[OE-core][kirkstone][PATCH] go: fix CVE-2023-29406 net/http insufficient sanitization of Host header

[OE-core][kirkstone][PATCH] go: fix CVE-2023-29406 net/http insufficient sanitization of Host header

[Vivek Kumbhar]

Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
---
 meta/recipes-devtools/go/go-1.17.13.inc       |   1 +
 .../go/go-1.18/CVE-2023-29406.patch           | 210 ++++++++++++++++++
 2 files changed, 211 insertions(+)
 create mode 100644 meta/recipes-devtools/go/go-1.18/CVE-2023-29406.patch

diff --git a/meta/recipes-devtools/go/go-1.17.13.inc b/meta/recipes-devtools/go/go-1.17.13.inc
index 73921852fc..36904a92fb 100644
--- a/meta/recipes-devtools/go/go-1.17.13.inc
+++ b/meta/recipes-devtools/go/go-1.17.13.inc
@@ -36,6 +36,7 @@ SRC_URI += "\
     file://CVE-2023-29405.patch \
     file://CVE-2023-29402.patch \
     file://CVE-2023-29400.patch \
+    file://CVE-2023-29406.patch \
 "
 SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd"
 
diff --git a/meta/recipes-devtools/go/go-1.18/CVE-2023-29406.patch b/meta/recipes-devtools/go/go-1.18/CVE-2023-29406.patch
new file mode 100644
index 0000000000..a326cda5c4
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.18/CVE-2023-29406.patch
@@ -0,0 +1,210 @@
+From 5fa6923b1ea891400153d04ddf1545e23b40041b Mon Sep 17 00:00:00 2001
+From: Damien Neil <dneil@google.com>
+Date: Wed, 28 Jun 2023 13:20:08 -0700
+Subject: [PATCH] [release-branch.go1.19] net/http: validate Host header before
+ sending
+
+Verify that the Host header we send is valid.
+Avoids surprising behavior such as a Host of "go.dev\r\nX-Evil:oops"
+adding an X-Evil header to HTTP/1 requests.
+
+Add a test, skip the test for HTTP/2. HTTP/2 is not vulnerable to
+header injection in the way HTTP/1 is, but x/net/http2 doesn't validate
+the header and will go into a retry loop when the server rejects it.
+CL 506995 adds the necessary validation to x/net/http2.
+
+Updates #60374
+Fixes #61075
+For CVE-2023-29406
+
+Change-Id: I05cb6866a9bead043101954dfded199258c6dd04
+Reviewed-on: https://go-review.googlesource.com/c/go/+/506996
+Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Run-TryBot: Damien Neil <dneil@google.com>
+(cherry picked from commit 499458f7ca04087958987a33c2703c3ef03e27e2)
+Reviewed-on: https://go-review.googlesource.com/c/go/+/507358
+Run-TryBot: Tatiana Bradley <tatianabradley@google.com>
+Reviewed-by: Roland Shoemaker <roland@golang.org>
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/5fa6923b1ea891400153d04ddf1545e23b40041b]
+CVE: CVE-2023-29406
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+---
+ src/net/http/http_test.go      | 29 ----------------------
+ src/net/http/request.go        | 45 ++++++++--------------------------
+ src/net/http/request_test.go   | 11 ++-------
+ src/net/http/transport_test.go | 18 ++++++++++++++
+ 4 files changed, 30 insertions(+), 73 deletions(-)
+
+diff --git a/src/net/http/http_test.go b/src/net/http/http_test.go
+index 0d92fe5..f03272a 100644
+--- a/src/net/http/http_test.go
++++ b/src/net/http/http_test.go
+@@ -48,35 +48,6 @@ func TestForeachHeaderElement(t *testing.T) {
+	}
+ }
+
+-func TestCleanHost(t *testing.T) {
+-	tests := []struct {
+-		in, want string
+-	}{
+-		{"www.google.com", "www.google.com"},
+-		{"www.google.com foo", "www.google.com"},
+-		{"www.google.com/foo", "www.google.com"},
+-		{" first character is a space", ""},
+-		{"[1::6]:8080", "[1::6]:8080"},
+-
+-		// Punycode:
+-		{"гофер.рф/foo", "xn--c1ae0ajs.xn--p1ai"},
+-		{"bücher.de", "xn--bcher-kva.de"},
+-		{"bücher.de:8080", "xn--bcher-kva.de:8080"},
+-		// Verify we convert to lowercase before punycode:
+-		{"BÜCHER.de", "xn--bcher-kva.de"},
+-		{"BÜCHER.de:8080", "xn--bcher-kva.de:8080"},
+-		// Verify we normalize to NFC before punycode:
+-		{"gophér.nfc", "xn--gophr-esa.nfc"},            // NFC input; no work needed
+-		{"goph\u0065\u0301r.nfd", "xn--gophr-esa.nfd"}, // NFD input
+-	}
+-	for _, tt := range tests {
+-		got := cleanHost(tt.in)
+-		if tt.want != got {
+-			t.Errorf("cleanHost(%q) = %q, want %q", tt.in, got, tt.want)
+-		}
+-	}
+-}
+-
+ // Test that cmd/go doesn't link in the HTTP server.
