mirror of
https://git.yoctoproject.org/git/poky
synced 2026-01-01 13:58:04 +00:00
go: fix CVE-2025-58189
When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped. (From OE-Core rev: b3f055df67cf345c9a17c5c1c874c778d538ba9e) Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
This commit is contained in:
Archana Polampalli
Steve Sakoman
parent
dd0a2c2470
commit
5f8155aefa
|
|
@ -70,6 +70,7 @@ SRC_URI = "https://golang.org/dl/go${PV}.src.tar.gz;name=main \
|
||||||
file://CVE-2025-47906.patch \
|
file://CVE-2025-47906.patch \
|
||||||
file://CVE-2024-24783.patch \
|
file://CVE-2024-24783.patch \
|
||||||
file://CVE-2025-58187.patch \
|
file://CVE-2025-58187.patch \
|
||||||
|
file://CVE-2025-58189.patch \
|
||||||
"
|
"
|
||||||
SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd"
|
SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd"
|
||||||
|
|
||||||
|
|
|
||||||
51
meta/recipes-devtools/go/go-1.18/CVE-2025-58189.patch
Normal file
51
meta/recipes-devtools/go/go-1.18/CVE-2025-58189.patch
Normal file
|
|
@ -0,0 +1,51 @@
|
||||||
|
From 2e1e356e33b9c792a9643749a7626a1789197bb9 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Roland Shoemaker <roland@golang.org>
|
||||||
|
Date: Mon, 29 Sep 2025 10:11:56 -0700
|
||||||
|
Subject: [PATCH] crypto/tls: quote protocols in ALPN error message
|
||||||
|
|
||||||
|
Quote the protocols sent by the client when returning the ALPN
|
||||||
|
negotiation error message.
|
||||||
|
|
||||||
|
Fixes CVE-2025-58189
|
||||||
|
Updates #75652
|
||||||
|
Fixes #75660
|
||||||
|
|
||||||
|
Change-Id: Ie7b3a1ed0b6efcc1705b71f0f1e8417126661330
|
||||||
|
Reviewed-on: https://go-review.googlesource.com/c/go/+/707776
|
||||||
|
Auto-Submit: Roland Shoemaker <roland@golang.org>
|
||||||
|
Reviewed-by: Neal Patel <nealpatel@google.com>
|
||||||
|
Reviewed-by: Nicholas Husin <nsh@golang.org>
|
||||||
|
Auto-Submit: Nicholas Husin <nsh@golang.org>
|
||||||
|
Reviewed-by: Nicholas Husin <husin@google.com>
|
||||||
|
TryBot-Bypass: Roland Shoemaker <roland@golang.org>
|
||||||
|
Reviewed-by: Daniel McCarney <daniel@binaryparadox.net>
|
||||||
|
(cherry picked from commit 4e9006a716533fe1c7ee08df02dfc73078f7dc19)
|
||||||
|
Reviewed-on: https://go-review.googlesource.com/c/go/+/708096
|
||||||
|
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
|
||||||
|
Reviewed-by: Carlos Amedee <carlos@golang.org>
|
||||||
|
|
||||||
|
CVE: CVE-2025-58189
|
||||||
|
|
||||||
|
Upstream-Status: Backport [https://github.com/golang/go/commit/2e1e356e33b9c792a9643749a7626a1789197bb9]
|
||||||
|
|
||||||
|
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
|
||||||
|
---
|
||||||
|
src/crypto/tls/handshake_server.go | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/src/crypto/tls/handshake_server.go b/src/crypto/tls/handshake_server.go
|
||||||
|
index 4e84aa9..17b6891 100644
|
||||||
|
--- a/src/crypto/tls/handshake_server.go
|
||||||
|
+++ b/src/crypto/tls/handshake_server.go
|
||||||
|
@@ -312,7 +312,7 @@ func negotiateALPN(serverProtos, clientProtos []string, quic bool) (string, erro
|
||||||
|
if http11fallback {
|
||||||
|
return "", nil
|
||||||
|
}
|
||||||
|
- return "", fmt.Errorf("tls: client requested unsupported application protocols (%s)", clientProtos)
|
||||||
|
+ return "", fmt.Errorf("tls: client requested unsupported application protocols (%q)", clientProtos)
|
||||||
|
}
|
||||||
|
|
||||||
|
// supportsECDHE returns whether ECDHE key exchanges can be used with this
|
||||||
|
--
|
||||||
|
2.40.0
|
||||||
|
|
||||||
Loading…
Reference in New Issue
Block a user