| Message ID | 20260306-fix-cve-61726-patch-ordering-v2-1-410fea740c2a@toradex.com |
|---|---|
| State | Under Review |
| Headers | show |
| Series | [v2] go 1.22.12: Fix CVE-2025-61726.patch variable ordering | expand |
On Fri Mar 6, 2026 at 8:55 PM CET, Eduardo Ferreira via lists.openembedded.org wrote: > From: Eduardo Ferreira <eduardo.barbosa@toradex.com> > > Commit 6a1ae4e79252f9a896faa702e4a8b3e27529a474 introduced a patch > backporting a fix for CVE-2025-61726, but this patch also introduced > a bug. > > From Go's source code[1], they say that the 'All' table from 'godebugs' > should be populated alphabetically by Name. And 'Lookup'[2] function uses > binary search to try and find the variable. > > Here's the trace: > Mar 06 11:33:33 toradex-smarc-imx95-12594035 systemd[1]: Started Docker Application Container Engine. > Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: 2026/03/06 11:34:53 http: panic serving @: godebug: Value of name not listed in godeb > ugs.All: urlmaxqueryparams > Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: goroutine 78 [running]: > Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: net/http.(*conn).serve.func1() > Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: net/http/server.go:1903 +0xb0 > Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: panic({0x55743e8740?, 0x4000b526c0?}) > Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: runtime/panic.go:770 +0x124 > Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: go.opentelemetry.io/otel/sdk/trace.(*recordingSpan).End.deferwrap1() > Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: go.opentelemetry.io/otel/sdk@v1.19.0/trace/span.go:383 +0x2c > Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: go.opentelemetry.io/otel/sdk/trace.(*recordingSpan).End(0x40011b4a80, {0x0, 0x0, 0x40 > 006441c0?}) > Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: go.opentelemetry.io/otel/sdk@v1.19.0/trace/span.go:421 +0x898 > Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: panic({0x55743e8740?, 0x4000b526c0?}) > Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: runtime/panic.go:770 +0x124 > Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: internal/godebug.(*Setting).Value.func1() > Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: internal/godebug/godebug.go:141 +0xd8 > Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: sync.(*Once).doSlow(0x22?, 0x55748a9b60?) > Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: sync/once.go:74 +0x100 > Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: sync.(*Once).Do(...) > Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: sync/once.go:65 > Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: internal/godebug.(*Setting).Value(0x5575b21be0) > Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: internal/godebug/godebug.go:138 +0x50 > Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: net/url.urlParamsWithinMax(0x1) > Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: net/url/url.go:968 +0x3c > Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: net/url.parseQuery(0x400069a630, {0x0, 0x0}) > Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: net/url/url.go:985 +0xdc > Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: net/url.ParseQuery(...) > Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: net/url/url.go:958 > Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: net/http.(*Request).ParseForm(0x4000bdab40) > Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: net/http/request.go:1317 +0x33c > Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: github.com/docker/docker/api/server/httputils.ParseForm(0x0?) > Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: github.com/docker/docker/api/server/httputils/httputils.go:104 +0x20 > > The 'Lookup' function was failing due to the wrong ordering and returning 'nil', > which was not being checked properly and caused this issue. > > The fix was to just reorder the line where 'urlmaxqueryparams' is being > added to respect the alphabetical ordering. And for that the whole CVE > patch was generated again. > > This change was validated with docker-moby (original issue), where a