@@ -37,6 +37,7 @@ SRC_URI += "\
file://CVE-2025-61731.patch \
file://CVE-2025-68119-dependent.patch \
file://CVE-2025-68119.patch \
+ file://CVE-2025-61732.patch \
"
SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71"
new file mode 100644
@@ -0,0 +1,53 @@
+From fe8c665f1608126e7b644ab07bb0698ad1c0b4b6 Mon Sep 17 00:00:00 2001
+From: Neal Patel <nealpatel@google.com>
+Date: Tue, 6 Jan 2026 16:09:19 -0500
+Subject: [PATCH] [release-branch.go1.24] cmd/go: remove user-content from doc
+ strings in cgo ASTs.
+
+Thank you to RyotaK (https://ryotak.net) of GMO Flatt Security Inc. for reporting this issue.
+
+Updates #76697
+Fixes #77128
+Fixes CVE-2025-61732
+
+CVE: CVE-2025-61732
+Upstream-Status: Backport [https://github.com/golang/go/commit/14d0bb39c1c4]
+
+Change-Id: Ie2a96b79a813e362cbf8e6cb0e3c2d0c022bcb29
+Reviewed-on: https://go-review.googlesource.com/c/go/+/740001
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
+Reviewed-by: Roland Shoemaker <roland@golang.org>
+(cherry picked from commit 14d0bb39c1c4093bd02740d14b1a2ca720ced97c)
+Signed-off-by: Deepak Rathore <deeratho@cisco.com>
+---
+ src/cmd/cgo/ast.go | 11 +++--------
+ 1 file changed, 3 insertions(+), 8 deletions(-)
+
+diff --git a/src/cmd/cgo/ast.go b/src/cmd/cgo/ast.go
+index 3cbbeafdca..eb373bdefa 100644
+--- a/src/cmd/cgo/ast.go
++++ b/src/cmd/cgo/ast.go
+@@ -301,17 +301,12 @@ func (f *File) saveExport(x interface{}, context astContext) {
+ error_(c.Pos(), "export comment has wrong name %q, want %q", name, n.Name.Name)
+ }
+
+- doc := ""
+- for _, c1 := range n.Doc.List {
+- if c1 != c {
+- doc += c1.Text + "\n"
+- }
+- }
+-
+ f.ExpFunc = append(f.ExpFunc, &ExpFunc{
+ Func: n,
+ ExpName: name,
+- Doc: doc,
++ // Caution: Do not set the Doc field on purpose
++ // to ensure that there are no unintended artifacts
++ // in the binary. See https://go.dev/issue/76697.
+ })
+ break
+ }
+--
+2.35.6