mirror of
https://git.yoctoproject.org/poky
synced 2026-07-16 15:57:04 +00:00
go: patch CVE-2026-27145
Backport patch from [1] [1] https://go.dev/cl/783621 (From OE-Core rev: 209a1b3a48b8e3996e1b53f2d7efe335855b7375) Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev>
This commit is contained in:
committed by
Paul Barker
parent
61f170a32d
commit
e2d512c2e7
@@ -61,6 +61,7 @@ SRC_URI += "\
|
|||||||
file://CVE-2025-58183.patch \
|
file://CVE-2025-58183.patch \
|
||||||
file://CVE-2026-25679.patch \
|
file://CVE-2026-25679.patch \
|
||||||
file://CVE-2026-32288.patch \
|
file://CVE-2026-32288.patch \
|
||||||
|
file://CVE-2026-27145.patch \
|
||||||
"
|
"
|
||||||
SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71"
|
SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71"
|
||||||
|
|
||||||
|
|||||||
@@ -0,0 +1,96 @@
|
|||||||
|
From 612753600a0184c8b792425dea62e530170ca811 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Ian Alexander <jitsu@google.com>
|
||||||
|
Date: Wed, 27 May 2026 04:22:31 -0400
|
||||||
|
Subject: [PATCH] crypto/x509: split candidate hostname only once
|
||||||
|
|
||||||
|
(*x509.Certificate).VerifyHostname previously called matchHostnames in a
|
||||||
|
loop over all DNS Subject Alternative Name (SAN) entries. This caused
|
||||||
|
strings.Split(host, ".") to execute repeatedly on the same input
|
||||||
|
hostname.
|
||||||
|
|
||||||
|
With a large DNS SAN list, verification costs scaled quadratically based
|
||||||
|
on the number of SAN entries multiplied by the hostname's label count.
|
||||||
|
Because x509.Verify validates hostnames before building the certificate
|
||||||
|
chain, this overhead occurred even for untrusted certificates.
|
||||||
|
|
||||||
|
Thanks to Jakub Ciolek <jakub@ciolek.dev> for reporting this issue.
|
||||||
|
|
||||||
|
Fixes #79694
|
||||||
|
Fixes CVE-2026-27145
|
||||||
|
|
||||||
|
Change-Id: I2788b8ee22ffd28e45bcc7b0d860549084906a74
|
||||||
|
Reviewed-on: https://go-review.googlesource.com/c/go/+/783621
|
||||||
|
LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
|
||||||
|
Reviewed-by: David Chase <drchase@google.com>
|
||||||
|
Reviewed-by: Neal Patel <neal@golang.org>
|
||||||
|
|
||||||
|
CVE: CVE-2026-27145
|
||||||
|
Upstream-Status: Backport [https://github.com/golang/go/commit/d01955d5d50ccb5f46c215f88c1781742b3f117d]
|
||||||
|
Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
|
||||||
|
---
|
||||||
|
src/crypto/x509/verify.go | 15 +++++++++------
|
||||||
|
1 file changed, 9 insertions(+), 6 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/crypto/x509/verify.go b/src/crypto/x509/verify.go
|
||||||
|
index 1de06bc95b..4c423a5fca 100644
|
||||||
|
--- a/src/crypto/x509/verify.go
|
||||||
|
+++ b/src/crypto/x509/verify.go
|
||||||
|
@@ -102,7 +102,7 @@ func (h HostnameError) Error() string {
|
||||||
|
c := h.Certificate
|
||||||
|
maxNamesIncluded := 100
|
||||||
|
|
||||||
|
- if !c.hasSANExtension() && matchHostnames(c.Subject.CommonName, h.Host) {
|
||||||
|
+ if !c.hasSANExtension() && matchHostnames(c.Subject.CommonName, splitHostname(h.Host)) {
|
||||||
|
return "x509: certificate relies on legacy Common Name field, use SANs instead"
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -1081,16 +1081,14 @@ func matchExactly(hostA, hostB string) bool {
|
||||||
|
return toLowerCaseASCII(hostA) == toLowerCaseASCII(hostB)
|
||||||
|
}
|
||||||
|
|
||||||
|
-func matchHostnames(pattern, host string) bool {
|
||||||
|
+func matchHostnames(pattern string, hostParts []string) bool {
|
||||||
|
pattern = toLowerCaseASCII(pattern)
|
||||||
|
- host = toLowerCaseASCII(strings.TrimSuffix(host, "."))
|
||||||
|
|
||||||
|
- if len(pattern) == 0 || len(host) == 0 {
|
||||||
|
+ if len(pattern) == 0 || len(hostParts) == 0 {
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
|
||||||
|
patternParts := strings.Split(pattern, ".")
|
||||||
|
- hostParts := strings.Split(host, ".")
|
||||||
|
|
||||||
|
if len(patternParts) != len(hostParts) {
|
||||||
|
return false
|
||||||
|
@@ -1168,6 +1166,7 @@ func (c *Certificate) VerifyHostname(h string) error {
|
||||||
|
|
||||||
|
candidateName := toLowerCaseASCII(h) // Save allocations inside the loop.
|
||||||
|
validCandidateName := validHostnameInput(candidateName)
|
||||||
|
+ hostParts := splitHostname(candidateName)
|
||||||
|
|
||||||
|
for _, match := range c.DNSNames {
|
||||||
|
// Ideally, we'd only match valid hostnames according to RFC 6125 like
|
||||||
|
@@ -1176,7 +1175,7 @@ func (c *Certificate) VerifyHostname(h string) error {
|
||||||
|
// always allow perfect matches, and only apply wildcard and trailing
|
||||||
|
// dot processing to valid hostnames.
|
||||||
|
if validCandidateName && validHostnamePattern(match) {
|
||||||
|
- if matchHostnames(match, candidateName) {
|
||||||
|
+ if matchHostnames(match, hostParts) {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
@@ -1189,6 +1188,10 @@ func (c *Certificate) VerifyHostname(h string) error {
|
||||||
|
return HostnameError{c, h}
|
||||||
|
}
|
||||||
|
|
||||||
|
+func splitHostname(host string) []string {
|
||||||
|
+ return strings.Split(toLowerCaseASCII(strings.TrimSuffix(host, ".")), ".")
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
func checkChainForKeyUsage(chain []*Certificate, keyUsages []ExtKeyUsage) bool {
|
||||||
|
usages := make([]ExtKeyUsage, len(keyUsages))
|
||||||
|
copy(usages, keyUsages)
|
||||||
|
--
|
||||||
|
2.43.0
|
||||||
|
|
||||||
Reference in New Issue
Block a user