+ //
+ // This catches accidental dependencies between the HTTP transport and
+diff --git a/src/net/http/request.go b/src/net/http/request.go
+index 09cb0c7..2f4e740 100644
+--- a/src/net/http/request.go
++++ b/src/net/http/request.go
+@@ -17,7 +17,6 @@ import (
+	"io"
+	"mime"
+	"mime/multipart"
+-	"net"
+	"net/http/httptrace"
+	"net/http/internal/ascii"
+	"net/textproto"
+@@ -27,6 +26,7 @@ import (
+	"strings"
+	"sync"
+
++	"golang.org/x/net/http/httpguts"
+	"golang.org/x/net/idna"
+ )
+
+@@ -568,12 +568,19 @@ func (r *Request) write(w io.Writer, usingProxy bool, extraHeaders Header, waitF
+	// is not given, use the host from the request URL.
+	//
+	// Clean the host, in case it arrives with unexpected stuff in it.
+-	host := cleanHost(r.Host)
++	host := r.Host
+	if host == "" {
+		if r.URL == nil {
+			return errMissingHost
+		}
+-		host = cleanHost(r.URL.Host)
++		host = r.URL.Host
++	}
++	host, err = httpguts.PunycodeHostPort(host)
++	if err != nil {
++		return err
++	}
++	if !httpguts.ValidHostHeader(host) {
++		return errors.New("http: invalid Host header")
+	}
+
+	// According to RFC 6874, an HTTP client, proxy, or other
+@@ -730,38 +737,6 @@ func idnaASCII(v string) (string, error) {
+	return idna.Lookup.ToASCII(v)
+ }
+
+-// cleanHost cleans up the host sent in request's Host header.
+-//
+-// It both strips anything after '/' or ' ', and puts the value
+-// into Punycode form, if necessary.
+-//
+-// Ideally we'd clean the Host header according to the spec:
+-//   https://tools.ietf.org/html/rfc7230#section-5.4 (Host = uri-host [ ":" port ]")
+-//   https://tools.ietf.org/html/rfc7230#section-2.7 (uri-host -> rfc3986's host)
+-//   https://tools.ietf.org/html/rfc3986#section-3.2.2 (definition of host)
+-// But practically, what we are trying to avoid is the situation in
+-// issue 11206, where a malformed Host header used in the proxy context
+-// would create a bad request. So it is enough to just truncate at the
+-// first offending character.
+-func cleanHost(in string) string {
+-	if i := strings.IndexAny(in, " /"); i != -1 {
+-		in = in[:i]
+-	}
+-	host, port, err := net.SplitHostPort(in)
+-	if err != nil { // input was just a host
+-		a, err := idnaASCII(in)
+-		if err != nil {
+-			return in // garbage in, garbage out
+-		}
+-		return a
+-	}
+-	a, err := idnaASCII(host)
+-	if err != nil {
+-		return in // garbage in, garbage out
+-	}
+-	return net.JoinHostPort(a, port)
+-}
+-
+ // removeZone removes IPv6 zone identifier from host.
+ // E.g., "[fe80::1%en0]:8080" to "[fe80::1]:8080"
+ func removeZone(host string) string {
+diff --git a/src/net/http/request_test.go b/src/net/http/request_test.go
+index fac12b7..368e87a 100644
+--- a/src/net/http/request_test.go
++++ b/src/net/http/request_test.go
+@@ -776,15 +776,8 @@ func TestRequestBadHost(t *testing.T) {
+	}
+	req.Host = "foo.com with spaces"
+	req.URL.Host = "foo.com with spaces"
+-	req.Write(logWrites{t, &got})
+-	want := []string{
+-		"GET /after HTTP/1.1\r\n",
+-		"Host: foo.com\r\n",
+-		"User-Agent: " + DefaultUserAgent + "\r\n",
+-		"\r\n",
+-	}
+-	if !reflect.DeepEqual(got, want) {
+-		t.Errorf("Writes = %q\n  Want = %q", got, want)
++	if err := req.Write(logWrites{t, &got}); err == nil {
++		t.Errorf("Writing request with invalid Host: succeded, want error")
+	}
+ }
+
+diff --git a/src/net/http/transport_test.go b/src/net/http/transport_test.go
+index eeaa492..58f12af 100644
+--- a/src/net/http/transport_test.go
++++ b/src/net/http/transport_test.go
+@@ -6512,3 +6512,21 @@ func TestCancelRequestWhenSharingConnection(t *testing.T) {
+	close(r2c)
+	wg.Wait()
+ }
++
++func TestRequestSanitization(t *testing.T) {
++	setParallel(t)
++	defer afterTest(t)
++
++	ts := newClientServerTest(t, h1Mode, HandlerFunc(func(rw ResponseWriter, req *Request) {
++		if h, ok := req.Header["X-Evil"]; ok {
++			t.Errorf("request has X-Evil header: %q", h)
++		}
++	})).ts
++	defer ts.Close()
++	req, _ := NewRequest("GET", ts.URL, nil)
++	req.Host = "go.dev\r\nX-Evil:evil"
++	resp, _ := ts.Client().Do(req)
++	if resp != nil {
++		resp.Body.Close()
++	}
++}
+--
+2.25.1
-- 
2.25.1

