From patchwork Thu May 21 10:09:34 2026
X-Patchwork-Submitter: tgaige.opensource@witekio.com
X-Patchwork-Id: 88566
X-Patchwork-Delegate: jeremy.rosen@smile.fr
From: tgaige.opensource@witekio.com
To: openembedded-core@lists.openembedded.org
Cc: hsimeliere.opensource@witekio.com, "Theo Gaige (Schneider Electric)" <tgaige.opensource@witekio.com>, Bruno Vernay <bruno.vernay@se.com>
Subject: [scarthgap][PATCH 01/14] go: patch CVE-2026-27142
Date: Thu, 21 May 2026 12:09:34 +0200
Message-ID: <20260521100949.1299757-1-tgaige.opensource@witekio.com>
X-Mailer: git-send-email 2.43.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/237484
From: "Theo Gaige (Schneider Electric)"
Backport patch from [1]
[1] https://go.dev/cl/752081
Signed-off-by: Theo Gaige (Schneider Electric)
Reviewed-by: Bruno Vernay
--- meta/recipes-devtools/go/go-1.22.12.inc | 1 + .../go/go/CVE-2026-27142.patch | 386 ++++++++++++++++++ 2 files changed, 387 insertions(+) create mode 100644 meta/recipes-devtools/go/go/CVE-2026-27142.patch diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc index 3fa421e223..8efa82f862 100644 --- a/meta/recipes-devtools/go/go-1.22.12.inc +++ b/meta/recipes-devtools/go/go-1.22.12.inc @@ -41,6 +41,7 @@ SRC_URI += "\ file://CVE-2025-68121_p1.patch \ file://CVE-2025-68121_p2.patch \ file://CVE-2025-68121_p3.patch \ + file://CVE-2026-27142.patch \ " SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71" diff --git a/meta/recipes-devtools/go/go/CVE-2026-27142.patch b/meta/recipes-devtools/go/go/CVE-2026-27142.patch new file mode 100644 index 0000000000..e735abaf4b --- /dev/null +++ b/meta/recipes-devtools/go/go/CVE-2026-27142.patch
@@ -0,0 +1,386 @@ +From 1ac19df75e9c25951c04008a52b23a1cd95e81cc Mon Sep 17 00:00:00 2001 +From: Roland Shoemaker +Date: Fri, 9 Jan 2026 11:12:01 -0800 +Subject: [PATCH] html/template: properly escape URLs in meta content + attributes + +The meta tag can include a content attribute that contains URLs, which +we currently don't escape if they are inserted via a template action. +This can plausibly lead to XSS vulnerabilities if untrusted data is +inserted there, the http-equiv attribute is set to "refresh", and the +content attribute contains an action like `url={{.}}`. + +Track whether we are inside of a meta element, if we are inside of a +content attribute, _and_ if the content attribute contains "url=". If +all of those are true, then we will apply the same URL escaping that we +use elsewhere. + +Also add a new GODEBUG, htmlmetacontenturlescape, to allow disabling this +escaping for cases where this behavior is considered safe. The behavior +can be disabled by setting htmlmetacontenturlescape=0. 
+ +Updates #77954 +Fixes #77972 +Fixes CVE-2026-27142 + +Change-Id: I9bbca263be9894688e6ef1e9a8f8d2f4304f5873 +Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3360 +Reviewed-by: Neal Patel +Reviewed-by: Nicholas Husin +Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3643 +Reviewed-by: Damien Neil +Reviewed-on: https://go-review.googlesource.com/c/go/+/752081 +Auto-Submit: Gopher Robot +Reviewed-by: Cherry Mui +TryBot-Bypass: Gopher Robot +Reviewed-by: Dmitri Shuralyov + +CVE: CVE-2026-27142 +Upstream-Status: Backport [https://github.com/golang/go/commit/994692847a2cd3efd319f0cb61a07c0012c8a4ff] +Signed-off-by: Theo Gaige (Schneider Electric) +--- + doc/godebug.md | 5 +++ + src/html/template/attr_string.go | 5 +-- + src/html/template/context.go | 8 +++++ + src/html/template/element_string.go | 5 +-- + src/html/template/escape.go | 14 +++++++++ + src/html/template/escape_test.go | 34 +++++++++++++++++++++ + src/html/template/state_string.go | 8 +++-- + src/html/template/transition.go | 47 +++++++++++++++++++++++++---- + src/internal/godebugs/table.go | 1 + + src/runtime/metrics/doc.go | 5 +++ + 10 files changed, 119 insertions(+), 13 deletions(-) + +diff --git a/doc/godebug.md b/doc/godebug.md +index 635597e..07b63cb 100644 +--- a/doc/godebug.md ++++ b/doc/godebug.md +@@ -126,6 +126,11 @@ for example, + see the [runtime documentation](/pkg/runtime#hdr-Environment_Variables) + and the [go command documentation](/cmd/go#hdr-Build_and_test_caching). + ++Go 1.26.1 added a new `htmlmetacontenturlescape` setting that controls whether ++html/template will escape URLs in the `url=` portion of the content attribute of ++HTML meta tags. The default `htmlmetacontentescape=1` will cause URLs to be ++escaped. Setting `htmlmetacontentescape=0` disables this behavior. ++ + Go 1.26 added a new `urlmaxqueryparams` setting that controls the maximum number + of query parameters that net/url will accept when parsing a URL-encoded query string. 
+ If the number of parameters exceeds the number set in `urlmaxqueryparams`, +diff --git a/src/html/template/attr_string.go b/src/html/template/attr_string.go +index 51c3f26..7159fa9 100644 +--- a/src/html/template/attr_string.go ++++ b/src/html/template/attr_string.go +@@ -14,11 +14,12 @@ func _() { + _ = x[attrStyle-3] + _ = x[attrURL-4] + _ = x[attrSrcset-5] ++ _ = x[attrMetaContent-6] + } + +-const _attr_name = "attrNoneattrScriptattrScriptTypeattrStyleattrURLattrSrcset" ++const _attr_name = "attrNoneattrScriptattrScriptTypeattrStyleattrURLattrSrcsetattrMetaContent" + +-var _attr_index = [...]uint8{0, 8, 18, 32, 41, 48, 58} ++var _attr_index = [...]uint8{0, 8, 18, 32, 41, 48, 58, 73} + + func (i attr) String() string { + if i >= attr(len(_attr_index)-1) { +diff --git a/src/html/template/context.go b/src/html/template/context.go +index b78f0f7..8b3af2f 100644 +--- a/src/html/template/context.go ++++ b/src/html/template/context.go +@@ -156,6 +156,10 @@ const ( + // stateError is an infectious error state outside any valid + // HTML/CSS/JS construct. + stateError ++ // stateMetaContent occurs inside a HTML meta element content attribute. ++ stateMetaContent ++ // stateMetaContentURL occurs inside a "url=" tag in a HTML meta element content attribute. ++ stateMetaContentURL + // stateDead marks unreachable code after a {{break}} or {{continue}}. + stateDead + ) +@@ -267,6 +271,8 @@ const ( + elementTextarea + // elementTitle corresponds to the RCDATA element. + elementTitle ++ // elementMeta corresponds to the HTML <meta> element. ++ elementMeta + ) + + //go:generate stringer -type attr +@@ -288,4 +294,6 @@ const ( + attrURL + // attrSrcset corresponds to a srcset attribute. + attrSrcset ++ // attrMetaContent corresponds to the content attribute in meta HTML element. 
++ attrMetaContent + ) +diff --git a/src/html/template/element_string.go b/src/html/template/element_string.go +index db28665..bdf9da7 100644 +--- a/src/html/template/element_string.go ++++ b/src/html/template/element_string.go +@@ -13,11 +13,12 @@ func _() { + _ = x[elementStyle-2] + _ = x[elementTextarea-3] + _ = x[elementTitle-4] ++ _ = x[elementMeta-5] + } + +-const _element_name = "elementNoneelementScriptelementStyleelementTextareaelementTitle" ++const _element_name = "elementNoneelementScriptelementStyleelementTextareaelementTitleelementMeta" + +-var _element_index = [...]uint8{0, 11, 24, 36, 51, 63} ++var _element_index = [...]uint8{0, 11, 24, 36, 51, 63, 74} + + func (i element) String() string { + if i >= element(len(_element_index)-1) { +diff --git a/src/html/template/escape.go b/src/html/template/escape.go +index 1eace16..b368cab 100644 +--- a/src/html/template/escape.go ++++ b/src/html/template/escape.go +@@ -165,6 +165,8 @@ func (e *escaper) escape(c context, n parse.Node) context { + + var debugAllowActionJSTmpl = godebug.New("jstmpllitinterp") + ++var htmlmetacontenturlescape = godebug.New("htmlmetacontenturlescape") ++ + // escapeAction escapes an action template node. + func (e *escaper) escapeAction(c context, n *parse.ActionNode) context { + if len(n.Pipe.Decl) != 0 { +@@ -222,6 +224,18 @@ func (e *escaper) escapeAction(c context, n *parse.ActionNode) context { + default: + panic(c.urlPart.String()) + } ++ case stateMetaContent: ++ // Handled below in delim check. ++ case stateMetaContentURL: ++ if htmlmetacontenturlescape.Value() != "0" { ++ s = append(s, "_html_template_urlfilter") ++ } else { ++ // We don't have a great place to increment this, since it's hard to ++ // know if we actually escape any urls in _html_template_urlfilter, ++ // since it has no information about what context it is being ++ // executed in etc. This is probably the best we can do. 
++ htmlmetacontenturlescape.IncNonDefault() ++ } + case stateJS: + s = append(s, "_html_template_jsvalescaper") + // A slash after a value starts a div operator. +diff --git a/src/html/template/escape_test.go b/src/html/template/escape_test.go +index 497ead8..1970db1 100644 +--- a/src/html/template/escape_test.go ++++ b/src/html/template/escape_test.go +@@ -734,6 +734,16 @@ func TestEscape(t *testing.T) { + "<script>var a = `${ var a = \"{{\"a \\\" d\"}}\" }`</script>", + "<script>var a = `${ var a = \"a \\u0022 d\" }`</script>", + }, ++ { ++ "meta content attribute url", ++ `<meta http-equiv="refresh" content="asd; url={{"javascript:alert(1)"}}; asd; url={{"vbscript:alert(1)"}}; asd">`, ++ `<meta http-equiv="refresh" content="asd; url=#ZgotmplZ; asd; url=#ZgotmplZ; asd">`, ++ }, ++ { ++ "meta content string", ++ `<meta http-equiv="refresh" content="{{"asd: 123"}}">`, ++ `<meta http-equiv="refresh" content="asd: 123">`, ++ }, + } + + for _, test := range tests { +@@ -1016,6 +1026,14 @@ func TestErrors(t *testing.T) { + "<script>var tmpl = `asd ${return \"{\"}`;</script>", + ``, + }, ++ { ++ `{{if eq "" ""}}<meta>{{end}}`, ++ ``, ++ }, ++ { ++ `{{if eq "" ""}}<meta content="url={{"asd"}}">{{end}}`, ++ ``, ++ }, + + // Error cases. 
+ { +@@ -2194,3 +2212,19 @@ func TestAliasedParseTreeDoesNotOverescape(t *testing.T) { + t.Fatalf(`Template "foo" and "bar" rendered %q and %q respectively, expected equal values`, got1, got2) + } + } ++ ++func TestMetaContentEscapeGODEBUG(t *testing.T) { ++ savedGODEBUG := os.Getenv("GODEBUG") ++ os.Setenv("GODEBUG", savedGODEBUG+",htmlmetacontenturlescape=0") ++ defer func() { os.Setenv("GODEBUG", savedGODEBUG) }() ++ ++ tmpl := Must(New("").Parse(`<meta http-equiv="refresh" content="asd; url={{"javascript:alert(1)"}}; asd; url={{"vbscript:alert(1)"}}; asd">`)) ++ var b strings.Builder ++ if err := tmpl.Execute(&b, nil); err != nil { ++ t.Fatalf("unexpected error: %s", err) ++ } ++ want := `<meta http-equiv="refresh" content="asd; url=javascript:alert(1); asd; url=vbscript:alert(1); asd">` ++ if got := b.String(); got != want { ++ t.Fatalf("got %q, want %q", got, want) ++ } ++} +diff --git a/src/html/template/state_string.go b/src/html/template/state_string.go +index eed1e8b..f5a70b2 100644 +--- a/src/html/template/state_string.go ++++ b/src/html/template/state_string.go +@@ -36,12 +36,14 @@ func _() { + _ = x[stateCSSBlockCmt-25] + _ = x[stateCSSLineCmt-26] + _ = x[stateError-27] +- _ = x[stateDead-28] ++ _ = x[stateMetaContent-28] ++ _ = x[stateMetaContentURL-29] ++ _ = x[stateDead-30] + } + +-const _state_name = "stateTextstateTagstateAttrNamestateAfterNamestateBeforeValuestateHTMLCmtstateRCDATAstateAttrstateURLstateSrcsetstateJSstateJSDqStrstateJSSqStrstateJSTmplLitstateJSRegexpstateJSBlockCmtstateJSLineCmtstateJSHTMLOpenCmtstateJSHTMLCloseCmtstateCSSstateCSSDqStrstateCSSSqStrstateCSSDqURLstateCSSSqURLstateCSSURLstateCSSBlockCmtstateCSSLineCmtstateErrorstateDead" ++const _state_name = 
"stateTextstateTagstateAttrNamestateAfterNamestateBeforeValuestateHTMLCmtstateRCDATAstateAttrstateURLstateSrcsetstateJSstateJSDqStrstateJSSqStrstateJSTmplLitstateJSRegexpstateJSBlockCmtstateJSLineCmtstateJSHTMLOpenCmtstateJSHTMLCloseCmtstateCSSstateCSSDqStrstateCSSSqStrstateCSSDqURLstateCSSSqURLstateCSSURLstateCSSBlockCmtstateCSSLineCmtstateErrorstateMetaContentstateMetaContentURLstateDead" + +-var _state_index = [...]uint16{0, 9, 17, 30, 44, 60, 72, 83, 92, 100, 111, 118, 130, 142, 156, 169, 184, 198, 216, 235, 243, 256, 269, 282, 295, 306, 322, 337, 347, 356} ++var _state_index = [...]uint16{0, 9, 17, 30, 44, 60, 72, 83, 92, 100, 111, 118, 130, 142, 156, 169, 184, 198, 216, 235, 243, 256, 269, 282, 295, 306, 322, 337, 347, 363, 382, 391} + + func (i state) String() string { + if i >= state(len(_state_index)-1) { +diff --git a/src/html/template/transition.go b/src/html/template/transition.go +index d5a05f6..5aa3c35 100644 +--- a/src/html/template/transition.go ++++ b/src/html/template/transition.go +@@ -23,6 +23,8 @@ var transitionFunc = [...]func(context, []byte) (context, int){ + stateRCDATA: tSpecialTagEnd, + stateAttr: tAttr, + stateURL: tURL, ++ stateMetaContent: tMetaContent, ++ stateMetaContentURL: tMetaContentURL, + stateSrcset: tURL, + stateJS: tJS, + stateJSDqStr: tJSDelimited, +@@ -83,6 +85,7 @@ var elementContentType = [...]state{ + elementStyle: stateCSS, + elementTextarea: stateRCDATA, + elementTitle: stateRCDATA, ++ elementMeta: stateText, + } + + // tTag is the context transition function for the tag state. +@@ -93,6 +96,11 @@ func tTag(c context, s []byte) (context, int) { + return c, len(s) + } + if s[i] == '>' { ++ // Treat <meta> specially, because it doesn't have an end tag, and we ++ // want to transition into the correct state/element for it. 
++ if c.element == elementMeta { ++ return context{state: stateText, element: elementNone}, i + 1 ++ } + return context{ + state: elementContentType[c.element], + element: c.element, +@@ -113,6 +121,8 @@ func tTag(c context, s []byte) (context, int) { + attrName := strings.ToLower(string(s[i:j])) + if c.element == elementScript && attrName == "type" { + attr = attrScriptType ++ } else if c.element == elementMeta && attrName == "content" { ++ attr = attrMetaContent + } else { + switch attrType(attrName) { + case contentTypeURL: +@@ -162,12 +172,13 @@ func tAfterName(c context, s []byte) (context, int) { + } + + var attrStartStates = [...]state{ +- attrNone: stateAttr, +- attrScript: stateJS, +- attrScriptType: stateAttr, +- attrStyle: stateCSS, +- attrURL: stateURL, +- attrSrcset: stateSrcset, ++ attrNone: stateAttr, ++ attrScript: stateJS, ++ attrScriptType: stateAttr, ++ attrStyle: stateCSS, ++ attrURL: stateURL, ++ attrSrcset: stateSrcset, ++ attrMetaContent: stateMetaContent, + } + + // tBeforeValue is the context transition function for stateBeforeValue. +@@ -203,6 +214,7 @@ var specialTagEndMarkers = [...][]byte{ + elementStyle: []byte("style"), + elementTextarea: []byte("textarea"), + elementTitle: []byte("title"), ++ elementMeta: []byte(""), + } + + var ( +@@ -612,6 +624,28 @@ func tError(c context, s []byte) (context, int) { + return c, len(s) + } + ++// tMetaContent is the context transition function for the meta content attribute state. ++func tMetaContent(c context, s []byte) (context, int) { ++ for i := 0; i < len(s); i++ { ++ if i+3 <= len(s)-1 && bytes.Equal(bytes.ToLower(s[i:i+4]), []byte("url=")) { ++ c.state = stateMetaContentURL ++ return c, i + 4 ++ } ++ } ++ return c, len(s) ++} ++ ++// tMetaContentURL is the context transition function for the "url=" part of a meta content attribute state. 
++func tMetaContentURL(c context, s []byte) (context, int) { ++ for i := 0; i < len(s); i++ { ++ if s[i] == ';' { ++ c.state = stateMetaContent ++ return c, i + 1 ++ } ++ } ++ return c, len(s) ++} ++ + // eatAttrName returns the largest j such that s[i:j] is an attribute name. + // It returns an error if s[i:] does not look like it begins with an + // attribute name, such as encountering a quote mark without a preceding +@@ -638,6 +672,7 @@ var elementNameMap = map[string]element{ + "style": elementStyle, + "textarea": elementTextarea, + "title": elementTitle, ++ "meta": elementMeta, + } + + // asciiAlpha reports whether c is an ASCII letter. +diff --git a/src/internal/godebugs/table.go b/src/internal/godebugs/table.go +index 7178df6..90311eb 100644 +--- a/src/internal/godebugs/table.go ++++ b/src/internal/godebugs/table.go +@@ -31,6 +31,7 @@ var All = []Info{ + {Name: "gocachetest", Package: "cmd/go"}, + {Name: "gocacheverify", Package: "cmd/go"}, + {Name: "gotypesalias", Package: "go/types"}, ++ {Name: "htmlmetacontenturlescape", Package: "html/template"}, + {Name: "http2client", Package: "net/http"}, + {Name: "http2debug", Package: "net/http", Opaque: true}, + {Name: "http2server", Package: "net/http"}, +diff --git a/src/runtime/metrics/doc.go b/src/runtime/metrics/doc.go +index 335f787..f68e386 100644 +--- a/src/runtime/metrics/doc.go ++++ b/src/runtime/metrics/doc.go +@@ -255,6 +255,11 @@ Below is the full list of supported metrics, ordered lexicographically. + The number of non-default behaviors executed by the go/types + package due to a non-default GODEBUG=gotypesalias=... setting. + ++ /godebug/non-default-behavior/htmlmetacontenturlescape:events ++ The number of non-default behaviors executed by ++ the html/template package due to a non-default ++ GODEBUG=htmlmetacontenturlescape=... setting. 
++ + /godebug/non-default-behavior/http2client:events + The number of non-default behaviors executed by the net/http + package due to a non-default GODEBUG=http2client=... setting. +-- +2.43.0 +
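Review bot: the doc/godebug.md hunk names the setting two different ways. The first sentence says `htmlmetacontenturlescape`, but the default and the opt-out are written as `htmlmetacontentescape=1` and `htmlmetacontentescape=0`, which is not the name registered by `godebug.New("htmlmetacontenturlescape")` in escape.go or by the internal/godebugs/table.go entry, so anyone copying the documented `GODEBUG=htmlmetacontentescape=0` gets no effect. Suggest `The default `htmlmetacontenturlescape=1` will cause URLs to be escaped. Setting `htmlmetacontenturlescape=0` disables this behavior.` The "Go 1.26.1 added" wording is upstream's; it is harmless in a go-1.22.12 backport, but a line in the patch header saying the doc text was kept verbatim would stop a reader expecting a 1.22 point release to have introduced it.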
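Review bot: with the `c.element == elementMeta` early return added to tTag on `>`, the new `elementMeta: stateText` entry in elementContentType and the `elementMeta: []byte("")` entry in specialTagEndMarkers are never consulted; they exist only so the arrays stay indexed by element, and a one-line comment at each saying so would keep a later reader from "fixing" them into something that is reached. The `{{if eq "" ""}}<meta>{{end}}` case added to TestErrors is the right guard that both branches of the conditional end in the same context now that meta has no end tag to return through.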
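Review bot: in tMetaContent the bound `i+3 <= len(s)-1` is correct but reads more directly as `i+4 <= len(s)`, and `bytes.ToLower(s[i:i+4])` allocates a fresh slice at every byte position of every meta content attribute, so a long content value costs one allocation per byte; `bytes.EqualFold(s[i:i+4], []byte("url="))` does the same case-insensitive comparison without allocating. The transition also keys on exactly the four bytes `url=`: a content value that puts whitespace between `url` and `=`, or that supplies the target without a `url=` prefix at all (the "meta content string" test case), keeps an action in stateMetaContent and it receives only the attribute escaper. If that scope is deliberate, as the commit message suggests, a comment on tMetaContent saying so would save the next reader from reopening it. tMetaContentURL leaves the URL state only on `;`, which errs on the side of more escaping and is fine as written.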
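Review bot: in escape.go the new stateMetaContentURL case appends only `_html_template_urlfilter`, whereas the stateURL case just above it goes on to pick a normalizer or escaper by `c.urlPart`. So the new path rejects unsafe schemes (the test expects `url=#ZgotmplZ`) but does not percent-encode the remainder of the value, relying on the `_html_template_attrescaper` appended by the delim check for quotes. If that is the intended scope, say so in the comment next to the case; if the value should be normalized like any other URL attribute, the urlPart machinery is right there. The `Value() != "0"` test treats any other value as enabled, consistent with the other settings.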
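Review bot: TestMetaContentEscapeGODEBUG mutates the process environment with os.Setenv and restores it in a defer; `t.Setenv("GODEBUG", ...)` does the restore for you and fails loudly if the test is ever marked parallel. When GODEBUG is unset the value becomes `,htmlmetacontenturlescape=0` with a leading comma; it parses, but a conditional join is cleaner. The test also relies on the setting being read at execution time rather than cached at package init, which holds because the escape.go hunk calls `htmlmetacontenturlescape.Value()` inside escapeAction; worth a comment so that a future refactor hoisting the read out of the hot path does not silently break the test.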
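Review bot: attr_string.go, element_string.go and state_string.go are `go generate` output (the `//go:generate stringer -type attr` directive is visible in the context.go hunk). The hand-edited index arrays do line up (58+15=73, 63+11=74, 347+16=363, 363+19=382, 382+9=391), but a backport that renumbers the state enum (stateMetaContent and stateMetaContentURL are inserted ahead of stateDead, so stateDead moves from 28 to 30) should be confirmed by re-running stringer in the 1.22 tree rather than by arithmetic, since the surrounding constants in this branch may not match the ones upstream generated against.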
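For the html/template fix above, an added check (example code written here, not part of the patch or of Go's own test suite): it renders the `<meta http-equiv="refresh" content="0; url={{.}}">` shape the commit message describes and reports whether the toolchain that compiled it filters the URL portion. The template text and the two sample inputs are constructed for this example; the expected outputs follow the patch's own test expectations (`#ZgotmplZ` when the filter applies).

```go
// Added example, not code from the patch or from Go's own test suite: it
// renders the template shape the commit message warns about and reports
// whether the running toolchain applies the URL filter inside a
// <meta http-equiv="refresh"> content attribute. Template text and sample
// inputs are constructed here for illustration.
package main

import (
	"fmt"
	"html/template"
	"strings"
)

// refreshTmpl is the vulnerable shape: a template action inside the url=
// portion of a meta refresh content attribute.
const refreshTmpl = `<meta http-equiv="refresh" content="0; url={{.}}">`

// zgotmplZ is the marker html/template substitutes for a URL whose scheme
// the URL filter rejects.
const zgotmplZ = "#ZgotmplZ"

// RenderMetaRefresh executes refreshTmpl with target as the action value and
// returns the resulting HTML.
func RenderMetaRefresh(target string) (string, error) {
	t, err := template.New("refresh").Parse(refreshTmpl)
	if err != nil {
		return "", err
	}
	var b strings.Builder
	if err := t.Execute(&b, target); err != nil {
		return "", err
	}
	return b.String(), nil
}

// MetaRefreshURLEscaped reports whether this toolchain filters unsafe schemes
// in the url= part of a meta content attribute: true on a toolchain carrying
// the CVE-2026-27142 fix with htmlmetacontenturlescape left at its default,
// false on an unpatched toolchain (or with the setting forced to 0), where the
// attribute escaper alone lets a javascript: target through untouched.
func MetaRefreshURLEscaped() (bool, error) {
	out, err := RenderMetaRefresh("javascript:alert(1)")
	if err != nil {
		return false, err
	}
	return strings.Contains(out, "url="+zgotmplZ), nil
}

func main() {
	// Constructed inputs: one attacker-controlled scheme, one ordinary target.
	for _, in := range []string{"javascript:alert(1)", "https://example.com/next"} {
		out, err := RenderMetaRefresh(in)
		if err != nil {
			fmt.Println("render error:", err)
			return
		}
		fmt.Printf("%-26s -> %s\n", in, out)
	}
	fixed, err := MetaRefreshURLEscaped()
	if err != nil {
		fmt.Println("check error:", err)
		return
	}
	fmt.Println("meta refresh url= filtered by this toolchain:", fixed)
}
```

Run it with the go binary produced by the patched recipe: a patched toolchain renders `url=#ZgotmplZ` for the javascript: input and reports true; an unpatched one, or one started with GODEBUG=htmlmetacontenturlescape=0, passes the scheme through and reports false. The https: input renders identically either way, which is the property to confirm before using this as a regression check in a build pipeline.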

From: tgaige.opensource@witekio.com
To: openembedded-core@lists.openembedded.org
Cc: hsimeliere.opensource@witekio.com, "Theo Gaige (Schneider Electric)" <tgaige.opensource@witekio.com>, Bruno Vernay <bruno.vernay@se.com>
Subject: [scarthgap][PATCH 02/14] go: patch CVE-2026-32280
Date: Thu, 21 May 2026 12:09:35 +0200
Message-ID: <20260521100949.1299757-2-tgaige.opensource@witekio.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20260521100949.1299757-1-tgaige.opensource@witekio.com>
References: <20260521100949.1299757-1-tgaige.opensource@witekio.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/237486
From: "Theo Gaige (Schneider Electric)" <tgaige.opensource@witekio.com>
Backport patch from [1]
[1] https://go.dev/cl/758320
Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Reviewed-by: Bruno Vernay <bruno.vernay@se.com>
--- meta/recipes-devtools/go/go-1.22.12.inc | 1 + .../go/go/CVE-2026-32280.patch | 289 ++++++++++++++++++ 2 files changed, 290 insertions(+) create mode 100644 meta/recipes-devtools/go/go/CVE-2026-32280.patch diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc index 8efa82f862..0d4dff6c21 100644 --- a/meta/recipes-devtools/go/go-1.22.12.inc +++ b/meta/recipes-devtools/go/go-1.22.12.inc @@ -42,6 +42,7 @@ SRC_URI += "\ file://CVE-2025-68121_p2.patch \ file://CVE-2025-68121_p3.patch \ file://CVE-2026-27142.patch \ + file://CVE-2026-32280.patch \ " SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71" diff --git a/meta/recipes-devtools/go/go/CVE-2026-32280.patch b/meta/recipes-devtools/go/go/CVE-2026-32280.patch new file mode 100644 index 0000000000..9a6f7950ae --- /dev/null +++ b/meta/recipes-devtools/go/go/CVE-2026-32280.patch
@@ -0,0 +1,289 @@ +From 1d71a2882078ea5057e68a7d2fedc83a5227c764 Mon Sep 17 00:00:00 2001 +From: Roland Shoemaker <bracewell@google.com> +Date: Thu, 5 Mar 2026 14:28:44 -0800 +Subject: [PATCH] crypto/x509: fix signature checking limit + +We added the "is this cert already in the chain" check (alreadyInChain) +to considerCandidates before the signature limit. considerCandidates +bails out when we exceed the signature check, but buildChains keeps +calling considerCandidates until it exhausts all potential parents. In +the case where a large number of certificates look to have signed each +other (e.g. all have subject==issuerSubject and the same key), +alreadyInChain is not particularly cheap, meaning even though we hit our +"this is too much work" limit, we still do a lot of work. + +Move alreadyInChain after the signature limit, and also return a +sentinel error, and check it in buildChains so we can break out of the +loop early if we aren't actually going to do any more work. + +Thanks to Jakub Ciolek for reporting this issue. 
+ +Fixes #78282 +Fixes CVE-2026-32280 + +Change-Id: Ie6f05c6ba3b0a40c21f64f7c4f846e74fae3b10e +Reviewed-on: https://go-review.googlesource.com/c/go/+/758320 +Reviewed-by: Damien Neil <dneil@google.com> +Reviewed-by: Neal Patel <nealpatel@google.com> +LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> +Reviewed-by: Jakub Ciolek <jakub@ciolek.dev> + +CVE: CVE-2026-32280 +Upstream-Status: Backport [https://github.com/golang/go/commit/26d8a902002a2b41bc4c302044110f2eae8d597f] +Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com> +--- + src/crypto/x509/verify.go | 31 ++++--- + src/crypto/x509/verify_test.go | 150 ++++++++++++++++----------------- + 2 files changed, 96 insertions(+), 85 deletions(-) + +diff --git a/src/crypto/x509/verify.go b/src/crypto/x509/verify.go +index 0ae8aef..1de06bc 100644 +--- a/src/crypto/x509/verify.go ++++ b/src/crypto/x509/verify.go +@@ -939,6 +939,8 @@ func alreadyInChain(candidate *Certificate, chain []*Certificate) bool { + // for failed checks due to different intermediates having the same Subject. 
+ const maxChainSignatureChecks = 100 + ++var errSignatureLimit = errors.New("x509: signature check attempts limit reached while verifying certificate chain") ++ + func (c *Certificate) buildChains(currentChain []*Certificate, sigChecks *int, opts *VerifyOptions) (chains [][]*Certificate, err error) { + var ( + hintErr error +@@ -946,16 +948,16 @@ func (c *Certificate) buildChains(currentChain []*Certificate, sigChecks *int, o + ) + + considerCandidate := func(certType int, candidate potentialParent) { +- if candidate.cert.PublicKey == nil || alreadyInChain(candidate.cert, currentChain) { +- return +- } +- + if sigChecks == nil { + sigChecks = new(int) + } + *sigChecks++ + if *sigChecks > maxChainSignatureChecks { +- err = errors.New("x509: signature check attempts limit reached while verifying certificate chain") ++ err = errSignatureLimit ++ return ++ } ++ ++ if candidate.cert.PublicKey == nil || alreadyInChain(candidate.cert, currentChain) { + return + } + +@@ -996,11 +998,20 @@ func (c *Certificate) buildChains(currentChain []*Certificate, sigChecks *int, o + } + } + +- for _, root := range opts.Roots.findPotentialParents(c) { +- considerCandidate(rootCertificate, root) +- } +- for _, intermediate := range opts.Intermediates.findPotentialParents(c) { +- considerCandidate(intermediateCertificate, intermediate) ++candidateLoop: ++ for _, parents := range []struct { ++ certType int ++ potentials []potentialParent ++ }{ ++ {rootCertificate, opts.Roots.findPotentialParents(c)}, ++ {intermediateCertificate, opts.Intermediates.findPotentialParents(c)}, ++ } { ++ for _, parent := range parents.potentials { ++ considerCandidate(parents.certType, parent) ++ if err == errSignatureLimit { ++ break candidateLoop ++ } ++ } + } + + if len(chains) > 0 { +diff --git a/src/crypto/x509/verify_test.go b/src/crypto/x509/verify_test.go +index 223c250..f3711ac 100644 +--- a/src/crypto/x509/verify_test.go ++++ b/src/crypto/x509/verify_test.go +@@ -1765,10 +1765,13 @@ func 
TestValidHostname(t *testing.T) { + } + } + +-func generateCert(cn string, isCA bool, issuer *Certificate, issuerKey crypto.PrivateKey) (*Certificate, crypto.PrivateKey, error) { +- priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) +- if err != nil { +- return nil, nil, err ++func generateCert(cn string, isCA bool, issuer *Certificate, issuerKey crypto.PrivateKey, priv crypto.PrivateKey) (*Certificate, crypto.PrivateKey, error) { ++ if priv == nil { ++ var err error ++ priv, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader) ++ if err != nil { ++ return nil, nil, err ++ } + } + + serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128) +@@ -1779,6 +1782,7 @@ func generateCert(cn string, isCA bool, issuer *Certificate, issuerKey crypto.Pr + Subject: pkix.Name{CommonName: cn}, + NotBefore: time.Now().Add(-1 * time.Hour), + NotAfter: time.Now().Add(24 * time.Hour), ++ DNSNames: []string{rand.Text()}, + + KeyUsage: KeyUsageKeyEncipherment | KeyUsageDigitalSignature | KeyUsageCertSign, + ExtKeyUsage: []ExtKeyUsage{ExtKeyUsageServerAuth}, +@@ -1790,7 +1794,7 @@ func generateCert(cn string, isCA bool, issuer *Certificate, issuerKey crypto.Pr + issuerKey = priv + } + +- derBytes, err := CreateCertificate(rand.Reader, template, issuer, priv.Public(), issuerKey) ++ derBytes, err := CreateCertificate(rand.Reader, template, issuer, priv.(crypto.Signer).Public(), issuerKey) + if err != nil { + return nil, nil, err + } +@@ -1802,81 +1806,77 @@ func generateCert(cn string, isCA bool, issuer *Certificate, issuerKey crypto.Pr + return cert, priv, nil + } + +-func TestPathologicalChain(t *testing.T) { +- if testing.Short() { +- t.Skip("skipping generation of a long chain of certificates in short mode") +- } +- +- // Build a chain where all intermediates share the same subject, to hit the +- // path building worst behavior. 
+- roots, intermediates := NewCertPool(), NewCertPool() +- +- parent, parentKey, err := generateCert("Root CA", true, nil, nil) +- if err != nil { +- t.Fatal(err) +- } +- roots.AddCert(parent) +- +- for i := 1; i < 100; i++ { +- parent, parentKey, err = generateCert("Intermediate CA", true, parent, parentKey) +- if err != nil { +- t.Fatal(err) +- } +- intermediates.AddCert(parent) +- } +- +- leaf, _, err := generateCert("Leaf", false, parent, parentKey) +- if err != nil { +- t.Fatal(err) +- } +- +- start := time.Now() +- _, err = leaf.Verify(VerifyOptions{ +- Roots: roots, +- Intermediates: intermediates, +- }) +- t.Logf("verification took %v", time.Since(start)) +- +- if err == nil || !strings.Contains(err.Error(), "signature check attempts limit") { +- t.Errorf("expected verification to fail with a signature checks limit error; got %v", err) +- } +-} +- +-func TestLongChain(t *testing.T) { ++func TestPathologicalChains(t *testing.T) { + if testing.Short() { +- t.Skip("skipping generation of a long chain of certificates in short mode") +- } +- +- roots, intermediates := NewCertPool(), NewCertPool() +- +- parent, parentKey, err := generateCert("Root CA", true, nil, nil) +- if err != nil { +- t.Fatal(err) +- } +- roots.AddCert(parent) ++ t.Skip("skipping generation of a long chains of certificates in short mode") ++ } ++ ++ // Test four pathological cases, where the intermediates in the chain have ++ // the same/different subjects and the same/different keys. This covers a ++ // number of cases where the chain building algorithm might be inefficient, ++ // such as when there are many intermediates with the same subject but ++ // different keys, many intermediates with the same key but different ++ // subjects, many intermediates with the same subject and key, or many ++ // intermediates with different subjects and keys. 
++ // ++ // The worst case for our algorithm is when all of the intermediates share ++ // both subject and key, in which case all of the intermediates appear to ++ // have signed each other, causing us to see a large number of potential ++ // parents for each intermediate. ++ // ++ // All of these cases, Certificate.Verify should return errSignatureLimit. ++ // ++ // In all cases, don't have a root in the pool, so a valid chain cannot actually be built. ++ ++ for _, test := range []struct { ++ sameSubject bool ++ sameKey bool ++ }{ ++ {sameSubject: false, sameKey: false}, ++ {sameSubject: true, sameKey: false}, ++ {sameSubject: false, sameKey: true}, ++ {sameSubject: true, sameKey: true}, ++ } { ++ t.Run(fmt.Sprintf("sameSubject=%t,sameKey=%t", test.sameSubject, test.sameKey), func(t *testing.T) { ++ intermediates := NewCertPool() ++ ++ var intermediateKey crypto.PrivateKey ++ if test.sameKey { ++ var err error ++ intermediateKey, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader) ++ if err != nil { ++ t.Fatal(err) ++ } ++ } + +- for i := 1; i < 15; i++ { +- name := fmt.Sprintf("Intermediate CA #%d", i) +- parent, parentKey, err = generateCert(name, true, parent, parentKey) +- if err != nil { +- t.Fatal(err) +- } +- intermediates.AddCert(parent) +- } ++ var leafSigner crypto.PrivateKey ++ var intermediate *Certificate ++ for i := range 100 { ++ cn := "Intermediate CA" ++ if !test.sameSubject { ++ cn += fmt.Sprintf(" #%d", i) ++ } ++ var err error ++ intermediate, leafSigner, err = generateCert(cn, true, intermediate, leafSigner, intermediateKey) ++ if err != nil { ++ t.Fatal(err) ++ } ++ intermediates.AddCert(intermediate) ++ } + +- leaf, _, err := generateCert("Leaf", false, parent, parentKey) +- if err != nil { +- t.Fatal(err) +- } ++ leaf, _, err := generateCert("Leaf", false, intermediate, leafSigner, nil) ++ if err != nil { ++ t.Fatal(err) ++ } + +- start := time.Now() +- if _, err := leaf.Verify(VerifyOptions{ +- Roots: roots, +- Intermediates: 
intermediates, +- }); err != nil { +- t.Error(err) ++ start := time.Now() ++ _, err = leaf.Verify(VerifyOptions{ ++ Roots: NewCertPool(), ++ Intermediates: intermediates, ++ }) ++ t.Logf("verification took %v", time.Since(start)) ++ }) + } +- t.Logf("verification took %v", time.Since(start)) + } + + func TestSystemRootsError(t *testing.T) { +-- +2.43.0 +
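Review bot: the patch header says `From 1d71a2882078ea5057e68a7d2fedc83a5227c764` while the Upstream-Status line points at commit 26d8a902002a2b41bc4c302044110f2eae8d597f; these cannot both be the commit this file was generated from. Make Upstream-Status name the commit the hunks were actually exported from (master vs. the release-branch cherry-pick), since the CVE tooling and future rebases key off that line.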
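Review bot: with `*sigChecks++` now ahead of the `candidate.cert.PublicKey == nil || alreadyInChain(...)` test in the considerCandidate hunk (`@@ -946,16 +948,16 @@`), candidates that are rejected without any signature being checked still consume the 100-entry budget, but the comment kept just above `const maxChainSignatureChecks = 100` still describes the limit as counting failed signature checks. Reword that comment to say the counter now bounds every candidate considered, which is the point of the change; otherwise the early increment reads like a mistake and is likely to be moved back.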
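Review bot: the `if err == errSignatureLimit { break candidateLoop }` in the candidateLoop hunk (`@@ -996,11 +998,20 @@`) compares the sentinel by identity. That works because considerCandidate assigns errSignatureLimit directly, but this break is the whole fix, and any later wrapping of the error on its way back through a nested buildChains would silently turn it back into a full walk of the remaining parents. `errors.Is(err, errSignatureLimit)` costs nothing here and keeps the early exit robust.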
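Review bot: `rand.Text()` in the generateCert hunk (`@@ -1779,6 +1782,7 @@`, `DNSNames: []string{rand.Text()}`) is crypto/rand.Text, which only exists from Go 1.24; this patch is applied to go-1.22.12, so verify_test.go will not compile under `go test crypto/x509` on this tree. The toolchain build does not compile _test.go files, so the recipe still builds and the breakage only appears when someone runs the package tests. For the scarthgap backport, drop the DNSNames line or derive the name from bytes read from rand.Reader (e.g. hex-encode 16 random bytes).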
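Review bot: the comment in the TestPathologicalChains hunk (`@@ -1802,81 +1806,77 @@`) states that in all four cases "Certificate.Verify should return errSignatureLimit", but the subtest only logs the elapsed time and never inspects `err`; the TestPathologicalChain it replaces at least asserted on "signature check attempts limit". As written the test cannot fail if the limit stops firing, which is exactly the regression this fix guards against: either add `if !errors.Is(err, errSignatureLimit) { t.Fatalf(...) }` after the Verify call or drop the claim from the comment. Separately, the removed TestLongChain was the only positive check that a legitimate 15-deep chain still verifies; the new test only exercises failing chains, so keeping a positive case would catch the counter being consumed by alreadyInChain rejections on a valid chain.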
From: tgaige.opensource@witekio.com
To: openembedded-core@lists.openembedded.org
Cc: hsimeliere.opensource@witekio.com, "Theo Gaige (Schneider Electric)" <tgaige.opensource@witekio.com>, Bruno Vernay <bruno.vernay@se.com>
Subject: [scarthgap][PATCH 03/14] go: patch CVE-2026-32283
Date: Thu, 21 May 2026 12:09:36 +0200
Message-ID: <20260521100949.1299757-3-tgaige.opensource@witekio.com>
In-Reply-To: <20260521100949.1299757-1-tgaige.opensource@witekio.com>
References: <20260521100949.1299757-1-tgaige.opensource@witekio.com>
List-Id: <openembedded-core.lists.openembedded.org>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/237485
From: "Theo Gaige (Schneider Electric)" <tgaige.opensource@witekio.com>

Backport patch from [1]

[1] https://go.dev/cl/763767

Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com> Reviewed-by: Bruno Vernay <bruno.vernay@se.com> --- meta/recipes-devtools/go/go-1.22.12.inc | 1 + .../go/go/CVE-2026-32283.patch | 177 ++++++++++++++++++ 2 files changed, 178 insertions(+) create mode 100644 meta/recipes-devtools/go/go/CVE-2026-32283.patch diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc index 0d4dff6c21..99c2945a8c 100644 --- a/meta/recipes-devtools/go/go-1.22.12.inc +++ b/meta/recipes-devtools/go/go-1.22.12.inc @@ -43,6 +43,7 @@ SRC_URI += "\ file://CVE-2025-68121_p3.patch \ file://CVE-2026-27142.patch \ file://CVE-2026-32280.patch \ + file://CVE-2026-32283.patch \ " SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71" diff --git a/meta/recipes-devtools/go/go/CVE-2026-32283.patch b/meta/recipes-devtools/go/go/CVE-2026-32283.patch new file mode 100644 index 0000000000..87bcc5816f --- /dev/null +++ b/meta/recipes-devtools/go/go/CVE-2026-32283.patch
@@ -0,0 +1,177 @@ +From f560f55d3f804dcc3002dfe963b37bfa3a67202c Mon Sep 17 00:00:00 2001 +From: Roland Shoemaker <bracewell@google.com> +Date: Mon, 23 Mar 2026 11:54:41 -0700 +Subject: [PATCH] crypto/tls: prevent deadlock when client sends multiple key + update messages + +When we made setReadTrafficSecret send an alert when there are pending +handshake messages, we introduced a deadlock when the client sends +multiple key update messages that request a response, as handleKeyUpdate +will lock the mutex, and defer the unlocking until the end of the +function, but setReadTrafficSecret called sendAlert in the failure case, +which also tries to lock the mutex. + +Add an argument to setReadTrafficSecret which lets the caller indicate +if the mutex is already locked, and if so, call sendAlertLocked instead +of sendAlert. + +Thanks to Jakub Ciolek for reporting this issue. + +Fixes #78334 +Fixes CVE-2026-32283 + +Change-Id: Id8e56974233c910e0d66ba96eafbd2ea57832610 +Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3881 +Reviewed-by: Damien Neil <dneil@google.com> +Reviewed-by: Nicholas Husin <husin@google.com> +Reviewed-on: https://go-review.googlesource.com/c/go/+/763767 +LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> +Auto-Submit: David Chase <drchase@google.com> +Reviewed-by: Russ Cox <rsc@golang.org> +Reviewed-by: Jakub Ciolek <jakub@ciolek.dev> + +CVE: CVE-2026-32283 +Upstream-Status: Backport [https://github.com/golang/go/commit/1ea7966042731bae941511fb2b261b9536ad268f] +Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com> +--- + src/crypto/tls/conn.go | 10 +++-- + src/crypto/tls/handshake_client_tls13.go | 4 +- + src/crypto/tls/handshake_server_tls13.go | 4 +- + src/crypto/tls/handshake_test.go | 48 ++++++++++++++++++++++++ + 4 files changed, 59 insertions(+), 7 deletions(-) + +diff --git a/src/crypto/tls/conn.go b/src/crypto/tls/conn.go +index 08609ce..770d456 100644 +--- 
a/src/crypto/tls/conn.go ++++ b/src/crypto/tls/conn.go +@@ -1345,7 +1345,7 @@ func (c *Conn) handleKeyUpdate(keyUpdate *keyUpdateMsg) error { + } + + newSecret := cipherSuite.nextTrafficSecret(c.in.trafficSecret) +- if err := c.setReadTrafficSecret(cipherSuite, QUICEncryptionLevelInitial, newSecret); err != nil { ++ if err := c.setReadTrafficSecret(cipherSuite, QUICEncryptionLevelInitial, newSecret, keyUpdate.updateRequested); err != nil { + return err + } + +@@ -1675,12 +1675,16 @@ func (c *Conn) VerifyHostname(host string) error { + // setReadTrafficSecret sets the read traffic secret for the given encryption level. If + // being called at the same time as setWriteTrafficSecret, the caller must ensure the call + // to setWriteTrafficSecret happens first so any alerts are sent at the write level. +-func (c *Conn) setReadTrafficSecret(suite *cipherSuiteTLS13, level QUICEncryptionLevel, secret []byte) error { ++func (c *Conn) setReadTrafficSecret(suite *cipherSuiteTLS13, level QUICEncryptionLevel, secret []byte, locked bool) error { + // Ensure that there are no buffered handshake messages before changing the + // read keys, since that can cause messages to be parsed that were encrypted + // using old keys which are no longer appropriate. 
+ if c.hand.Len() != 0 { +- c.sendAlert(alertUnexpectedMessage) ++ if locked { ++ c.sendAlertLocked(alertUnexpectedMessage) ++ } else { ++ c.sendAlert(alertUnexpectedMessage) ++ } + return errors.New("tls: handshake buffer not empty before setting read traffic secret") + } + c.in.setTrafficSecret(suite, level, secret) +diff --git a/src/crypto/tls/handshake_client_tls13.go b/src/crypto/tls/handshake_client_tls13.go +index 68ff92b..2d58b21 100644 +--- a/src/crypto/tls/handshake_client_tls13.go ++++ b/src/crypto/tls/handshake_client_tls13.go +@@ -396,7 +396,7 @@ func (hs *clientHandshakeStateTLS13) establishHandshakeKeys() error { + c.setWriteTrafficSecret(hs.suite, QUICEncryptionLevelHandshake, clientSecret) + serverSecret := hs.suite.deriveSecret(handshakeSecret, + serverHandshakeTrafficLabel, hs.transcript) +- if err := c.setReadTrafficSecret(hs.suite, QUICEncryptionLevelHandshake, serverSecret); err != nil { ++ if err := c.setReadTrafficSecret(hs.suite, QUICEncryptionLevelHandshake, serverSecret, false); err != nil { + return err + } + +@@ -607,7 +607,7 @@ func (hs *clientHandshakeStateTLS13) readServerFinished() error { + clientApplicationTrafficLabel, hs.transcript) + serverSecret := hs.suite.deriveSecret(hs.masterSecret, + serverApplicationTrafficLabel, hs.transcript) +- if err := c.setReadTrafficSecret(hs.suite, QUICEncryptionLevelApplication, serverSecret); err != nil { ++ if err := c.setReadTrafficSecret(hs.suite, QUICEncryptionLevelApplication, serverSecret, false); err != nil { + return err + } + +diff --git a/src/crypto/tls/handshake_server_tls13.go b/src/crypto/tls/handshake_server_tls13.go +index 1ecee3a..f73b536 100644 +--- a/src/crypto/tls/handshake_server_tls13.go ++++ b/src/crypto/tls/handshake_server_tls13.go +@@ -636,7 +636,7 @@ func (hs *serverHandshakeStateTLS13) sendServerParameters() error { + c.setWriteTrafficSecret(hs.suite, QUICEncryptionLevelHandshake, serverSecret) + clientSecret := hs.suite.deriveSecret(hs.handshakeSecret, + 
clientHandshakeTrafficLabel, hs.transcript) +- if err := c.setReadTrafficSecret(hs.suite, QUICEncryptionLevelHandshake, clientSecret); err != nil { ++ if err := c.setReadTrafficSecret(hs.suite, QUICEncryptionLevelHandshake, clientSecret, false); err != nil { + return err + } + +@@ -1005,7 +1005,7 @@ func (hs *serverHandshakeStateTLS13) readClientFinished() error { + return errors.New("tls: invalid client finished hash") + } + +- if err := c.setReadTrafficSecret(hs.suite, QUICEncryptionLevelApplication, hs.trafficSecret); err != nil { ++ if err := c.setReadTrafficSecret(hs.suite, QUICEncryptionLevelApplication, hs.trafficSecret, false); err != nil { + return err + } + +diff --git a/src/crypto/tls/handshake_test.go b/src/crypto/tls/handshake_test.go +index 4991a0e..a95d751 100644 +--- a/src/crypto/tls/handshake_test.go ++++ b/src/crypto/tls/handshake_test.go +@@ -673,3 +673,51 @@ func concatHandshakeMessages(msgs ...handshakeMessage) ([]byte, error) { + outBuf = append(outBuf, marshalled...) 
+ return outBuf, nil + } ++ ++func TestMultipleKeyUpdate(t *testing.T) { ++ for _, requestUpdate := range []bool{true, false} { ++ t.Run(fmt.Sprintf("requestUpdate=%t", requestUpdate), func(t *testing.T) { ++ ++ c, s := localPipe(t) ++ cfg := testConfig.Clone() ++ cfg.MinVersion = VersionTLS13 ++ cfg.MaxVersion = VersionTLS13 ++ client := Client(c, testConfig) ++ server := Server(s, testConfig) ++ ++ clientHandshakeDone := make(chan struct{}) ++ go func() { ++ if err := client.Handshake(); err != nil { ++ } ++ close(clientHandshakeDone) ++ io.Copy(io.Discard, server) ++ }() ++ ++ if err := server.Handshake(); err != nil { ++ t.Fatalf("server handshake failed: %v\n", err) ++ } ++ <-clientHandshakeDone ++ ++ c.SetReadDeadline(time.Now().Add(1 * time.Second)) ++ s.SetReadDeadline(time.Now().Add(1 * time.Second)) ++ ++ kuMsg, err := (&keyUpdateMsg{updateRequested: requestUpdate}).marshal() ++ if err != nil { ++ t.Fatalf("failed to marshal key update message: %v", err) ++ } ++ ++ client.out.Lock() ++ if _, err := client.writeRecordLocked(recordTypeHandshake, append(kuMsg, kuMsg...)); err != nil { ++ t.Fatalf("failed to write key update messages: %v", err) ++ } ++ client.out.Unlock() ++ ++ _, err = io.Copy(io.Discard, client) ++ if err == nil { ++ t.Fatal("expected multiple key update messages to cause an error, got nil") ++ } else if !strings.HasSuffix(err.Error(), "tls: unexpected message") { ++ t.Fatalf("unexpected error: %v", err) ++ } ++ }) ++ } ++} +-- +2.43.0 +
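Review bot: the patch header says `From f560f55d3f804dcc3002dfe963b37bfa3a67202c` while Upstream-Status points at commit 1ea7966042731bae941511fb2b261b9536ad268f; as with the CVE-2026-32280 patch in this series, Upstream-Status should name the commit the hunks were actually exported from.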
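Review bot: passing `keyUpdate.updateRequested` as the new `locked` argument in the handleKeyUpdate hunk (`@@ -1345,7 +1345,7 @@`) makes the lock state an implicit consequence of a protocol flag. It is only correct if, in this 1.22.12 tree after the earlier CVE-2026-27142 patch in the same series, `c.out.Lock()` has already been taken before this line exactly when updateRequested is true; the hunk does not show that lock, so please confirm it against the backported handleKeyUpdate, because if the 1.22 version takes the lock later, sendAlertLocked would run without holding c.out. A one-line comment at the call site, e.g. `// c.out is already held when a response was requested`, would record the invariant the argument depends on.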
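Review bot: the doc comment above setReadTrafficSecret is not updated for the new `locked bool` parameter in the `@@ -1675,12 +1675,16 @@` hunk; it still only covers the ordering with setWriteTrafficSecret. Add a sentence saying that locked reports whether the caller already holds c.out and selects sendAlertLocked over sendAlert: passing false while holding the lock reproduces the deadlock being fixed, passing true without it sends the alert unsynchronised, and the compiler catches neither.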
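Review bot: in the TestMultipleKeyUpdate hunk (`@@ -673,3 +673,51 @@`), `cfg` is cloned and pinned to TLS 1.3 but `client := Client(c, testConfig)` and `server := Server(s, testConfig)` then use testConfig, so the MinVersion/MaxVersion pinning has no effect and the test only reaches the TLS 1.3 key-update path because testConfig happens to negotiate it; pass cfg to both. The `if err := client.Handshake(); err != nil { }` in the goroutine also swallows the client-side handshake error, so a failing client handshake would only surface later as a confusing "unexpected error" from the io.Copy; report it with `t.Errorf` (not t.Fatal, which must not be called from a non-test goroutine).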
smtp.lore.kernel.org (Postfix) with ESMTP id 69CE8CD5BB1 for <webhook@archiver.kernel.org>; Thu, 21 May 2026 10:10:28 +0000 (UTC) Received: from mx-relay25-hz12-if1.hornetsecurity.com (mx-relay25-hz12-if1.hornetsecurity.com [94.100.139.225]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.33224.1779358219368865094 for <openembedded-core@lists.openembedded.org>; Thu, 21 May 2026 03:10:19 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@witekio.com header.s=selector1 header.b=FwWpmvAv; spf=permerror, err=parse error for token &{10 18 spf.hornetsecurity.com}: limit exceeded (domain: witekio.com, ip: 94.100.139.225, mailfrom: tgaige@witekio.com) Received: from mail-francecentralazon11023101.outbound.protection.outlook.com ([40.107.162.101]) by mx-gate25-hz12; Thu, 21 May 2026 12:10:17 +0200 ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=MMOfRq+8Xdy+5G5vp3k6rnDpg6at1fKtloUSNw1H4B02pqIsXNKS05zE3Ru1G5luS8KCeMDw8Ie+vfIuYBbJ6hpGiTx95wf/rY5ewKUziHdMsUn4eyPAuHSXb75WSINev67M1MRx+O4M9VttHk3cjKXBecW3DFhPqWw4Xan+tKknq441wo42haWZWarqXflaz0UnRv7WE3X3HFB4TC5rDXoulpj3ITl6OCisa/fbtG7IWIRmuF3diHxnAZlS+nOB+fEP0Otzm1bzhSD++EFIO1aISQnmMSWzLYnQXcuG0bbdIUgSs1+wmRGfJUli/Y6L5YC9toCiZmVpsGyplCOLUw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=ohH4dVTarYlsOvRFp0xym5uqakNm7Gr2CzGoEXbvTDU=; b=mAsgxnZgxHjGSBdfO0T2Rriu+gR52I9idYsDI2vgWUc42V4zjqjCW+50Qwjow6yVSkehx3T2RTDAPD/7JcmgCsOl4cqjhV/+frYDZD801ic8G/lZJr66yuwsev/mYUBy9am8n4HnZ+Iz6rvwUEVA3Vb8/rnT2Ij5CLiexEgbTLF7NGbUT1wDchlZJ47lr3meKHxQu989Z4/P6M09hLjKD7gz3LP9FXjreYPeU1pkGmJgYvgwcoUdVjMye3AXc/N6NvMP5baihQk2R1VUAZrPY/xcg+//6FK1Bp/KCiVgjdwYoslSvPPVuYVlTFB/o7G1Y64TlFSAiOBi5ZVr3MgpYQ== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=witekio.com; 
dmarc=pass action=none header.from=witekio.com; dkim=pass header.d=witekio.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=witekio.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=ohH4dVTarYlsOvRFp0xym5uqakNm7Gr2CzGoEXbvTDU=; b=FwWpmvAvBKxH4Kfq94e8HOQTCRJB49pBQ3kE+EzUEBtQZtRKP5UVKxIh64uFYnBarJ4I6Fdhq26QLkxfmLhTSK9772vLM/vKs4ANXtccKG0OjL1iLSjCzeO8vj+nhjj++QhO8sX+F5Ry/yI0bkdWZZPI2qWtrdfYPBrutdc6AehtHRqKpXGBhKUtA9qgn+YvtGg/fOYeZ90Mw5MFbBDT8RU5WFptFh5IOIzCJUPHgo+3IldnjO24m/eYAnitboyF7l8lyNf3E1ON5pk639sKNX9ChqEsbyieBG7FdgeHOLPvxd0t732xJKu4cK6ZiH/UOCXyVWiskVqMwknkENMtQw== Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=witekio.com; Received: from AM9P192MB1396.EURP192.PROD.OUTLOOK.COM (2603:10a6:20b:3ad::23) by AS4P192MB1672.EURP192.PROD.OUTLOOK.COM (2603:10a6:20b:507::5) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.21.48.17; Thu, 21 May 2026 10:10:03 +0000 Received: from AM9P192MB1396.EURP192.PROD.OUTLOOK.COM ([fe80::25ed:86ef:4d24:3d38]) by AM9P192MB1396.EURP192.PROD.OUTLOOK.COM ([fe80::25ed:86ef:4d24:3d38%5]) with mapi id 15.21.0025.023; Thu, 21 May 2026 10:10:03 +0000 
From: tgaige.opensource@witekio.com To: openembedded-core@lists.openembedded.org Cc: hsimeliere.opensource@witekio.com, "Theo Gaige (Schneider Electric)" <tgaige.opensource@witekio.com>, Bruno Vernay <bruno.vernay@se.com> Subject: [scarthgap][PATCH 04/14] go: patch CVE-2026-32289 Date: Thu, 21 May 2026 12:09:37 +0200 Message-ID: <20260521100949.1299757-4-tgaige.opensource@witekio.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260521100949.1299757-1-tgaige.opensource@witekio.com> References: <20260521100949.1299757-1-tgaige.opensource@witekio.com> X-ClientProxiedBy: ZR0P278CA0104.CHEP278.PROD.OUTLOOK.COM (2603:10a6:910:23::19) To AM9P192MB1396.EURP192.PROD.OUTLOOK.COM (2603:10a6:20b:3ad::23) MIME-Version: 1.0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: AM9P192MB1396:EE_|AS4P192MB1672:EE_ X-MS-Office365-Filtering-Correlation-Id: 9cc27374-4660-4b0b-21d8-08deb721203a X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0;ARA:13230040|1800799024|366016|52116014|376014|22082099003|18002099003|56012099003|38350700014|6133799003; X-Microsoft-Antispam-Message-Info: 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 X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:AM9P192MB1396.EURP192.PROD.OUTLOOK.COM;PTR:;CAT:NONE;SFS:(13230040)(1800799024)(366016)(52116014)(376014)(22082099003)(18002099003)(56012099003)(38350700014)(6133799003);DIR:OUT;SFP:1102; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: =?utf-8?q?ZpbCUb2Nd7K3Le4ERSNietyDYjXR?= =?utf-8?q?p0gczlaxCnC1eRt6zwg/ypq8PZLg/+EAVPdnGgj/m2eg2BMALXN7XbEo5davU47i8?= =?utf-8?q?teAhTmDGS1JBkbzHSkJBzsGlIeuCFQXKTM6slqXTDafnzPvQvdcUxuOvvcPR7szyS?= =?utf-8?q?2LrEeKIBKXP4lf8Hp04iYJT29iWO8Qks39Tna64+y8Eg7NPIjI9YZXFrcV3XDir2e?= =?utf-8?q?H8IH4tK2Miu8yM/s38VwKqax5GPoG30jJQfGg33lpLsCCqVqF/l6nKuU40jl1zrbC?= =?utf-8?q?zpFl1I5ZBGPP8fRue/bGeM7ZrsI/wE2H/LeoWM1VbwJnlrCDb2rOaUcbxrFUjW/y9?= 
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/237488
From: "Theo Gaige (Schneider Electric)" <tgaige.opensource@witekio.com>

Backport patch from [1]

[1] https://go.dev/cl/763762

Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Reviewed-by: Bruno Vernay <bruno.vernay@se.com>
---
 meta/recipes-devtools/go/go-1.22.12.inc | 1 +
 .../go/go/CVE-2026-32289.patch | 217 ++++++++++++++++++
 2 files changed, 218 insertions(+)
 create mode 100644 meta/recipes-devtools/go/go/CVE-2026-32289.patch

diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc
index 99c2945a8c..288cd5c95f 100644
--- a/meta/recipes-devtools/go/go-1.22.12.inc
+++ b/meta/recipes-devtools/go/go-1.22.12.inc
@@ -44,6 +44,7 @@ SRC_URI += "\ file://CVE-2026-27142.patch \ file://CVE-2026-32280.patch \ file://CVE-2026-32283.patch \ + file://CVE-2026-32289.patch \ " SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71"
diff --git a/meta/recipes-devtools/go/go/CVE-2026-32289.patch b/meta/recipes-devtools/go/go/CVE-2026-32289.patch
new file mode 100644
index 0000000000..28ff0c00e0
--- /dev/null
+++ b/meta/recipes-devtools/go/go/CVE-2026-32289.patch
@@ -0,0 +1,217 @@ +From 5291c6d3e6d0bc0a764a9a6bd6b3de1be64b8264 Mon Sep 17 00:00:00 2001 +From: Roland Shoemaker <bracewell@google.com> +Date: Mon, 23 Mar 2026 13:34:23 -0700 +Subject: [PATCH] html/template: properly track JS template literal brace depth + across contexts +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Properly track JS template literal brace depth across branches/ranges, +and prevent accidental re-use of escape analysis by including the +brace depth in the stringification/mangling for contexts. + +Fixes #78331 +Fixes CVE-2026-32289 + +Change-Id: I9f3f47c29e042220b18e4d3299db7a3fae4207fa +Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3882 +Reviewed-by: Neal Patel <nealpatel@google.com> +Reviewed-by: Nicholas Husin <husin@google.com> +Reviewed-on: https://go-review.googlesource.com/c/go/+/763762 +Reviewed-by: Russ Cox <rsc@golang.org> +LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> +Auto-Submit: David Chase <drchase@google.com> +Reviewed-by: Fan Mỹ TĂ¢m Club <letrivien97@gmail.com> + +CVE: CVE-2026-32289 +Upstream-Status: Backport [https://github.com/golang/go/commit/199c4d1c3c9d509a51f777c81cb17d4b17728097] +Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com> +--- + src/html/template/context.go | 14 +++++++++++- + src/html/template/escape.go | 4 ++-- + src/html/template/escape_test.go | 38 +++++++++++++++++++++----------- + 3 files changed, 40 insertions(+), 16 deletions(-) + +diff --git a/src/html/template/context.go b/src/html/template/context.go +index 8b3af2feab..132ae2d28d 100644 +--- a/src/html/template/context.go ++++ b/src/html/template/context.go +@@ -6,6 +6,7 @@ package template + + import ( + "fmt" ++ "slices" + "text/template/parse" + ) + +@@ -37,7 +38,7 @@ func (c context) String() string { + if c.err != nil { + err = c.err + } +- return fmt.Sprintf("{%v %v %v %v %v %v %v}", c.state, c.delim, 
c.urlPart, c.jsCtx, c.attr, c.element, err) ++ return fmt.Sprintf("{%v %v %v %v %v %v %v %v}", c.state, c.delim, c.urlPart, c.jsCtx, c.jsBraceDepth, c.attr, c.element, err) + } + + // eq reports whether two contexts are equal. +@@ -46,6 +47,7 @@ func (c context) eq(d context) bool { + c.delim == d.delim && + c.urlPart == d.urlPart && + c.jsCtx == d.jsCtx && ++ slices.Equal(c.jsBraceDepth, d.jsBraceDepth) && + c.attr == d.attr && + c.element == d.element && + c.err == d.err +@@ -68,6 +70,9 @@ func (c context) mangle(templateName string) string { + if c.jsCtx != jsCtxRegexp { + s += "_" + c.jsCtx.String() + } ++ if c.jsBraceDepth != nil { ++ s += fmt.Sprintf("_jsBraceDepth(%v)", c.jsBraceDepth) ++ } + if c.attr != attrNone { + s += "_" + c.attr.String() + } +@@ -77,6 +82,13 @@ func (c context) mangle(templateName string) string { + return s + } + ++// clone returns a copy of c with the same field values. ++func (c context) clone() context { ++ clone := c ++ clone.jsBraceDepth = slices.Clone(c.jsBraceDepth) ++ return clone ++} ++ + // state describes a high-level HTML parser state. 
+ // + // It bounds the top of the element stack, and by extension the HTML insertion +diff --git a/src/html/template/escape.go b/src/html/template/escape.go +index b368cab38c..c031ed27b9 100644 +--- a/src/html/template/escape.go ++++ b/src/html/template/escape.go +@@ -522,7 +522,7 @@ func (e *escaper) escapeBranch(c context, n *parse.BranchNode, nodeName string) + if nodeName == "range" { + e.rangeContext = &rangeContext{outer: e.rangeContext} + } +- c0 := e.escapeList(c, n.List) ++ c0 := e.escapeList(c.clone(), n.List) + if nodeName == "range" { + if c0.state != stateError { + c0 = joinRange(c0, e.rangeContext) +@@ -553,7 +553,7 @@ func (e *escaper) escapeBranch(c context, n *parse.BranchNode, nodeName string) + return c0 + } + } +- c1 := e.escapeList(c, n.ElseList) ++ c1 := e.escapeList(c.clone(), n.ElseList) + return join(c0, c1, n, nodeName) + } + +diff --git a/src/html/template/escape_test.go b/src/html/template/escape_test.go +index 1970db1695..435c83378f 100644 +--- a/src/html/template/escape_test.go ++++ b/src/html/template/escape_test.go +@@ -1181,6 +1181,18 @@ func TestErrors(t *testing.T) { + // html is allowed since it is the last command in the pipeline, but urlquery is not. 
+ `predefined escaper "urlquery" disallowed in template`, + }, ++ { ++ "<script>var a = `{{if .X}}`{{end}}", ++ `{{if}} branches end in different contexts`, ++ }, ++ { ++ "<script>var a = `{{if .X}}a{{else}}`{{end}}", ++ `{{if}} branches end in different contexts`, ++ }, ++ { ++ "<script>var a = `{{if .X}}a{{else}}b{{end}}`</script>", ++ ``, ++ }, + } + for _, test := range tests { + buf := new(bytes.Buffer) +@@ -1752,7 +1764,7 @@ func TestEscapeText(t *testing.T) { + }, + { + "<script>var a = `${", +- context{state: stateJS, element: elementScript}, ++ context{state: stateJS, element: elementScript, jsBraceDepth: []int{0}}, + }, + { + "<script>var a = `${}", +@@ -1760,27 +1772,27 @@ func TestEscapeText(t *testing.T) { + }, + { + "<script>var a = `${`", +- context{state: stateJSTmplLit, element: elementScript}, ++ context{state: stateJSTmplLit, element: elementScript, jsBraceDepth: []int{0}}, + }, + { + "<script>var a = `${var a = \"", +- context{state: stateJSDqStr, element: elementScript}, ++ context{state: stateJSDqStr, element: elementScript, jsBraceDepth: []int{0}}, + }, + { + "<script>var a = `${var a = \"`", +- context{state: stateJSDqStr, element: elementScript}, ++ context{state: stateJSDqStr, element: elementScript, jsBraceDepth: []int{0}}, + }, + { + "<script>var a = `${var a = \"}", +- context{state: stateJSDqStr, element: elementScript}, ++ context{state: stateJSDqStr, element: elementScript, jsBraceDepth: []int{0}}, + }, + { + "<script>var a = `${``", +- context{state: stateJS, element: elementScript}, ++ context{state: stateJS, element: elementScript, jsBraceDepth: []int{0}}, + }, + { + "<script>var a = `${`}", +- context{state: stateJSTmplLit, element: elementScript}, ++ context{state: stateJSTmplLit, element: elementScript, jsBraceDepth: []int{0}}, + }, + { + "<script>`${ {} } asd`</script><script>`${ {} }", +@@ -1788,7 +1800,7 @@ func TestEscapeText(t *testing.T) { + }, + { + "<script>var foo = `${ (_ => { return \"x\" })() + \"${", +- 
context{state: stateJSDqStr, element: elementScript}, ++ context{state: stateJSDqStr, element: elementScript, jsBraceDepth: []int{0}}, + }, + { + "<script>var a = `${ {</script><script>var b = `${ x }", +@@ -1816,23 +1828,23 @@ func TestEscapeText(t *testing.T) { + }, + { + "<script>`${ { `` }", +- context{state: stateJS, element: elementScript}, ++ context{state: stateJS, element: elementScript, jsBraceDepth: []int{0}}, + }, + { + "<script>`${ { }`", +- context{state: stateJSTmplLit, element: elementScript}, ++ context{state: stateJSTmplLit, element: elementScript, jsBraceDepth: []int{0}}, + }, + { + "<script>var foo = `${ foo({ a: { c: `${", +- context{state: stateJS, element: elementScript}, ++ context{state: stateJS, element: elementScript, jsBraceDepth: []int{2, 0}}, + }, + { + "<script>var foo = `${ foo({ a: { c: `${ {{.}} }` }, b: ", +- context{state: stateJS, element: elementScript}, ++ context{state: stateJS, element: elementScript, jsBraceDepth: []int{1}}, + }, + { + "<script>`${ `}", +- context{state: stateJSTmplLit, element: elementScript}, ++ context{state: stateJSTmplLit, element: elementScript, jsBraceDepth: []int{0}}, + }, + } + +-- +2.43.0 +
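Review bot: the hunk adding CVE-2026-32289.patch relies on a `jsBraceDepth []int` field of `context` that this diff never declares; it only references it (`slices.Equal(c.jsBraceDepth, d.jsBraceDepth)` in `eq`, `slices.Clone(c.jsBraceDepth)` in the new `clone()`, and the `jsBraceDepth: []int{0}` literals in escape_test.go), so the scarthgap go-1.22.12 tree must already carry the earlier template-literal brace-tracking change or this will not compile; please state that dependency in the recipe commit message. Two smaller points on the same hunk: one of the copied upstream trailers is mojibake (`Reviewed-by: Fan Mỹ TĂ¢m Club`), which suggests the patch went through a non-UTF-8 step, and regenerating it with `git format-patch` from the upstream commit named in Upstream-Status would avoid that; and because the fix turns `<script>var a = `{{if .X}}`{{end}}` from an accepted template into a `{{if}} branches end in different contexts` parse error, downstream users would benefit from a sentence in the commit message saying that templates which open a JS template literal in only one branch now fail at parse time instead of being escaped with a wrong context.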
From: tgaige.opensource@witekio.com
To: openembedded-core@lists.openembedded.org
Cc: hsimeliere.opensource@witekio.com, "Theo Gaige (Schneider Electric)" <tgaige.opensource@witekio.com>, Bruno Vernay <bruno.vernay@se.com>
Subject: [scarthgap][PATCH 05/14] go: patch CVE-2026-33811
Date: Thu, 21 May 2026 12:09:38 +0200
Message-ID: <20260521100949.1299757-5-tgaige.opensource@witekio.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20260521100949.1299757-1-tgaige.opensource@witekio.com>
References: <20260521100949.1299757-1-tgaige.opensource@witekio.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/237491
From: "Theo Gaige (Schneider Electric)" <tgaige.opensource@witekio.com>

Backport patch from [1]

[1] https://go.dev/cl/767860

Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Reviewed-by: Bruno Vernay <bruno.vernay@se.com>
---
 meta/recipes-devtools/go/go-1.22.12.inc | 1 +
 .../go/go/CVE-2026-33811.patch | 46 +++++++++++++++++++
 2 files changed, 47 insertions(+)
 create mode 100644 meta/recipes-devtools/go/go/CVE-2026-33811.patch

diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc
index 288cd5c95f..9a7695e754 100644
--- a/meta/recipes-devtools/go/go-1.22.12.inc
+++ b/meta/recipes-devtools/go/go-1.22.12.inc
@@ -45,6 +45,7 @@ SRC_URI += "\ file://CVE-2026-32280.patch \ file://CVE-2026-32283.patch \ file://CVE-2026-32289.patch \ + file://CVE-2026-33811.patch \ " SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71"
diff --git a/meta/recipes-devtools/go/go/CVE-2026-33811.patch b/meta/recipes-devtools/go/go/CVE-2026-33811.patch
new file mode 100644
index 0000000000..216b33ed8b
--- /dev/null
+++ b/meta/recipes-devtools/go/go/CVE-2026-33811.patch
@@ -0,0 +1,46 @@ +From 9082277a0a78af39190c1f23b622f02b89e46196 Mon Sep 17 00:00:00 2001 +From: Damien Neil <dneil@google.com> +Date: Thu, 26 Mar 2026 12:17:06 -0700 +Subject: [PATCH] net: avoid double-free of cgo pointer when handling large DNS + response + +No test, unfortunately: I've had no luck triggering this without +the ability to override the local recursive resolver. + +Thanks to hamayanhamayan for reporting this issue. + +Fixes CVE-2026-33811 +Fixes #78803 + +Change-Id: I9e51410337316c20e4b9fd5b86657f436a6a6964 +Reviewed-on: https://go-review.googlesource.com/c/go/+/767860 +Reviewed-by: Nicholas Husin <nsh@golang.org> +LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> +Reviewed-by: Nicholas Husin <husin@google.com> + +CVE: CVE-2026-33811 +Upstream-Status: Backport [https://github.com/golang/go/commit/ab2c7eb1c43011dda118282c1e757d8c27cd7d4f] +Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com> +--- + src/net/cgo_unix.go | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/src/net/cgo_unix.go b/src/net/cgo_unix.go +index 7ed5daad73..bd694859ab 100644 +--- a/src/net/cgo_unix.go ++++ b/src/net/cgo_unix.go +@@ -343,7 +343,10 @@ func cgoResSearch(hostname string, rtype, class int) ([]dnsmessage.Resource, err + // useful in the response, even though there *is* a response. + bufSize := maxDNSPacketSize + buf := (*_C_uchar)(_C_malloc(uintptr(bufSize))) +- defer _C_free(unsafe.Pointer(buf)) ++ defer func() { ++ // Free in a closure which captures buf to pick up a reallocated buffer from below. 
++ _C_free(unsafe.Pointer(buf)) ++ }() + + s, err := syscall.BytePtrFromString(hostname) + if err != nil { +-- +2.43.0 +
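Review bot: the context lines of the go-1.22.12.inc hunk (`file://CVE-2026-32289.patch \` directly above the added `file://CVE-2026-33811.patch \`) are introduced by 04/14 of this series, so this patch only applies on top of it; that is normal for a series, but worth a sentence in the cover letter so that nobody cherry-picks the CVE-2026-33811 fix alone onto a tree without 04/14 and gets a rejected hunk.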
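Review bot: the cgo_unix.go hunk fixes the double free only if the reallocation "from below" (outside the lines shown) assigns the larger buffer to the same `buf` variable rather than to a shadowed `buf :=`, and only if that path itself frees the original allocation before overwriting `buf`; neither is visible in this diff, so please confirm that the scarthgap `cgoResSearch` around line 343 matches upstream there and say so in the commit message. The defect is clear from the removed line: `defer _C_free(unsafe.Pointer(buf))` evaluates its argument when the `defer` statement runs, so after a reallocation the deferred call freed the original pointer a second time and the new buffer leaked; the closure form `defer func() { _C_free(unsafe.Pointer(buf)) }()` reads `buf` at function exit instead. Since the upstream message states there is no test, the backport message should at least record how it was verified (a cgo-enabled build and the existing `net` tests).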
From: tgaige.opensource@witekio.com
To: openembedded-core@lists.openembedded.org
Cc: hsimeliere.opensource@witekio.com, "Theo Gaige (Schneider Electric)" <tgaige.opensource@witekio.com>, Bruno Vernay <bruno.vernay@se.com>
Subject: [scarthgap][PATCH 06/14] go: patch CVE-2026-39817
Date: Thu, 21 May 2026 12:09:39 +0200
Message-ID: <20260521100949.1299757-6-tgaige.opensource@witekio.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20260521100949.1299757-1-tgaige.opensource@witekio.com>
References: <20260521100949.1299757-1-tgaige.opensource@witekio.com>
dv7+HxgySPSFshFXXdR7k35OooSWehS1X0xa0aoUlUQZ0kinCh8c+xBt6U+W2qU69/ztwa5Q2VxZbP/G8xQ9ngq/+HPR9tAYXYWxxI3Znx83RueKDiS7vnSiQ9tQxPmxbV5uCFLj+gOi4/xyGQZwBr9I7C5cKUhJYPx1FRDXu7BsSj74ZjecCtBJLP4AHgus6Q+Dmjp2A7A7miEglg2FHL/v+YPYDaNhi2HQltBaxWoTS8+2WrCP72nGbke/dJzKknlxUX7zUkHBmGEp38wYFGV4bT0/2UZJFXBEw3MHD2fR1/MhP8MP37A9cx5JsdsKADZJnvdK5/Gfx7tj5fw68Q== X-MS-Exchange-AntiSpam-ExternalHop-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-ExternalHop-MessageData-0: EP7wH2iPahT2iqpcMgDtOfFbhh3xXtKp3dHYf27+Ex8gIEJFa/tLB/xYpD0HdhMRyUqp3ohvGlvii/9NZgi8/kYt4erHE3pECl1CT5z21nl7FwFzRS7aNonHjJYSjr1BJnRvcyMEZVehwxqfCusJzjbfVPC0U0emhoJatNXa0B2LMSm8ZQxmQBpFsd1MB/i1fS2xx7TTUrUFatkYr+8S74BCRTO4GO/j41kTCOw/W0EPnrPPCPvQDwWkrxewT3pzb2iVoKy0QXwnvFF+9ItjMUARm5WwNuh35Bcl0q5F4npwYyurUww69HR7DZMK1NbdmvLr8+0vC2P3AaG7Cs0YFkol59o/1mz1bNuT5D3lea4vINKQE0G7P6nBFx6TDov06ObW69q9F4F1ClPqyB6k9sRDu8YOKyvU7nNewiAUx9iYoLFWOuBPICg0kWA6mWe0cPlKIs/pwFF8VQUYXU4HhYI0vccMt2NFIkKYzj1artsTukMJSUfgSABct8x155FPaj9B0K2ozsS0Eh06IIDZAG6hmOfPhgr0c+jkHYpPPvZsi5YjNQWlj8RZULnwY2TDwfXB0kU6Um+Ds6+QzSEblcm9leA+PtCn4sskIiKwFD6Rla+HeMwGwym55D/+HYF0 X-OriginatorOrg: witekio.com X-MS-Exchange-CrossTenant-Network-Message-Id: 075f6dee-6c21-411f-549b-08deb72121e3 X-MS-Exchange-CrossTenant-AuthSource: AM9P192MB1396.EURP192.PROD.OUTLOOK.COM X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 21 May 2026 10:10:06.4431 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 317e086a-301a-49af-9ea4-48a1c458b903 X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: EYkE6klI6mxVQtVviYbzSPoxzgXhEqF9srZqJm82gPJDiI4jPrF3Tet83c/yJQAuZyg/oRXq8wMyE6fkT+YYUQ== X-MS-Exchange-Transport-CrossTenantHeadersStamped: AS4P192MB1672 X-cloud-security-sender: tgaige@witekio.com X-cloud-security-recipient: openembedded-core@lists.openembedded.org X-cloud-security-crypt: load encryption module X-cloud-security-Mailarchiv: E-Mail archived for: 
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/237490

From: "Theo Gaige (Schneider Electric)" <tgaige.opensource@witekio.com>

Backport patch from [1] mentioned in [2]

[1] https://go.dev/cl/767520
[2] https://security-tracker.debian.org/tracker/CVE-2026-39817

Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Reviewed-by: Bruno Vernay <bruno.vernay@se.com>
--- meta/recipes-devtools/go/go-1.22.12.inc | 1 + .../go/go/CVE-2026-39817.patch | 105 ++++++++++++++++++ 2 files changed, 106 insertions(+) create mode 100644 meta/recipes-devtools/go/go/CVE-2026-39817.patch diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc index 9a7695e754..f06b974e04 100644 --- a/meta/recipes-devtools/go/go-1.22.12.inc +++ b/meta/recipes-devtools/go/go-1.22.12.inc @@ -46,6 +46,7 @@ SRC_URI += "\ file://CVE-2026-32283.patch \ file://CVE-2026-32289.patch \ file://CVE-2026-33811.patch \ + file://CVE-2026-39817.patch \ " SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71" diff --git a/meta/recipes-devtools/go/go/CVE-2026-39817.patch b/meta/recipes-devtools/go/go/CVE-2026-39817.patch new file mode 100644 index 0000000000..103fbedb7a --- /dev/null
+++ b/meta/recipes-devtools/go/go/CVE-2026-39817.patch 
@@ -0,0 +1,105 @@ +From 7d35508ad684c808ec11fb6ef3ab27f9258a9418 Mon Sep 17 00:00:00 2001 +From: Damien Neil <dneil@google.com> +Date: Wed, 15 Apr 2026 16:27:23 -0400 +Subject: [PATCH] cmd/pack: refuse to extract files with directory components + +Do not write to /etc/passwd when running "go tool pack x evil.a" +on an archive containing a file named /etc/passwd. + +Fixes #78778 + +Change-Id: I4cf69b81af62321ffbb41ace679672a86a6a6964 +Reviewed-on: https://go-review.googlesource.com/c/go/+/767520 +Reviewed-by: Nicholas Husin <nsh@golang.org> +LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> +Reviewed-by: Nicholas Husin <husin@google.com> + +CVE: CVE-2026-39817 +Upstream-Status: Backport [https://github.com/golang/go/commit/7409ada33f99c0d74db2b0389c51a15de116e48d] +Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com> +--- + src/cmd/pack/pack.go | 5 +++++ + src/cmd/pack/pack_test.go | 44 +++++++++++++++++++++++++++++++++++++++ + 2 files changed, 49 insertions(+) + +diff --git a/src/cmd/pack/pack.go b/src/cmd/pack/pack.go +index 412ea36d60..2fe0258f01 100644 +--- a/src/cmd/pack/pack.go ++++ b/src/cmd/pack/pack.go +@@ -135,6 +135,11 @@ func openArchive(name string, mode int, files []string) *Archive { + if err != nil { + log.Fatal(err) + } ++ for _, f := range a.Entries { ++ if !filepath.IsLocal(f.Name) || filepath.Base(f.Name) != f.Name { ++ log.Fatalf("%q: invalid name", f.Name) ++ } ++ } + return &Archive{ + a: a, + files: files, +diff --git a/src/cmd/pack/pack_test.go b/src/cmd/pack/pack_test.go +index c3a63424dd..c4a8c78cbf 100644 +--- a/src/cmd/pack/pack_test.go ++++ b/src/cmd/pack/pack_test.go +@@ -6,6 +6,7 @@ package main + + import ( + "bufio" ++ "bytes" + "cmd/internal/archive" + "fmt" + "internal/testenv" +@@ -409,6 +410,49 @@ func TestRWithNonexistentFile(t *testing.T) { + run(packPath(t), "r", "p.a", "p.o") // should succeed + } + ++func 
TestOutputPathSanitization(t *testing.T) { ++ dir := t.TempDir() ++ ++ // Create pack.a containing a file named "longpathname". ++ // Note that "go tool pack" requires that all files be at least 8 bytes long. ++ const validPathName = "longpathname" ++ if err := os.WriteFile(dir+"/"+validPathName, make([]byte, 8), 0o666); err != nil { ++ t.Fatal(err) ++ } ++ doRun(t, dir, packPath(t), "grc", "pack.a", validPathName) ++ ++ // Create evil.a from pack.a, replacing "longpathname" with "out/pathname". ++ b, err := os.ReadFile(dir + "/pack.a") ++ if err != nil { ++ t.Fatal(err) ++ } ++ idx := bytes.Index(b, []byte(validPathName)) ++ if idx < 0 { ++ t.Fatalf("%v not found in pack.a", validPathName) ++ } ++ copy(b[idx:], "out/") ++ os.WriteFile(dir+"/evil.a", b, 0o666) ++ ++ // Extract evil.a. It should fail and not extract a file to /out. ++ os.Mkdir(dir+"/out", 0o777) ++ ++ cmd := testenv.Command(t, packPath(t), "x", "evil.a") ++ cmd.Dir = dir ++ _, err = cmd.CombinedOutput() ++ if err == nil { ++ t.Errorf("pack x evil.a: unexpected success") ++ } ++ ++ ents, err := os.ReadDir(dir + "/out") ++ if err != nil { ++ t.Error(err) ++ } ++ for _, e := range ents { ++ t.Errorf("unexpected file in /out: %q", e.Name()) ++ } ++ ++} ++ + // doRun runs a program in a directory and returns the output. + func doRun(t *testing.T, dir string, args ...string) string { + cmd := testenv.Command(t, args[0], args[1:]...) 
+-- +2.43.0 +
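Review bot: the new loop in openArchive (pack.go hunk) runs for every mode, not only extraction as the subject line "refuse to extract files with directory components" suggests, so after this change `go tool pack t evil.a` and `pack p` also die with "invalid name"; fail-closed is a reasonable choice, but say so in the commit message or in a one-line comment above the loop. Also make sure the backport builds: the hunk calls filepath.IsLocal and filepath.Base without touching the import block (the diffstat shows only 5 added lines in pack.go), so the Go 1.22 pack.go must already import path/filepath; IsLocal itself has existed since Go 1.20, so the 1.22 toolchain has it.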
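Review bot: TestOutputPathSanitization (pack_test.go hunk) exercises only a relative subdirectory name, "out/pathname"; the two cases the check and the commit message are actually about, an absolute name like "/etc/passwd" and a "../" traversal, are never fed to `pack x`. The in-place `copy(b[idx:], "out/")` trick works just as well for a "../" prefix, so adding those cases is cheap. Two smaller points: the return values of `os.WriteFile(dir+"/evil.a", b, 0o666)` and `os.Mkdir(dir+"/out", 0o777)` are dropped, so a failure there surfaces later as a confusing "unexpected file" or ReadDir error, and the messages say "/out" where the directory is dir+"/out".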
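The guard the upstream commit drops into openArchive is a purely lexical test on each member name. As an added example for this page (not code from the patch, the Go tree or the submitter), the block below applies the same two-part predicate to a constructed list of archive member names, so you can see what a patched `go tool pack x` refuses and what it still lets through. `entryNameOK`, `classify` and `sampleNames` are names chosen here; "out/pathname" is the name the backported test injects into evil.a and "/etc/passwd" is the case named in the commit message. One edge worth knowing: "." is lexically local and is its own base name, so the predicate accepts it; any refusal then comes from the OS when the file is opened, not from this check.

```go
package main

import (
	"fmt"
	"path/filepath"
)

// entryNameOK mirrors the predicate the backport adds to openArchive in
// cmd/pack: a member name must be "local" (not absolute, not empty, no
// ".." escape) and must equal its own base name, i.e. carry no directory
// component at all. Both halves are needed: "a/.." cleans to "." and is
// local, but Base("a/..") is "..", so the second test rejects it.
func entryNameOK(name string) bool {
	return filepath.IsLocal(name) && filepath.Base(name) == name
}

// classify runs entryNameOK over a set of member names and returns
// name -> accepted, so the verdicts can be inspected or asserted on.
func classify(names []string) map[string]bool {
	out := make(map[string]bool, len(names))
	for _, n := range names {
		out[n] = entryNameOK(n)
	}
	return out
}

// sampleNames is a constructed input for this example. "out/pathname" is
// the name the backported test injects into evil.a; "/etc/passwd" is the
// case the upstream commit message uses.
var sampleNames = []string{
	"longpathname", // plain file name: accepted
	"out/pathname", // subdirectory component: rejected
	"/etc/passwd",  // absolute path: rejected
	"../pathname",  // parent traversal: rejected
	"./pathname",   // leading "./": rejected (Base strips it)
	"a/..",         // cleans to "." but Base is "..": rejected
	"..",           // not a usable file name: rejected
	"",             // empty name: rejected
	".",            // lexically local and its own base name: accepted
}

func main() {
	verdicts := classify(sampleNames)
	for _, n := range sampleNames {
		fmt.Printf("%-16q accepted=%v\n", n, verdicts[n])
	}
}
```

Run it with `go run` on any Go 1.20 or later toolchain (filepath.IsLocal is not available before that). The results are for a Unix host; on Windows filepath.IsLocal also rejects reserved names such as NUL and treats backslash as a separator.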

From: tgaige.opensource@witekio.com
To: openembedded-core@lists.openembedded.org
Cc: hsimeliere.opensource@witekio.com, "Theo Gaige (Schneider Electric)" <tgaige.opensource@witekio.com>, Bruno Vernay <bruno.vernay@se.com>
Subject: [scarthgap][PATCH 07/14] go: patch CVE-2026-39819
Date: Thu, 21 May 2026 12:09:40 +0200
Message-ID: <20260521100949.1299757-7-tgaige.opensource@witekio.com>
In-Reply-To: <20260521100949.1299757-1-tgaige.opensource@witekio.com>
References: <20260521100949.1299757-1-tgaige.opensource@witekio.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/237493

From: "Theo Gaige (Schneider Electric)" <tgaige.opensource@witekio.com>

Backport patch from [1]

[1] https://go.dev/cl/763882
Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com> Reviewed-by: Bruno Vernay <bruno.vernay@se.com> --- meta/recipes-devtools/go/go-1.22.12.inc | 1 + .../go/go/CVE-2026-39819.patch | 48 +++++++++++++++++++ 2 files changed, 49 insertions(+) create mode 100644 meta/recipes-devtools/go/go/CVE-2026-39819.patch diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc index f06b974e04..dba826011b 100644 --- a/meta/recipes-devtools/go/go-1.22.12.inc +++ b/meta/recipes-devtools/go/go-1.22.12.inc @@ -47,6 +47,7 @@ SRC_URI += "\ file://CVE-2026-32289.patch \ file://CVE-2026-33811.patch \ file://CVE-2026-39817.patch \ + file://CVE-2026-39819.patch \ " SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71" diff --git a/meta/recipes-devtools/go/go/CVE-2026-39819.patch b/meta/recipes-devtools/go/go/CVE-2026-39819.patch new file mode 100644 index 0000000000..cb767e1320 --- /dev/null +++ b/meta/recipes-devtools/go/go/CVE-2026-39819.patch 
@@ -0,0 +1,48 @@ +From db6ceacb046779c763f87060d8a1ba5c936309c9 Mon Sep 17 00:00:00 2001 +From: Damien Neil <dneil@google.com> +Date: Wed, 8 Apr 2026 09:55:54 -0700 +Subject: [PATCH] cmd/go: use MkdirTemp to create temp directory for "go bug" + +Don't use a predictable, potentially attacker-controlled filename in /tmp. + +Fixes #78584 +Fixes CVE-2026-39819 + +Change-Id: I72116aa6dd8fa50f65b6dc0292a15a8c6a6a6964 +Reviewed-on: https://go-review.googlesource.com/c/go/+/763882 +Reviewed-by: Nicholas Husin <husin@google.com> +Reviewed-by: Nicholas Husin <nsh@golang.org> +LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> + +CVE: CVE-2026-39819 +Upstream-Status: Backport [https://github.com/golang/go/commit/5d6aa23e5b6151d25955a512532383c28c745e18] +Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com> +--- + src/cmd/go/internal/bug/bug.go | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/cmd/go/internal/bug/bug.go b/src/cmd/go/internal/bug/bug.go +index ed1813605e..9bf97dd511 100644 +--- a/src/cmd/go/internal/bug/bug.go ++++ b/src/cmd/go/internal/bug/bug.go +@@ -182,14 +182,14 @@ func firstLine(buf []byte) []byte { + // printGlibcVersion prints information about the glibc version. + // It ignores failures. 
+ func printGlibcVersion(w io.Writer) { +- tempdir := os.TempDir() +- if tempdir == "" { ++ tempdir, err := os.MkdirTemp("", "") ++ if err != nil { + return + } + src := []byte(`int main() {}`) + srcfile := filepath.Join(tempdir, "go-bug.c") + outfile := filepath.Join(tempdir, "go-bug") +- err := os.WriteFile(srcfile, src, 0644) ++ err = os.WriteFile(srcfile, src, 0644) + if err != nil { + return + } +-- +2.43.0 +
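Review bot: nothing in this hunk removes the directory that os.MkdirTemp now creates, so every `go bug` run leaves a fresh directory behind under the temp root unless a cleanup sits in context lines not shown; add `defer os.RemoveAll(tempdir)` right after the `if err != nil { return }`. The old code wrote straight into os.TempDir(), so whatever cleanup the function already has can only be removing the two files, not a directory. The substance of the change is right: a fixed go-bug.c/go-bug name in a shared /tmp can be pre-created or symlinked by another local user, while MkdirTemp returns a private 0700 directory with an unpredictable name, and the `err :=` to `err =` switch below is the necessary consequence of declaring err earlier.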

From: tgaige.opensource@witekio.com
To: openembedded-core@lists.openembedded.org
Cc: hsimeliere.opensource@witekio.com, "Theo Gaige (Schneider Electric)" <tgaige.opensource@witekio.com>, Bruno Vernay <bruno.vernay@se.com>
Subject: [scarthgap][PATCH 08/14] go: patch CVE-2026-39820
Date: Thu, 21 May 2026 12:09:41 +0200
Message-ID: <20260521100949.1299757-8-tgaige.opensource@witekio.com>
In-Reply-To: <20260521100949.1299757-1-tgaige.opensource@witekio.com>
References: <20260521100949.1299757-1-tgaige.opensource@witekio.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/237487

From: "Theo Gaige (Schneider Electric)" <tgaige.opensource@witekio.com>

Backport patch from [1] mentioned in [2]

[1] https://go.dev/cl/759940
[2] https://security-tracker.debian.org/tracker/CVE-2026-39820

Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Reviewed-by: Bruno Vernay <bruno.vernay@se.com>
--- meta/recipes-devtools/go/go-1.22.12.inc | 1 + .../go/go/CVE-2026-39820.patch | 112 ++++++++++++++++++ 2 files changed, 113 insertions(+) create mode 100644 meta/recipes-devtools/go/go/CVE-2026-39820.patch diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc index dba826011b..002d443059 100644 --- a/meta/recipes-devtools/go/go-1.22.12.inc +++ b/meta/recipes-devtools/go/go-1.22.12.inc @@ -48,6 +48,7 @@ SRC_URI += "\ file://CVE-2026-33811.patch \ file://CVE-2026-39817.patch \ file://CVE-2026-39819.patch \ + file://CVE-2026-39820.patch \ " SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71" diff --git a/meta/recipes-devtools/go/go/CVE-2026-39820.patch b/meta/recipes-devtools/go/go/CVE-2026-39820.patch new file mode 100644 index 0000000000..c5f84282a9 --- /dev/null +++ b/meta/recipes-devtools/go/go/CVE-2026-39820.patch
@@ -0,0 +1,112 @@ +From e459f8fe1061679f866c599210466db386348f08 Mon Sep 17 00:00:00 2001 +From: mohammadmseet-hue <mohammadmseet@gmail.com> +Date: Sat, 4 Apr 2026 05:17:25 +0000 +Subject: [PATCH] net/mail: fix quadratic complexity in consumeComment + +consumeComment builds the comment string by repeated string +concatenation inside a loop. Each concatenation copies the +entire string built so far, making the function O(n^2) in the +depth of nested comments. + +Replace the concatenation with a strings.Builder, which +amortizes allocation by doubling its internal buffer. This +reduces consumeComment from O(n^2) to O(n). + +This is the same bug class as the consumeDomainLiteral fix +in CVE-2025-61725. + +Benchmark results (benchstat, 8 runs): + + name old time/op new time/op delta + ConsumeComment/depth10 2.481us 1.838us -25.92% + ConsumeComment/depth100 86.58us 6.498us -92.50% + ConsumeComment/depth1000 7.963ms 52.82us -99.34% + ConsumeComment/depth10000 897.8ms 521.3us -99.94% + +The quadratic cost becomes visible at depth 100 and dominant +by depth 1000. At depth 10000, the fix is roughly 1700x +faster. 
+ +Change-Id: I3c927f02646fcab7bab167cb82fd46d3327d6d34 +GitHub-Last-Rev: 7742dad716ee371766543f88e82bd163bd9d7ac2 +GitHub-Pull-Request: golang/go#78393 +Reviewed-on: https://go-review.googlesource.com/c/go/+/759940 +Reviewed-by: Sean Liao <sean@liao.dev> +LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> +Auto-Submit: Sean Liao <sean@liao.dev> +Reviewed-by: David Chase <drchase@google.com> +Reviewed-by: Junyang Shao <shaojunyang@google.com> + +CVE: CVE-2026-39820 +Upstream-Status: Backport [https://github.com/golang/go/commit/0d0799f055dcc9b3b41df74bee3fbe398ae2f0e7] +Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com> +--- + src/net/mail/message.go | 6 +++--- + src/net/mail/message_test.go | 19 +++++++++++++++++++ + 2 files changed, 22 insertions(+), 3 deletions(-) + +diff --git a/src/net/mail/message.go b/src/net/mail/message.go +index fc2a9e46f8..37d7ff5df1 100644 +--- a/src/net/mail/message.go ++++ b/src/net/mail/message.go +@@ -780,7 +780,7 @@ func (p *addrParser) consumeComment() (string, bool) { + // '(' already consumed. 
+ depth := 1 + +- var comment string ++ var comment strings.Builder + for { + if p.empty() || depth == 0 { + break +@@ -794,12 +794,12 @@ func (p *addrParser) consumeComment() (string, bool) { + depth-- + } + if depth > 0 { +- comment += p.s[:1] ++ comment.WriteByte(p.s[0]) + } + p.s = p.s[1:] + } + +- return comment, depth == 0 ++ return comment.String(), depth == 0 + } + + func (p *addrParser) decodeRFC2047Word(s string) (word string, isEncoded bool, err error) { +diff --git a/src/net/mail/message_test.go b/src/net/mail/message_test.go +index 1f2f62afbf..1b165317f9 100644 +--- a/src/net/mail/message_test.go ++++ b/src/net/mail/message_test.go +@@ -6,6 +6,7 @@ package mail + + import ( + "bytes" ++ "fmt" + "io" + "mime" + "reflect" +@@ -1217,3 +1218,21 @@ func TestEmptyAddress(t *testing.T) { + t.Errorf(`ParseAddressList("") = %v, %v, want nil, error`, list, err) + } + } ++ ++func BenchmarkConsumeComment(b *testing.B) { ++ for _, n := range []int{10, 100, 1000, 10000} { ++ b.Run(fmt.Sprintf("depth-%d", n), func(b *testing.B) { ++ // Build a deeply nested comment: (((...a...))) ++ open := strings.Repeat("(", n) ++ close := strings.Repeat(")", n) ++ // consumeComment expects the leading '(' already consumed, ++ // so we start with one fewer opening paren and the parser ++ // will handle nesting from there. 
++ input := open[:n-1] + "a" + close ++ for b.Loop() { ++ p := addrParser{s: input} ++ p.consumeComment() ++ } ++ }) ++ } ++} +-- +2.43.0 +
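Review bot: the message.go hunk is correct, but the framing in the commit message is off: `comment += p.s[:1]` executes once per byte inside the comment whenever depth > 0, so the old cost was quadratic in the comment's length, not in its nesting depth; a flat `(aaaa...a)` of the same size was just as slow, and nesting is merely one way to build a long comment. Worth stating that way, since the benchmark only varies depth. One build check: the hunk relies on strings.Builder without touching the import block (the diffstat shows 3 insertions, 3 deletions), so message.go in the 1.22 tree must already import strings; it does, but it is the one thing that would break the recipe's do_compile.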
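Review bot: `for b.Loop()` in the message_test.go hunk will not compile on the toolchain this series targets: testing.B.Loop was added in Go 1.24, and the recipe is go-1.22.12. bitbake will still succeed because building the toolchain does not compile the standard library tests, but `go test net/mail` with the resulting toolchain fails with an undefined method. For the scarthgap backport, replace it with the classic form, `for i := 0; i < b.N; i++ {`. Minor: `close` shadows the builtin; a name like `closing` avoids that.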
From: tgaige.opensource@witekio.com
To: openembedded-core@lists.openembedded.org
Cc: hsimeliere.opensource@witekio.com, "Theo Gaige (Schneider Electric)" <tgaige.opensource@witekio.com>, Bruno Vernay <bruno.vernay@se.com>
Subject: [scarthgap][PATCH 09/14] go: patch CVE-2026-39825
Date: Thu, 21 May 2026 12:09:42 +0200
Message-ID: <20260521100949.1299757-9-tgaige.opensource@witekio.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20260521100949.1299757-1-tgaige.opensource@witekio.com>
References: <20260521100949.1299757-1-tgaige.opensource@witekio.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/237489
From: "Theo Gaige (Schneider Electric)" <tgaige.opensource@witekio.com> Backport patch from [1] [1] https://go.dev/cl/770541 Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com> Reviewed-by: Bruno Vernay <bruno.vernay@se.com> --- meta/recipes-devtools/go/go-1.22.12.inc | 1 + .../go/go/CVE-2026-39825.patch | 104 ++++++++++++++++++ 2 files changed, 105 insertions(+) create mode 100644 meta/recipes-devtools/go/go/CVE-2026-39825.patch diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc index 002d443059..952c0e4638 100644 --- a/meta/recipes-devtools/go/go-1.22.12.inc +++ b/meta/recipes-devtools/go/go-1.22.12.inc @@ -49,6 +49,7 @@ SRC_URI += "\ file://CVE-2026-39817.patch \ file://CVE-2026-39819.patch \ file://CVE-2026-39820.patch \ + file://CVE-2026-39825.patch \ " SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71" diff --git a/meta/recipes-devtools/go/go/CVE-2026-39825.patch b/meta/recipes-devtools/go/go/CVE-2026-39825.patch new file mode 100644 index 0000000000..6082f5fc37 --- /dev/null +++ b/meta/recipes-devtools/go/go/CVE-2026-39825.patch
@@ -0,0 +1,104 @@ +From 96b1a3f872971fc38d9f2c0ed4a3d1f3ceeb517f Mon Sep 17 00:00:00 2001 +From: Damien Neil <dneil@google.com> +Date: Fri, 24 Apr 2026 14:10:47 -0700 +Subject: [PATCH] net/http/httputil: reencode queries with many parameters in + proxy + +When ReverseProxy forwards a request containing more than +urlmaxqueryparams (GODEBUG) query parameters, reencode the +outbound query parameters. + +Avoids potential smuggling of query parameters, where the +sender sends many query parameters, the user's Rewrite hook +fails to observe those parameters due to the limit being +exceeded, and the request is forwarded with the full set +of parameters. + +Fixes #78948 +Fixes CVE-2026-39825 + +Change-Id: I691be7899c4b6208bf61f6b78dacfdf56a6a6964 +Reviewed-on: https://go-review.googlesource.com/c/go/+/770541 +Reviewed-by: Nicholas Husin <nsh@golang.org> +Reviewed-by: Nicholas Husin <husin@google.com> +Auto-Submit: Damien Neil <dneil@google.com> +LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> + +CVE: CVE-2026-39825 +Upstream-Status: Backport [https://github.com/golang/go/commit/6795bb331782b33691f772d30c810b4c3a317aeb] +Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com> +--- + src/net/http/httputil/reverseproxy.go | 14 ++++++++++++++ + src/net/http/httputil/reverseproxy_test.go | 6 ++++++ + src/net/url/url.go | 1 + + 3 files changed, 21 insertions(+) + +diff --git a/src/net/http/httputil/reverseproxy.go b/src/net/http/httputil/reverseproxy.go +index 5c70f0d27b..37b0eab6b0 100644 +--- a/src/net/http/httputil/reverseproxy.go ++++ b/src/net/http/httputil/reverseproxy.go +@@ -10,6 +10,7 @@ import ( + "context" + "errors" + "fmt" ++ "internal/godebug" + "io" + "log" + "mime" +@@ -797,11 +798,24 @@ func (c switchProtocolCopier) copyToBackend(errc chan<- error) { + errc <- err + } + ++var urlmaxqueryparams = godebug.New("urlmaxqueryparams") ++ ++// Keep this 
in sync with net/url. ++const defaultMaxParams = 10000 ++ + func cleanQueryParams(s string) string { + reencode := func(s string) string { + v, _ := url.ParseQuery(s) + return v.Encode() + } ++ if urlmaxqueryparams.Value() != "" { ++ // Always reencode when a non-default urlmaxqueryparams is set. ++ return reencode(s) ++ } ++ if numParams := strings.Count(s, "&") + 1; numParams > defaultMaxParams { ++ // Too many query parameters. ++ return reencode(s) ++ } + for i := 0; i < len(s); { + switch s[i] { + case ';': +diff --git a/src/net/http/httputil/reverseproxy_test.go b/src/net/http/httputil/reverseproxy_test.go +index dd3330b615..deb1ab9ce2 100644 +--- a/src/net/http/httputil/reverseproxy_test.go ++++ b/src/net/http/httputil/reverseproxy_test.go +@@ -1845,6 +1845,12 @@ func testReverseProxyQueryParameterSmuggling(t *testing.T, wantCleanQuery bool, + }, { + rawQuery: "a=1&a=%zz&b=3", + cleanQuery: "a=1&b=3", ++ }, { ++ rawQuery: "a=%zz", ++ cleanQuery: "", ++ }, { ++ rawQuery: strings.Repeat("a=1&", 10000) + "a=1", ++ cleanQuery: "", + }} { + res, err := frontend.Client().Get(frontend.URL + "?" + test.rawQuery) + if err != nil { +diff --git a/src/net/url/url.go b/src/net/url/url.go +index 5219e3c130..41f3bef1ee 100644 +--- a/src/net/url/url.go ++++ b/src/net/url/url.go +@@ -961,6 +961,7 @@ func ParseQuery(query string) (Values, error) { + + var urlmaxqueryparams = godebug.New("urlmaxqueryparams") + ++// Keep this in sync with net/http/httputil. 
+ const defaultMaxParams = 10000 + + func urlParamsWithinMax(params int) bool { +-- +2.43.0 +
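Review bot: in the cleanQueryParams hunk the over-limit path goes through `reencode`, whose `v, _ := url.ParseQuery(s)` discards the error, so a request with more than defaultMaxParams parameters is forwarded with an empty query rather than rejected; the test hunk (`strings.Repeat("a=1&", 10000) + "a=1"` → `cleanQuery: ""`) shows that is intended, but the hunk should say so next to `// Too many query parameters.`, and the ReverseProxy doc should mention it, because the backend gets no signal that the query was dropped. Two smaller points: `strings.Count(s, "&") + 1` counts only `&`-separated pairs, so a `;`-separated query is not counted here and is only safe because the existing `case ';':` branch below (its body is outside the hunk) reencodes, as upstream's does, which deserves a one-line comment tying the two together; and the duplicated defaultMaxParams is unavoidable while net/url's copy is unexported, so the paired "Keep this in sync" comments are the right mitigation.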
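Review bot: the new 10001-parameter case in the reverseproxy_test.go hunk pins the over-limit path but nothing pins the boundary; add a case with exactly defaultMaxParams parameters, `strings.Repeat("a=1&", 9999) + "a=1"`, expecting the query to pass through unchanged when cleaning is enabled, so that an off-by-one in `strings.Count(s, "&") + 1 > defaultMaxParams` is caught. The `a=%zz` → `""` case is a useful companion to the existing `a=1&a=%zz&b=3` → `a=1&b=3` one, since it documents that a lone malformed pair leaves the backend with no query at all.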
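Review bot: the url.go hunk only adds a comment, but its context lines (`var urlmaxqueryparams = godebug.New("urlmaxqueryparams")`, `const defaultMaxParams = 10000`, `func urlParamsWithinMax`) are not in stock Go 1.22.12; they come from one of the earlier CVE patches this recipe already carries (the file:// entries listed above the new one in go-1.22.12.inc), so this patch applies only after those. State that dependency in the backport commit message, since whoever later drops or reorders an earlier patch will otherwise get an unexplained hunk failure here.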
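The smuggling condition the commit message above describes (a Rewrite hook that sees fewer parameters than the backend receives), modelled end to end as an added example; this is not code from the Go change or from this series. It assumes a small limit of 10 in place of the real default of 10000, and a hypothetical parseQueryBounded that imitates the limited parser (over the limit: an error and no values); forwardQueryUnpatched and forwardQueryPatched are illustrative names for the pre- and post-fix behaviour of cleanQueryParams, and attackQuery is a constructed request.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// ErrTooManyParams stands in for the error the limited parser returns once
// the parameter limit is exceeded (modelled here, not taken from net/url,
// so the example runs on any Go version).
var ErrTooManyParams = errors.New("too many query parameters")

// countParams counts parameters the same way the cleanQueryParams hunk does:
// one more than the number of '&' separators.
func countParams(raw string) int {
	return strings.Count(raw, "&") + 1
}

// parseQueryBounded models the limited parser: over the limit it yields an
// empty Values and an error, otherwise it defers to url.ParseQuery.
func parseQueryBounded(raw string, max int) (url.Values, error) {
	if countParams(raw) > max {
		return url.Values{}, ErrTooManyParams
	}
	return url.ParseQuery(raw)
}

// rewriteHookView is what a ReverseProxy Rewrite hook sees when it inspects
// the incoming query through the limited parser (URL.Query drops the error).
func rewriteHookView(raw string, max int) url.Values {
	v, _ := parseQueryBounded(raw, max)
	return v
}

// forwardQueryUnpatched models the pre-fix proxy: the raw query goes to the
// backend untouched, whatever the hook managed to see.
func forwardQueryUnpatched(raw string) string {
	return raw
}

// forwardQueryPatched models the fix: over the limit, the outbound query is
// rebuilt from the bounded parse, so the backend receives exactly the set
// of parameters the hook could observe (here, none).
func forwardQueryPatched(raw string, max int) string {
	if countParams(raw) > max {
		v, _ := parseQueryBounded(raw, max)
		return v.Encode()
	}
	return raw
}

// smuggled reports whether key reaches the backend without the hook having
// seen it. The invariant the patch restores is that this is always false.
func smuggled(hookView url.Values, forwarded, key string) bool {
	backend, _ := url.ParseQuery(forwarded)
	_, hookSaw := hookView[key]
	_, backendGot := backend[key]
	return backendGot && !hookSaw
}

// attackQuery is a constructed request: n filler pairs, then the parameter
// the hook is supposed to strip before forwarding.
func attackQuery(n int) string {
	var b strings.Builder
	for i := 0; i < n; i++ {
		b.WriteString("pad=1&")
	}
	b.WriteString("role=admin")
	return b.String()
}

func main() {
	const limit = 10        // small stand-in for the real default of 10000
	q := attackQuery(limit) // limit+1 parameters, so the hook sees nothing
	hook := rewriteHookView(q, limit)
	fmt.Printf("hook sees %d parameters\n", len(hook))
	fmt.Println("unpatched, role smuggled:", smuggled(hook, forwardQueryUnpatched(q), "role"))
	fmt.Println("patched, role smuggled:  ", smuggled(hook, forwardQueryPatched(q, limit), "role"))
}
```

The point the model makes explicit is that the fix does not try to make the hook see more; it makes the backend see no more than the hook did, by forwarding the reencoded (and therefore empty) query whenever the count exceeds the limit.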
From: tgaige.opensource@witekio.com
To: openembedded-core@lists.openembedded.org
Cc: hsimeliere.opensource@witekio.com, "Theo Gaige (Schneider Electric)" <tgaige.opensource@witekio.com>, Bruno Vernay <bruno.vernay@se.com>
Subject: [scarthgap][PATCH 10/14] go: patch CVE-2026-39826
Date: Thu, 21 May 2026 12:09:43 +0200
Message-ID: <20260521100949.1299757-10-tgaige.opensource@witekio.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20260521100949.1299757-1-tgaige.opensource@witekio.com>
References: <20260521100949.1299757-1-tgaige.opensource@witekio.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/237492
From: "Theo Gaige (Schneider Electric)" <tgaige.opensource@witekio.com> Backport patch from [1] [1] https://go.dev/cl/771180 Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com> Reviewed-by: Bruno Vernay <bruno.vernay@se.com> --- meta/recipes-devtools/go/go-1.22.12.inc | 1 + .../go/go/CVE-2026-39826.patch | 65 +++++++++++++++++++ 2 files changed, 66 insertions(+) create mode 100644 meta/recipes-devtools/go/go/CVE-2026-39826.patch diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc index 952c0e4638..77e6bcd59d 100644 --- a/meta/recipes-devtools/go/go-1.22.12.inc +++ b/meta/recipes-devtools/go/go-1.22.12.inc @@ -50,6 +50,7 @@ SRC_URI += "\ file://CVE-2026-39819.patch \ file://CVE-2026-39820.patch \ file://CVE-2026-39825.patch \ + file://CVE-2026-39826.patch \ " SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71"
diff --git a/meta/recipes-devtools/go/go/CVE-2026-39826.patch b/meta/recipes-devtools/go/go/CVE-2026-39826.patch new file mode 100644 index 0000000000..d9fa751adc --- /dev/null +++ b/meta/recipes-devtools/go/go/CVE-2026-39826.patch 
@@ -0,0 +1,65 @@ +From 0d41a827f4d691be89c0285cd136cc45640341d4 Mon Sep 17 00:00:00 2001 +From: Neal Patel <nealpatel@google.com> +Date: Mon, 27 Apr 2026 17:34:58 -0400 +Subject: [PATCH] html/template: fix escaper bypass by treating empty script + type as JavaScript + +Thank you to Mundur (https://github.com/M0nd0R) for reporting this issue. + +Fixes #78981 +Fixes CVE-2026-39826 + +Change-Id: I3f2e06496020ece655d156fb099ff556af8cc836 +Reviewed-on: https://go-review.googlesource.com/c/go/+/771180 +Reviewed-by: Roland Shoemaker <roland@golang.org> +LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> + +CVE: CVE-2026-39826 +Upstream-Status: Backport [https://github.com/golang/go/commit/a63b23ffb2eebc9ca3a14c369b615ca623bb20f7] +Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com> +--- + src/html/template/escape_test.go | 15 +++++++++++++++ + src/html/template/js.go | 1 + + 2 files changed, 16 insertions(+) + +diff --git a/src/html/template/escape_test.go b/src/html/template/escape_test.go +index 435c83378f..ce06440738 100644 +--- a/src/html/template/escape_test.go ++++ b/src/html/template/escape_test.go +@@ -231,6 +231,21 @@ func TestEscape(t *testing.T) { + "<script>alert({{.A}})</script>", + `<script>alert(["\u003ca\u003e","\u003cb\u003e"])</script>`, + }, ++ { ++ "scriptTypeSpace", ++ "<script type=\" \">{{.H}}</script>", ++ "<script type=\" \">\"\\u003cHello\\u003e\"</script>", ++ }, ++ { ++ "scriptTypeTab", ++ "<script type=\"\t\">{{.H}}</script>", ++ "<script type=\"\t\">\"\\u003cHello\\u003e\"</script>", ++ }, ++ { ++ "scriptTypeEmpty", ++ "<script type=\"\">{{.H}}</script>", ++ "<script type=\"\">\"\\u003cHello\\u003e\"</script>", ++ }, + { + "jsObjValueNotOverEscaped", + "<button onclick='alert({{.A | html}})'>", +diff --git a/src/html/template/js.go b/src/html/template/js.go +index d911ada26d..90cf2dc982 100644 +--- a/src/html/template/js.go 
++++ b/src/html/template/js.go +@@ -459,6 +459,7 @@ func isJSType(mimeType string) bool { + mimeType = strings.TrimSpace(mimeType) + switch mimeType { + case ++ "", + "application/ecmascript", + "application/javascript", + "application/json", +-- +2.43.0 +
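Review bot: the three new cases in the escape_test.go hunk (empty, space, tab) all land on the same path after TrimSpace, so they pin the fix but not its boundary; add a negative case beside them with a non-JavaScript type, e.g. `<script type="text/template">{{.H}}</script>`, asserting the value is not JS-string-escaped there, so a later change cannot widen isJSType without a test noticing.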
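Review bot: adding `""` to the switch in the js.go hunk is the right fix: per the HTML spec a script element whose type attribute is empty after stripping whitespace is a classic JavaScript script, and before this change the escaper treated such an element as non-script content, so a value placed there was HTML-escaped only while the browser executed it as code (the bypass named in the subject line). The space and tab cases in the test hunk pass only because the `mimeType = strings.TrimSpace(mimeType)` context line runs before the switch; a short comment on the `""` case (e.g. // empty after TrimSpace: classic script per the HTML spec) would make that ordering dependency explicit.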
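Two checks a practitioner would want once this patch lands, written here as an added example rather than code from the Go change or from this series: a source scan for the template shape the CVE concerns (a `<script>` tag whose type attribute is present but empty or whitespace-only), and a probe that renders a canary through the running toolchain's html/template to report whether the fix is present. The regular expression, the template names in sampleTemplates and the canary value are constructed for the example.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	"regexp"
	"sort"
)

// emptyScriptType matches a <script ...> start tag whose type attribute is
// present but empty or whitespace-only: quoted with " or ', or unquoted and
// directly followed by '>'. Browsers run such a script as classic
// JavaScript, which is the case the CVE-2026-39826 fix adds to isJSType.
// Attribute names must be preceded by whitespace, so data-type="" is not hit.
var emptyScriptType = regexp.MustCompile(
	`(?i)<script(?:\s[^>]*?)?\stype\s*=\s*(?:"\s*"|'\s*'|>)`)

// findEmptyScriptType returns every offending start tag prefix in src.
func findEmptyScriptType(src string) []string {
	return emptyScriptType.FindAllString(src, -1)
}

// sampleTemplates is constructed input standing in for a project's template
// directory. login.html and legacy.html would be executed as JavaScript by
// the browser but, before the fix, only HTML-escaped by html/template.
var sampleTemplates = map[string]string{
	"layout.html": `<script src="/static/app.js"></script><script>{{.Init}}</script>`,
	"login.html":  `<script type="">var next = {{.Next}};</script>`,
	"legacy.html": "<SCRIPT TYPE='\t'>{{.Cfg}}</SCRIPT>",
	"widget.html": `<script type="text/template"><p>{{.Body}}</p></script>`,
}

// auditTemplates returns the names of the templates containing at least one
// script tag with an empty type attribute, sorted for stable output.
func auditTemplates(sources map[string]string) []string {
	var hits []string
	for name, src := range sources {
		if len(findEmptyScriptType(src)) > 0 {
			hits = append(hits, name)
		}
	}
	sort.Strings(hits)
	return hits
}

// canary is chosen so that the two possible renderings are unambiguous.
const canary = "<Hello>"

// probeEmptyScriptType renders {{.}} inside <script type=""> with the
// html/template of the running toolchain. It returns true when the empty
// type is treated as JavaScript (the value becomes a JS string literal, the
// fixed behaviour) and false when it is treated as HTML text (pre-fix: only
// HTML escaping, so a value such as alert(1) would be emitted verbatim
// inside a tag the browser executes). Any other rendering is an error.
func probeEmptyScriptType() (bool, error) {
	t, err := template.New("probe").Parse(`<script type="">{{.}}</script>`)
	if err != nil {
		return false, err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, canary); err != nil {
		return false, err
	}
	switch out := buf.String(); out {
	case `<script type="">"\u003cHello\u003e"</script>`:
		return true, nil
	case `<script type="">&lt;Hello&gt;</script>`:
		return false, nil
	default:
		return false, fmt.Errorf("unexpected rendering %q", out)
	}
}

func main() {
	fmt.Println("templates with an empty script type:", auditTemplates(sampleTemplates))
	fixed, err := probeEmptyScriptType()
	if err != nil {
		fmt.Println("probe failed:", err)
		return
	}
	fmt.Println("toolchain treats empty script type as JavaScript:", fixed)
}
```

The scan is the part to wire into CI for a fleet that cannot move to a fixed toolchain at once; the probe is the part to run on the built go-1.22.12 to confirm the backport actually changed the escaper.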
From: tgaige.opensource@witekio.com
To: openembedded-core@lists.openembedded.org
Cc: hsimeliere.opensource@witekio.com, "Theo Gaige (Schneider Electric)" <tgaige.opensource@witekio.com>, Bruno Vernay <bruno.vernay@se.com>
Subject: [scarthgap][PATCH 11/14] go: patch CVE-2026-42499
Date: Thu, 21 May 2026 12:09:44 +0200
Message-ID: <20260521100949.1299757-11-tgaige.opensource@witekio.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20260521100949.1299757-1-tgaige.opensource@witekio.com>
References: <20260521100949.1299757-1-tgaige.opensource@witekio.com>
aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for <openembedded-core@lists.openembedded.org>; Thu, 21 May 2026 10:10:38 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/237495 From: "Theo Gaige (Schneider Electric)" <tgaige.opensource@witekio.com> Backport patch from [1] [1] https://go.dev/cl/771520 Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com> Reviewed-by: Bruno Vernay <bruno.vernay@se.com> --- meta/recipes-devtools/go/go-1.22.12.inc | 1 + .../go/go/CVE-2026-42499.patch | 91 +++++++++++++++++++ 2 files changed, 92 insertions(+) create mode 100644 meta/recipes-devtools/go/go/CVE-2026-42499.patch diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc index 77e6bcd59d..85f75f0d89 100644 --- a/meta/recipes-devtools/go/go-1.22.12.inc +++ b/meta/recipes-devtools/go/go-1.22.12.inc @@ -51,6 +51,7 @@ SRC_URI += "\ file://CVE-2026-39820.patch \ file://CVE-2026-39825.patch \ file://CVE-2026-39826.patch \ + file://CVE-2026-42499.patch \ " SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71" diff --git a/meta/recipes-devtools/go/go/CVE-2026-42499.patch b/meta/recipes-devtools/go/go/CVE-2026-42499.patch new file mode 100644 index 0000000000..d4ac9b3823 --- /dev/null +++ b/meta/recipes-devtools/go/go/CVE-2026-42499.patch 
@@ -0,0 +1,91 @@ +From dd339e72189d59f249786afd4021b9fb391f3562 Mon Sep 17 00:00:00 2001 +From: Neal Patel <nealpatel@google.com> +Date: Tue, 28 Apr 2026 12:10:24 -0400 +Subject: [PATCH] net/mail: fix quadratic consumePhrase behavior + +Updates #78987 +Fixes CVE-2026-42499 + +Change-Id: I8438e5dee7e6433573d4161baf8fb2151e7fbc2f +Reviewed-on: https://go-review.googlesource.com/c/go/+/771520 +Reviewed-by: Nicholas Husin <husin@google.com> +Reviewed-by: Nicholas Husin <nsh@golang.org> +LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> + +CVE: CVE-2026-42499 +Upstream-Status: Backport [https://github.com/golang/go/commit/2c59389fcc5194aeae742fb413e55b656c22343f] +Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com> +--- + src/net/mail/message.go | 23 +++++++++++++++++------ + src/net/mail/message_test.go | 11 +++++++++++ + 2 files changed, 28 insertions(+), 6 deletions(-) + +diff --git a/src/net/mail/message.go b/src/net/mail/message.go +index 37d7ff5df1..f57742068e 100644 +--- a/src/net/mail/message.go ++++ b/src/net/mail/message.go +@@ -567,8 +567,10 @@ func (p *addrParser) consumeAddrSpec() (spec string, err error) { + func (p *addrParser) consumePhrase() (phrase string, err error) { + debug.Printf("consumePhrase: [%s]", p.s) + // phrase = 1*word +- var words []string +- var isPrevEncoded bool ++ var ( ++ words []string ++ sb strings.Builder ++ ) + for { + // obs-phrase allows CFWS after one word + if len(words) > 0 { +@@ -600,13 +602,22 @@ func (p *addrParser) consumePhrase() (phrase string, err error) { + break + } + debug.Printf("consumePhrase: consumed %q", word) +- if isPrevEncoded && isEncoded { +- words[len(words)-1] += word +- } else { ++ switch { ++ case isEncoded: ++ sb.WriteString(word) ++ case !isEncoded && sb.Len() > 0: ++ words = append(words, sb.String()) ++ sb.Reset() ++ words = append(words, word) ++ default: + words = append(words, 
word) + } +- isPrevEncoded = isEncoded + } ++ ++ if sb.Len() > 0 { ++ words = append(words, sb.String()) ++ } ++ + // Ignore any error if we got at least one word. + if err != nil && len(words) == 0 { + debug.Printf("consumePhrase: hit err: %v", err) +diff --git a/src/net/mail/message_test.go b/src/net/mail/message_test.go +index 1b165317f9..27837a9cbd 100644 +--- a/src/net/mail/message_test.go ++++ b/src/net/mail/message_test.go +@@ -1219,6 +1219,17 @@ func TestEmptyAddress(t *testing.T) { + } + } + ++func BenchmarkConsumePhrase(b *testing.B) { ++ for _, n := range []int{10, 100, 1000, 10000} { ++ b.Run(fmt.Sprintf("words-%d", n), func(b *testing.B) { ++ input := strings.Repeat("=?utf-8?q?hello?= ", n) + "<user@example.com>" ++ for b.Loop() { ++ (&addrParser{s: input}).consumePhrase() ++ } ++ }) ++ } ++} ++ + func BenchmarkConsumeComment(b *testing.B) { + for _, n := range []int{10, 100, 1000, 10000} { + b.Run(fmt.Sprintf("depth-%d", n), func(b *testing.B) { +-- +2.43.0 + From patchwork Thu May 21 10:09:45 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: tgaige.opensource@witekio.com X-Patchwork-Id: 88574 X-Patchwork-Delegate: jeremy.rosen@smile.fr Return-Path: <tgaige.opensource@witekio.com> X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8C729CD5BB0 for <webhook@archiver.kernel.org>; Thu, 21 May 2026 10:10:38 +0000 (UTC) Received: from mx-relay25-hz12-if1.hornetsecurity.com (mx-relay25-hz12-if1.hornetsecurity.com [94.100.139.225]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.33072.1779358233704116491 for <openembedded-core@lists.openembedded.org>; Thu, 21 May 2026 03:10:34 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@witekio.com header.s=selector1 header.b=MuHCWIso; 
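Review bot: the CFWS-skip condition at the top of the consumePhrase loop, `if len(words) > 0 {`, is left unchanged by the message.go hunks, but encoded words now accumulate in `sb` and are only appended to `words` when a plain word or the end of input flushes them, so while the phrase so far consists solely of encoded-words that check is false where it used to be true after the first word. If the obs-phrase CFWS handling is still meant to apply there, the condition needs to become `if len(words) > 0 || sb.Len() > 0 {`; if the change is intentional, a comment saying so would help. Also, the `!isEncoded &&` in `case !isEncoded && sb.Len() > 0:` is redundant, since the preceding `case isEncoded:` already took that branch.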
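Review bot: the benchmark hunk in message_test.go uses `for b.Loop() {`, but `testing.B.Loop` only exists from Go 1.24 onward and this recipe is go-1.22.12.inc, so the 1.22 test file will not compile and `go test net/mail` fails in this tree. For the backport, rewrite the loop in the pre-1.24 form `for i := 0; i < b.N; i++ {`; the `fmt.Sprintf` call is fine, the BenchmarkConsumeComment context right below already uses it.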
From: tgaige.opensource@witekio.com
To: openembedded-core@lists.openembedded.org
Cc: hsimeliere.opensource@witekio.com, "Theo Gaige (Schneider Electric)" <tgaige.opensource@witekio.com>, Bruno Vernay <bruno.vernay@se.com>
Subject: [scarthgap][PATCH 12/14] go: patch CVE-2026-42501
Date: Thu, 21 May 2026 12:09:45 +0200
Message-ID: <20260521100949.1299757-12-tgaige.opensource@witekio.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20260521100949.1299757-1-tgaige.opensource@witekio.com>
References: <20260521100949.1299757-1-tgaige.opensource@witekio.com>
MIME-Version: 1.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/237494 From: "Theo Gaige (Schneider Electric)" <tgaige.opensource@witekio.com> Backport patch from [1] [1] https://go.dev/cl/775321
Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com> Reviewed-by: Bruno Vernay <bruno.vernay@se.com> --- meta/recipes-devtools/go/go-1.22.12.inc | 1 + .../go/go/CVE-2026-42501.patch | 127 ++++++++++++++++++ 2 files changed, 128 insertions(+) create mode 100644 meta/recipes-devtools/go/go/CVE-2026-42501.patch diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc index 85f75f0d89..03a1a81fc3 100644 --- a/meta/recipes-devtools/go/go-1.22.12.inc +++ b/meta/recipes-devtools/go/go-1.22.12.inc @@ -52,6 +52,7 @@ SRC_URI += "\ file://CVE-2026-39825.patch \ file://CVE-2026-39826.patch \ file://CVE-2026-42499.patch \ + file://CVE-2026-42501.patch \ " SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71" diff --git a/meta/recipes-devtools/go/go/CVE-2026-42501.patch b/meta/recipes-devtools/go/go/CVE-2026-42501.patch new file mode 100644 index 0000000000..82b2fa02a1 --- /dev/null +++ b/meta/recipes-devtools/go/go/CVE-2026-42501.patch 
@@ -0,0 +1,127 @@ +From 52d8958ce7e102a5ebd3b4748aa03989b5469084 Mon Sep 17 00:00:00 2001 +From: Damien Neil <dneil@google.com> +Date: Thu, 30 Apr 2026 13:10:49 -0700 +Subject: [PATCH] cmd/go: reject sumdb response lacking module hash + +Report an error when a sumdb /lookup/ request does not +include a hash for the requested module, rather than +silently proceeding. + +Previously, we would verify that a returned sum matched +the expected module hash, but did not verify that the +response contained a sum. This permits a malicous +proxy to serve a corrupted module along with a +valid-but-irrelevant sumdb response for some other +module. We now ensure that the sumdb response contains +a valid hash for the module we are validating. + +Thanks to Mundur (https://github.com/M0nd0R) for reporting this issue. + +Fixes CVE-2026-42501 +Fixes #79070 + +Change-Id: I7d9a367deb237aa70cade2434495998f6a6a6964 +Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/4340 +Reviewed-by: Nicholas Husin <husin@google.com> +Reviewed-by: Neal Patel <nealpatel@google.com> +Reviewed-on: https://go-review.googlesource.com/c/go/+/775321 +Reviewed-by: Michael Pratt <mpratt@google.com> +LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> + +CVE: CVE-2026-42501 +Upstream-Status: Backport [https://github.com/golang/go/commit/1a9af07120312d368815712a4dce2dd2070342e5] +Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com> +--- + src/cmd/go/internal/modfetch/fetch.go | 15 ++++++++++++++- + src/cmd/go/proxy_test.go | 17 +++++++++++++++++ + src/cmd/go/testdata/script/mod_sum_absent.txt | 17 +++++++++++++++++ + 3 files changed, 48 insertions(+), 1 deletion(-) + create mode 100644 src/cmd/go/testdata/script/mod_sum_absent.txt + +diff --git a/src/cmd/go/internal/modfetch/fetch.go b/src/cmd/go/internal/modfetch/fetch.go +index eeab6da62a..75769d7c61 100644 +--- 
a/src/cmd/go/internal/modfetch/fetch.go ++++ b/src/cmd/go/internal/modfetch/fetch.go +@@ -740,7 +740,7 @@ func checkSumDB(mod module.Version, h string) error { + return module.VersionError(modWithoutSuffix, fmt.Errorf("verifying %s: checksum mismatch\n\tdownloaded: %v\n\t%s: %v"+sumdbMismatch, noun, h, db, line[len(prefix)-len("h1:"):])) + } + } +- return nil ++ return module.VersionError(modWithoutSuffix, fmt.Errorf("verifying %s: checksum missing from sumdb response"+sumdbAbsent, noun)) + } + + // Sum returns the checksum for the downloaded copy of the given module, +@@ -931,6 +931,19 @@ have intercepted the download attempt. + For more information, see 'go help module-auth'. + ` + ++const sumdbAbsent = ` ++ ++SECURITY ERROR ++This download does NOT match one reported by the checksum server. ++The checksum server has provided checksums, but the checksums do ++not contain an entry for the download. ++The checksum server may be malfunctioning, or an attacker may have ++intercepted the checksum request. ++The download cannot be verified. ++ ++For more information, see 'go help module-auth'. ++` ++ + const hashVersionMismatch = ` + + SECURITY WARNING +diff --git a/src/cmd/go/proxy_test.go b/src/cmd/go/proxy_test.go +index cb3d9f92f1..88e5052b89 100644 +--- a/src/cmd/go/proxy_test.go ++++ b/src/cmd/go/proxy_test.go +@@ -172,6 +172,23 @@ func proxyHandler(w http.ResponseWriter, r *http.Request) { + return + } + ++ // Request for $GOPROXY/sumdb-redirect/module@version:/lookup/... ++ // performs a lookup for module@version rather than the requested module. ++ if strings.HasPrefix(path, "sumdb-redirect/") { ++ redirect, rest, ok := strings.Cut(path[len("sumdb-redirect"):], ":") ++ if !ok { ++ w.WriteHeader(500) ++ return ++ } ++ if strings.HasPrefix(rest, "/lookup/") { ++ r.URL.Path = "/lookup" + redirect ++ } else { ++ r.URL.Path = rest ++ } ++ sumdbServer.ServeHTTP(w, r) ++ return ++ } ++ + // Request for $GOPROXY/redirect/<count>/... goes to redirects. 
+ if strings.HasPrefix(path, "redirect/") { + path = path[len("redirect/"):] +diff --git a/src/cmd/go/testdata/script/mod_sum_absent.txt b/src/cmd/go/testdata/script/mod_sum_absent.txt +new file mode 100644 +index 0000000000..c2dd814542 +--- /dev/null ++++ b/src/cmd/go/testdata/script/mod_sum_absent.txt +@@ -0,0 +1,17 @@ ++# When the sumdb returns a response which does not ++# include a sum for the requested module, ++# we should report an error. ++# Verifies CVE-2026-42501. ++env sumdb=$GOSUMDB ++env proxy=$GOPROXY ++env GOPROXY GONOPROXY GOSUMDB GONOSUMDB ++ ++# /sumdb-redirect/ causes the sumdb to return /lookup/ responses ++# for rsc.io/quote@v1.0.0, not for the requested module. ++env GOSUMDB=$sumdb' '$proxy/sumdb-redirect/rsc.io/quote@v1.0.0: ++ ++! go get rsc.io/fortune@v1.0.0 ++stderr 'SECURITY ERROR' ++! grep rsc.io go.sum ++-- go.mod -- ++module m +-- +2.43.0 + From patchwork Thu May 21 10:09:46 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: tgaige.opensource@witekio.com X-Patchwork-Id: 88576 X-Patchwork-Delegate: jeremy.rosen@smile.fr Return-Path: <tgaige.opensource@witekio.com> X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9A578CD5BB0 for <webhook@archiver.kernel.org>; Thu, 21 May 2026 10:10:48 +0000 (UTC) Received: from mx-relay25-hz12-if1.hornetsecurity.com (mx-relay25-hz12-if1.hornetsecurity.com [94.100.139.225]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.33229.1779358238533228389 for <openembedded-core@lists.openembedded.org>; Thu, 21 May 2026 03:10:38 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@witekio.com header.s=selector1 header.b=ir32K6p4; spf=permerror, err=parse error for token &{10 18 spf.hornetsecurity.com}: limit exceeded (domain: witekio.com, 
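Review bot: the new fall-through error in checkSumDB (the `@@ -740,7 +740,7 @@` hunk) reports only that the checksum is missing; unlike the mismatch branch a few lines above, which prints the downloaded hash and the database name, it drops `h` and `db`, so a user cannot see which hash the client computed or which sumdb answered. Consider something like `fmt.Errorf("verifying %s: checksum missing from sumdb response\n\tdownloaded: %v\n\t%s: no entry"+sumdbAbsent, noun, h, db)` for parity with the existing message.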
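Review bot: in the sumdb-redirect handler added to proxy_test.go, the slice `path[len("sumdb-redirect"):]` deliberately omits the trailing slash so that `redirect` keeps its leading "/" and `"/lookup" + redirect` yields `/lookup/rsc.io/quote@v1.0.0`; sitting right under the `strings.HasPrefix(path, "sumdb-redirect/")` check that is easy to misread as an off-by-one, so a short comment on that line would help. The `!ok` branch also answers 500 with no body; writing the reason would make a malformed test URL easier to debug.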
From: tgaige.opensource@witekio.com
To: openembedded-core@lists.openembedded.org
Cc: hsimeliere.opensource@witekio.com, "Theo Gaige (Schneider Electric)" <tgaige.opensource@witekio.com>, Bruno Vernay <bruno.vernay@se.com>
Subject: [scarthgap][PATCH 13/14] go: patch CVE-2026-42504
Date: Thu, 21 May 2026 12:09:46 +0200
Message-ID: <20260521100949.1299757-13-tgaige.opensource@witekio.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20260521100949.1299757-1-tgaige.opensource@witekio.com>
References: <20260521100949.1299757-1-tgaige.opensource@witekio.com>
MIME-Version: 1.0
aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for <openembedded-core@lists.openembedded.org>; Thu, 21 May 2026 10:10:48 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/237496 From: "Theo Gaige (Schneider Electric)" <tgaige.opensource@witekio.com> Backport patch from [1] [1] https://go.dev/cl/774481 Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com> Reviewed-by: Bruno Vernay <bruno.vernay@se.com> --- meta/recipes-devtools/go/go-1.22.12.inc | 1 + .../go/go/CVE-2026-42504.patch | 58 +++++++++++++++++++ 2 files changed, 59 insertions(+) create mode 100644 meta/recipes-devtools/go/go/CVE-2026-42504.patch diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc index 03a1a81fc3..ba4fe9a734 100644 --- a/meta/recipes-devtools/go/go-1.22.12.inc +++ b/meta/recipes-devtools/go/go-1.22.12.inc @@ -53,6 +53,7 @@ SRC_URI += "\ file://CVE-2026-39826.patch \ file://CVE-2026-42499.patch \ file://CVE-2026-42501.patch \ + file://CVE-2026-42504.patch \ " SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71" diff --git a/meta/recipes-devtools/go/go/CVE-2026-42504.patch b/meta/recipes-devtools/go/go/CVE-2026-42504.patch new file mode 100644 index 0000000000..1ae104ae19 --- /dev/null +++ b/meta/recipes-devtools/go/go/CVE-2026-42504.patch 
@@ -0,0 +1,58 @@ +From 41ca50d68cd74e0a68f3917cd902885c84fedbf7 Mon Sep 17 00:00:00 2001 +From: Damien Neil <dneil@google.com> +Date: Tue, 5 May 2026 15:20:34 -0700 +Subject: [PATCH] mime: avoid quadratic complexity in WordDecoder.DecodeHeader + +When encountering an undecodable encoded-word, +skip over the entire word rather than just the initial "=?". + +Fixes #79217 +Fixes CVE-2026-42504 + +Change-Id: I28605faa235459d2ba71bd0f3ae3dce96a6a6964 +Reviewed-on: https://go-review.googlesource.com/c/go/+/774481 +Reviewed-by: Nicholas Husin <nsh@golang.org> +LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> +Reviewed-by: Nicholas Husin <husin@google.com> + +CVE: CVE-2026-42504 +Upstream-Status: Backport [https://github.com/golang/go/commit/f230dd8a1d0a63d73e92685e378dcd725f7aac00] +Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com> +--- + src/mime/encodedword.go | 4 ++-- + src/mime/encodedword_test.go | 4 ++++ + 2 files changed, 6 insertions(+), 2 deletions(-) + +diff --git a/src/mime/encodedword.go b/src/mime/encodedword.go +index e6b470b1fb..a7059f3bc4 100644 +--- a/src/mime/encodedword.go ++++ b/src/mime/encodedword.go +@@ -275,8 +275,8 @@ func (d *WordDecoder) DecodeHeader(header string) (string, error) { + content, err := decode(encoding, text) + if err != nil { + betweenWords = false +- buf.WriteString(header[:start+2]) +- header = header[start+2:] ++ buf.WriteString(header[:end]) ++ header = header[end:] + continue + } + +diff --git a/src/mime/encodedword_test.go b/src/mime/encodedword_test.go +index 2a98794380..befc3cd996 100644 +--- a/src/mime/encodedword_test.go ++++ b/src/mime/encodedword_test.go +@@ -140,6 +140,10 @@ func TestDecodeHeader(t *testing.T) { + {"=?ISO-8859-1?Q?a?= =?ISO-8859-1?Q?b?=", "ab"}, + {"=?ISO-8859-1?Q?a?= \r\n\t =?ISO-8859-1?Q?b?=", "ab"}, + {"=?ISO-8859-1?Q?a_b?=", "a b"}, ++ // Undecodable words ++ 
{"=?UTF-8?b?garbage?= =?UTF-8?b?QW5kcsOp?= =?UTF-8?b?garbage?=", "=?UTF-8?b?garbage?= AndrĂ© =?UTF-8?b?garbage?="}, ++ {"=?UTF-8?b?QW5kcsOp", "=?UTF-8?b?QW5kcsOp"}, ++ {"=?UTF-8?x?y?=?UTF-8?x?y=?", "=?UTF-8?x?y?=?UTF-8?x?y=?"}, + } + + for _, test := range tests { +-- +2.43.0 + From patchwork Thu May 21 10:09:47 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: tgaige.opensource@witekio.com X-Patchwork-Id: 88577 X-Patchwork-Delegate: jeremy.rosen@smile.fr Return-Path: <tgaige.opensource@witekio.com> X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8CD6FCD5BAC for <webhook@archiver.kernel.org>; Thu, 21 May 2026 10:10:48 +0000 (UTC) Received: from mx-relay151-hz1-if1.hornetsecurity.com (mx-relay151-hz1-if1.hornetsecurity.com [94.100.128.161]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.33231.1779358243993056870 for <openembedded-core@lists.openembedded.org>; Thu, 21 May 2026 03:10:44 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@witekio.com header.s=selector1 header.b=cf2jJ9cA; spf=permerror, err=parse error for token &{10 18 spf.hornetsecurity.com}: limit exceeded (domain: witekio.com, ip: 94.100.128.161, mailfrom: tgaige@witekio.com) Received: from mail-swedencentralazon11023073.outbound.protection.outlook.com ([52.101.83.73]) by mx-gate151-hz1; Thu, 21 May 2026 12:10:41 +0200 ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; 
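Review bot: the encodedword.go hunk swaps the `start+2` skip for `end`, but the visible context (`content, err := decode(encoding, text)` / `if err != nil {` / `betweenWords = false`) does not show where `end` is assigned, so the backport is only correct if the go 1.22.12 DecodeHeader loop already computes `end` as the index just past the closing `?=` of the encoded-word it is trying to decode. Please confirm that against the 1.22.12 source rather than relying on the hunk applying with an offset. Skipping to `end` is what removes the quadratic behaviour: with `start+2`, every undecodable word caused the remainder of the header to be rescanned from just after its leading `=?`, once per bad word.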
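Review bot: in the encodedword_test.go hunk the expected output `=?UTF-8?b?garbage?= AndrĂ© =?UTF-8?b?garbage?=` contains `AndrĂ©`, while the base64 `QW5kcsOp` decodes to the UTF-8 string `André`; `Ă©` is the UTF-8 byte pair of `é` re-read as a single-byte codepage, so either the list archive or the committed patch file has been re-encoded. Check the bytes of that line in `meta/recipes-devtools/go/go/CVE-2026-42504.patch` (for example with `xxd`) and confirm they are `41 6e 64 72 c3 a9`; if the mangled form was committed, the added test case fails as soon as the mime tests are run against the patched tree.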
From: tgaige.opensource@witekio.com
To: openembedded-core@lists.openembedded.org
Cc: hsimeliere.opensource@witekio.com, "Theo Gaige (Schneider Electric)" <tgaige.opensource@witekio.com>
Subject: [scarthgap][PATCH 14/14] go: patch CVE-2026-42507
Date: Thu, 21 May 2026 12:09:47 +0200
Message-ID: <20260521100949.1299757-14-tgaige.opensource@witekio.com>
In-Reply-To: <20260521100949.1299757-1-tgaige.opensource@witekio.com>
References: <20260521100949.1299757-1-tgaige.opensource@witekio.com>
List-Id: <openembedded-core.lists.openembedded.org>
X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by
aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for <openembedded-core@lists.openembedded.org>; Thu, 21 May 2026 10:10:48 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/237497 From: "Theo Gaige (Schneider Electric)" <tgaige.opensource@witekio.com> Backport patch from [1] [1] https://go.dev/cl/777060 Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com> --- meta/recipes-devtools/go/go-1.22.12.inc | 1 + .../go/go/CVE-2026-42507.patch | 160 ++++++++++++++++++ 2 files changed, 161 insertions(+) create mode 100644 meta/recipes-devtools/go/go/CVE-2026-42507.patch diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc index ba4fe9a734..f67da3e078 100644 --- a/meta/recipes-devtools/go/go-1.22.12.inc +++ b/meta/recipes-devtools/go/go-1.22.12.inc @@ -54,6 +54,7 @@ SRC_URI += "\ file://CVE-2026-42499.patch \ file://CVE-2026-42501.patch \ file://CVE-2026-42504.patch \ + file://CVE-2026-42507.patch \ " SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71" diff --git a/meta/recipes-devtools/go/go/CVE-2026-42507.patch b/meta/recipes-devtools/go/go/CVE-2026-42507.patch new file mode 100644 index 0000000000..d48b2b53eb --- /dev/null +++ b/meta/recipes-devtools/go/go/CVE-2026-42507.patch 
@@ -0,0 +1,160 @@ +From 943e53a7b667a1570648b5f1c4592b9d9d5b4aac Mon Sep 17 00:00:00 2001 +From: "Nicholas S. Husin" <nsh@golang.org> +Date: Mon, 11 May 2026 18:04:07 -0400 +Subject: [PATCH] net/textproto: escape arbitrary input when including them in + errors + +When returning errors, functions in the net/textproto package would +include its input as part of the error, without any escaping. Note that +said input is often controlled by external parties when using this +package naturally. For example, a net/http client uses ReadMIMEHeader +when parsing the headers it receive from a server. + +As a result, an attacker could inject arbitrary content into the error. +Practically, this can result in an attacker injecting misleading +content, terminal control bytes, etc. into a victim's output or logs. + +Fix this issue by making sure that ProtocolError usages within the +package are properly escaped, and that Error.String will escape its Msg. + +Fixes #79346 +Fixes CVE-2026-42507 + +Change-Id: Ide4c1005d8254f90d95d7a389b8ca3a26a6a6964 +Reviewed-on: https://go-review.googlesource.com/c/go/+/777060 +LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> +Reviewed-by: Roland Shoemaker <roland@golang.org> +Reviewed-by: Nicholas Husin <husin@google.com> +Reviewed-by: Damien Neil <dneil@google.com> + +CVE: CVE-2026-42507 +Upstream-Status: Backport [https://github.com/golang/go/commit/1a7e601d07b67aec8d795c8182ee7257ba7d1960] +Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com> +--- + src/net/smtp/smtp_test.go | 6 +++--- + src/net/textproto/reader.go | 14 +++++++------- + src/net/textproto/reader_test.go | 6 ++++-- + src/net/textproto/textproto.go | 2 +- + 4 files changed, 15 insertions(+), 13 deletions(-) + +diff --git a/src/net/smtp/smtp_test.go b/src/net/smtp/smtp_test.go +index 259b10b93d..3e03da5208 100644 +--- a/src/net/smtp/smtp_test.go ++++ 
b/src/net/smtp/smtp_test.go +@@ -664,7 +664,7 @@ func TestHello(t *testing.T) { + err = c.Hello("customhost") + case 1: + err = c.StartTLS(nil) +- if err.Error() == "502 Not implemented" { ++ if err.Error() == `502 "Not implemented"` { + err = nil + } + case 2: +@@ -922,8 +922,8 @@ func TestAuthFailed(t *testing.T) { + + if err == nil { + t.Error("Auth: expected error; got none") +- } else if err.Error() != "535 Invalid credentials\nplease see www.example.com" { +- t.Errorf("Auth: got error: %v, want: %s", err, "535 Invalid credentials\nplease see www.example.com") ++ } else if err.Error() != `535 "Invalid credentials\nplease see www.example.com"` { ++ t.Errorf("Auth: got error: %v, want: %s", err, `535 "Invalid credentials\nplease see www.example.com"`) + } + + bcmdbuf.Flush() +diff --git a/src/net/textproto/reader.go b/src/net/textproto/reader.go +index 0027efe3ca..b4cd22a6ed 100644 +--- a/src/net/textproto/reader.go ++++ b/src/net/textproto/reader.go +@@ -213,13 +213,13 @@ func (r *Reader) readCodeLine(expectCode int) (code int, continued bool, message + + func parseCodeLine(line string, expectCode int) (code int, continued bool, message string, err error) { + if len(line) < 4 || line[3] != ' ' && line[3] != '-' { +- err = ProtocolError("short response: " + line) ++ err = ProtocolError(fmt.Sprintf("short response: %q", line)) + return + } + continued = line[3] == '-' + code, err = strconv.Atoi(line[0:3]) + if err != nil || code < 100 { +- err = ProtocolError("invalid response code: " + line) ++ err = ProtocolError(fmt.Sprintf("invalid response code: %q", line)) + return + } + message = line[4:] +@@ -251,7 +251,7 @@ func parseCodeLine(line string, expectCode int) (code int, continued bool, messa + func (r *Reader) ReadCodeLine(expectCode int) (code int, message string, err error) { + code, continued, message, err := r.readCodeLine(expectCode) + if err == nil && continued { +- err = ProtocolError("unexpected multi-line response: " + message) ++ err = 
ProtocolError(fmt.Sprintf("unexpected multi-line response: %q", message)) + } + return + } +@@ -536,7 +536,7 @@ func readMIMEHeader(r *Reader, maxMemory, maxHeaders int64) (MIMEHeader, error) + if err != nil { + return m, err + } +- return m, ProtocolError("malformed MIME header initial line: " + string(line)) ++ return m, ProtocolError(fmt.Sprintf("malformed MIME header initial line: %q", line)) + } + + for { +@@ -548,15 +548,15 @@ func readMIMEHeader(r *Reader, maxMemory, maxHeaders int64) (MIMEHeader, error) + // Key ends at first colon. + k, v, ok := bytes.Cut(kv, colon) + if !ok { +- return m, ProtocolError("malformed MIME header line: " + string(kv)) ++ return m, ProtocolError(fmt.Sprintf("malformed MIME header line: %q", kv)) + } + key, ok := canonicalMIMEHeaderKey(k) + if !ok { +- return m, ProtocolError("malformed MIME header line: " + string(kv)) ++ return m, ProtocolError(fmt.Sprintf("malformed MIME header line: %q", kv)) + } + for _, c := range v { + if !validHeaderValueByte(c) { +- return m, ProtocolError("malformed MIME header line: " + string(kv)) ++ return m, ProtocolError(fmt.Sprintf("malformed MIME header line: %q", kv)) + } + } + +diff --git a/src/net/textproto/reader_test.go b/src/net/textproto/reader_test.go +index 26ff617470..844069a4ad 100644 +--- a/src/net/textproto/reader_test.go ++++ b/src/net/textproto/reader_test.go +@@ -409,6 +409,8 @@ func TestReadMultiLineError(t *testing.T) { + "Unexpected but legal text!\n" + + "5.1.1 https://support.google.com/mail/answer/6596 h20si25154304pfd.166 - gsmtp" + ++ wantError := `550 "5.1.1 The email account that you tried to reach does not exist. Please try\n5.1.1 double-checking the recipient's email address for typos or\n5.1.1 unnecessary spaces. 
Learn more at\nUnexpected but legal text!\n5.1.1 https://support.google.com/mail/answer/6596 h20si25154304pfd.166 - gsmtp"` ++ + code, msg, err := r.ReadResponse(250) + if err == nil { + t.Errorf("ReadResponse: no error, want error") +@@ -419,8 +421,8 @@ func TestReadMultiLineError(t *testing.T) { + if msg != wantMsg { + t.Errorf("ReadResponse: msg=%q, want %q", msg, wantMsg) + } +- if err != nil && err.Error() != "550 "+wantMsg { +- t.Errorf("ReadResponse: error=%q, want %q", err.Error(), "550 "+wantMsg) ++ if err != nil && err.Error() != wantError { ++ t.Errorf("ReadResponse: error=%q, want %q", err.Error(), wantError) + } + } + +diff --git a/src/net/textproto/textproto.go b/src/net/textproto/textproto.go +index 4ae3ecff74..a2291eff2b 100644 +--- a/src/net/textproto/textproto.go ++++ b/src/net/textproto/textproto.go +@@ -38,7 +38,7 @@ type Error struct { + } + + func (e *Error) Error() string { +- return fmt.Sprintf("%03d %s", e.Code, e.Msg) ++ return fmt.Sprintf("%03d %q", e.Code, e.Msg) + } + + // A ProtocolError describes a protocol violation such +-- +2.43.0 +
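Review bot: the reader.go hunks introduce `fmt.Sprintf(...)` into parseCodeLine, ReadCodeLine and readMIMEHeader, but no import hunk appears and the diffstat (`src/net/textproto/reader.go | 14 +++++++-------`) is seven insertions against seven deletions, so the backport silently depends on reader.go already importing `fmt` in go 1.22.12; the recipe's do_compile (or a `go build std` on the patched tree) is enough to confirm it. Passing `line` and `kv`, which are `[]byte`, straight to `%q` is fine, since `%q` quotes a byte slice the same way it quotes a string, so dropping the `string(...)` conversions that the old concatenation needed is correct.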
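Review bot: the textproto.go hunk changes the string of every `*textproto.Error` from `%03d %s` to `%03d %q`, and that is the part of the fix with compatibility impact: the smtp_test.go hunks show what callers now see, `502 Not implemented` becomes `502 "Not implemented"` and an embedded newline is rendered as the two characters `\n`. Anything in a scarthgap image that matches on `err.Error()` text from net/smtp or net/textproto needs the same update, so this deserves a line in the recipe's commit message for a stable branch. The quoting is also why the fix neutralises the log-injection case described in the message: `%q` escapes non-printable and control bytes instead of emitting them into whatever consumes the error. Minor: the upstream message says `Error.String` will escape its Msg, while the method changed by the hunk is `Error.Error()`.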