!70 fix CVE-2021-39293
Merge pull request !70 from hc/openEuler-20.03-LTS-SP3
This commit is contained in:
openeuler-ci-bot
Gitee
commit
162f86bf27
@ -0,0 +1,73 @@
|
||||
From 6c480017ae600b2c90a264a922e041df04dfa785 Mon Sep 17 00:00:00 2001
|
||||
From: Roland Shoemaker <roland@golang.org>
|
||||
Date: Wed, 18 Aug 2021 11:49:29 -0700
|
||||
Subject: [PATCH] [release-branch.go1.16] archive/zip: prevent preallocation check from overflowing
|
||||
|
||||
If the indicated directory size in the archive header is so large that
|
||||
subtracting it from the archive size overflows a uint64, the check that
|
||||
the indicated number of files in the archive can be effectively
|
||||
bypassed. Prevent this from happening by checking that the indicated
|
||||
directory size is less than the size of the archive.
|
||||
|
||||
Thanks to the OSS-Fuzz project for discovering this issue and to
|
||||
Emmanuel Odeke for reporting it.
|
||||
|
||||
Fixes #47985
|
||||
Updates #47801
|
||||
Fixes CVE-2021-39293
|
||||
|
||||
Change-Id: Ifade26b98a40f3b37398ca86bd5252d12394dd24
|
||||
Reviewed-on: https://go-review.googlesource.com/c/go/+/343434
|
||||
Trust: Roland Shoemaker <roland@golang.org>
|
||||
Run-TryBot: Roland Shoemaker <roland@golang.org>
|
||||
TryBot-Result: Go Bot <gobot@golang.org>
|
||||
Reviewed-by: Russ Cox <rsc@golang.org>
|
||||
(cherry picked from commit bacbc33439b124ffd7392c91a5f5d96eca8c0c0b)
|
||||
Reviewed-on: https://go-review.googlesource.com/c/go/+/345409
|
||||
Reviewed-by: Emmanuel Odeke <emmanuel@orijtech.com>
|
||||
Run-TryBot: Emmanuel Odeke <emmanuel@orijtech.com>
|
||||
Trust: Cherry Mui <cherryyz@google.com>
|
||||
|
||||
Reference:https://go-review.googlesource.com/c/go/+/345409
|
||||
Conflict:NA
|
||||
---
|
||||
|
||||
diff --git a/src/archive/zip/reader.go b/src/archive/zip/reader.go
|
||||
index ddef2b7..801d131 100644
|
||||
--- a/src/archive/zip/reader.go
|
||||
+++ b/src/archive/zip/reader.go
|
||||
@@ -105,7 +105,7 @@
|
||||
// indicate it contains up to 1 << 128 - 1 files. Since each file has a
|
||||
// header which will be _at least_ 30 bytes we can safely preallocate
|
||||
// if (data size / 30) >= end.directoryRecords.
|
||||
- if (uint64(size)-end.directorySize)/30 >= end.directoryRecords {
|
||||
+ if end.directorySize < uint64(size) && (uint64(size)-end.directorySize)/30 >= end.directoryRecords {
|
||||
z.File = make([]*File, 0, end.directoryRecords)
|
||||
}
|
||||
z.Comment = end.comment
|
||||
diff --git a/src/archive/zip/reader_test.go b/src/archive/zip/reader_test.go
|
||||
index 471be27..99f1334 100644
|
||||
--- a/src/archive/zip/reader_test.go
|
||||
+++ b/src/archive/zip/reader_test.go
|
||||
@@ -1225,3 +1225,21 @@
|
||||
t.Errorf("Archive has unexpected number of files, got %d, want 5", len(r.File))
|
||||
}
|
||||
}
|
||||
+
|
||||
+func TestCVE202139293(t *testing.T) {
|
||||
+ // directory size is so large, that the check in Reader.init
|
||||
+ // overflows when subtracting from the archive size, causing
|
||||
+ // the pre-allocation check to be bypassed.
|
||||
+ data := []byte{
|
||||
+ 0x50, 0x4b, 0x06, 0x06, 0x05, 0x06, 0x31, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x50, 0x4b,
|
||||
+ 0x06, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
|
||||
+ 0x00, 0x00, 0x50, 0x4b, 0x05, 0x06, 0x00, 0x1a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x50, 0x4b,
|
||||
+ 0x06, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
|
||||
+ 0x00, 0x00, 0x00, 0x50, 0x4b, 0x05, 0x06, 0x00, 0x31, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff,
|
||||
+ 0xff, 0x50, 0xfe, 0x00, 0xff, 0x00, 0x3a, 0x00, 0x00, 0x00, 0xff,
|
||||
+ }
|
||||
+ _, err := NewReader(bytes.NewReader(data), int64(len(data)))
|
||||
+ if err != ErrFormat {
|
||||
+ t.Fatalf("unexpected error, got: %v, want: %v", err, ErrFormat)
|
||||
+ }
|
||||
+}
|
||||
@ -62,7 +62,7 @@
|
||||
|
||||
Name: golang
|
||||
Version: 1.15.7
|
||||
Release: 6
|
||||
Release: 7
|
||||
Summary: The Go Programming Language
|
||||
License: BSD and Public Domain
|
||||
URL: https://golang.org/
|
||||
@ -200,6 +200,7 @@ Patch6051: 0051-net-reject-leading-zeros-in-IP-address-parsers.patch
|
||||
Patch6052: 0052-release-branch.go1.16-misc-wasm-cmd-link-do-not-let-.patch
|
||||
Patch6053: 0053-net-http-httputil-close-incoming-ReverseProxy-reques.patch
|
||||
Patch6054: 0054-release-branch.go1.16-net-http-update-bundled-golang.patch
|
||||
Patch6055: 0055-release-branch.go1.16-archive-zip-prevent-preallocat.patch
|
||||
|
||||
Patch9001: 0001-drop-hard-code-cert.patch
|
||||
|
||||
@ -433,6 +434,9 @@ fi
|
||||
%files devel -f go-tests.list -f go-misc.list -f go-src.list
|
||||
|
||||
%changelog
|
||||
* Tue Feb 8 2022 hanchao<hanchao47@huawei.com> - 1.15.7-7
|
||||
- fix CVE-2021-39293
|
||||
|
||||
* Wed Jan 19 2022 hanchao<hanchao47@huawei.com> - 1.15.7-6
|
||||
- fix CVE-2021-44716
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user