From patchwork Fri Mar 20 00:28:16 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 83929 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id C13741093163 for ; Fri, 20 Mar 2026 00:28:38 +0000 (UTC) Received: from mail-wm1-f49.google.com (mail-wm1-f49.google.com [209.85.128.49]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.2626.1773966514690509719 for ; Thu, 19 Mar 2026 17:28:35 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google header.b=w1F18Afs; spf=pass (domain: smile.fr, ip: 209.85.128.49, mailfrom: yoann.congal@smile.fr) Received: by mail-wm1-f49.google.com with SMTP id 5b1f17b1804b1-486ff201041so1763625e9.1 for ; Thu, 19 Mar 2026 17:28:34 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smile.fr; s=google; t=1773966513; x=1774571313; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=wT51peYY3bb5kZ///bjH5lNa9M4ckxNyaRQZwgmQHkA=; b=w1F18Afs9yduLhTMRJ4Rk0sj58fPmc0/BXh8VSRIFGGrBzsTlIuYidI5CDCLmtQ+0V xPR4inLcowUz6EM0YkfeJ6oyanlSb2S197mokm65zSdrANSPxgRKMDe7LEHq64vWt7SG 2wLuJf3DT+wbt3zrCKhUQ+gpDgC38WnnsoTU8= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1773966513; x=1774571313; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=wT51peYY3bb5kZ///bjH5lNa9M4ckxNyaRQZwgmQHkA=; b=Z5p+CaLFJum/yuRHNizKIawABDqZ7ukh1OzAMIVTB3Zf/F+GjLgDpE59qhK7O5x2Ey jMzKpHJOU5+ZJzwPpmZS5FHFIMnVZTgdCiGk1sV4hTY3VwjcGSwwLWth5ONSYHrCkA7N 1YdYCp5qZ4eNlNx71VBlIT4Q47UNR/XOUGhSNzFDiCVzjGaiWs6bDoIxsoDDoHz3FLNb iBK6cNTLM0oBqCugvGWHax/mkuprAJZh0iTOoetgw5eegG8UWR4rjyF+3hQswsW2y8sS BwS+OVTAGj2id86DZn+G4s3fd5GRpfVJfQtPV/0r0qx/oI/70JDevcflpX+cFoXEbXU5 No9g== X-Gm-Message-State: AOJu0Yyt2wP5FDXVsQ6JRQ2xbySG5MmPC0Z2rWkMtXkZLQrdCD8xXKOz SgXAc4itr0YoNL0LE4sN6jenJXefFtsII3tkrwtFMTfsZga4PEClsHdaAJ9oym+u9LbCgSbSSTl 8EOvs X-Gm-Gg: ATEYQzxNpSMIKosilgbziMlrYUxu+O4HM3HovyynZxEdxNbpJwrgX3tKSMo4942SWmY 3W4rMymtXpkzc7BUHF6o/eEHRkJgE6EdG5Bjb7msdRhawOZUOamV1AKiSxjYKeTToGTwJfIN4Wp LG6KxNMDArMWUTVouqV1myppvyAhR7rG95tQVjnF+K7+7omDBQuX2XHamHH/5a/7MSvzrMjvNmc Li3/dWqRPYvDDe0bjd/UuRaFbeby9yM2CKtGMj0v/u1bnOOqiTBxlcg7Ex71gWasGdwXIbr2vOp hz0RTgftSa16xUm7Oct+gXoJadqcp0BAj9khO0O/TPZr8zPVuTiBNvhQXzjJ7B5Jv45OX7SFy/6 41cxc4fVIwpmxR4dZVaxk1G0h+KsYH5WfanLiEZlANWb6+2Kc//q/6rURsXXbQ54jlKv4DRe4Z7 PjmtvqBJ2qvHIQdq7+rO/IxWvoqTatlsVw3FpnYMGqyMK+LJ8vbaOoEvJKY0fc6tiqC7uN4UJqI vTYczb2Sm1fHQMNWTyz39NWNFI= X-Received: by 2002:a05:600c:8b31:b0:485:469f:5320 with SMTP id 5b1f17b1804b1-486fee2d9e0mr14234555e9.30.1773966512549; Thu, 19 Mar 2026 17:28:32 -0700 (PDT) Received: from FRSMI25-LASER.home (2a01cb001331aa00a2e4fb7b0d887544.ipv6.abo.wanadoo.fr. [2a01:cb00:1331:aa00:a2e4:fb7b:d88:7544]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-486fe8359acsm23850655e9.12.2026.03.19.17.28.32 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 19 Mar 2026 17:28:32 -0700 (PDT) From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 09/15] go: Fix CVE-2025-61726.patch variable ordering Date: Fri, 20 Mar 2026 01:28:16 +0100 Message-ID: <367d5ae92969c94ee439ed0fbba3ba4b9b0b6397.1773966414.git.yoann.congal@smile.fr> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 20 Mar 2026 00:28:38 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/233570 From: Eduardo Ferreira Commit 6a1ae4e792 (go 1.22.12: Fix CVE-2025-61726, 2026-02-11) introduced a patch backporting a fix for CVE-2025-61726, but this patch also introduced a bug. From Go's source code[1], they say that the 'All' table from 'godebugs' should be populated alphabetically by Name. And 'Lookup'[2] function uses binary search to try and find the variable. Here's the trace: Mar 06 11:33:33 toradex-smarc-imx95-12594035 systemd[1]: Started Docker Application Container Engine. Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: 2026/03/06 11:34:53 http: panic serving @: godebug: Value of name not listed in godeb ugs.All: urlmaxqueryparams Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: goroutine 78 [running]: Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: net/http.(*conn).serve.func1() Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: net/http/server.go:1903 +0xb0 Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: panic({0x55743e8740?, 0x4000b526c0?}) Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: runtime/panic.go:770 +0x124 Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: go.opentelemetry.io/otel/sdk/trace.(*recordingSpan).End.deferwrap1() Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: go.opentelemetry.io/otel/sdk@v1.19.0/trace/span.go:383 +0x2c Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: go.opentelemetry.io/otel/sdk/trace.(*recordingSpan).End(0x40011b4a80, {0x0, 0x0, 0x40 006441c0?}) Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: go.opentelemetry.io/otel/sdk@v1.19.0/trace/span.go:421 +0x898 Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: panic({0x55743e8740?, 0x4000b526c0?}) Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: runtime/panic.go:770 +0x124 Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: internal/godebug.(*Setting).Value.func1() Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: internal/godebug/godebug.go:141 +0xd8 Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: sync.(*Once).doSlow(0x22?, 0x55748a9b60?) Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: sync/once.go:74 +0x100 Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: sync.(*Once).Do(...) Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: sync/once.go:65 Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: internal/godebug.(*Setting).Value(0x5575b21be0) Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: internal/godebug/godebug.go:138 +0x50 Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: net/url.urlParamsWithinMax(0x1) Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: net/url/url.go:968 +0x3c Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: net/url.parseQuery(0x400069a630, {0x0, 0x0}) Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: net/url/url.go:985 +0xdc Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: net/url.ParseQuery(...) Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: net/url/url.go:958 Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: net/http.(*Request).ParseForm(0x4000bdab40) Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: net/http/request.go:1317 +0x33c Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: github.com/docker/docker/api/server/httputils.ParseForm(0x0?) Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: github.com/docker/docker/api/server/httputils/httputils.go:104 +0x20 The 'Lookup' function was failing due to the wrong ordering and returning 'nil', which was not being checked properly and caused this issue. The fix was to just reorder the line where 'urlmaxqueryparams' is being added to respect the alphabetical ordering. And for that the whole CVE patch was generated again. This change was validated with docker-moby (original issue), where a container run successfully and no traces in the