@@ -47,6 +47,7 @@ SRC_URI += "\
file://CVE-2026-32289.patch \
file://CVE-2026-33811.patch \
file://CVE-2026-39817.patch \
+ file://CVE-2026-39819.patch \
"
SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71"
new file mode 100644
@@ -0,0 +1,48 @@
+From db6ceacb046779c763f87060d8a1ba5c936309c9 Mon Sep 17 00:00:00 2001
+From: Damien Neil <dneil@google.com>
+Date: Wed, 8 Apr 2026 09:55:54 -0700
+Subject: [PATCH] cmd/go: use MkdirTemp to create temp directory for "go bug"
+
+Don't use a predictable, potentially attacker-controlled filename in /tmp.
+
+Fixes #78584
+Fixes CVE-2026-39819
+
+Change-Id: I72116aa6dd8fa50f65b6dc0292a15a8c6a6a6964
+Reviewed-on: https://go-review.googlesource.com/c/go/+/763882
+Reviewed-by: Nicholas Husin <husin@google.com>
+Reviewed-by: Nicholas Husin <nsh@golang.org>
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+
+CVE: CVE-2026-39819
+Upstream-Status: Backport [https://github.com/golang/go/commit/5d6aa23e5b6151d25955a512532383c28c745e18]
+Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
+---
+ src/cmd/go/internal/bug/bug.go | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/cmd/go/internal/bug/bug.go b/src/cmd/go/internal/bug/bug.go
+index ed1813605e..9bf97dd511 100644
+--- a/src/cmd/go/internal/bug/bug.go
++++ b/src/cmd/go/internal/bug/bug.go
+@@ -182,14 +182,14 @@ func firstLine(buf []byte) []byte {
+ // printGlibcVersion prints information about the glibc version.
+ // It ignores failures.
+ func printGlibcVersion(w io.Writer) {
+- tempdir := os.TempDir()
+- if tempdir == "" {
++ tempdir, err := os.MkdirTemp("", "")
++ if err != nil {
+ return
+ }
+ src := []byte(`int main() {}`)
+ srcfile := filepath.Join(tempdir, "go-bug.c")
+ outfile := filepath.Join(tempdir, "go-bug")
+- err := os.WriteFile(srcfile, src, 0644)
++ err = os.WriteFile(srcfile, src, 0644)
+ if err != nil {
+ return
+ }
+--
+2.43.0
+