tt.path, err) ++ return + } ++ t.Fatalf("repo.Stat(%q): %v", tt.rev, err) ++ } ++ if tt.err != "" { ++ t.Errorf("repo.Stat(%q): success, wanted error", tt.rev) ++ } ++ if info.Version != tt.version { ++ t.Errorf("info.Version = %q, want %q", info.Version, tt.version) ++ } ++ if info.Name != tt.name { ++ t.Errorf("info.Name = %q, want %q", info.Name, tt.name) ++ } ++ if info.Short != tt.short { ++ t.Errorf("info.Short = %q, want %q", info.Short, tt.short) ++ } ++ if !info.Time.Equal(tt.time) { ++ t.Errorf("info.Time = %v, want %v", info.Time, tt.time) ++ } + +- if tt.mpath == "" { +- tt.mpath = tt.path +- } +- if mpath := repo.ModulePath(); mpath != tt.mpath { +- t.Errorf("repo.ModulePath() = %q, want %q", mpath, tt.mpath) ++ if tt.gomod != "" || tt.gomodErr != "" { ++ data, err := repo.GoMod(tt.version) ++ if err != nil && tt.gomodErr == "" { ++ t.Errorf("repo.GoMod(%q): %v", tt.version, err) ++ } else if err != nil && tt.gomodErr != "" { ++ if err.Error() != tt.gomodErr { ++ t.Errorf("repo.GoMod(%q): %v, want %q", tt.version, err, tt.gomodErr) ++ } ++ } else if tt.gomodErr != "" { ++ t.Errorf("repo.GoMod(%q) = %q, want error %q", tt.version, data, tt.gomodErr) ++ } else if string(data) != tt.gomod { ++ t.Errorf("repo.GoMod(%q) = %q, want %q", tt.version, data, tt.gomod) + } ++ } + +- info, err := repo.Stat(tt.rev) ++ needHash := !testing.Short() && (tt.zipFileHash != "" || tt.zipSum != "") ++ if tt.zip != nil || tt.zipErr != "" || needHash { ++ f, err := os.CreateTemp(tmpdir, tt.version+".zip.") + if err != nil { +- if tt.err != "" { +- if !strings.Contains(err.Error(), tt.err) { +- t.Fatalf("repoStat(%q): %v, wanted %q", tt.rev, err, tt.err) +- } +- return +- } +- t.Fatalf("repo.Stat(%q): %v", tt.rev, err) ++ t.Fatalf("os.CreateTemp: %v", err) + } +- if tt.err != "" { +- t.Errorf("repo.Stat(%q): success, wanted error", tt.rev) +- } +- if info.Version != tt.version { +- t.Errorf("info.Version = %q, want %q", info.Version, tt.version) +- } +- if info.Name != tt.name { +- t.Errorf("info.Name = %q, want %q", info.Name, tt.name) +- } +- if info.Short != tt.short { +- t.Errorf("info.Short = %q, want %q", info.Short, tt.short) +- } +- if !info.Time.Equal(tt.time) { +- t.Errorf("info.Time = %v, want %v", info.Time, tt.time) ++ zipfile := f.Name() ++ defer func() { ++ f.Close() ++ os.Remove(zipfile) ++ }() ++ ++ var w io.Writer ++ var h hash.Hash ++ if needHash { ++ h = sha256.New() ++ w = io.MultiWriter(f, h) ++ } else { ++ w = f + } +- +- if tt.gomod != "" || tt.gomodErr != "" { +- data, err := repo.GoMod(tt.version) +- if err != nil && tt.gomodErr == "" { +- t.Errorf("repo.GoMod(%q): %v", tt.version, err) +- } else if err != nil && tt.gomodErr != "" { +- if err.Error() != tt.gomodErr { +- t.Errorf("repo.GoMod(%q): %v, want %q", tt.version, err, tt.gomodErr) ++ err = repo.Zip(w, tt.version) ++ f.Close() ++ if err != nil { ++ if tt.zipErr != "" { ++ if err.Error() == tt.zipErr { ++ return + } +- } else if tt.gomodErr != "" { +- t.Errorf("repo.GoMod(%q) = %q, want error %q", tt.version, data, tt.gomodErr) +- } else if string(data) != tt.gomod { +- t.Errorf("repo.GoMod(%q) = %q, want %q", tt.version, data, tt.gomod) ++ t.Fatalf("repo.Zip(%q): %v, want error %q", tt.version, err, tt.zipErr) + } ++ t.Fatalf("repo.Zip(%q): %v", tt.version, err) ++ } ++ if tt.zipErr != "" { ++ t.Errorf("repo.Zip(%q): success, want error %q", tt.version, tt.zipErr) + } + +- needHash := !testing.Short() && (tt.zipFileHash != "" || tt.zipSum != "") +- if tt.zip != nil || tt.zipErr != "" || needHash { +- f, err := ioutil.TempFile(tmpdir, tt.version+".zip.") ++ if tt.zip != nil { ++ prefix := tt.path + "@" + tt.version + "/" ++ z, err := zip.OpenReader(zipfile) + if err != nil { +- t.Fatalf("ioutil.TempFile: %v", err) +- } +- zipfile := f.Name() +- defer func() { +- f.Close() +- os.Remove(zipfile) +- }() +- +- var w io.Writer +- var h hash.Hash +- if needHash { +- h = sha256.New() +- w = io.MultiWriter(f, h) +- } else { +- w = f ++ t.Fatalf("open zip %s: %v", zipfile, err) + } +- err = repo.Zip(w, tt.version) +- f.Close() +- if err != nil { +- if tt.zipErr != "" { +- if err.Error() == tt.zipErr { +- return +- } +- t.Fatalf("repo.Zip(%q): %v, want error %q", tt.version, err, tt.zipErr) ++ var names []string ++ for _, file := range z.File { ++ if !strings.HasPrefix(file.Name, prefix) { ++ t.Errorf("zip entry %v does not start with prefix %v", file.Name, prefix) ++ continue + } +- t.Fatalf("repo.Zip(%q): %v", tt.version, err) +- } +- if tt.zipErr != "" { +- t.Errorf("repo.Zip(%q): success, want error %q", tt.version, tt.zipErr) ++ names = append(names, file.Name[len(prefix):]) + } +- +- if tt.zip != nil { +- prefix := tt.path + "@" + tt.version + "/" +- z, err := zip.OpenReader(zipfile) +- if err != nil { +- t.Fatalf("open zip %s: %v", zipfile, err) +- } +- var names []string +- for _, file := range z.File { +- if !strings.HasPrefix(file.Name, prefix) { +- t.Errorf("zip entry %v does not start with prefix %v", file.Name, prefix) +- continue +- } +- names = append(names, file.Name[len(prefix):]) +- } +- z.Close() +- if !reflect.DeepEqual(names, tt.zip) { +- t.Fatalf("zip = %v\nwant %v\n", names, tt.zip) +- } ++ z.Close() ++ if !reflect.DeepEqual(names, tt.zip) { ++ t.Fatalf("zip = %v\nwant %v\n", names, tt.zip) + } ++ } + +- if needHash { +- sum, err := dirhash.HashZip(zipfile, dirhash.Hash1) +- if err != nil { +- t.Errorf("repo.Zip(%q): %v", tt.version, err) +- } else if sum != tt.zipSum { +- t.Errorf("repo.Zip(%q): got file with sum %q, want %q", tt.version, sum, tt.zipSum) +- } else if zipFileHash := hex.EncodeToString(h.Sum(nil)); zipFileHash != tt.zipFileHash { +- t.Errorf("repo.Zip(%q): got file with hash %q, want %q (but content has correct sum)", tt.version, zipFileHash, tt.zipFileHash) +- } ++ if needHash { ++ sum, err := dirhash.HashZip(zipfile, dirhash.Hash1) ++ if err != nil { ++ t.Errorf("repo.Zip(%q): %v", tt.version, err) ++ } else if sum != tt.zipSum { ++ t.Errorf("repo.Zip(%q): got file with sum %q, want %q", tt.version, sum, tt.zipSum) ++ } else if zipFileHash := hex.EncodeToString(h.Sum(nil)); zipFileHash != tt.zipFileHash { ++ t.Errorf("repo.Zip(%q): got file with hash %q, want %q (but content has correct sum)", tt.version, zipFileHash, tt.zipFileHash) + } + } + } + } +- t.Run(strings.ReplaceAll(tt.path, "/", "_")+"/"+tt.rev, f(tt)) +- if strings.HasPrefix(tt.path, vgotest1git) { +- for vcs, alt := range altVgotests { +- altTest := tt +- altTest.vcs = vcs +- altTest.path = alt + strings.TrimPrefix(altTest.path, vgotest1git) +- if strings.HasPrefix(altTest.mpath, vgotest1git) { +- altTest.mpath = alt + strings.TrimPrefix(altTest.mpath, vgotest1git) +- } +- var m map[string]string +- if alt == vgotest1hg { +- m = hgmap +- } +- altTest.version = remap(altTest.version, m) +- altTest.name = remap(altTest.name, m) +- altTest.short = remap(altTest.short, m) +- altTest.rev = remap(altTest.rev, m) +- altTest.err = remap(altTest.err, m) +- altTest.gomodErr = remap(altTest.gomodErr, m) +- altTest.zipErr = remap(altTest.zipErr, m) +- altTest.zipSum = "" +- altTest.zipFileHash = "" +- t.Run(strings.ReplaceAll(altTest.path, "/", "_")+"/"+altTest.rev, f(altTest)) ++ } ++ t.Run(strings.ReplaceAll(tt.path, "/", "_")+"/"+tt.rev, f(tt)) ++ if strings.HasPrefix(tt.path, vgotest1git) { ++ for vcs, alt := range altVgotests { ++ altTest := tt ++ altTest.vcs = vcs ++ altTest.path = alt + strings.TrimPrefix(altTest.path, vgotest1git) ++ if strings.HasPrefix(altTest.mpath, vgotest1git) { ++ altTest.mpath = alt + strings.TrimPrefix(altTest.mpath, vgotest1git) ++ } ++ var m map[string]string ++ if alt == vgotest1hg { ++ m = hgmap + } ++ altTest.version = remap(altTest.version, m) ++ altTest.name = remap(altTest.name, m) ++ altTest.short = remap(altTest.short, m) ++ altTest.rev = remap(altTest.rev, m) ++ altTest.err = remap(altTest.err, m) ++ altTest.gomodErr = remap(altTest.gomodErr, m) ++ altTest.zipErr = remap(altTest.zipErr, m) ++ altTest.zipSum = "" ++ altTest.zipFileHash = "" ++ t.Run(strings.ReplaceAll(altTest.path, "/", "_")+"/"+altTest.rev, f(altTest)) + } + } +- }) ++ } + } + + var hgmap = map[string]string{ +diff --git a/src/cmd/go/testdata/script/mod_invalid_version.txt b/src/cmd/go/testdata/script/mod_invalid_version.txt +index 7e1bc9e..129661c 100644 +--- a/src/cmd/go/testdata/script/mod_invalid_version.txt ++++ b/src/cmd/go/testdata/script/mod_invalid_version.txt +@@ -193,10 +193,10 @@ cp go.mod.orig go.mod + go mod edit -require github.com/pierrec/lz4@v2.0.9-0.20190209155647-9a39efadad3d+incompatible + cd outside + ! go list -m github.com/pierrec/lz4 +-stderr 'go: example.com@v0.0.0 requires\n\tgithub.com/pierrec/lz4@v2.0.9-0.20190209155647-9a39efadad3d\+incompatible: invalid version: \+incompatible suffix not allowed: module contains a go.mod file, so semantic import versioning is required' ++stderr '^go: example.com@v0.0.0 requires\n\tgithub.com/pierrec/lz4@v2.0.9-0.20190209155647-9a39efadad3d\+incompatible: invalid version: module contains a go.mod file, so module path must match major version \("github.com/pierrec/lz4/v2"\)$' + cd .. + ! go list -m github.com/pierrec/lz4 +-stderr 'github.com/pierrec/lz4@v2.0.9-0.20190209155647-9a39efadad3d\+incompatible: invalid version: \+incompatible suffix not allowed: module contains a go.mod file, so semantic import versioning is required' ++stderr '^go: github.com/pierrec/lz4@v2.0.9-0.20190209155647-9a39efadad3d\+incompatible: invalid version: module contains a go.mod file, so module path must match major version \("github.com/pierrec/lz4/v2"\)$' + + # A +incompatible pseudo-version is valid for a revision of the module + # that lacks a go.mod file. +@@ -232,10 +232,10 @@ cp go.mod.orig go.mod + go mod edit -require github.com/pierrec/lz4@v2.0.8+incompatible + cd outside + ! go list -m github.com/pierrec/lz4 +-stderr 'github.com/pierrec/lz4@v2.0.8\+incompatible: invalid version: \+incompatible suffix not allowed: module contains a go.mod file, so semantic import versioning is required' ++stderr '^go list -m: github.com/pierrec/lz4@v2.0.8\+incompatible: invalid version: module contains a go.mod file, so module path must match major version \("github.com/pierrec/lz4/v2"\)$' + cd .. + ! go list -m github.com/pierrec/lz4 +-stderr 'github.com/pierrec/lz4@v2.0.8\+incompatible: invalid version: \+incompatible suffix not allowed: module contains a go.mod file, so semantic import versioning is required' ++stderr '^go list -m: github.com/pierrec/lz4@v2.0.8\+incompatible: invalid version: module contains a go.mod file, so module path must match major version \("github.com/pierrec/lz4/v2"\)$' + + -- go.mod.orig -- + module example.com +-- +2.30.0 + diff --git a/0059-release-branch.go1.16-crypto-elliptic-make-IsOnCurve.patch b/0059-release-branch.go1.16-crypto-elliptic-make-IsOnCurve.patch new file mode 100644 index 0000000..6f23254 --- /dev/null +++ b/0059-release-branch.go1.16-crypto-elliptic-make-IsOnCurve.patch @@ -0,0 +1,149 @@ +From 126bdb9ae49d443850459b55cf7c0686eef2f476 Mon Sep 17 00:00:00 2001 +From: Filippo Valsorda +Date: Wed, 2 Mar 2022 10:56:28 +0800 +Subject: [Backport 3/3] [release-branch.go1.16] crypto/elliptic: make + IsOnCurve return false for invalid field elements + +Updates #50974 +Fixes #50977 +Fixes CVE-2022-23806 + +Change-Id: I0201c2c88f13dd82910985a495973f1683af9259 +Reviewed-on: https://go-review.googlesource.com/c/go/+/382855 +Trust: Filippo Valsorda +Run-TryBot: Filippo Valsorda +Reviewed-by: Katie Hockman +Trust: Katie Hockman +TryBot-Result: Gopher Robot + +Conflict:NA +Reference:https://go-review.googlesource.com/c/go/+/382855 +--- + src/crypto/elliptic/elliptic.go | 4 ++ + src/crypto/elliptic/elliptic_test.go | 81 ++++++++++++++++++++++++++++ + src/crypto/elliptic/p224.go | 5 ++ + 3 files changed, 90 insertions(+) + +diff --git a/src/crypto/elliptic/elliptic.go b/src/crypto/elliptic/elliptic.go +index f93dc16..321f926 100644 +--- a/src/crypto/elliptic/elliptic.go ++++ b/src/crypto/elliptic/elliptic.go +@@ -71,6 +71,10 @@ func (curve *CurveParams) polynomial(x *big.Int) *big.Int { + } + + func (curve *CurveParams) IsOnCurve(x, y *big.Int) bool { ++ if x.Sign() < 0 || x.Cmp(curve.P) >= 0 || ++ y.Sign() < 0 || y.Cmp(curve.P) >= 0 { ++ return false ++ } + // y² = x³ - 3x + b + y2 := new(big.Int).Mul(y, y) + y2.Mod(y2, curve.P) +diff --git a/src/crypto/elliptic/elliptic_test.go b/src/crypto/elliptic/elliptic_test.go +index e80e773..bb16b0d 100644 +--- a/src/crypto/elliptic/elliptic_test.go ++++ b/src/crypto/elliptic/elliptic_test.go +@@ -721,3 +721,84 @@ func testMarshalCompressed(t *testing.T, curve Curve, x, y *big.Int, want []byte + t.Errorf("point did not round-trip correctly: got (%v, %v), want (%v, %v)", X, Y, x, y) + } + } ++ ++func testAllCurves(t *testing.T, f func(*testing.T, Curve)) { ++ tests := []struct { ++ name string ++ curve Curve ++ }{ ++ {"P256", P256()}, ++ {"P256/Params", P256().Params()}, ++ {"P224", P224()}, ++ {"P224/Params", P224().Params()}, ++ {"P384", P384()}, ++ {"P384/Params", P384().Params()}, ++ {"P521", P521()}, ++ {"P521/Params", P521().Params()}, ++ } ++ if testing.Short() { ++ tests = tests[:1] ++ } ++ for _, test := range tests { ++ curve := test.curve ++ t.Run(test.name, func(t *testing.T) { ++ t.Parallel() ++ f(t, curve) ++ }) ++ } ++} ++ ++// TestInvalidCoordinates tests big.Int values that are not valid field elements ++// (negative or bigger than P). They are expected to return false from ++// IsOnCurve, all other behavior is undefined. ++func TestInvalidCoordinates(t *testing.T) { ++ testAllCurves(t, testInvalidCoordinates) ++} ++ ++func testInvalidCoordinates(t *testing.T, curve Curve) { ++ checkIsOnCurveFalse := func(name string, x, y *big.Int) { ++ if curve.IsOnCurve(x, y) { ++ t.Errorf("IsOnCurve(%s) unexpectedly returned true", name) ++ } ++ } ++ ++ p := curve.Params().P ++ _, x, y, _ := GenerateKey(curve, rand.Reader) ++ xx, yy := new(big.Int), new(big.Int) ++ ++ // Check if the sign is getting dropped. ++ xx.Neg(x) ++ checkIsOnCurveFalse("-x, y", xx, y) ++ yy.Neg(y) ++ checkIsOnCurveFalse("x, -y", x, yy) ++ ++ // Check if negative values are reduced modulo P. ++ xx.Sub(x, p) ++ checkIsOnCurveFalse("x-P, y", xx, y) ++ yy.Sub(y, p) ++ checkIsOnCurveFalse("x, y-P", x, yy) ++ ++ // Check if positive values are reduced modulo P. ++ xx.Add(x, p) ++ checkIsOnCurveFalse("x+P, y", xx, y) ++ yy.Add(y, p) ++ checkIsOnCurveFalse("x, y+P", x, yy) ++ ++ // Check if the overflow is dropped. ++ xx.Add(x, new(big.Int).Lsh(big.NewInt(1), 535)) ++ checkIsOnCurveFalse("x+2⁵³⁵, y", xx, y) ++ yy.Add(y, new(big.Int).Lsh(big.NewInt(1), 535)) ++ checkIsOnCurveFalse("x, y+2⁵³⁵", x, yy) ++ ++ // Check if P is treated like zero (if possible). ++ // y^2 = x^3 - 3x + B ++ // y = mod_sqrt(x^3 - 3x + B) ++ // y = mod_sqrt(B) if x = 0 ++ // If there is no modsqrt, there is no point with x = 0, can't test x = P. ++ if yy := new(big.Int).ModSqrt(curve.Params().B, p); yy != nil { ++ if !curve.IsOnCurve(big.NewInt(0), yy) { ++ t.Fatal("(0, mod_sqrt(B)) is not on the curve?") ++ } ++ checkIsOnCurveFalse("P, y", p, yy) ++ } ++} +diff --git a/src/crypto/elliptic/p224.go b/src/crypto/elliptic/p224.go +index 8c76021..ff5c834 100644 +--- a/src/crypto/elliptic/p224.go ++++ b/src/crypto/elliptic/p224.go +@@ -48,6 +48,11 @@ func (curve p224Curve) Params() *CurveParams { + } + + func (curve p224Curve) IsOnCurve(bigX, bigY *big.Int) bool { ++ if bigX.Sign() < 0 || bigX.Cmp(curve.P) >= 0 || ++ bigY.Sign() < 0 || bigY.Cmp(curve.P) >= 0 { ++ return false ++ } ++ + var x, y p224FieldElement + p224FromBig(&x, bigX) + p224FromBig(&y, bigY) +-- +2.30.0 + diff --git a/golang.spec b/golang.spec index 4a76ef7..c73853d 100644 --- a/golang.spec +++ b/golang.spec @@ -62,7 +62,7 @@ Name: golang Version: 1.15.7 -Release: 8 +Release: 9 Summary: The Go Programming Language License: BSD and Public Domain URL: https://golang.org/ @@ -202,6 +202,9 @@ Patch6053: 0053-net-http-httputil-close-incoming-ReverseProxy-reques.patch Patch6054: 0054-release-branch.go1.16-debug-macho-fail-on-invalid-dy.patch Patch6055: 0055-release-branch.go1.16-net-http-update-bundled-golang.patch Patch6056: 0056-release-branch.go1.16-archive-zip-prevent-preallocat.patch +Patch6057: 0057-release-branch.go1.16-math-big-prevent-overflow-in-R.patch +Patch6058: 0058-release-branch.go1.16-cmd-go-internal-modfetch-do-no.patch +Patch6059: 0059-release-branch.go1.16-crypto-elliptic-make-IsOnCurve.patch Patch9001: 0001-drop-hard-code-cert.patch @@ -435,13 +438,16 @@ fi %files devel -f go-tests.list -f go-misc.list -f go-src.list %changelog +* Fri Mar 4 2022 hanchao - 1.15.7-9 +- fix CVE-2022-23772 CVE-2022-23773 CVE-2022-23806 + * Tue Feb 8 2022 hanchao - 1.15.7-8 -- fix CVE-2021-44716 +- fix CVE-2021-39293 * Wed Jan 19 2022 hanchao - 1.15.7-7 - fix CVE-2021-44716 -* Thu Nov 16 2021 chenjiankun - 1.15.7-6 +* Tue Nov 16 2021 chenjiankun - 1.15.7-6 - fix CVE-2021-41771 * Wed Oct 27 2021 chenjiankun - 1.15.7-5 @@ -471,7 +477,7 @@ fi * Tue Mar 17 2020 jingrui - 1.13.5 - drop hard code cert -* Mon Mar 23 2020 jingrui - 1.13.4 +* Mon Mar 16 2020 jingrui - 1.13.4 - fix CVE-2020-7919 * Thu Feb 20 2020 openEuler Buildteam - 1.13-3.2 -- Gitee