logs. [1] https://github.com/golang/go/blob/master/src/internal/godebugs/table.go#L20 [2] https://github.com/golang/go/blob/master/src/internal/godebugs/table.go#L100 Signed-off-by: Eduardo Ferreira Signed-off-by: Yoann Congal --- .../go/go/CVE-2025-61726.patch | 21 ++++++++++--------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/meta/recipes-devtools/go/go/CVE-2025-61726.patch b/meta/recipes-devtools/go/go/CVE-2025-61726.patch index ab053ff55c9..bdd10bc9331 100644 --- a/meta/recipes-devtools/go/go/CVE-2025-61726.patch +++ b/meta/recipes-devtools/go/go/CVE-2025-61726.patch @@ -1,4 +1,4 @@ -From 85050ca6146f3edb50ded0a352ab9edbd635effc Mon Sep 17 00:00:00 2001 +From bf06767a9ac737387eee77c7eedd67c65e853ac2 Mon Sep 17 00:00:00 2001 From: Damien Neil Date: Mon, 3 Nov 2025 14:28:47 -0800 Subject: [PATCH] [release-branch.go1.24] net/url: add urlmaxqueryparams @@ -36,6 +36,7 @@ Reviewed-by: Junyang Shao TryBot-Bypass: Michael Pratt (cherry picked from commit 85c794ddce26a092b0ea68d0fca79028b5069d5a) Signed-off-by: Deepak Rathore +Signed-off-by: Eduardo Ferreira --- doc/godebug.md | 7 +++++ src/internal/godebugs/table.go | 1 + @@ -45,7 +46,7 @@ Signed-off-by: Deepak Rathore 5 files changed, 85 insertions(+) diff --git a/doc/godebug.md b/doc/godebug.md -index ae4f0576b4..635597ea42 100644 +index ae4f057..635597e 100644 --- a/doc/godebug.md +++ b/doc/godebug.md @@ -126,6 +126,13 @@ for example, @@ -63,19 +64,19 @@ index ae4f0576b4..635597ea42 100644 to concerns around VCS injection attacks. This behavior can be renabled with the setting `allowmultiplevcs=1`. diff --git a/src/internal/godebugs/table.go b/src/internal/godebugs/table.go -index 33dcd81fc3..4ae043053c 100644 +index 33dcd81..7178df6 100644 --- a/src/internal/godebugs/table.go +++ b/src/internal/godebugs/table.go -@@ -52,6 +52,7 @@ var All = []Info{ +@@ -51,6 +51,7 @@ var All = []Info{ + {Name: "tlsmaxrsasize", Package: "crypto/tls"}, {Name: "tlsrsakex", Package: "crypto/tls", Changed: 22, Old: "1"}, {Name: "tlsunsafeekm", Package: "crypto/tls", Changed: 22, Old: "1"}, - {Name: "x509sha1", Package: "crypto/x509"}, + {Name: "urlmaxqueryparams", Package: "net/url", Changed: 24, Old: "0"}, + {Name: "x509sha1", Package: "crypto/x509"}, {Name: "x509usefallbackroots", Package: "crypto/x509"}, {Name: "x509usepolicies", Package: "crypto/x509"}, - {Name: "zipinsecurepath", Package: "archive/zip"}, diff --git a/src/net/url/url.go b/src/net/url/url.go -index d2ae03232f..5219e3c130 100644 +index d2ae032..cdca468 100644 --- a/src/net/url/url.go +++ b/src/net/url/url.go @@ -13,6 +13,7 @@ package url @@ -118,7 +119,7 @@ index d2ae03232f..5219e3c130 100644 var key string key, query, _ = strings.Cut(query, "&") diff --git a/src/net/url/url_test.go b/src/net/url/url_test.go -index fef236e40a..b2f8bd95fc 100644 +index fef236e..b2f8bd9 100644 --- a/src/net/url/url_test.go +++ b/src/net/url/url_test.go @@ -1488,6 +1488,54 @@ func TestParseQuery(t *testing.T) { @@ -177,7 +178,7 @@ index fef236e40a..b2f8bd95fc 100644 url *URL out string diff --git a/src/runtime/metrics/doc.go b/src/runtime/metrics/doc.go -index 517ec0e0a4..335f7873b3 100644 +index 517ec0e..88d6d8c 100644 --- a/src/runtime/metrics/doc.go +++ b/src/runtime/metrics/doc.go @@ -328,6 +328,11 @@ Below is the full list of supported metrics, ordered lexicographically. @@ -193,4 +194,4 @@ index 517ec0e0a4..335f7873b3 100644 The number of non-default behaviors executed by the crypto/x509 package due to a non-default GODEBUG=x509sha1=... setting. -- -2.35.6 +2.34.1