Re: [OE-core][kirkstone][PATCH] go: fix CVE-2023-29406 net/http insufficient sanitization of Host header

[Robert Yang]

Hello,

This patch caused docker failed to run on kirkstone branch:

$ docker run --rm -it ubuntu /bin/bash
Unable to find image 'ubuntu:latest' locally
latest: Pulling from library/ubuntu
3153aa388d02: Pull complete
Digest: sha256:0bced47fffa3361afa981854fcabcd4577cd43cebbb808cea2b1f33a3dd7f508
Status: Downloaded newer image for ubuntu:latest
http: invalid Host header

Maybe we need consider revert it atm since CVE-2023-29406 is a medium bug.

// Robert

On 7/26/23 12:37, vkumbhar wrote:
> Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
> ---
>   meta/recipes-devtools/go/go-1.17.13.inc       |   1 +
>   .../go/go-1.18/CVE-2023-29406.patch           | 210 ++++++++++++++++++
>   2 files changed, 211 insertions(+)
>   create mode 100644 meta/recipes-devtools/go/go-1.18/CVE-2023-29406.patch
> 
> diff --git a/meta/recipes-devtools/go/go-1.17.13.inc b/meta/recipes-devtools/go/go-1.17.13.inc
> index 73921852fc..36904a92fb 100644
> --- a/meta/recipes-devtools/go/go-1.17.13.inc
> +++ b/meta/recipes-devtools/go/go-1.17.13.inc
> @@ -36,6 +36,7 @@ SRC_URI += "\
>       file://CVE-2023-29405.patch \
>       file://CVE-2023-29402.patch \
>       file://CVE-2023-29400.patch \
> +    file://CVE-2023-29406.patch \
>   "
>   SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd"
>   
> diff --git a/meta/recipes-devtools/go/go-1.18/CVE-2023-29406.patch b/meta/recipes-devtools/go/go-1.18/CVE-2023-29406.patch
> new file mode 100644
> index 0000000000..a326cda5c4
> --- /dev/null
> +++ b/meta/recipes-devtools/go/go-1.18/CVE-2023-29406.patch
> @@ -0,0 +1,210 @@
> +From 5fa6923b1ea891400153d04ddf1545e23b40041b Mon Sep 17 00:00:00 2001
> +From: Damien Neil <dneil@google.com>
> +Date: Wed, 28 Jun 2023 13:20:08 -0700
> +Subject: [PATCH] [release-branch.go1.19] net/http: validate Host header before
> + sending
> +
> +Verify that the Host header we send is valid.
> +Avoids surprising behavior such as a Host of "go.dev\r\nX-Evil:oops"
> +adding an X-Evil header to HTTP/1 requests.
> +
> +Add a test, skip the test for HTTP/2. HTTP/2 is not vulnerable to
> +header injection in the way HTTP/1 is, but x/net/http2 doesn't validate
> +the header and will go into a retry loop when the server rejects it.
> +CL 506995 adds the necessary validation to x/net/http2.
> +
> +Updates #60374
> +Fixes #61075
> +For CVE-2023-29406
> +
> +Change-Id: I05cb6866a9bead043101954dfded199258c6dd04
> +Reviewed-on: https://go-review.googlesource.com/c/go/+/506996
> +Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
> +TryBot-Result: Gopher Robot <gobot@golang.org>
> +Run-TryBot: Damien Neil <dneil@google.com>
> +(cherry picked from commit 499458f7ca04087958987a33c2703c3ef03e27e2)
> +Reviewed-on: https://go-review.googlesource.com/c/go/+/507358
> +Run-TryBot: Tatiana Bradley <tatianabradley@google.com>
> +Reviewed-by: Roland Shoemaker <roland@golang.org>
> +
> +Upstream-Status: Backport [https://github.com/golang/go/commit/5fa6923b1ea891400153d04ddf1545e23b40041b]
> +CVE: CVE-2023-29406
> +Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
