@@ -51,6 +51,7 @@ SRC_URI += "\
file://CVE-2026-39820.patch \
file://CVE-2026-39825.patch \
file://CVE-2026-39826.patch \
+ file://CVE-2026-42499.patch \
"
SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71"
new file mode 100644
@@ -0,0 +1,91 @@
+From dd339e72189d59f249786afd4021b9fb391f3562 Mon Sep 17 00:00:00 2001
+From: Neal Patel <nealpatel@google.com>
+Date: Tue, 28 Apr 2026 12:10:24 -0400
+Subject: [PATCH] net/mail: fix quadratic consumePhrase behavior
+
+Updates #78987
+Fixes CVE-2026-42499
+
+Change-Id: I8438e5dee7e6433573d4161baf8fb2151e7fbc2f
+Reviewed-on: https://go-review.googlesource.com/c/go/+/771520
+Reviewed-by: Nicholas Husin <husin@google.com>
+Reviewed-by: Nicholas Husin <nsh@golang.org>
+LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+
+CVE: CVE-2026-42499
+Upstream-Status: Backport [https://github.com/golang/go/commit/2c59389fcc5194aeae742fb413e55b656c22343f]
+Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
+---
+ src/net/mail/message.go | 23 +++++++++++++++++------
+ src/net/mail/message_test.go | 11 +++++++++++
+ 2 files changed, 28 insertions(+), 6 deletions(-)
+
+diff --git a/src/net/mail/message.go b/src/net/mail/message.go
+index 37d7ff5df1..f57742068e 100644
+--- a/src/net/mail/message.go
++++ b/src/net/mail/message.go
+@@ -567,8 +567,10 @@ func (p *addrParser) consumeAddrSpec() (spec string, err error) {
+ func (p *addrParser) consumePhrase() (phrase string, err error) {
+ debug.Printf("consumePhrase: [%s]", p.s)
+ // phrase = 1*word
+- var words []string
+- var isPrevEncoded bool
++ var (
++ words []string
++ sb strings.Builder
++ )
+ for {
+ // obs-phrase allows CFWS after one word
+ if len(words) > 0 {
+@@ -600,13 +602,22 @@ func (p *addrParser) consumePhrase() (phrase string, err error) {
+ break
+ }
+ debug.Printf("consumePhrase: consumed %q", word)
+- if isPrevEncoded && isEncoded {
+- words[len(words)-1] += word
+- } else {
++ switch {
++ case isEncoded:
++ sb.WriteString(word)
++ case !isEncoded && sb.Len() > 0:
++ words = append(words, sb.String())
++ sb.Reset()
++ words = append(words, word)
++ default:
+ words = append(words, word)
+ }
+- isPrevEncoded = isEncoded
+ }
++
++ if sb.Len() > 0 {
++ words = append(words, sb.String())
++ }
++
+ // Ignore any error if we got at least one word.
+ if err != nil && len(words) == 0 {
+ debug.Printf("consumePhrase: hit err: %v", err)
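Review bot: The loop-top guard `if len(words) > 0` (the obs-phrase CFWS step at the end of the first message.go hunk) now stays false while only encoded words have been consumed, because those accumulate in `sb` and reach `words` only on a non-encoded word or after the loop. In the old code the first encoded word was appended to `words` immediately, so the guard fired from the second word on. The guarded body lies outside the hunk, but if it skips comments, a phrase that opens with several encoded words separated by a comment may now parse differently. Consider `if len(words) > 0 || sb.Len() > 0 {` to keep the earlier behaviour. As a smaller style point, `case !isEncoded && sb.Len() > 0:` can be written `case sb.Len() > 0:`, since the first case already took the encoded branch.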
+diff --git a/src/net/mail/message_test.go b/src/net/mail/message_test.go
+index 1b165317f9..27837a9cbd 100644
+--- a/src/net/mail/message_test.go
++++ b/src/net/mail/message_test.go
+@@ -1219,6 +1219,17 @@ func TestEmptyAddress(t *testing.T) {
+ }
+ }
+
++func BenchmarkConsumePhrase(b *testing.B) {
++ for _, n := range []int{10, 100, 1000, 10000} {
++ b.Run(fmt.Sprintf("words-%d", n), func(b *testing.B) {
++ input := strings.Repeat("=?utf-8?q?hello?= ", n) + "<user@example.com>"
++ for b.Loop() {
++ (&addrParser{s: input}).consumePhrase()
++ }
++ })
++ }
++}
++
+ func BenchmarkConsumeComment(b *testing.B) {
+ for _, n := range []int{10, 100, 1000, 10000} {
+ b.Run(fmt.Sprintf("depth-%d", n), func(b *testing.B) {
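Review bot: `for b.Loop()` in BenchmarkConsumePhrase needs Go 1.24 or newer, and the Go version this recipe builds is not visible here. If the backport targets an older toolchain and the test files are compiled (for example for ptest), message_test.go would fail to build and the loop would need `for i := 0; i < b.N; i++`. The only test added is a benchmark that discards consumePhrase's return values, so nothing asserts the decoded phrase. A functional case would guard the rewritten accumulation logic: check that adjacent encoded words still concatenate without a space and that mixed encoded and plain words join as before. BenchmarkConsumeComment's body continues outside the hunk.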
+--
+2.43.0
+