@@ -46,6 +46,7 @@ SRC_URI += "\
file://CVE-2026-32283.patch \
file://CVE-2026-32289.patch \
file://CVE-2026-33811.patch \
+ file://CVE-2026-39817.patch \
"
SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71"
new file mode 100644
@@ -0,0 +1,105 @@
+From 7d35508ad684c808ec11fb6ef3ab27f9258a9418 Mon Sep 17 00:00:00 2001
+From: Damien Neil <dneil@google.com>
+Date: Wed, 15 Apr 2026 16:27:23 -0400
+Subject: [PATCH] cmd/pack: refuse to extract files with directory components
+
+Do not write to /etc/passwd when running "go tool pack x evil.a"
+on an archive containing a file named /etc/passwd.
+
+Fixes #78778
+
+Change-Id: I4cf69b81af62321ffbb41ace679672a86a6a6964
+Reviewed-on: https://go-review.googlesource.com/c/go/+/767520
+Reviewed-by: Nicholas Husin <nsh@golang.org>
+LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+Reviewed-by: Nicholas Husin <husin@google.com>
+
+CVE: CVE-2026-39817
+Upstream-Status: Backport [https://github.com/golang/go/commit/7409ada33f99c0d74db2b0389c51a15de116e48d]
+Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
+---
+ src/cmd/pack/pack.go | 5 +++++
+ src/cmd/pack/pack_test.go | 44 +++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 49 insertions(+)
+
+diff --git a/src/cmd/pack/pack.go b/src/cmd/pack/pack.go
+index 412ea36d60..2fe0258f01 100644
+--- a/src/cmd/pack/pack.go
++++ b/src/cmd/pack/pack.go
+@@ -135,6 +135,11 @@ func openArchive(name string, mode int, files []string) *Archive {
+ if err != nil {
+ log.Fatal(err)
+ }
++ for _, f := range a.Entries {
++ if !filepath.IsLocal(f.Name) || filepath.Base(f.Name) != f.Name {
++ log.Fatalf("%q: invalid name", f.Name)
++ }
++ }
+ return &Archive{
+ a: a,
+ files: files,
+diff --git a/src/cmd/pack/pack_test.go b/src/cmd/pack/pack_test.go
+index c3a63424dd..c4a8c78cbf 100644
+--- a/src/cmd/pack/pack_test.go
++++ b/src/cmd/pack/pack_test.go
+@@ -6,6 +6,7 @@ package main
+
+ import (
+ "bufio"
++ "bytes"
+ "cmd/internal/archive"
+ "fmt"
+ "internal/testenv"
+@@ -409,6 +410,49 @@ func TestRWithNonexistentFile(t *testing.T) {
+ run(packPath(t), "r", "p.a", "p.o") // should succeed
+ }
+
++func TestOutputPathSanitization(t *testing.T) {
++ dir := t.TempDir()
++
++ // Create pack.a containing a file named "longpathname".
++ // Note that "go tool pack" requires that all files be at least 8 bytes long.
++ const validPathName = "longpathname"
++ if err := os.WriteFile(dir+"/"+validPathName, make([]byte, 8), 0o666); err != nil {
++ t.Fatal(err)
++ }
++ doRun(t, dir, packPath(t), "grc", "pack.a", validPathName)
++
++ // Create evil.a from pack.a, replacing "longpathname" with "out/pathname".
++ b, err := os.ReadFile(dir + "/pack.a")
++ if err != nil {
++ t.Fatal(err)
++ }
++ idx := bytes.Index(b, []byte(validPathName))
++ if idx < 0 {
++ t.Fatalf("%v not found in pack.a", validPathName)
++ }
++ copy(b[idx:], "out/")
++ os.WriteFile(dir+"/evil.a", b, 0o666)
++
++ // Extract evil.a. It should fail and not extract a file to /out.
++ os.Mkdir(dir+"/out", 0o777)
++
++ cmd := testenv.Command(t, packPath(t), "x", "evil.a")
++ cmd.Dir = dir
++ _, err = cmd.CombinedOutput()
++ if err == nil {
++ t.Errorf("pack x evil.a: unexpected success")
++ }
++
++ ents, err := os.ReadDir(dir + "/out")
++ if err != nil {
++ t.Error(err)
++ }
++ for _, e := range ents {
++ t.Errorf("unexpected file in /out: %q", e.Name())
++ }
++
++}
++
+ // doRun runs a program in a directory and returns the output.
+ func doRun(t *testing.T, dir string, args ...string) string {
+ cmd := testenv.Command(t, args[0], args[1:]...)
+--
+2.43.0
+