> +---
> + src/net/http/http_test.go      | 29 ----------------------
> + src/net/http/request.go        | 45 ++++++++--------------------------
> + src/net/http/request_test.go   | 11 ++-------
> + src/net/http/transport_test.go | 18 ++++++++++++++
> + 4 files changed, 30 insertions(+), 73 deletions(-)
> +
> +diff --git a/src/net/http/http_test.go b/src/net/http/http_test.go
> +index 0d92fe5..f03272a 100644
> +--- a/src/net/http/http_test.go
> ++++ b/src/net/http/http_test.go
> +@@ -48,35 +48,6 @@ func TestForeachHeaderElement(t *testing.T) {
> +	}
> + }
> +
> +-func TestCleanHost(t *testing.T) {
> +-	tests := []struct {
> +-		in, want string
> +-	}{
> +-		{"www.google.com", "www.google.com"},
> +-		{"www.google.com foo", "www.google.com"},
> +-		{"www.google.com/foo", "www.google.com"},
> +-		{" first character is a space", ""},
> +-		{"[1::6]:8080", "[1::6]:8080"},
> +-
> +-		// Punycode:
> +-		{"гофер.рф/foo", "xn--c1ae0ajs.xn--p1ai"},
> +-		{"bücher.de", "xn--bcher-kva.de"},
> +-		{"bücher.de:8080", "xn--bcher-kva.de:8080"},
> +-		// Verify we convert to lowercase before punycode:
> +-		{"BÜCHER.de", "xn--bcher-kva.de"},
> +-		{"BÜCHER.de:8080", "xn--bcher-kva.de:8080"},
> +-		// Verify we normalize to NFC before punycode:
> +-		{"gophér.nfc", "xn--gophr-esa.nfc"},            // NFC input; no work needed
> +-		{"goph\u0065\u0301r.nfd", "xn--gophr-esa.nfd"}, // NFD input
> +-	}
> +-	for _, tt := range tests {
> +-		got := cleanHost(tt.in)
> +-		if tt.want != got {
> +-			t.Errorf("cleanHost(%q) = %q, want %q", tt.in, got, tt.want)
> +-		}
> +-	}
> +-}
> +-
> + // Test that cmd/go doesn't link in the HTTP server.
> + //
> + // This catches accidental dependencies between the HTTP transport and
> +diff --git a/src/net/http/request.go b/src/net/http/request.go
> +index 09cb0c7..2f4e740 100644
> +--- a/src/net/http/request.go
> ++++ b/src/net/http/request.go
> +@@ -17,7 +17,6 @@ import (
> +	"io"
> +	"mime"
> +	"mime/multipart"
> +-	"net"
> +	"net/http/httptrace"
> +	"net/http/internal/ascii"
> +	"net/textproto"
> +@@ -27,6 +26,7 @@ import (
> +	"strings"
> +	"sync"
> +
> ++	"golang.org/x/net/http/httpguts"
> +	"golang.org/x/net/idna"
> + )
> +
> +@@ -568,12 +568,19 @@ func (r *Request) write(w io.Writer, usingProxy bool, extraHeaders Header, waitF
> +	// is not given, use the host from the request URL.
> +	//
> +	// Clean the host, in case it arrives with unexpected stuff in it.
> +-	host := cleanHost(r.Host)
> ++	host := r.Host
> +	if host == "" {
> +		if r.URL == nil {
> +			return errMissingHost
> +		}
> +-		host = cleanHost(r.URL.Host)
> ++		host = r.URL.Host
> ++	}
> ++	host, err = httpguts.PunycodeHostPort(host)
> ++	if err != nil {
> ++		return err
> ++	}
> ++	if !httpguts.ValidHostHeader(host) {
> ++		return errors.New("http: invalid Host header")
> +	}
> +
> +	// According to RFC 6874, an HTTP client, proxy, or other
> +@@ -730,38 +737,6 @@ func idnaASCII(v string) (string, error) {
> +	return idna.Lookup.ToASCII(v)
> + }
> +
> +-// cleanHost cleans up the host sent in request's Host header.
> +-//
> +-// It both strips anything after '/' or ' ', and puts the value
> +-// into Punycode form, if necessary.
