diff options
Diffstat (limited to 'meta/recipes-devtools/go/go-1.18/CVE-2022-27664.patch')
| -rw-r--r-- | meta/recipes-devtools/go/go-1.18/CVE-2022-27664.patch | 102 |
1 files changed, 102 insertions, 0 deletions
diff --git a/meta/recipes-devtools/go/go-1.18/CVE-2022-27664.patch b/meta/recipes-devtools/go/go-1.18/CVE-2022-27664.patch new file mode 100644 index 0000000000..fba4f054ee --- /dev/null +++ b/meta/recipes-devtools/go/go-1.18/CVE-2022-27664.patch @@ -0,0 +1,102 @@ +From 5bc9106458fc07851ac324a4157132a91b1f3479 Mon Sep 17 00:00:00 2001 +From: Damien Neil <dneil@google.com> +Date: Mon, 22 Aug 2022 16:21:02 -0700 +Subject: [PATCH] [release-branch.go1.18] net/http: update bundled + golang.org/x/net/http2 + +Disable cmd/internal/moddeps test, since this update includes PRIVATE +track fixes. + +Fixes CVE-2022-27664 +Fixes #53977 +For #54658. + +Change-Id: I84b0b8f61e49e15ef55ef8d738730107a3cf849b +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1554415 +Reviewed-by: Roland Shoemaker <bracewell@google.com> +Reviewed-by: Tatiana Bradley <tatianabradley@google.com> +Reviewed-on: https://go-review.googlesource.com/c/go/+/428635 +Reviewed-by: Tatiana Bradley <tatiana@golang.org> +Run-TryBot: Michael Knyszek <mknyszek@google.com> +TryBot-Result: Gopher Robot <gobot@golang.org> +Reviewed-by: Carlos Amedee <carlos@golang.org> + +Upstream-Status: Backport +CVE: CVE-2022-27664 + +Reference to upstream patch: https://github.com/golang/go/commit/5bc9106458fc07851ac324a4157132a91b1f3479 +Signed-off-by: Teoh Jay Shen <jay.shen.teoh@intel.com> +--- + src/cmd/internal/moddeps/moddeps_test.go | 2 ++ + src/net/http/h2_bundle.go | 21 +++++++++++++-------- + 2 files changed, 15 insertions(+), 8 deletions(-) + +diff --git a/src/cmd/internal/moddeps/moddeps_test.go b/src/cmd/internal/moddeps/moddeps_test.go +index 56c3b2585c..3306e29431 100644 +--- a/src/cmd/internal/moddeps/moddeps_test.go ++++ b/src/cmd/internal/moddeps/moddeps_test.go +@@ -34,6 +34,8 @@ import ( + // See issues 36852, 41409, and 43687. + // (Also see golang.org/issue/27348.) + func TestAllDependencies(t *testing.T) { ++ t.Skip("TODO(#53977): 1.18.5 contains unreleased changes from vendored modules") ++ + goBin := testenv.GoToolPath(t) + + // Ensure that all packages imported within GOROOT +diff --git a/src/net/http/h2_bundle.go b/src/net/http/h2_bundle.go +index bb82f24585..1e78f6cdb9 100644 +--- a/src/net/http/h2_bundle.go ++++ b/src/net/http/h2_bundle.go +@@ -3384,10 +3384,11 @@ func (s http2SettingID) String() string { + // name (key). See httpguts.ValidHeaderName for the base rules. + // + // Further, http2 says: +-// "Just as in HTTP/1.x, header field names are strings of ASCII +-// characters that are compared in a case-insensitive +-// fashion. However, header field names MUST be converted to +-// lowercase prior to their encoding in HTTP/2. " ++// ++// "Just as in HTTP/1.x, header field names are strings of ASCII ++// characters that are compared in a case-insensitive ++// fashion. However, header field names MUST be converted to ++// lowercase prior to their encoding in HTTP/2. " + func http2validWireHeaderFieldName(v string) bool { + if len(v) == 0 { + return false +@@ -3578,8 +3579,8 @@ func (s *http2sorter) SortStrings(ss []string) { + // validPseudoPath reports whether v is a valid :path pseudo-header + // value. It must be either: + // +-// *) a non-empty string starting with '/' +-// *) the string '*', for OPTIONS requests. ++// *) a non-empty string starting with '/' ++// *) the string '*', for OPTIONS requests. + // + // For now this is only used a quick check for deciding when to clean + // up Opaque URLs before sending requests from the Transport. +@@ -5053,6 +5054,9 @@ func (sc *http2serverConn) startGracefulShutdownInternal() { + func (sc *http2serverConn) goAway(code http2ErrCode) { + sc.serveG.check() + if sc.inGoAway { ++ if sc.goAwayCode == http2ErrCodeNo { ++ sc.goAwayCode = code ++ } + return + } + sc.inGoAway = true +@@ -6265,8 +6269,9 @@ func (rws *http2responseWriterState) writeChunk(p []byte) (n int, err error) { + // prior to the headers being written. If the set of trailers is fixed + // or known before the header is written, the normal Go trailers mechanism + // is preferred: +-// https://golang.org/pkg/net/http/#ResponseWriter +-// https://golang.org/pkg/net/http/#example_ResponseWriter_trailers ++// ++// https://golang.org/pkg/net/http/#ResponseWriter ++// https://golang.org/pkg/net/http/#example_ResponseWriter_trailers + const http2TrailerPrefix = "Trailer:" + + // promoteUndeclaredTrailers permits http.Handlers to set trailers +-- +2.36.1 + |