mirror of
https://git.yoctoproject.org/poky
synced 2026-04-22 15:32:14 +02:00
golang: fix CVE-2021-44716
Upstream-Status: Backport [d0aebe3e74]
CVE: CVE-2021-44716
(From OE-Core rev: c5ec3e8701a1b81d8e5b17d2521530345892a09b)
Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Ralph Siemsen
committed by
Richard Purdie
Richard Purdie
parent
9bb56c4550
commit
b574cdd1e0
@@ -45,6 +45,7 @@ SRC_URI += "\
|
||||
file://CVE-2022-2879.patch \
|
||||
file://CVE-2021-33195.patch \
|
||||
file://CVE-2021-33198.patch \
|
||||
file://CVE-2021-44716.patch \
|
||||
"
|
||||
|
||||
SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"
|
||||
|
||||
93
meta/recipes-devtools/go/go-1.14/CVE-2021-44716.patch
Normal file
93
meta/recipes-devtools/go/go-1.14/CVE-2021-44716.patch
Normal file
@@ -0,0 +1,93 @@
|
||||
From 9f1860075990e7bf908ca7cc329d1d3ef91741c8 Mon Sep 17 00:00:00 2001
|
||||
From: Filippo Valsorda <filippo@golang.org>
|
||||
Date: Thu, 9 Dec 2021 06:13:31 -0500
|
||||
Subject: [PATCH] net/http: update bundled golang.org/x/net/http2
|
||||
|
||||
Upstream-Status: Backport [https://github.com/golang/go/commit/d0aebe3e74fe14799f97ddd3f01129697c6a290a]
|
||||
CVE: CVE-2021-44716
|
||||
Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
|
||||
|
||||
|
||||
Pull in security fix
|
||||
|
||||
a5309b3 http2: cap the size of the server's canonical header cache
|
||||
|
||||
Updates #50058
|
||||
Fixes CVE-2021-44716
|
||||
|
||||
Change-Id: Ifdd13f97fce168de5fb4b2e74ef2060d059800b9
|
||||
Reviewed-on: https://go-review.googlesource.com/c/go/+/370575
|
||||
Trust: Filippo Valsorda <filippo@golang.org>
|
||||
Run-TryBot: Filippo Valsorda <filippo@golang.org>
|
||||
Reviewed-by: Alex Rakoczy <alex@golang.org>
|
||||
TryBot-Result: Gopher Robot <gobot@golang.org>
|
||||
(cherry picked from commit d0aebe3e74fe14799f97ddd3f01129697c6a290a)
|
||||
---
|
||||
src/go.mod | 2 +-
|
||||
src/go.sum | 4 ++--
|
||||
src/net/http/h2_bundle.go | 10 +++++++++-
|
||||
src/vendor/modules.txt | 2 +-
|
||||
4 files changed, 13 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/src/go.mod b/src/go.mod
|
||||
index ec6bd98..56f2fbb 100644
|
||||
--- a/src/go.mod
|
||||
+++ b/src/go.mod
|
||||
@@ -4,7 +4,7 @@ go 1.14
|
||||
|
||||
require (
|
||||
golang.org/x/crypto v0.0.0-20200128174031-69ecbb4d6d5d
|
||||
- golang.org/x/net v0.0.0-20210129194117-4acb7895a057
|
||||
+ golang.org/x/net v0.0.0-20211209100217-a5309b321dca
|
||||
golang.org/x/sys v0.0.0-20200201011859-915c9c3d4ccf // indirect
|
||||
golang.org/x/text v0.3.3-0.20191031172631-4b67af870c6f // indirect
|
||||
)
|
||||
diff --git a/src/go.sum b/src/go.sum
|
||||
index 171e083..1ceba05 100644
|
||||
--- a/src/go.sum
|
||||
+++ b/src/go.sum
|
||||
@@ -2,8 +2,8 @@ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACk
|
||||
golang.org/x/crypto v0.0.0-20200128174031-69ecbb4d6d5d h1:9FCpayM9Egr1baVnV1SX0H87m+XB0B8S0hAMi99X/3U=
|
||||
golang.org/x/crypto v0.0.0-20200128174031-69ecbb4d6d5d/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
|
||||
golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
|
||||
-golang.org/x/net v0.0.0-20210129194117-4acb7895a057 h1:HThQeV5c0Ab/Puir+q6mC97b7+3dfZdsLWMLoBrzo68=
|
||||
-golang.org/x/net v0.0.0-20210129194117-4acb7895a057/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
|
||||
+golang.org/x/net v0.0.0-20211209100217-a5309b321dca h1:UmeWAm8AwB6NA/e4FSaGlK1EKTLXKX3utx4Si+6kfPg=
|
||||
+golang.org/x/net v0.0.0-20211209100217-a5309b321dca/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
|
||||
golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
|
||||
golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.0.0-20200201011859-915c9c3d4ccf h1:+4j7oujXP478CVb/AFvHJmVX5+Pczx2NGts5yirA0oY=
|
||||
diff --git a/src/net/http/h2_bundle.go b/src/net/http/h2_bundle.go
|
||||
index 702fd5a..83f2a72 100644
|
||||
--- a/src/net/http/h2_bundle.go
|
||||
+++ b/src/net/http/h2_bundle.go
|
||||
@@ -4293,7 +4293,15 @@ func (sc *http2serverConn) canonicalHeader(v string) string {
|
||||
sc.canonHeader = make(map[string]string)
|
||||
}
|
||||
cv = CanonicalHeaderKey(v)
|
||||
- sc.canonHeader[v] = cv
|
||||
+ // maxCachedCanonicalHeaders is an arbitrarily-chosen limit on the number of
|
||||
+ // entries in the canonHeader cache. This should be larger than the number
|
||||
+ // of unique, uncommon header keys likely to be sent by the peer, while not
|
||||
+ // so high as to permit unreaasonable memory usage if the peer sends an unbounded
|
||||
+ // number of unique header keys.
|
||||
+ const maxCachedCanonicalHeaders = 32
|
||||
+ if len(sc.canonHeader) < maxCachedCanonicalHeaders {
|
||||
+ sc.canonHeader[v] = cv
|
||||
+ }
|
||||
return cv
|
||||
}
|
||||
|
||||
diff --git a/src/vendor/modules.txt b/src/vendor/modules.txt
|
||||
index 669bd9b..1d67183 100644
|
||||
--- a/src/vendor/modules.txt
|
||||
+++ b/src/vendor/modules.txt
|
||||
@@ -8,7 +8,7 @@ golang.org/x/crypto/curve25519
|
||||
golang.org/x/crypto/hkdf
|
||||
golang.org/x/crypto/internal/subtle
|
||||
golang.org/x/crypto/poly1305
|
||||
-# golang.org/x/net v0.0.0-20210129194117-4acb7895a057
|
||||
+# golang.org/x/net v0.0.0-20211209100217-a5309b321dca
|
||||
## explicit
|
||||
golang.org/x/net/dns/dnsmessage
|
||||
golang.org/x/net/http/httpguts
|
||||
Reference in New Issue
Block a user