> +-//
> +-// Ideally we'd clean the Host header according to the spec:
> +-//   https://tools.ietf.org/html/rfc7230#section-5.4 (Host = uri-host [ ":" port ]")
> +-//   https://tools.ietf.org/html/rfc7230#section-2.7 (uri-host -> rfc3986's host)
> +-//   https://tools.ietf.org/html/rfc3986#section-3.2.2 (definition of host)
> +-// But practically, what we are trying to avoid is the situation in
> +-// issue 11206, where a malformed Host header used in the proxy context
> +-// would create a bad request. So it is enough to just truncate at the
> +-// first offending character.
> +-func cleanHost(in string) string {
> +-	if i := strings.IndexAny(in, " /"); i != -1 {
> +-		in = in[:i]
> +-	}
> +-	host, port, err := net.SplitHostPort(in)
> +-	if err != nil { // input was just a host
> +-		a, err := idnaASCII(in)
> +-		if err != nil {
> +-			return in // garbage in, garbage out
> +-		}
> +-		return a
> +-	}
> +-	a, err := idnaASCII(host)
> +-	if err != nil {
> +-		return in // garbage in, garbage out
> +-	}
> +-	return net.JoinHostPort(a, port)
> +-}
> +-
> + // removeZone removes IPv6 zone identifier from host.
> + // E.g., "[fe80::1%en0]:8080" to "[fe80::1]:8080"
> + func removeZone(host string) string {
> +diff --git a/src/net/http/request_test.go b/src/net/http/request_test.go
> +index fac12b7..368e87a 100644
> +--- a/src/net/http/request_test.go
> ++++ b/src/net/http/request_test.go
> +@@ -776,15 +776,8 @@ func TestRequestBadHost(t *testing.T) {
> +	}
> +	req.Host = "foo.com with spaces"
> +	req.URL.Host = "foo.com with spaces"
> +-	req.Write(logWrites{t, &got})
> +-	want := []string{
> +-		"GET /after HTTP/1.1\r\n",
> +-		"Host: foo.com\r\n",
> +-		"User-Agent: " + DefaultUserAgent + "\r\n",
> +-		"\r\n",
> +-	}
> +-	if !reflect.DeepEqual(got, want) {
> +-		t.Errorf("Writes = %q\n  Want = %q", got, want)
> ++	if err := req.Write(logWrites{t, &got}); err == nil {
> ++		t.Errorf("Writing request with invalid Host: succeded, want error")
> +	}
> + }
> +
> +diff --git a/src/net/http/transport_test.go b/src/net/http/transport_test.go
> +index eeaa492..58f12af 100644
> +--- a/src/net/http/transport_test.go
> ++++ b/src/net/http/transport_test.go
> +@@ -6512,3 +6512,21 @@ func TestCancelRequestWhenSharingConnection(t *testing.T) {
> +	close(r2c)
> +	wg.Wait()
> + }
> ++
> ++func TestRequestSanitization(t *testing.T) {
> ++	setParallel(t)
> ++	defer afterTest(t)
> ++
> ++	ts := newClientServerTest(t, h1Mode, HandlerFunc(func(rw ResponseWriter, req *Request) {
> ++		if h, ok := req.Header["X-Evil"]; ok {
> ++			t.Errorf("request has X-Evil header: %q", h)
> ++		}
> ++	})).ts
> ++	defer ts.Close()
> ++	req, _ := NewRequest("GET", ts.URL, nil)
> ++	req.Host = "go.dev\r\nX-Evil:evil"
> ++	resp, _ := ts.Client().Do(req)
> ++	if resp != nil {
> ++		resp.Body.Close()
> ++	}
> ++}
> +--
> +2.25.1
> 
> 
> 
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#184856): https://lists.openembedded.org/g/openembedded-core/message/184856
> Mute This Topic: https://lists.openembedded.org/mt/100365153/7304958
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [liezhi.yang@eng.windriver.com]
> -=-=-=-=-=-=-=-=-=-=-=-
> 

