go: patch CVE-2026-27145
Backport patch from [1] [1] https://go.dev/cl/783621 (From OE-Core rev: 209a1b3a48b8e3996e1b53f2d7efe335855b7375) Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev>
committed by
Paul Barker
parent
61f170a32d
commit
e2d512c2e7
@@ -61,6 +61,7 @@ SRC_URI += "\
|
||||
file://CVE-2025-58183.patch \
|
||||
file://CVE-2026-25679.patch \
|
||||
file://CVE-2026-32288.patch \
|
||||
file://CVE-2026-27145.patch \
|
||||
"
|
||||
SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71"
|
||||
|
||||
|
||||
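--- a/meta/recipes-devtools/go/go/CVE-2026-27145.patch
+++ b/meta/recipes-devtools/go/go/CVE-2026-27145.patch
@@ -0,0 +1,96 @@
+From 612753600a0184c8b792425dea62e530170ca811 Mon Sep 17 00:00:00 2001
+From: Ian Alexander <jitsu@google.com>
+Date: Wed, 27 May 2026 04:22:31 -0400
+Subject: [PATCH] crypto/x509: split candidate hostname only once
+
+(*x509.Certificate).VerifyHostname previously called matchHostnames in a
+loop over all DNS Subject Alternative Name (SAN) entries. This caused
+strings.Split(host, ".") to execute repeatedly on the same input
+hostname.
+
+With a large DNS SAN list, verification costs scaled quadratically based
+on the number of SAN entries multiplied by the hostname's label count.
+Because x509.Verify validates hostnames before building the certificate
+chain, this overhead occurred even for untrusted certificates.
+
+Thanks to Jakub Ciolek <jakub@ciolek.dev> for reporting this issue.
+
+Fixes #79694
+Fixes CVE-2026-27145
+
+Change-Id: I2788b8ee22ffd28e45bcc7b0d860549084906a74
+Reviewed-on: https://go-review.googlesource.com/c/go/+/783621
+LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+Reviewed-by: David Chase <drchase@google.com>
+Reviewed-by: Neal Patel <neal@golang.org>
+
+CVE: CVE-2026-27145
+Upstream-Status: Backport [https://github.com/golang/go/commit/d01955d5d50ccb5f46c215f88c1781742b3f117d]
+Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
+---
+src/crypto/x509/verify.go | 15 +++++++++------
+1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/src/crypto/x509/verify.go b/src/crypto/x509/verify.go
+index 1de06bc95b..4c423a5fca 100644
+--- a/src/crypto/x509/verify.go
++++ b/src/crypto/x509/verify.go
+@@ -102,7 +102,7 @@ func (h HostnameError) Error() string {
+c := h.Certificate
+maxNamesIncluded := 100
+
+- if !c.hasSANExtension() && matchHostnames(c.Subject.CommonName, h.Host) {
++ if !c.hasSANExtension() && matchHostnames(c.Subject.CommonName, splitHostname(h.Host)) {
+return "x509: certificate relies on legacy Common Name field, use SANs instead"
+}
+
+@@ -1081,16 +1081,14 @@ func matchExactly(hostA, hostB string) bool {
+return toLowerCaseASCII(hostA) == toLowerCaseASCII(hostB)
+}
+
+-func matchHostnames(pattern, host string) bool {
++func matchHostnames(pattern string, hostParts []string) bool {
+pattern = toLowerCaseASCII(pattern)
+- host = toLowerCaseASCII(strings.TrimSuffix(host, "."))
+
+- if len(pattern) == 0 || len(host) == 0 {
++ if len(pattern) == 0 || len(hostParts) == 0 {
+return false
+}
+
+patternParts := strings.Split(pattern, ".")
+- hostParts := strings.Split(host, ".")
+
+if len(patternParts) != len(hostParts) {
+return false
+@@ -1168,6 +1166,7 @@ func (c *Certificate) VerifyHostname(h string) error {
+
+candidateName := toLowerCaseASCII(h) // Save allocations inside the loop.
+validCandidateName := validHostnameInput(candidateName)
++ hostParts := splitHostname(candidateName)
+
+for _, match := range c.DNSNames {
+// Ideally, we'd only match valid hostnames according to RFC 6125 like
+@@ -1176,7 +1175,7 @@ func (c *Certificate) VerifyHostname(h string) error {
+// always allow perfect matches, and only apply wildcard and trailing
+// dot processing to valid hostnames.
+if validCandidateName && validHostnamePattern(match) {
+- if matchHostnames(match, candidateName) {
++ if matchHostnames(match, hostParts) {
+return nil
+}
+} else {
+@@ -1189,6 +1188,10 @@ func (c *Certificate) VerifyHostname(h string) error {
+return HostnameError{c, h}
+}
+
++func splitHostname(host string) []string {
++ return strings.Split(toLowerCaseASCII(strings.TrimSuffix(host, ".")), ".")
++}
++
+func checkChainForKeyUsage(chain []*Certificate, keyUsages []ExtKeyUsage) bool {
+usages := make([]ExtKeyUsage, len(keyUsages))
+copy(usages, keyUsages)
+--
+2.43.0
+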
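Review bot: The rewritten guard `if len(pattern) == 0 || len(hostParts) == 0` in matchHostnames can no longer reject an empty host, because `strings.Split("", ".")` yields the one-element slice `[]string{""}`, so the early return that the removed `len(host) == 0` check provided is silently lost. With the new splitHostname, an input such as `"."` is trimmed to `""` and arrives as `[""]`, which passes the guard and continues into the label-comparison loop; that loop lies outside the hunk, so what it does with a single empty label cannot be confirmed here. VerifyHostname appears shielded by the validHostnameInput check it still performs, but the HostnameError.Error call site and any future caller are not, and the backport should preserve the upstream function's old contract rather than narrow the guard by accident. A minimal, behaviour-preserving fix is to make splitHostname return nil for a host that is empty after trimming, which restores the meaning of the existing `len(hostParts) == 0` check without touching matchHostnames.
```go
func splitHostname(host string) []string {
	host = toLowerCaseASCII(strings.TrimSuffix(host, "."))
	if host == "" {
		// strings.Split("", ".") would return [""], defeating the
		// len(hostParts) == 0 guard in matchHostnames.
		return nil
	}
	return strings.Split(host, ".")
}
```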