Address CVE-2024-45341

microsoft · Feb 4, 2025 · 78e5e3e · 78e5e3e
1 parent d52f91d
commit 78e5e3e
Show file tree

Hide file tree

Showing 2 changed files with 69 additions and 1 deletion.
diff --git a/SPECS/msft-golang/CVE-2024-45341.patch b/SPECS/msft-golang/CVE-2024-45341.patch
@@ -0,0 +1,66 @@
+From b35410e65f9b0c61dd694dc0d4a4aaf2fc1fb2da Mon Sep 17 00:00:00 2001
+From: Kanishk Bansal <[email protected]>
+Date: Tue, 4 Feb 2025 15:21:06 +0000
+Subject: [PATCH] Address CVE-2024-45341
+
+---
+ src/crypto/x509/name_constraints_test.go | 17 +++++++++++++++++
+ src/crypto/x509/verify.go                |  7 +++++--
+ 2 files changed, 22 insertions(+), 2 deletions(-)
+
+diff --git a/src/crypto/x509/name_constraints_test.go b/src/crypto/x509/name_constraints_test.go
+index 008c702..a585184 100644
+--- a/src/crypto/x509/name_constraints_test.go
++++ b/src/crypto/x509/name_constraints_test.go
+@@ -1607,6 +1607,23 @@ var nameConstraintsTests = []nameConstraintsTest{
+ 		leaf:          leafSpec{sans: []string{"dns:.example.com"}},
+ 		expectedError: "cannot parse dnsName \".example.com\"",
+ 	},
++	// #86: URIs with IPv6 addresses with zones and ports are rejected
++	{
++		roots: []constraintsSpec{
++			{
++				ok: []string{"uri:example.com"},
++			},
++		},
++		intermediates: [][]constraintsSpec{
++			{
++				{},
++			},
++		},
++		leaf: leafSpec{
++			sans: []string{"uri:http://[2006:abcd::1%25.example.com]:16/"},
++		},
++		expectedError: "URI with IP",
++	},
+ }
+
+ func makeConstraintsCACert(constraints constraintsSpec, name string, key *ecdsa.PrivateKey, parent *Certificate, parentKey *ecdsa.PrivateKey) (*Certificate, error) {
+diff --git a/src/crypto/x509/verify.go b/src/crypto/x509/verify.go
+index 7170087..bbccfce 100644
+--- a/src/crypto/x509/verify.go
++++ b/src/crypto/x509/verify.go
+@@ -11,6 +11,7 @@ import (
+ 	"errors"
+ 	"fmt"
+ 	"net"
++	"net/netip"
+ 	"net/url"
+ 	"reflect"
+ 	"runtime"
+@@ -434,8 +435,10 @@ func matchURIConstraint(uri *url.URL, constraint string) (bool, error) {
+ 		}
+ 	}
+
+-	if strings.HasPrefix(host, "[") && strings.HasSuffix(host, "]") ||
+-		net.ParseIP(host) != nil {
++	// netip.ParseAddr will reject the URI IPv6 literal form "[...]", so we
++	// check if _either_ the string parses as an IP, or if it is enclosed in
++	// square brackets.
++	if _, err := netip.ParseAddr(host); err == nil || (strings.HasPrefix(host, "[") && strings.HasSuffix(host, "]")) {
+ 		return false, fmt.Errorf("URI with IP (%q) cannot be matched against constraints", uri.String())
+ 	}
+
+-- 
+2.43.0
+
diff --git a/SPECS/msft-golang/msft-golang.spec b/SPECS/msft-golang/msft-golang.spec
@@ -31,6 +31,7 @@ Source2:        https://github.com/microsoft/go/releases/download/v1.19.12-1/go.
 Source3:        https://github.com/microsoft/go/releases/download/v1.20.14-1/go.20240206.2.src.tar.gz
 Patch0:         go14_bootstrap_aarch64.patch
 Patch1:         CVE-2024-45336.patch
+Patch2:         CVE-2024-45341.patch
 Conflicts:      go
 Conflicts:      golang
 
@@ -51,6 +52,7 @@ mv -v go go-bootstrap-02
 
 %setup -q -n go
 %patch 1 -p1
+%patch 2 -p1
 
 %build
 # go 1.4 bootstraps with C.
@@ -157,7 +159,7 @@ fi
 
 %changelog
 * Sat Feb 1 2025 Kanishk Bansal <[email protected]> - 1.23.3-2
-- Address CVE-2024-45336 using an upstream patch.
+- Address CVE-2024-45336, CVE-2024-45341 using an upstream patch.
 
 * Wed Jan 15 2025 Muhammad Falak <[email protected]> - 1.23.3-1
 - Bump version to 1.23.3