container > run successfully and no traces in the logs. > > Fixes: 6a1ae4e792 ("go 1.22.12: Fix CVE-2025-61726.patch variable ordering") > > [1] https://github.com/golang/go/blob/master/src/internal/godebugs/table.go#L20 > [2] https://github.com/golang/go/blob/master/src/internal/godebugs/table.go#L100 > > Signed-off-by: Eduardo Ferreira <eduardo.barbosa@toradex.com> > --- Hi Eduardo, I suspect this commit is not for master but for the scarthgap branch, is that right? In such cases, please remember to add the [scarthgap] tag in mail subject, you can find help about it here: https://docs.yoctoproject.org/dev/contributor-guide/submit-changes.html#submitting-changes-to-stable-release-branches Thanks, Mathieu
diff --git a/meta/recipes-devtools/go/go/CVE-2025-61726.patch b/meta/recipes-devtools/go/go/CVE-2025-61726.patch index ab053ff55c..65fe62a4da 100644 --- a/meta/recipes-devtools/go/go/CVE-2025-61726.patch +++ b/meta/recipes-devtools/go/go/CVE-2025-61726.patch @@ -1,6 +1,6 @@ -From 85050ca6146f3edb50ded0a352ab9edbd635effc Mon Sep 17 00:00:00 2001 -From: Damien Neil <dneil@google.com> -Date: Mon, 3 Nov 2025 14:28:47 -0800 +From a41ff6cac6acdb8a55708d9f1e40efd8c4f87421 Mon Sep 17 00:00:00 2001 +From: Eduardo Ferreira <eduardo.barbosa@toradex.com> +Date: Fri, 6 Mar 2026 13:38:46 +0000 Subject: [PATCH] [release-branch.go1.24] net/url: add urlmaxqueryparams GODEBUG to limit the number of query parameters @@ -36,6 +36,7 @@ Reviewed-by: Junyang Shao <shaojunyang@google.com> TryBot-Bypass: Michael Pratt <mpratt@google.com> (cherry picked from commit 85c794ddce26a092b0ea68d0fca79028b5069d5a) Signed-off-by: Deepak Rathore <deeratho@cisco.com> +Signed-off-by: Eduardo Ferreira <eduardo.barbosa@toradex.com> --- doc/godebug.md | 7 +++++ src/internal/godebugs/table.go | 1 + @@ -45,7 +46,7 @@ Signed-off-by: Deepak Rathore <deeratho@cisco.com> 5 files changed, 85 insertions(+) diff --git a/doc/godebug.md b/doc/godebug.md -index ae4f0576b4..635597ea42 100644 +index ae4f057..635597e 100644 --- a/doc/godebug.md +++ b/doc/godebug.md @@ -126,6 +126,13 @@ for example, @@ -63,19 +64,19 @@ index ae4f0576b4..635597ea42 100644 to concerns around VCS injection attacks. This behavior can be renabled with the setting `allowmultiplevcs=1`. diff --git a/src/internal/godebugs/table.go b/src/internal/godebugs/table.go -index 33dcd81fc3..4ae043053c 100644 +index 33dcd81..7178df6 100644 --- a/src/internal/godebugs/table.go +++ b/src/internal/godebugs/table.go -@@ -52,6 +52,7 @@ var All = []Info{ +@@ -51,6 +51,7 @@ var All = []Info{ + {Name: "tlsmaxrsasize", Package: "crypto/tls"}, {Name: "tlsrsakex", Package: "crypto/tls", Changed: 22, Old: "1"}, {Name: "tlsunsafeekm", Package: "crypto/tls", Changed: 22, Old: "1"}, - {Name: "x509sha1", Package: "crypto/x509"}, + {Name: "urlmaxqueryparams", Package: "net/url", Changed: 24, Old: "0"}, + {Name: "x509sha1", Package: "crypto/x509"}, {Name: "x509usefallbackroots", Package: "crypto/x509"}, {Name: "x509usepolicies", Package: "crypto/x509"}, - {Name: "zipinsecurepath", Package: "archive/zip"}, diff --git a/src/net/url/url.go b/src/net/url/url.go -index d2ae03232f..5219e3c130 100644 +index d2ae032..f796077 100644 --- a/src/net/url/url.go +++ b/src/net/url/url.go @@ -13,6 +13,7 @@ package url @@ -118,7 +119,7 @@ index d2ae03232f..5219e3c130 100644 var key string key, query, _ = strings.Cut(query, "&") diff --git a/src/net/url/url_test.go b/src/net/url/url_test.go -index fef236e40a..b2f8bd95fc 100644 +index fef236e..b2f8bd9 100644 --- a/src/net/url/url_test.go +++ b/src/net/url/url_test.go @@ -1488,6 +1488,54 @@ func TestParseQuery(t *testing.T) { @@ -177,7 +178,7 @@ index fef236e40a..b2f8bd95fc 100644 url *URL out string diff --git a/src/runtime/metrics/doc.go b/src/runtime/metrics/doc.go -index 517ec0e0a4..335f7873b3 100644 +index 517ec0e..2efb13a 100644 --- a/src/runtime/metrics/doc.go +++ b/src/runtime/metrics/doc.go @@ -328,6 +328,11 @@ Below is the full list of supported metrics, ordered lexicographically. @@ -193,4 +194,4 @@ index 517ec0e0a4..335f7873b3 100644 The number of non-default behaviors executed by the crypto/x509 package due to a non-default GODEBUG=x509sha1=... setting. -- -2.35.6 +2.34.1