Re: [OE-core][kirkstone][PATCH] go: fix CVE-2023-29406 net/http insufficient sanitization of Host header

[Vivek Kumbhar]

[-- Attachment #1: Type: text/plain, Size: 11299 bytes --]

Okay, If that's the case, I'll revert this patch.

Thanks,
Vivek

On Tue, Aug 22, 2023 at 9:08 AM Robert Yang <liezhi.yang@windriver.com>
wrote:

> Hello,
>
> This patch caused docker failed to run on kirkstone branch:
>
> $ docker run --rm -it ubuntu /bin/bash
> Unable to find image 'ubuntu:latest' locally
> latest: Pulling from library/ubuntu
> 3153aa388d02: Pull complete
> Digest:
> sha256:0bced47fffa3361afa981854fcabcd4577cd43cebbb808cea2b1f33a3dd7f508
> Status: Downloaded newer image for ubuntu:latest
> http: invalid Host header
>
> Maybe we need consider revert it atm since CVE-2023-29406 is a medium bug.
>
> // Robert
>
> On 7/26/23 12:37, vkumbhar wrote:
> > Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
> > ---
> >   meta/recipes-devtools/go/go-1.17.13.inc       |   1 +
> >   .../go/go-1.18/CVE-2023-29406.patch           | 210 ++++++++++++++++++
> >   2 files changed, 211 insertions(+)
> >   create mode 100644
> meta/recipes-devtools/go/go-1.18/CVE-2023-29406.patch
> >
> > diff --git a/meta/recipes-devtools/go/go-1.17.13.inc
> b/meta/recipes-devtools/go/go-1.17.13.inc
> > index 73921852fc..36904a92fb 100644
> > --- a/meta/recipes-devtools/go/go-1.17.13.inc
> > +++ b/meta/recipes-devtools/go/go-1.17.13.inc
> > @@ -36,6 +36,7 @@ SRC_URI += "\
> >       file://CVE-2023-29405.patch \
> >       file://CVE-2023-29402.patch \
> >       file://CVE-2023-29400.patch \
> > +    file://CVE-2023-29406.patch \
> >   "
> >   SRC_URI[main.sha256sum] =
> "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd"
> >
> > diff --git a/meta/recipes-devtools/go/go-1.18/CVE-2023-29406.patch
> b/meta/recipes-devtools/go/go-1.18/CVE-2023-29406.patch
> > new file mode 100644
> > index 0000000000..a326cda5c4
> > --- /dev/null
> > +++ b/meta/recipes-devtools/go/go-1.18/CVE-2023-29406.patch
> > @@ -0,0 +1,210 @@
> > +From 5fa6923b1ea891400153d04ddf1545e23b40041b Mon Sep 17 00:00:00 2001
> > +From: Damien Neil <dneil@google.com>
> > +Date: Wed, 28 Jun 2023 13:20:08 -0700
> > +Subject: [PATCH] [release-branch.go1.19] net/http: validate Host header
> before
> > + sending
> > +
> > +Verify that the Host header we send is valid.
> > +Avoids surprising behavior such as a Host of "go.dev\r\nX-Evil:oops"
> > +adding an X-Evil header to HTTP/1 requests.
> > +
> > +Add a test, skip the test for HTTP/2. HTTP/2 is not vulnerable to
> > +header injection in the way HTTP/1 is, but x/net/http2 doesn't validate
> > +the header and will go into a retry loop when the server rejects it.
> > +CL 506995 adds the necessary validation to x/net/http2.
> > +
> > +Updates #60374
> > +Fixes #61075
> > +For CVE-2023-29406
> > +
> > +Change-Id: I05cb6866a9bead043101954dfded199258c6dd04
> > +Reviewed-on: https://go-review.googlesource.com/c/go/+/506996
> > +Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
> > +TryBot-Result: Gopher Robot <gobot@golang.org>
> > +Run-TryBot: Damien Neil <dneil@google.com>
> > +(cherry picked from commit 499458f7ca04087958987a33c2703c3ef03e27e2)
> > +Reviewed-on: https://go-review.googlesource.com/c/go/+/507358
> > +Run-TryBot: Tatiana Bradley <tatianabradley@google.com>
> > +Reviewed-by: Roland Shoemaker <roland@golang.org>
> > +
> > +Upstream-Status: Backport [
> https://github.com/golang/go/commit/5fa6923b1ea891400153d04ddf1545e23b40041b
> ]
> > +CVE: CVE-2023-29406
> > +Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
> > +---
> > + src/net/http/http_test.go      | 29 ----------------------
> > + src/net/http/request.go        | 45 ++++++++--------------------------
