diff options
| author |   Ralph Siemsen <ralph.siemsen@linaro.org> | 2022-11-17 11:54:51 -0500 |
|---|---|---|
| committer |   Richard Purdie <richard.purdie@linuxfoundation.org> | 2022-11-23 00:26:19 +0000 |
| commit | aab2a343be4b0b21dcaf22a7fbf77007d48c08d6 (patch) | |
| tree | 03c6893cb13db379439223a7362e21157d20bb16 | |
| parent | 09a820fe21d7884c6733d569f6560ef1ded5435d (diff) | |
| download | openembedded-core-contrib-aab2a343be4b0b21dcaf22a7fbf77007d48c08d6.tar.gz | |
golang: fix CVE-2022-28327
Upstream-Status: Backport [https://github.com/golang/go/commit/7139e8b024604ab168b51b99c6e8168257a5bf58]
CVE: CVE-2022-28327
Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
| -rw-r--r-- | meta/recipes-devtools/go/go-1.14.inc | 1 | ||||
| -rw-r--r-- | meta/recipes-devtools/go/go-1.14/CVE-2022-28327.patch | 36 |
2 files changed, 37 insertions, 0 deletions
diff --git a/meta/recipes-devtools/go/go-1.14.inc b/meta/recipes-devtools/go/go-1.14.inc index 525a3e77c5..6e596f4141 100644 --- a/meta/recipes-devtools/go/go-1.14.inc +++ b/meta/recipes-devtools/go/go-1.14.inc @@ -48,6 +48,7 @@ SRC_URI += "\ file://CVE-2021-44716.patch \ file://CVE-2022-24921.patch \ file://CVE-2022-28131.patch \ + file://CVE-2022-28327.patch \ " SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch" diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-28327.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-28327.patch new file mode 100644 index 0000000000..6361deec7d --- /dev/null +++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-28327.patch @@ -0,0 +1,36 @@ +From 34d9ab78568d63d8097911237897b188bdaba9c2 Mon Sep 17 00:00:00 2001 +From: Filippo Valsorda <filippo@golang.org> +Date: Thu, 31 Mar 2022 12:31:58 -0400 +Subject: [PATCH] crypto/elliptic: tolerate zero-padded scalars in generic + P-256 + +Upstream-Status: Backport [https://github.com/golang/go/commit/7139e8b024604ab168b51b99c6e8168257a5bf58] +CVE: CVE-2022-28327 +Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org> + + +Updates #52075 +Fixes #52076 +Fixes CVE-2022-28327 + +Change-Id: I595a7514c9a0aa1b9c76aedfc2307e1124271f27 +Reviewed-on: https://go-review.googlesource.com/c/go/+/397136 +Trust: Filippo Valsorda <filippo@golang.org> +Reviewed-by: Julie Qiu <julie@golang.org> +--- + src/crypto/elliptic/p256.go | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/crypto/elliptic/p256.go b/src/crypto/elliptic/p256.go +index c23e414..787e3e7 100644 +--- a/src/crypto/elliptic/p256.go ++++ b/src/crypto/elliptic/p256.go +@@ -51,7 +51,7 @@ func p256GetScalar(out *[32]byte, in []byte) { + n := new(big.Int).SetBytes(in) + var scalarBytes []byte + +- if n.Cmp(p256Params.N) >= 0 { ++ if n.Cmp(p256Params.N) >= 0 || len(in) > len(out) { + n.Mod(n, p256Params.N) + scalarBytes = n.Bytes() + } else { |