
[scarthgap] go 1.22.12: fix CVE-2026-27140

Message ID 20260512071934.82378-1-hprajapati@mvista.com

Commit Message

Hitendra Prajapati May 12, 2026, 7:19 a.m. UTC
Picked the patch from [1], which is also referenced by the Debian security tracker entry in [2].

[1] https://github.com/golang/go/commit/abaa0cbb259e059ee60c33a7507eddc1fe7d20fa
[2] https://security-tracker.debian.org/tracker/CVE-2026-27140
[3] https://nvd.nist.gov/vuln/detail/CVE-2026-27140

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
---
 meta/recipes-devtools/go/go-1.22.12.inc       |  1 +
 .../go/go/CVE-2026-27140.patch                | 58 +++++++++++++++++++
 2 files changed, 59 insertions(+)
 create mode 100644 meta/recipes-devtools/go/go/CVE-2026-27140.patch


diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc
index 3fa421e223..7ece9095ff 100644
--- a/meta/recipes-devtools/go/go-1.22.12.inc
+++ b/meta/recipes-devtools/go/go-1.22.12.inc
@@ -41,6 +41,7 @@  SRC_URI += "\
     file://CVE-2025-68121_p1.patch \
     file://CVE-2025-68121_p2.patch \
     file://CVE-2025-68121_p3.patch \
+    file://CVE-2026-27140.patch \
 "
 SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71"
 
diff --git a/meta/recipes-devtools/go/go/CVE-2026-27140.patch b/meta/recipes-devtools/go/go/CVE-2026-27140.patch
new file mode 100644
index 0000000000..5c9fb31c23
--- /dev/null
+++ b/meta/recipes-devtools/go/go/CVE-2026-27140.patch
@@ -0,0 +1,58 @@ 
+From abaa0cbb259e059ee60c33a7507eddc1fe7d20fa Mon Sep 17 00:00:00 2001
+From: Neal Patel <nealpatel@google.com>
+Date: Tue, 24 Feb 2026 23:05:34 +0000
+Subject: [PATCH] [release-branch.go1.25] cmd/go: disallow cgo trust boundary
+ bypass
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The cgo compiler implicitly trusts generated files
+with 'cgo' prefixes; thus, SWIG files containing 'cgo'
+in their names will cause bypass of the trust boundary,
+leading to code smuggling or arbitrary code execution.
+
+The cgo compiler will now produce an error if it
+encounters any SWIG files containing this prefix.
+
+Thanks to Juho Forsén of Mattermost for reporting this issue.
+
+Fixes #78335
+Fixes CVE-2026-27140
+
+Change-Id: I44185a84e07739b3b347efdb86be7d8fa560b030
+Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3520
+Reviewed-by: Nicholas Husin <husin@google.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3989
+Reviewed-on: https://go-review.googlesource.com/c/go/+/763556
+Reviewed-by: David Chase <drchase@google.com>
+TryBot-Bypass: Gopher Robot <gobot@golang.org>
+Reviewed-by: Junyang Shao <shaojunyang@google.com>
+Auto-Submit: Gopher Robot <gobot@golang.org>
+
+CVE: CVE-2026-27140
+Upstream-Status: Backport [https://github.com/golang/go/commit/abaa0cbb259e059ee60c33a7507eddc1fe7d20fa]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/cmd/go/internal/work/exec.go | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/cmd/go/internal/work/exec.go b/src/cmd/go/internal/work/exec.go
+index 815942a..520c478 100644
+--- a/src/cmd/go/internal/work/exec.go
++++ b/src/cmd/go/internal/work/exec.go
+@@ -3347,6 +3347,10 @@ func (b *Builder) swigIntSize(objdir string) (intsize string, err error) {
+ 
+ // Run SWIG on one SWIG input file.
+ func (b *Builder) swigOne(a *Action, file, objdir string, pcCFLAGS []string, cxx bool, intgosize string) (outGo, outC string, err error) {
++	if strings.HasPrefix(file, "cgo") {
++		return "", "", errors.New("SWIG file must not use prefix 'cgo'")
++	}
++
+ 	p := a.Package
+ 	sh := b.Shell(a)
+ 
+-- 
+2.50.1
+
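Review bot: The new guard at the top of swigOne (`if strings.HasPrefix(file, "cgo")`) tests the raw `file` argument rather than its base name, so it only enforces the trust boundary if every caller passes a bare file name and not a path; upstream appears to hand SWIG inputs over as base names from the package's SwigFiles list, but that should be confirmed against the 1.22.12 tree this backport targets rather than the go1.25 tree the patch was written for. The inner hunk header (`@@ -3347,6 +3347,10 @@`) and the index hashes come from the go1.25 branch, so it would help to state in the commit message that the patch was checked to apply to 1.22.12 without offset or fuzz, and that `strings` and `errors` are already imported by that version's exec.go. The rest of swigOne's body lies outside the hunk.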