> > + src/net/http/request_test.go   | 11 ++-------
> > + src/net/http/transport_test.go | 18 ++++++++++++++
> > + 4 files changed, 30 insertions(+), 73 deletions(-)
> > +
> > +diff --git a/src/net/http/http_test.go b/src/net/http/http_test.go
> > +index 0d92fe5..f03272a 100644
> > +--- a/src/net/http/http_test.go
> > ++++ b/src/net/http/http_test.go
> > +@@ -48,35 +48,6 @@ func TestForeachHeaderElement(t *testing.T) {
> > +     }
> > + }
> > +
> > +-func TestCleanHost(t *testing.T) {
> > +-    tests := []struct {
> > +-            in, want string
> > +-    }{
> > +-            {"www.google.com", "www.google.com"},
> > +-            {"www.google.com foo", "www.google.com"},
> > +-            {"www.google.com/foo", "www.google.com"},
> > +-            {" first character is a space", ""},
> > +-            {"[1::6]:8080", "[1::6]:8080"},
> > +-
> > +-            // Punycode:
> > +-            {"гофер.рф/foo", "xn--c1ae0ajs.xn--p1ai"},
> > +-            {"bücher.de <http://xn--bcher-kva.de>", "xn--bcher-kva.de
> "},
> > +-            {"bücher.de:8080 <http://xn--bcher-kva.de:8080>", "
> xn--bcher-kva.de:8080"},
> > +-            // Verify we convert to lowercase before punycode:
> > +-            {"BÜCHER.de", "xn--bcher-kva.de"},
> > +-            {"BÜCHER.de:8080", "xn--bcher-kva.de:8080"},
> > +-            // Verify we normalize to NFC before punycode:
> > +-            {"gophér.nfc", "xn--gophr-esa.nfc"},            // NFC
> input; no work needed
> > +-            {"goph\u0065\u0301r.nfd", "xn--gophr-esa.nfd"}, // NFD
> input
> > +-    }
> > +-    for _, tt := range tests {
> > +-            got := cleanHost(tt.in)
> > +-            if tt.want != got {
> > +-                    t.Errorf("cleanHost(%q) = %q, want %q", tt.in,
> got, tt.want)
> > +-            }
> > +-    }
> > +-}
> > +-
> > + // Test that cmd/go doesn't link in the HTTP server.
> > + //
> > + // This catches accidental dependencies between the HTTP transport and
> > +diff --git a/src/net/http/request.go b/src/net/http/request.go
> > +index 09cb0c7..2f4e740 100644
> > +--- a/src/net/http/request.go
> > ++++ b/src/net/http/request.go
> > +@@ -17,7 +17,6 @@ import (
> > +     "io"
> > +     "mime"
> > +     "mime/multipart"
> > +-    "net"
> > +     "net/http/httptrace"
> > +     "net/http/internal/ascii"
> > +     "net/textproto"
> > +@@ -27,6 +26,7 @@ import (
> > +     "strings"
> > +     "sync"
> > +
> > ++    "golang.org/x/net/http/httpguts"
> > +     "golang.org/x/net/idna"
> > + )
> > +
> > +@@ -568,12 +568,19 @@ func (r *Request) write(w io.Writer, usingProxy
> bool, extraHeaders Header, waitF
> > +     // is not given, use the host from the request URL.
> > +     //
> > +     // Clean the host, in case it arrives with unexpected stuff in it.
> > +-    host := cleanHost(r.Host)
> > ++    host := r.Host
> > +     if host == "" {
> > +             if r.URL == nil {
> > +                     return errMissingHost
> > +             }
> > +-            host = cleanHost(r.URL.Host)
> > ++            host = r.URL.Host
> > ++    }
> > ++    host, err = httpguts.PunycodeHostPort(host)
> > ++    if err != nil {
> > ++            return err
> > ++    }
> > ++    if !httpguts.ValidHostHeader(host) {
> > ++            return errors.New("http: invalid Host header")
> > +     }
> > +
> > +     // According to RFC 6874, an HTTP client, proxy, or other
> > +@@ -730,38 +737,6 @@ func idnaASCII(v string) (string, error) {
> > +     return idna.Lookup.ToASCII(v)
> > + }
> > +
> > +-// cleanHost cleans up the host sent in request's Host header.
> > +-//
> > +-// It both strips anything after '/' or ' ', and puts the value
> > +-// into Punycode form, if necessary.
> > +-//
> > +-// Ideally we'd clean the Host header according to the spec:
> > +-//   https://tools.ietf.org/html/rfc7230#section-5.4 (Host = uri-host
> [ ":" port ]")
> > +-//   https://tools.ietf.org/html/rfc7230#section-2.7 (uri-host ->
> rfc3986's host)
> > +-//   https://tools.ietf.org/html/rfc3986#section-3.2.2 (definition of
> host)
> > +-// But practically, what we are trying to avoid is the situation in
> > +-// issue 11206, where a malformed Host header used in the proxy context
> > +-// would create a bad request. So it is enough to just truncate at the
> > +-// first offending character.
> > +-func cleanHost(in string) string {
> > +-    if i := strings.IndexAny(in, " /"); i != -1 {
> > +-            in = in[:i]
> > +-    }
> > +-    host, port, err := net.SplitHostPort(in)
> > +-    if err != nil { // input was just a host
> > +-            a, err := idnaASCII(in)
> > +-            if err != nil {
> > +-                    return in // garbage in, garbage out
> > +-            }
> > +-            return a
> > +-    }
> > +-    a, err := idnaASCII(host)
> > +-    if err != nil {
> > +-            return in // garbage in, garbage out
> > +-    }
> > +-    return net.JoinHostPort(a, port)
> > +-}
> > +-
> > + // removeZone removes IPv6 zone identifier from host.
> > + // E.g., "[fe80::1%en0]:8080" to "[fe80::1]:8080"
> > + func removeZone(host string) string {
> > +diff --git a/src/net/http/request_test.go b/src/net/http/request_test.go
> > +index fac12b7..368e87a 100644
> > +--- a/src/net/http/request_test.go
> > ++++ b/src/net/http/request_test.go
> > +@@ -776,15 +776,8 @@ func TestRequestBadHost(t *testing.T) {
> > +     }
> > +     req.Host = "foo.com with spaces"
> > +     req.URL.Host = "foo.com with spaces"
> > +-    req.Write(logWrites{t, &got})
> > +-    want := []string{
> > +-            "GET /after HTTP/1.1\r\n",
> > +-            "Host: foo.com\r\n",
> > +-            "User-Agent: " + DefaultUserAgent + "\r\n",
> > +-            "\r\n",
> > +-    }
> > +-    if !reflect.DeepEqual(got, want) {
> > +-            t.Errorf("Writes = %q\n  Want = %q", got, want)
> > ++    if err := req.Write(logWrites{t, &got}); err == nil {
> > ++            t.Errorf("Writing request with invalid Host: succeded,
> want error")
> > +     }
> > + }
> > +
> > +diff --git a/src/net/http/transport_test.go
> b/src/net/http/transport_test.go
> > +index eeaa492..58f12af 100644
> > +--- a/src/net/http/transport_test.go
> > ++++ b/src/net/http/transport_test.go
> > +@@ -6512,3 +6512,21 @@ func TestCancelRequestWhenSharingConnection(t
> *testing.T) {
> > +     close(r2c)
> > +     wg.Wait()
> > + }
> > ++
> > ++func TestRequestSanitization(t *testing.T) {
> > ++    setParallel(t)
> > ++    defer afterTest(t)
> > ++
> > ++    ts := newClientServerTest(t, h1Mode, HandlerFunc(func(rw
> ResponseWriter, req *Request) {
> > ++            if h, ok := req.Header["X-Evil"]; ok {
> > ++                    t.Errorf("request has X-Evil header: %q", h)
> > ++            }
> > ++    })).ts
> > ++    defer ts.Close()
> > ++    req, _ := NewRequest("GET", ts.URL, nil)
> > ++    req.Host = "go.dev\r\nX-Evil:evil"
> > ++    resp, _ := ts.Client().Do(req)
> > ++    if resp != nil {
> > ++            resp.Body.Close()
> > ++    }
> > ++}
> > +--
> > +2.25.1
> >
> >
> >
> > -=-=-=-=-=-=-=-=-=-=-=-
> > Links: You receive all messages sent to this group.
> > View/Reply Online (#184856):
> https://lists.openembedded.org/g/openembedded-core/message/184856
> > Mute This Topic: https://lists.openembedded.org/mt/100365153/7304958
> > Group Owner: openembedded-core+owner@lists.openembedded.org
> > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [
> liezhi.yang@eng.windriver.com]
> > -=-=-=-=-=-=-=-=-=-=-=-
> >
>

[-- Attachment #2: Type: text/html, Size: 16927 bytes --]