From patchwork Fri Jun 12 14:25:51 2026
X-Patchwork-Submitter: Jeremy Rosen
X-Patchwork-Id: 89930
From: Jeremy Rosen
To: openembedded-core@lists.openembedded.org
Cc: Paul Barker
Subject: [OE-core][scarthgap 01/21] libpng: Fix CVE-2026-33416
Date: Fri, 12 Jun 2026 16:25:51 +0200
Message-ID: <2bf388381ae3de76db288a859040c1130786d41b.1781270474.git.jeremy.rosen@smile.fr>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/238623

From: Zahir Hussain

Backport fixes for CVE-2026-33416

Backport patches from security Debian tracker [1] also mentioned at NVD Report [2]

[1] https://security-tracker.debian.org/tracker/CVE-2026-33416
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-33416

Add below patches to fix the CVE:
CVE-2026-33416-01.patch
CVE-2026-33416-02.patch
CVE-2026-33416-03.patch
CVE-2026-33416-04.patch

Signed-off-by: Sourav Kumar Pramanik
Signed-off-by: Zahir Hussain
Signed-off-by: Jérémy Rosen
Signed-off-by: Jeremy Rosen
--- .../libpng/files/CVE-2026-33416-01.patch | 143 +++++++++++++++ .../libpng/files/CVE-2026-33416-02.patch | 53 ++++++ .../libpng/files/CVE-2026-33416-03.patch | 163 ++++++++++++++++++ .../libpng/files/CVE-2026-33416-04.patch | 53 ++++++ .../libpng/libpng_1.6.42.bb | 4 + 5 files changed, 416 insertions(+) create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2026-33416-01.patch create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2026-33416-02.patch create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2026-33416-03.patch create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2026-33416-04.patch diff --git a/meta/recipes-multimedia/libpng/files/CVE-2026-33416-01.patch b/meta/recipes-multimedia/libpng/files/CVE-2026-33416-01.patch new file mode 100644 index 0000000000..a60a8d6b5b --- /dev/null +++ b/meta/recipes-multimedia/libpng/files/CVE-2026-33416-01.patch 
@@ -0,0 +1,143 @@ +From 23019269764e35ed8458e517f1897bd3c54820eb Mon Sep 17 00:00:00 2001 +From: Oblivionsage +Date: Sun, 15 Mar 2026 10:35:29 +0100 +Subject: [PATCH] fix: Resolve use-after-free on `png_ptr->trans_alpha` + +The function `png_set_tRNS` sets `png_ptr->trans_alpha` to point at +`info_ptr->trans_alpha` directly, so both structs share the same heap +buffer. If the application calls `png_free_data(PNG_FREE_TRNS)`, or if +`png_set_tRNS` is called a second time, the buffer is freed through +`info_ptr` while `png_ptr` still holds a dangling reference. Any +subsequent row read that hits the function `png_do_expand_palette` will +dereference freed memory. + +The fix gives `png_struct` its own allocation instead of aliasing the +`info_ptr` pointer. This was already flagged with a TODO in +`png_handle_tRNS` ("horrible side effect ... Fix this.") but it was +never addressed. + +Verified with AddressSanitizer. All 34 existing tests pass without +regressions. + +CVE: CVE-2026-33416 +Upstream-Status: Backport [https://github.com/pnggroup/libpng/commit/23019269764e35ed8458e517f1897bd3c54820eb] +Comment: Refreshed hunk to match latest scarthgap + +Reviewed-by: Cosmin Truta +Signed-off-by: Cosmin Truta +Signed-off-by: Sourav Kumar Pramanik +Signed-off-by: Zahir Hussain +--- + pngread.c | 11 +++++------ + pngrutil.c | 4 ---- + pngset.c | 31 +++++++++++++++++++------------ + pngwrite.c | 6 ++++++ + 4 files changed, 30 insertions(+), 22 deletions(-) + +diff --git a/pngread.c b/pngread.c +index 01b731d8eb..0086edf6cf 100644 +--- a/pngread.c ++++ b/pngread.c +@@ -968,12 +968,11 @@ png_read_destroy(png_structrp png_ptr) + + #if defined(PNG_tRNS_SUPPORTED) || \ + defined(PNG_READ_EXPAND_SUPPORTED) || defined(PNG_READ_BACKGROUND_SUPPORTED) +- if ((png_ptr->free_me & PNG_FREE_TRNS) != 0) +- { +- png_free(png_ptr, png_ptr->trans_alpha); +- png_ptr->trans_alpha = NULL; +- } +- png_ptr->free_me &= ~PNG_FREE_TRNS; ++ /* png_ptr->trans_alpha is always independently allocated (not 
aliased ++ * with info_ptr->trans_alpha), so free it unconditionally. ++ */ ++ png_free(png_ptr, png_ptr->trans_alpha); ++ png_ptr->trans_alpha = NULL; + #endif + + inflateEnd(&png_ptr->zstream); +diff --git a/pngrutil.c b/pngrutil.c +index 366379b991..a19507bf1b 100644 +--- a/pngrutil.c ++++ b/pngrutil.c +@@ -1905,10 +1905,6 @@ png_handle_tRNS(png_structrp png_ptr, pn + return; + } + +- /* TODO: this is a horrible side effect in the palette case because the +- * png_struct ends up with a pointer to the tRNS buffer owned by the +- * png_info. Fix this. +- */ + png_set_tRNS(png_ptr, info_ptr, readbuf, png_ptr->num_trans, + &(png_ptr->trans_color)); + } +diff --git a/pngset.c b/pngset.c +index 4b78b8960c..47883684e4 100644 +--- a/pngset.c ++++ b/pngset.c +@@ -990,28 +990,36 @@ png_set_tRNS(png_structrp png_ptr, png_i + + if (trans_alpha != NULL) + { +- /* It may not actually be necessary to set png_ptr->trans_alpha here; +- * we do it for backward compatibility with the way the png_handle_tRNS +- * function used to do the allocation. +- * +- * 1.6.0: The above statement is incorrect; png_handle_tRNS effectively +- * relies on png_set_tRNS storing the information in png_struct +- * (otherwise it won't be there for the code in pngrtran.c). +- */ +- + png_free_data(png_ptr, info_ptr, PNG_FREE_TRNS, 0); + + if (num_trans > 0 && num_trans <= PNG_MAX_PALETTE_LENGTH) + { +- /* Changed from num_trans to PNG_MAX_PALETTE_LENGTH in version 1.2.1 */ ++ /* Allocate info_ptr's copy of the transparency data. */ + info_ptr->trans_alpha = png_voidcast(png_bytep, + png_malloc(png_ptr, PNG_MAX_PALETTE_LENGTH)); + memcpy(info_ptr->trans_alpha, trans_alpha, (size_t)num_trans); +- + info_ptr->free_me |= PNG_FREE_TRNS; + info_ptr->valid |= PNG_INFO_tRNS; ++ ++ ++ /* Allocate an independent copy for png_struct, so that the ++ * lifetime of png_ptr->trans_alpha is decoupled from the ++ * lifetime of info_ptr->trans_alpha. 
Previously these two ++ * pointers were aliased, which caused a use-after-free if ++ * png_free_data freed info_ptr->trans_alpha while ++ * png_ptr->trans_alpha was still in use by the row transform ++ * functions (e.g. png_do_expand_palette). ++ */ ++ png_free(png_ptr, png_ptr->trans_alpha); ++ png_ptr->trans_alpha = png_voidcast(png_bytep, ++ png_malloc(png_ptr, PNG_MAX_PALETTE_LENGTH)); ++ memcpy(png_ptr->trans_alpha, trans_alpha, (size_t)num_trans); ++ } ++ else ++ { ++ png_free(png_ptr, png_ptr->trans_alpha); ++ png_ptr->trans_alpha = NULL; + } +- png_ptr->trans_alpha = info_ptr->trans_alpha; + } + + if (trans_color != NULL) +diff --git a/pngwrite.c b/pngwrite.c +index 5fc77d91f7..84af1e73fb 100644 +--- a/pngwrite.c ++++ b/pngwrite.c +@@ -977,6 +977,12 @@ png_write_destroy(png_structrp png_ptr) + png_ptr->chunk_list = NULL; + #endif + ++#if defined(PNG_tRNS_SUPPORTED) ++ /* Free the independent copy of trans_alpha owned by png_struct. */ ++ png_free(png_ptr, png_ptr->trans_alpha); ++ png_ptr->trans_alpha = NULL; ++#endif ++ + /* The error handling and memory handling information is left intact at this + * point: the jmp_buf may still have to be freed. See png_destroy_png_struct + * for how this happens. diff --git a/meta/recipes-multimedia/libpng/files/CVE-2026-33416-02.patch b/meta/recipes-multimedia/libpng/files/CVE-2026-33416-02.patch new file mode 100644 index 0000000000..e746293bf2 --- /dev/null +++ b/meta/recipes-multimedia/libpng/files/CVE-2026-33416-02.patch 
@@ -0,0 +1,53 @@ +From a3a21443ed12bfa1ef46fa0d4fb2b74a0fa34a25 Mon Sep 17 00:00:00 2001 +From: Oblivionsage +Date: Tue, 17 Mar 2026 08:55:18 +0100 +Subject: [PATCH] fix: Initialize tail bytes in `trans_alpha` buffers + +Although the arrays `info_ptr->trans_alpha` and `png_ptr->trans_alpha` +are allocated 256 bytes, only `num_trans` bytes are copied. +The remaining entries were left uninitialized. Set them to 0xff (fully +opaque) before copying, which matches the conventional treatment of +entries beyond `num_trans`. + +This is a follow-up to the previous use-after-free fix. + +CVE: CVE-2026-33416 +Upstream-Status: Backport [https://github.com/pnggroup/libpng/commit/a3a21443ed12bfa1ef46fa0d4fb2b74a0fa34a25] +Comment: Refreshed hunk to match latest scarthgap + +Reported-by: Cosmin Truta +Reviewed-by: Cosmin Truta +Signed-off-by: Cosmin Truta +Signed-off-by: Sourav Kumar Pramanik +Signed-off-by: Zahir Hussain +--- + pngset.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/pngset.c b/pngset.c +index 47883684e4..dccc6498d7 100644 +--- a/pngset.c ++++ b/pngset.c +@@ -994,9 +994,13 @@ png_set_tRNS(png_structrp png_ptr, png_i + + if (num_trans > 0 && num_trans <= PNG_MAX_PALETTE_LENGTH) + { +- /* Allocate info_ptr's copy of the transparency data. */ ++ /* Allocate info_ptr's copy of the transparency data. ++ * Initialize all entries to fully opaque (0xff), then overwrite ++ * the first num_trans entries with the actual values. 
++ */ + info_ptr->trans_alpha = png_voidcast(png_bytep, + png_malloc(png_ptr, PNG_MAX_PALETTE_LENGTH)); ++ memset(info_ptr->trans_alpha, 0xff, PNG_MAX_PALETTE_LENGTH); + memcpy(info_ptr->trans_alpha, trans_alpha, (size_t)num_trans); + info_ptr->free_me |= PNG_FREE_TRNS; + info_ptr->valid |= PNG_INFO_tRNS; +@@ -1013,6 +1017,7 @@ png_set_tRNS(png_structrp png_ptr, png_i + png_free(png_ptr, png_ptr->trans_alpha); + png_ptr->trans_alpha = png_voidcast(png_bytep, + png_malloc(png_ptr, PNG_MAX_PALETTE_LENGTH)); ++ memset(png_ptr->trans_alpha, 0xff, PNG_MAX_PALETTE_LENGTH); + memcpy(png_ptr->trans_alpha, trans_alpha, (size_t)num_trans); + } + else diff --git a/meta/recipes-multimedia/libpng/files/CVE-2026-33416-03.patch b/meta/recipes-multimedia/libpng/files/CVE-2026-33416-03.patch new file mode 100644 index 0000000000..21ce35dcd1 --- /dev/null +++ b/meta/recipes-multimedia/libpng/files/CVE-2026-33416-03.patch 
@@ -0,0 +1,163 @@ +From 7ea9eea884a2328cc7fdcb3c0c00246a50d90667 Mon Sep 17 00:00:00 2001 +From: Cosmin Truta +Date: Fri, 20 Mar 2026 17:37:22 +0200 +Subject: [PATCH] fix: Resolve use-after-free on `png_ptr->palette` + +Give `png_struct` its own independently-allocated copy of the palette +buffer, decoupling it from `info_struct`'s palette. Allocate both +copies with `png_calloc` to zero-fill, because the ARM NEON palette +riffle reads all 256 entries unconditionally. + +In function `png_set_PLTE`, `png_ptr->palette` was aliased directly to +`info_ptr->palette`: a single heap buffer shared across two structs +with independent lifetimes. If the buffer was freed through `info_ptr` +(via `png_free_data(PNG_FREE_PLTE)` or a second call to `png_set_PLTE`), +`png_ptr->palette` became a dangling pointer. Subsequent row reads, +performed in `png_do_expand_palette` and in other transform functions, +dereferenced (and in the bit-shift path, wrote to) freed memory. + +Also fix `png_set_quantize` to allocate an owned copy of the caller's +palette rather than aliasing the user pointer, so that the unconditional +free in `png_read_destroy` does not free unmanaged memory. 
+ +CVE: CVE-2026-33416 +Upstream-Status: Backport [https://github.com/pnggroup/libpng/commit/7ea9eea884a2328cc7fdcb3c0c00246a50d90667] +Comment: Refreshed hunk to match latest scarthgap + +Signed-off-by: Sourav Kumar Pramanik +Signed-off-by: Zahir Hussain +--- + pngread.c | 11 +++++------ + pngrtran.c | 8 +++++++- + pngrutil.c | 13 ------------- + pngset.c | 28 +++++++++++++++++++--------- + pngwrite.c | 4 ++++ + 5 files changed, 35 insertions(+), 29 deletions(-) + +diff --git a/pngread.c b/pngread.c +index 0086edf6cf..e1d38d578a 100644 +--- a/pngread.c ++++ b/pngread.c +@@ -959,12 +959,11 @@ png_read_destroy(png_structrp png_ptr) + png_ptr->quantize_index = NULL; + #endif + +- if ((png_ptr->free_me & PNG_FREE_PLTE) != 0) +- { +- png_zfree(png_ptr, png_ptr->palette); +- png_ptr->palette = NULL; +- } +- png_ptr->free_me &= ~PNG_FREE_PLTE; ++ /* png_ptr->palette is always independently allocated (not aliased ++ * with info_ptr->palette), so free it unconditionally. ++ */ ++ png_free(png_ptr, png_ptr->palette); ++ png_ptr->palette = NULL; + + #if defined(PNG_tRNS_SUPPORTED) || \ + defined(PNG_READ_EXPAND_SUPPORTED) || defined(PNG_READ_BACKGROUND_SUPPORTED) +diff --git a/pngrtran.c b/pngrtran.c +index bfb7d423b7..fd736ab672 100644 +--- a/pngrtran.c ++++ b/pngrtran.c +@@ -750,7 +750,13 @@ png_set_quantize(png_structrp png_ptr, p + } + if (png_ptr->palette == NULL) + { +- png_ptr->palette = palette; ++ /* Allocate an owned copy rather than aliasing the caller's pointer, ++ * so that png_read_destroy can free png_ptr->palette unconditionally. 
++ */ ++ png_ptr->palette = png_voidcast(png_colorp, png_calloc(png_ptr, ++ PNG_MAX_PALETTE_LENGTH * (sizeof (png_color)))); ++ memcpy(png_ptr->palette, palette, (unsigned int)num_palette * ++ (sizeof (png_color))); + } + png_ptr->num_palette = (png_uint_16)num_palette; + +diff --git a/pngrutil.c b/pngrutil.c +index a19507bf1b..3a35fe9de2 100644 +--- a/pngrutil.c ++++ b/pngrutil.c +@@ -1047,14 +1047,6 @@ png_handle_PLTE(png_structrp png_ptr, pn + } + #endif + +- /* TODO: png_set_PLTE has the side effect of setting png_ptr->palette to its +- * own copy of the palette. This has the side effect that when png_start_row +- * is called (this happens after any call to png_read_update_info) the +- * info_ptr palette gets changed. This is extremely unexpected and +- * confusing. +- * +- * Fix this by not sharing the palette in this way. +- */ + png_set_PLTE(png_ptr, info_ptr, palette, num); + + /* The three chunks, bKGD, hIST and tRNS *must* appear after PLTE and before +diff --git a/pngset.c b/pngset.c +index dccc6498d7..b9ccb7fb15 100644 +--- a/pngset.c ++++ b/pngset.c +@@ -595,28 +595,38 @@ png_set_PLTE(png_structrp png_ptr, png_i + png_error(png_ptr, "Invalid palette"); + } + +- /* It may not actually be necessary to set png_ptr->palette here; +- * we do it for backward compatibility with the way the png_handle_tRNS +- * function used to do the allocation. +- * +- * 1.6.0: the above statement appears to be incorrect; something has to set +- * the palette inside png_struct on read. +- */ + png_free_data(png_ptr, info_ptr, PNG_FREE_PLTE, 0); + + /* Changed in libpng-1.2.1 to allocate PNG_MAX_PALETTE_LENGTH instead + * of num_palette entries, in case of an invalid PNG file or incorrect + * call to png_set_PLTE() with too-large sample values. ++ * ++ * Allocate independent buffers for info_ptr and png_ptr so that the ++ * lifetime of png_ptr->palette is decoupled from the lifetime of ++ * info_ptr->palette. 
Previously, these two pointers were aliased, ++ * which caused a use-after-free vulnerability if png_free_data freed ++ * info_ptr->palette while png_ptr->palette was still in use by the ++ * row transform functions (e.g. png_do_expand_palette). ++ * ++ * Both buffers are allocated with png_calloc to zero-fill, because ++ * the ARM NEON palette riffle reads all 256 entries unconditionally, ++ * regardless of num_palette. + */ ++ png_free(png_ptr, png_ptr->palette); + png_ptr->palette = png_voidcast(png_colorp, png_calloc(png_ptr, + PNG_MAX_PALETTE_LENGTH * (sizeof (png_color)))); ++ info_ptr->palette = png_voidcast(png_colorp, png_calloc(png_ptr, ++ PNG_MAX_PALETTE_LENGTH * (sizeof (png_color)))); ++ png_ptr->num_palette = info_ptr->num_palette = (png_uint_16)num_palette; + + if (num_palette > 0) ++ { ++ memcpy(info_ptr->palette, palette, (unsigned int)num_palette * ++ (sizeof (png_color))); + memcpy(png_ptr->palette, palette, (unsigned int)num_palette * + (sizeof (png_color))); ++ } + +- info_ptr->palette = png_ptr->palette; +- info_ptr->num_palette = png_ptr->num_palette = (png_uint_16)num_palette; + info_ptr->free_me |= PNG_FREE_PLTE; + info_ptr->valid |= PNG_INFO_PLTE; + } +diff --git a/pngwrite.c b/pngwrite.c +index 84af1e73fb..348763e940 100644 +--- a/pngwrite.c ++++ b/pngwrite.c +@@ -982,6 +982,10 @@ png_write_destroy(png_structrp png_ptr) + png_free(png_ptr, png_ptr->trans_alpha); + png_ptr->trans_alpha = NULL; + #endif ++ ++ /* Free the independent copy of the palette owned by png_struct. */ ++ png_free(png_ptr, png_ptr->palette); ++ png_ptr->palette = NULL; + + /* The error handling and memory handling information is left intact at this + * point: the jmp_buf may still have to be freed. See png_destroy_png_struct diff --git a/meta/recipes-multimedia/libpng/files/CVE-2026-33416-04.patch b/meta/recipes-multimedia/libpng/files/CVE-2026-33416-04.patch new file mode 100644 index 0000000000..ff7db53c81 --- /dev/null 
+++ b/meta/recipes-multimedia/libpng/files/CVE-2026-33416-04.patch 
@@ -0,0 +1,53 @@ +From c1b0318b393c90679e6fa5bc1d329fd5d5012ec1 Mon Sep 17 00:00:00 2001 +From: Cosmin Truta +Date: Fri, 20 Mar 2026 21:25:12 +0200 +Subject: [PATCH] fix: Sync `info_ptr->palette` after in-place transforms + +Copy `png_ptr->palette` into `info_ptr->palette` upon entering +the function that runs immediately after the in-place transforms. + +The palette decoupling in the previous commit gave `png_struct` +and `png_info` independently-allocated palette buffers, fixing a +use-after-free vulnerability. However, `png_init_read_transformations` +modifies `png_ptr->palette` in place (e.g. for gamma correction or +background compositing), and the old aliasing made those modifications +visible through `png_get_PLTE`. With independent buffers, +`info_ptr->palette` retained the original values, causing our tests to +fail on indexed-colour background compositing. + +CVE: CVE-2026-33416 +Upstream-Status: Backport [https://github.com/pnggroup/libpng/commit/c1b0318b393c90679e6fa5bc1d329fd5d5012ec1] +Comment: Refreshed hunk to match latest scarthgap + +Signed-off-by: Sourav Kumar Pramanik +Signed-off-by: Zahir Hussain +--- + pngrtran.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/pngrtran.c b/pngrtran.c +index fd736ab672..978dac5888 100644 +--- a/pngrtran.c ++++ b/pngrtran.c +@@ -1984,6 +1984,21 @@ png_read_transform_info(png_structrp png + { + png_debug(1, "in png_read_transform_info"); + ++ if (png_ptr->transformations != 0) ++ { ++ if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE && ++ info_ptr->palette != NULL && png_ptr->palette != NULL) ++ { ++ /* Sync info_ptr->palette with png_ptr->palette. ++ * The function png_init_read_transformations may have modified ++ * png_ptr->palette in place (e.g. for gamma correction or for ++ * background compositing). 
++ */ ++ memcpy(info_ptr->palette, png_ptr->palette, ++ PNG_MAX_PALETTE_LENGTH * (sizeof (png_color))); ++ } ++ } ++ + #ifdef PNG_READ_EXPAND_SUPPORTED + if ((png_ptr->transformations & PNG_EXPAND) != 0) + { diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.42.bb b/meta/recipes-multimedia/libpng/libpng_1.6.42.bb index 923ed79896..e4cc63686e 100644 --- a/meta/recipes-multimedia/libpng/libpng_1.6.42.bb +++ b/meta/recipes-multimedia/libpng/libpng_1.6.42.bb 
@@ -25,6 +25,10 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}${LIBV}/${PV}/${BP}.tar.xz file://CVE-2026-22801.patch \ file://CVE-2026-25646.patch \ file://CVE-2026-33636.patch \ + file://CVE-2026-33416-01.patch \ + file://CVE-2026-33416-02.patch \ + file://CVE-2026-33416-03.patch \ + file://CVE-2026-33416-04.patch \ " SRC_URI[sha256sum] = "c919dbc11f4c03b05aba3f8884d8eb7adfe3572ad228af972bb60057bdb48450"
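
Review bot: In the png_set_tRNS hunk of CVE-2026-33416-01.patch (pngset.c), `png_free(png_ptr, png_ptr->trans_alpha);` is followed directly by the `png_malloc` assignment, so the field holds a freed pointer until the allocation returns. png_malloc reports failure through png_error rather than returning NULL, and png_read_destroy in this same patch now frees png_ptr->trans_alpha unconditionally, so an out-of-memory exit at that point would free the buffer twice. Setting `png_ptr->trans_alpha = NULL;` right after the png_free closes the window; the `png_free(png_ptr, png_ptr->palette);` and `png_calloc` pair added to png_set_PLTE in CVE-2026-33416-03.patch has the same shape.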
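
Review bot: The cleanup added to png_write_destroy (pngwrite.c) in CVE-2026-33416-01.patch is guarded by `#if defined(PNG_tRNS_SUPPORTED)` alone, while the matching free in png_read_destroy sits under `PNG_tRNS_SUPPORTED || PNG_READ_EXPAND_SUPPORTED || PNG_READ_BACKGROUND_SUPPORTED`, and the palette free added next to it by CVE-2026-33416-03.patch has no guard at all. Using the same condition as the allocation site, or a short comment stating which configurations can populate png_ptr->trans_alpha on the write path, would make it possible to verify from the code that every build that allocates the buffer also frees it.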
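
Review bot: The png_set_quantize hunk in CVE-2026-33416-03.patch (pngrtran.c) copies `(unsigned int)num_palette * (sizeof (png_color))` bytes into a buffer sized for PNG_MAX_PALETTE_LENGTH entries, and nothing visible in the hunk bounds num_palette. Before this change the caller's pointer was only aliased, so no copy length was involved; now a num_palette above PNG_MAX_PALETTE_LENGTH, or a negative value given the cast, would write past the new allocation. Please confirm that a range check exists earlier in the function, or add one before the memcpy and reject the call with png_error.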
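
Review bot: The memcpy added to png_read_transform_info in CVE-2026-33416-04.patch always copies `PNG_MAX_PALETTE_LENGTH * (sizeof (png_color))` bytes, which is safe only because CVE-2026-33416-03.patch allocates both info_ptr->palette and png_ptr->palette at full length. The NULL checks in the new condition do not cover buffer size, so the comment should state that invariant explicitly, and the backport should note that 04 must never be carried without 03. The SRC_URI ordering in the recipe hunk does keep them in sequence.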

From: Jeremy Rosen
To: openembedded-core@lists.openembedded.org
Cc: Paul Barker
Subject: [OE-core][scarthgap 02/21] busybox: Fix CVE-2026-29004
Date: Fri, 12 Jun 2026 16:25:52 +0200
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/238624

From: "Hugo SIMELIERE (Schneider Electric)"

Pick patches from [1] and [2] as mentioned in Debian report in [3].

[1] https://git.busybox.net/busybox/commit/archival?id=42202bfb1e6ac51fa995beda8be4d7b654aeee2a
[2] https://git.busybox.net/busybox/commit/archival?id=d368f3f7836d1c2484c8f839316e5c93e76d4409
[3] https://security-tracker.debian.org/tracker/CVE-2026-29004

Signed-off-by: Hugo SIMELIERE (Schneider Electric)
Reviewed-by: Bruno VERNAY
Signed-off-by: Jeremy Rosen
--- .../busybox/busybox/CVE-2026-29004-01.patch | 41 +++++++++++++++++ .../busybox/busybox/CVE-2026-29004-02.patch | 46 +++++++++++++++++++ meta/recipes-core/busybox/busybox_1.36.1.bb | 2 + 3 files changed, 89 insertions(+) create mode 100644 meta/recipes-core/busybox/busybox/CVE-2026-29004-01.patch create mode 100644 meta/recipes-core/busybox/busybox/CVE-2026-29004-02.patch diff --git a/meta/recipes-core/busybox/busybox/CVE-2026-29004-01.patch b/meta/recipes-core/busybox/busybox/CVE-2026-29004-01.patch new file mode 100644 index 0000000000..0423a76730 --- /dev/null +++ b/meta/recipes-core/busybox/busybox/CVE-2026-29004-01.patch 
@@ -0,0 +1,41 @@ +From e49fb0f6ad0a0f924ec2cfe6838d04c4f1f4c3ba Mon Sep 17 00:00:00 2001 +From: Denys Vlasenko +Date: Thu, 12 Mar 2026 07:25:38 +0100 +Subject: [PATCH 1/2] udhcpc6: fix buffer overflow + +CVE: CVE-2026-29004 +Upstream-Status: Backport [https://git.busybox.net/busybox/commit/archival?id=42202bfb1e6ac51fa995beda8be4d7b654aeee2a] + +Signed-off-by: Denys Vlasenko +(cherry picked from commit 42202bfb1e6ac51fa995beda8be4d7b654aeee2a) +Signed-off-by: Hugo SIMELIERE (Schneider Electric) +--- + networking/udhcp/d6_dhcpc.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/networking/udhcp/d6_dhcpc.c b/networking/udhcp/d6_dhcpc.c +index cdd06188e..62cc0f466 100644 +--- a/networking/udhcp/d6_dhcpc.c ++++ b/networking/udhcp/d6_dhcpc.c +@@ -351,15 +351,15 @@ static void option_to_env(const uint8_t *option, const uint8_t *option_end) + addrs = option[3] >> 4; + + /* Setup environment variable */ +- *new_env() = dlist = xmalloc(4 + addrs * 40 - 1); ++ *new_env() = dlist = xmalloc(4 + addrs * 40 + 1); + dlist = stpcpy(dlist, "dns="); + option_offset = 0; + +- while (addrs--) { ++ while (addrs-- != 0) { + sprint_nip6(dlist, option + 4 + option_offset); + dlist += 39; + option_offset += 16; +- if (addrs) ++ if (addrs != 0) + *dlist++ = ' '; + } + +-- +2.43.0 + diff --git a/meta/recipes-core/busybox/busybox/CVE-2026-29004-02.patch b/meta/recipes-core/busybox/busybox/CVE-2026-29004-02.patch new file mode 100644 index 0000000000..ac8c031cc6 --- /dev/null +++ b/meta/recipes-core/busybox/busybox/CVE-2026-29004-02.patch 
@@ -0,0 +1,46 @@ +From 4d8d5b7c4426e62375235cf4903b6cb53bb193d3 Mon Sep 17 00:00:00 2001 +From: Denys Vlasenko +Date: Thu, 12 Mar 2026 13:23:48 +0100 +Subject: [PATCH 2/2] udhcpc6: check the size of D6_OPT_IAPREFIX option + +function old new delta +option_to_env 694 711 +17 + +CVE: CVE-2026-29004 +Upstream-Status: Backport [https://git.busybox.net/busybox/commit/archival?id=d368f3f7836d1c2484c8f839316e5c93e76d4409] + +Signed-off-by: Denys Vlasenko +(cherry picked from commit d368f3f7836d1c2484c8f839316e5c93e76d4409) +Signed-off-by: Hugo SIMELIERE (Schneider Electric) +--- + networking/udhcp/d6_dhcpc.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/networking/udhcp/d6_dhcpc.c b/networking/udhcp/d6_dhcpc.c +index 62cc0f466..64a41c9d8 100644 +--- a/networking/udhcp/d6_dhcpc.c ++++ b/networking/udhcp/d6_dhcpc.c +@@ -287,8 +287,8 @@ static void option_to_env(const uint8_t *option, const uint8_t *option_end) + * | valid-lifetime | + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + */ +- /* Make sure payload contains an address */ +- if (option[3] < 24) ++ /* Make sure payload exists */ ++ if (option[3] < (16 + 4 + 4)) + break; + + sprint_nip6(ipv6str, option + 4); +@@ -332,6 +332,9 @@ static void option_to_env(const uint8_t *option, const uint8_t *option_end) + * | | + * +-+-+-+-+-+-+-+-+ + */ ++ /* Make sure payload exists */ ++ if (option[3] < (4 + 4 + 1 + 16)) ++ break; + move_from_unaligned32(v32, option + 4 + 4); + v32 = ntohl(v32); + *new_env() = xasprintf("ipv6prefix_lease=%u", (unsigned)v32); +-- +2.43.0 + diff --git a/meta/recipes-core/busybox/busybox_1.36.1.bb b/meta/recipes-core/busybox/busybox_1.36.1.bb index 228bfdadd3..7929d396c8 100644 --- a/meta/recipes-core/busybox/busybox_1.36.1.bb +++ b/meta/recipes-core/busybox/busybox_1.36.1.bb 
@@ -64,6 +64,8 @@ SRC_URI = "https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \ file://CVE-2025-60876.patch \ file://CVE-2026-26157-CVE-2026-26158-01.patch \ file://CVE-2026-26157-CVE-2026-26158-02.patch \ + file://CVE-2026-29004-01.patch \ + file://CVE-2026-29004-02.patch \ " SRC_URI:append:libc-musl = " file://musl.cfg " # TODO http://lists.busybox.net/pipermail/busybox/2023-January/090078.html
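
Review bot: The size expression `xmalloc(4 + addrs * 40 + 1)` in the option_to_env hunk of CVE-2026-29004-01.patch carries no comment explaining the arithmetic. From the loop, each address advances dlist by 39 with one separator between addresses, so for addrs >= 1 the string needs 4 + addrs * 40 bytes including the terminator; the extra byte is what covers addrs == 0, where `stpcpy(dlist, "dns=")` alone writes 5 bytes. A one-line comment with that breakdown would keep a later edit from reintroducing the overflow.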
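
Review bot: In CVE-2026-29004-02.patch the first hunk only rewrites `option[3] < 24` as `option[3] < (16 + 4 + 4)`, which is the same value, and replaces the specific comment "Make sure payload contains an address" with the vaguer "Make sure payload exists"; the behavioural fix is the new `option[3] < (4 + 4 + 1 + 16)` check in the second hunk. Since the sums are meant to mirror the option layout, please name the terms in the comments (in the second hunk: two 4-byte lifetimes, a 1-byte prefix length and a 16-byte prefix) so each minimum length can be checked against the diagram above it.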
d=1e100.net; s=20251104; t=1781274398; x=1781879198; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=E2NzR+jo5/d07wSnBj2KIdUYTYoLwcmYKe6UPOwiHCk=; b=dki3AtTag/odK5SiALrrjZfxolqrbJJWOByAsFKK09p+y9+aQA2vetdoUlut0oDdAN z8MwlfhC1DwwSpHmz7xCvI0iT4u1SUH5p7EtyBSUiyrc0Qic/3iwgIWvhxAMA1y1e+a6 XMQyZV8n7S5zqQCYmCW1t9rP7TTz0Ebwe2bvBaGDRQ+Pk/jICP5ljz77ug32uk8EYoqX vSNYncnR29hu2SHRDLOsRvVPhakOvwrRcW85EMTZkUF+T+LEYNu0mpBQGNxhtSIZ9sj/ z0AZv4/S4sEG7r7O06jQ1q5WRok9QmAlUtS4FNS+p0XqinNkZYAKaPgkajeMM9iCTGQ0 XT2Q== X-Gm-Message-State: AOJu0YxFiOFCXYSSLzx9DFZ33MMKeib+CEwk9vW8s2a0EcHB7srB5a18 2ClwkOwQduNtB7OMh7PWhkARwlvMCo5wkfkbNmaf4cjc1S9oPQ/BqlBs703iCJGg3vYJBD77Uar iRxHuRw== X-Gm-Gg: Acq92OHPmC1ObTRdjEA9Ho7dPUMFvTSJwdWeRBB3Fm6p2sIlgH/TQk4CQqeTxYc4pub a7aBjBVFeJS7H9TUEznTBh8hgK6/HO9W58/u8CPDyH24UHkB4astH8cPt3AZnRA+GR2tzbXyd1k zZWfcceksPWYAFqnbDmMA3H94SnpaCr5FWRhGS2XJHgWwFckAyP5QwOx+/eQRVg8HSKEnLTyhzY g7gkFJGxoBH3nvuhBhgxJZ47EvYYQ4SPr2fhkGMalNfImyjQ/gNspp4lb4HGFR92K3G8TyHMEai zeRODTHm84PK+0qNa9EmwJ2ZPBakczBtJm+pSuHjLSOPlDdV/Ko/mF4Pb3eqt+B9lf3WG+dXGdy BzB7ERfA5TTx2EymTw7+zNwdKoUUrGUXBc/RM0NZQiSW0Pah/Y/aiajsJv4s5enppfsTr7bhN41 bPgpdVJsMoaIdDeQdJIHFcoic= X-Received: by 2002:a05:600c:a219:b0:490:b58a:dcc1 with SMTP id 5b1f17b1804b1-490ec50af2dmr24785655e9.29.1781274398189; Fri, 12 Jun 2026 07:26:38 -0700 (PDT) Received: from Logrus.lan ([2001:861:560f:240:8dd0:2c2:7492:641b]) by smtp.googlemail.com with ESMTPSA id ffacd0b85a97d-4606f20e77asm6798747f8f.0.2026.06.12.07.26.37 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 12 Jun 2026 07:26:37 -0700 (PDT) 
From: Jeremy Rosen To: openembedded-core@lists.openembedded.org Cc: Paul Barker Subject: [OE-core][scarthgap 03/21] nfs-utils: fix CVE-2025-12801 Date: Fri, 12 Jun 2026 16:25:53 +0200 Message-ID: <33321e687cf18e03bb1d824d58214d758b02078f.1781270474.git.jeremy.rosen@smile.fr> X-Mailer: git-send-email 2.53.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 12 Jun 2026 14:26:49 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/238625 From: Sudhir Dumbhare - This patch applies the upstream fix [5] as referenced in [7]. - To successfully apply the fixed commit, apply the dependent commits [2] to [4] which are included in v2.8.6, as referenced in [7]. - Additionally, include dependent commit [1] from v2.8.3, as referenced in [8] under the [2.5.4-38.2] description, along with compilation fix commit [6] from v2.7.1 - Reference: [1] https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commit;h=cd90f2925790 [2] https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commit;h=7e8b36522f58 [3] https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commit;h=42f01e6a78fe [4] https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commit;h=51738ae56d92 [5] https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commit;h=f36bd900a899 [6] https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commit;h=a2c95e4f557a [7] https://security-tracker.debian.org/tracker/CVE-2025-12801 [8] https://linux.oracle.com/errata/ELSA-2026-3940.html Signed-off-by: Sudhir Dumbhare 
Signed-off-by: Jeremy Rosen --- .../nfs-utils/CVE-2025-12801-build-fix.patch | 44 ++ .../CVE-2025-12801-dependent_p1.patch | 71 +++ .../CVE-2025-12801-dependent_p2.patch | 81 +++ .../CVE-2025-12801-dependent_p3.patch | 185 +++++++ .../CVE-2025-12801-dependent_p4.patch | 468 ++++++++++++++++++ .../nfs-utils/nfs-utils/CVE-2025-12801.patch | 254 ++++++++++ .../nfs-utils/nfs-utils_2.6.4.bb | 6 + 7 files changed, 1109 insertions(+) create mode 100644 meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801-build-fix.patch create mode 100644 meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801-dependent_p1.patch create mode 100644 meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801-dependent_p2.patch create mode 100644 meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801-dependent_p3.patch create mode 100644 meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801-dependent_p4.patch create mode 100644 meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801.patch diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801-build-fix.patch b/meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801-build-fix.patch new file mode 100644 index 0000000000..d7aaca2242 --- /dev/null +++ b/meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801-build-fix.patch 
@@ -0,0 +1,44 @@ +From 30e0f57fff545b0bb3071fa071c7b12c2923bac8 Mon Sep 17 00:00:00 2001 +From: Steve Dickson +Date: Mon, 22 Jan 2024 13:23:57 -0500 +Subject: [PATCH] reexport.c: Some Distros need the following include to + avoid the following error + +reexport.c: In function ‘connect_fsid_service’: +reexport.c:41:28: error: implicit declaration of function ‘offsetof’ [-Werror=implicit-function-declaration] + 41 | addr_len = offsetof(struct sockaddr_un, sun_path) + strlen(addr.sun_path); + | ^~~~~~~~ +reexport.c:19:1: note: ‘offsetof’ is defined in header ‘’; did you forget to ‘#include ’? + 18 | #include "xlog.h" + +++ |+#include + 19 | +reexport.c:41:37: error: expected expression before ‘struct’ + 41 | addr_len = offsetof(struct sockaddr_un, sun_path) + strlen(addr.sun_path); + | ^~~~~~ +cc1: some warnings being treated as errors + +CVE: CVE-2025-12801 +Upstream-Status: Backport [https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commit;h=a2c95e4f557a71b482bb62bad6d93ddde51e5dc6] + +Signed-off-by: Steve Dickson +(cherry picked from commit a2c95e4f557a71b482bb62bad6d93ddde51e5dc6) +Signed-off-by: Sudhir Dumbhare +--- + support/reexport/reexport.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/support/reexport/reexport.c b/support/reexport/reexport.c +index 78516586..16dde0fb 100644 +--- a/support/reexport/reexport.c ++++ b/support/reexport/reexport.c +@@ -8,6 +8,7 @@ + #include + #include + #include ++#include + + #include "nfsd_path.h" + #include "conffile.h" +-- +2.44.4 + diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801-dependent_p1.patch b/meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801-dependent_p1.patch new file mode 100644 index 0000000000..223249a9d6 --- /dev/null +++ b/meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801-dependent_p1.patch 
@@ -0,0 +1,71 @@ +From 647c9cb3ac3cbdf9ffd9e29f7d5dd04da84afdbc Mon Sep 17 00:00:00 2001 +From: Christopher Bii +Date: Wed, 15 Jan 2025 12:10:48 -0500 +Subject: [PATCH] NFS export symlink vulnerability fix + +Replaced dangerous use of realpath within support/nfs/export.c with +nfsd_realpath variant that is executed within the chrooted thread +rather than main thread. + +Implemented nfsd_path.h methods to work securely within chrooted +thread using nfsd_run_task() help + +CVE: CVE-2025-12801 +Upstream-Status: Backport [https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commit;h=cd90f29257904f36509ea5a04a86f42398fbe94a] + +Backport Changes: +- In support/misc/nfsd_path.c file, only nfsd_run_task() and the + struct nfsd_task_t have been included to resolve a compilation + issue. All other non-essential changes were excluded. +- The non-required file support/export/cache.c and support/nfs/exports.c + has been excluded. + +Signed-off-by: Christopher Bii +Signed-off-by: Steve Dickson +(cherry picked from commit cd90f29257904f36509ea5a04a86f42398fbe94a) +Signed-off-by: Sudhir Dumbhare +--- + support/include/nfsd_path.h | 1 + + support/misc/nfsd_path.c | 14 +++++++++++++- + 2 files changed, 14 insertions(+), 1 deletion(-) + +diff --git a/support/include/nfsd_path.h b/support/include/nfsd_path.h +index aa1e1dd0..4f5fc44e 100644 +--- a/support/include/nfsd_path.h ++++ b/support/include/nfsd_path.h +@@ -8,6 +8,7 @@ + + struct file_handle; + struct statfs; ++struct nfsd_task_t; + + void nfsd_path_init(void); + +diff --git a/support/misc/nfsd_path.c b/support/misc/nfsd_path.c +index c3dea4f0..fa908f7c 100644 +--- a/support/misc/nfsd_path.c ++++ b/support/misc/nfsd_path.c +@@ -19,7 +19,19 @@ + #include "nfsd_path.h" + #include "workqueue.h" + +-static struct xthread_workqueue *nfsd_wq; ++static struct xthread_workqueue *nfsd_wq = NULL; ++ ++struct nfsd_task_t { ++ int ret; ++ void* data; ++}; ++/* Function used to offload tasks that must be ran within the correct ++ * chroot 
environment. ++ */ ++static void ++nfsd_run_task(void (*func)(void*), void* data){ ++ nfsd_wq ? xthread_work_run_sync(nfsd_wq, func, data) : func(data); ++}; + + static int + nfsd_path_isslash(const char *path) +-- +2.35.6 + diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801-dependent_p2.patch b/meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801-dependent_p2.patch new file mode 100644 index 0000000000..f088eadb4b --- /dev/null +++ b/meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801-dependent_p2.patch 
@@ -0,0 +1,81 @@ +From a6ddd0e9594884cf61816478e8c561f1b3aac709 Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Mon, 10 Nov 2025 11:26:03 -0500 +Subject: [PATCH] mountd: Minor refactor of get_rootfh() + +Perform the mountpoint checks before checking the user path. + +CVE: CVE-2025-12801 +Upstream-Status: Backport [https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commit;h=7e8b36522f58657359c6842119fc516c6dd1baa4] + +Reviewed-by: Jeff Layton +Signed-off-by: Trond Myklebust +Signed-off-by: Steve Dickson +(cherry picked from commit 7e8b36522f58657359c6842119fc516c6dd1baa4) +Signed-off-by: Sudhir Dumbhare +--- + utils/mountd/mountd.c | 34 +++++++++++++++++----------------- + 1 file changed, 17 insertions(+), 17 deletions(-) + +diff --git a/utils/mountd/mountd.c b/utils/mountd/mountd.c +index dbd5546d..39afd4aa 100644 +--- a/utils/mountd/mountd.c ++++ b/utils/mountd/mountd.c +@@ -412,6 +412,23 @@ get_rootfh(struct svc_req *rqstp, dirpath *path, nfs_export **expret, + *error = MNT3ERR_ACCES; + return NULL; + } ++ if (nfsd_path_stat(exp->m_export.e_path, &estb) < 0) { ++ xlog(L_WARNING, "can't stat export point %s: %s", ++ p, strerror(errno)); ++ *error = MNT3ERR_NOENT; ++ return NULL; ++ } ++ if (exp->m_export.e_mountpoint && ++ !check_is_mountpoint(exp->m_export.e_mountpoint[0]? 
++ exp->m_export.e_mountpoint: ++ exp->m_export.e_path, ++ nfsd_path_lstat)) { ++ xlog(L_WARNING, "request to export an unmounted filesystem: %s", ++ p); ++ *error = MNT3ERR_NOENT; ++ return NULL; ++ } ++ + if (nfsd_path_stat(p, &stb) < 0) { + xlog(L_WARNING, "can't stat exported dir %s: %s", + p, strerror(errno)); +@@ -426,12 +443,6 @@ get_rootfh(struct svc_req *rqstp, dirpath *path, nfs_export **expret, + *error = MNT3ERR_NOTDIR; + return NULL; + } +- if (nfsd_path_stat(exp->m_export.e_path, &estb) < 0) { +- xlog(L_WARNING, "can't stat export point %s: %s", +- p, strerror(errno)); +- *error = MNT3ERR_NOENT; +- return NULL; +- } + if (estb.st_dev != stb.st_dev + && !(exp->m_export.e_flags & NFSEXP_CROSSMOUNT)) { + xlog(L_WARNING, "request to export directory %s below nearest filesystem %s", +@@ -439,17 +450,6 @@ get_rootfh(struct svc_req *rqstp, dirpath *path, nfs_export **expret, + *error = MNT3ERR_ACCES; + return NULL; + } +- if (exp->m_export.e_mountpoint && +- !check_is_mountpoint(exp->m_export.e_mountpoint[0]? +- exp->m_export.e_mountpoint: +- exp->m_export.e_path, +- nfsd_path_lstat)) { +- xlog(L_WARNING, "request to export an unmounted filesystem: %s", +- p); +- *error = MNT3ERR_NOENT; +- return NULL; +- } +- + /* This will be a static private nfs_export with just one + * address. We feed it to kernel then extract the filehandle, + */ +-- +2.44.4 + diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801-dependent_p3.patch b/meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801-dependent_p3.patch new file mode 100644 index 0000000000..59b28b557a --- /dev/null +++ b/meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801-dependent_p3.patch 
@@ -0,0 +1,185 @@ +From 0c2561328ce5e09636663ac2312b5f1f52fc0111 Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Mon, 10 Nov 2025 11:28:39 -0500 +Subject: [PATCH] mountd: Separate lookup of the exported directory and the + mount path + +When the caller asks to mount a path that does not terminate with an +exported directory, we want to split up the lookups so that we can +look up the exported directory using the mountd privileged credential, +and the remaining subdirectory lookups using the RPC caller's +credential. + +CVE: CVE-2025-12801 +Upstream-Status: Backport [https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commit;h=42f01e6a78fed98f12437ac8b28cfb12b6bad056] + +Backport Changes: +- In support/misc/nfsd_path.c, the closing brace of struct + nfsd_read_data was adjusted from line 320 to 282. + +Reviewed-by: Jeff Layton +Signed-off-by: Trond Myklebust +Signed-off-by: Steve Dickson +(cherry picked from commit 42f01e6a78fed98f12437ac8b28cfb12b6bad056) +Signed-off-by: Sudhir Dumbhare +--- + support/include/nfsd_path.h | 1 + + support/misc/nfsd_path.c | 31 ++++++++++++++++++ + utils/mountd/mountd.c | 63 +++++++++++++++++++++++++++++++------ + 3 files changed, 86 insertions(+), 9 deletions(-) + +diff --git a/support/include/nfsd_path.h b/support/include/nfsd_path.h +index 4f5fc44e..be2dc38d 100644 +--- a/support/include/nfsd_path.h ++++ b/support/include/nfsd_path.h +@@ -18,6 +18,7 @@ char * nfsd_path_prepend_dir(const char *dir, const char *pathname); + + int nfsd_path_stat(const char *pathname, struct stat *statbuf); + int nfsd_path_lstat(const char *pathname, struct stat *statbuf); ++int nfsd_openat(int dirfd, const char *path, int flags); + + int nfsd_path_statfs(const char *pathname, + struct statfs *statbuf); +diff --git a/support/misc/nfsd_path.c b/support/misc/nfsd_path.c +index fa908f7c..1c5aa3f3 100644 +--- a/support/misc/nfsd_path.c ++++ b/support/misc/nfsd_path.c +@@ -280,6 +280,37 @@ struct nfsd_read_data { + int err; + }; + ++struct 
nfsd_openat_t { ++ const char *path; ++ int dirfd; ++ int flags; ++ int res_fd; ++ int res_error; ++}; ++ ++static void nfsd_openatfunc(void *data) ++{ ++ struct nfsd_openat_t *d = data; ++ ++ d->res_fd = openat(d->dirfd, d->path, d->flags); ++ if (d->res_fd == -1) ++ d->res_error = errno; ++} ++ ++int nfsd_openat(int dirfd, const char *path, int flags) ++{ ++ struct nfsd_openat_t open_buf = { ++ .path = path, ++ .dirfd = dirfd, ++ .flags = flags, ++ }; ++ ++ nfsd_run_task(nfsd_openatfunc, &open_buf); ++ if (open_buf.res_fd == -1) ++ errno = open_buf.res_error; ++ return open_buf.res_fd; ++} ++ + static void + nfsd_readfunc(void *data) + { +diff --git a/utils/mountd/mountd.c b/utils/mountd/mountd.c +index 39afd4aa..f43ebef5 100644 +--- a/utils/mountd/mountd.c ++++ b/utils/mountd/mountd.c +@@ -392,7 +392,10 @@ get_rootfh(struct svc_req *rqstp, dirpath *path, nfs_export **expret, + struct nfs_fh_len *fh; + char rpath[MAXPATHLEN+1]; + char *p = *path; ++ char *subpath; + char buf[INET6_ADDRSTRLEN]; ++ size_t epathlen; ++ int dirfd; + + if (*p == '\0') + p = "/"; +@@ -412,12 +415,21 @@ get_rootfh(struct svc_req *rqstp, dirpath *path, nfs_export **expret, + *error = MNT3ERR_ACCES; + return NULL; + } +- if (nfsd_path_stat(exp->m_export.e_path, &estb) < 0) { +- xlog(L_WARNING, "can't stat export point %s: %s", ++ ++ dirfd = nfsd_openat(AT_FDCWD, exp->m_export.e_path, O_PATH); ++ if (dirfd == -1) { ++ xlog(L_WARNING, "can't open export point %s: %s", + p, strerror(errno)); + *error = MNT3ERR_NOENT; + return NULL; + } ++ if (fstat(dirfd, &estb) == -1) { ++ xlog(L_WARNING, "can't stat export point %s: %s", ++ p, strerror(errno)); ++ *error = MNT3ERR_ACCES; ++ close(dirfd); ++ return NULL; ++ } + if (exp->m_export.e_mountpoint && + !check_is_mountpoint(exp->m_export.e_mountpoint[0]? 
+ exp->m_export.e_mountpoint: +@@ -426,18 +438,51 @@ get_rootfh(struct svc_req *rqstp, dirpath *path, nfs_export **expret, + xlog(L_WARNING, "request to export an unmounted filesystem: %s", + p); + *error = MNT3ERR_NOENT; ++ close(dirfd); + return NULL; + } + +- if (nfsd_path_stat(p, &stb) < 0) { +- xlog(L_WARNING, "can't stat exported dir %s: %s", +- p, strerror(errno)); +- if (errno == ENOENT) +- *error = MNT3ERR_NOENT; +- else +- *error = MNT3ERR_ACCES; ++ epathlen = strlen(exp->m_export.e_path); ++ if (epathlen > strlen(p)) { ++ xlog(L_WARNING, "raced with change of exported path: %s", p); ++ *error = MNT3ERR_NOENT; ++ close(dirfd); + return NULL; + } ++ subpath = &p[epathlen]; ++ while (*subpath == '/') ++ subpath++; ++ if (*subpath != '\0') { ++ int fd; ++ ++ /* Just perform a lookup of the path */ ++ fd = nfsd_openat(dirfd, subpath, O_PATH); ++ close(dirfd); ++ if (fd == -1) { ++ xlog(L_WARNING, "can't open exported dir %s: %s", p, ++ strerror(errno)); ++ if (errno == ENOENT) ++ *error = MNT3ERR_NOENT; ++ else ++ *error = MNT3ERR_ACCES; ++ return NULL; ++ } ++ if (fstat(fd, &stb) == -1) { ++ xlog(L_WARNING, "can't open exported dir %s: %s", p, ++ strerror(errno)); ++ if (errno == ENOENT) ++ *error = MNT3ERR_NOENT; ++ else ++ *error = MNT3ERR_ACCES; ++ close(fd); ++ return NULL; ++ } ++ close(fd); ++ } else { ++ close(dirfd); ++ stb = estb; ++ } ++ + if (!S_ISDIR(stb.st_mode) && !S_ISREG(stb.st_mode)) { + xlog(L_WARNING, "%s is not a directory or regular file", p); + *error = MNT3ERR_NOTDIR; +-- +2.44.4 + diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801-dependent_p4.patch b/meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801-dependent_p4.patch new file mode 100644 index 0000000000..4ef529e737 --- /dev/null +++ b/meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801-dependent_p4.patch 
@@ -0,0 +1,468 @@ +From 7eef498b6bd01adc45415b03ddf321c84f82aa45 Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Mon, 10 Nov 2025 12:18:38 -0500 +Subject: [PATCH] support: Add a mini-library to extract and apply RPC + credentials + +Add server functionality to extract the credentials from the client RPC +call, and apply them. This is needed in order to perform access checking +on the requested path in the mountd daemon. + +CVE: CVE-2025-12801 +Upstream-Status: Backport [https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commit;h=51738ae56d922d4961e60dad73ad1c2d97d8d99b] + +Backport Changes: +- In support/misc/Makefile.am, the non-essential file.c was omitted + as it does not exist in the current nfs-utils version. + +Reviewed-by: Jeff Layton +Signed-off-by: Trond Myklebust +Signed-off-by: Steve Dickson +(cherry picked from commit 51738ae56d922d4961e60dad73ad1c2d97d8d99b) +Signed-off-by: Sudhir Dumbhare +--- + aclocal/libtirpc.m4 | 11 +++ + support/include/Makefile.am | 1 + + support/include/nfs_ucred.h | 44 ++++++++++ + support/misc/Makefile.am | 2 +- + support/misc/ucred.c | 162 ++++++++++++++++++++++++++++++++++++ + support/nfs/Makefile.am | 2 +- + support/nfs/ucred.c | 147 ++++++++++++++++++++++++++++++++ + 7 files changed, 367 insertions(+), 2 deletions(-) + create mode 100644 support/include/nfs_ucred.h + create mode 100644 support/misc/ucred.c + create mode 100644 support/nfs/ucred.c + +diff --git a/aclocal/libtirpc.m4 b/aclocal/libtirpc.m4 +index bddae022..84e18f7e 100644 +--- a/aclocal/libtirpc.m4 ++++ b/aclocal/libtirpc.m4 +@@ -26,6 +26,17 @@ AC_DEFUN([AC_LIBTIRPC], [ + [Define to 1 if your tirpc library provides libtirpc_set_debug])],, + [${LIBS}])]) + ++ AS_IF([test -n "${LIBTIRPC}"], ++ [AC_CHECK_LIB([tirpc], [rpc_gss_getcred], ++ [AC_DEFINE([HAVE_TIRPC_GSS_GETCRED], [1], ++ [Define to 1 if your tirpc library provides rpc_gss_getcred])],, ++ [${LIBS}])]) ++ ++ AS_IF([test -n "${LIBTIRPC}"], ++ [AC_CHECK_LIB([tirpc], [authdes_getucred], ++ 
[AC_DEFINE([HAVE_TIRPC_AUTHDES_GETUCRED], [1], ++ [Define to 1 if your tirpc library provides authdes_getucred])],, ++ [${LIBS}])]) + AC_SUBST([AM_CPPFLAGS]) + AC_SUBST(LIBTIRPC) + +diff --git a/support/include/Makefile.am b/support/include/Makefile.am +index 1373891a..631a84f8 100644 +--- a/support/include/Makefile.am ++++ b/support/include/Makefile.am +@@ -10,6 +10,7 @@ noinst_HEADERS = \ + misc.h \ + nfs_mntent.h \ + nfs_paths.h \ ++ nfs_ucred.h \ + nfsd_path.h \ + nfslib.h \ + nfsrpc.h \ +diff --git a/support/include/nfs_ucred.h b/support/include/nfs_ucred.h +new file mode 100644 +index 00000000..d58b61e4 +--- /dev/null ++++ b/support/include/nfs_ucred.h +@@ -0,0 +1,44 @@ ++#ifndef _NFS_UCRED_H ++#define _NFS_UCRED_H ++ ++#include ++ ++struct nfs_ucred { ++ uid_t uid; ++ gid_t gid; ++ int ngroups; ++ gid_t *groups; ++}; ++ ++struct svc_req; ++struct exportent; ++ ++int nfs_ucred_get(struct nfs_ucred **credp, struct svc_req *rqst, ++ const struct exportent *ep); ++ ++void nfs_ucred_squash_groups(struct nfs_ucred *cred, ++ const struct exportent *ep); ++int nfs_ucred_reload_groups(struct nfs_ucred *cred, const struct exportent *ep); ++int nfs_ucred_swap_effective(const struct nfs_ucred *cred, ++ struct nfs_ucred **savedp); ++ ++static inline void nfs_ucred_free(struct nfs_ucred *cred) ++{ ++ free(cred->groups); ++ free(cred); ++} ++ ++static inline void nfs_ucred_init_groups(struct nfs_ucred *cred, gid_t *groups, ++ int ngroups) ++{ ++ cred->groups = groups; ++ cred->ngroups = ngroups; ++} ++ ++static inline void nfs_ucred_free_groups(struct nfs_ucred *cred) ++{ ++ free(cred->groups); ++ nfs_ucred_init_groups(cred, NULL, 0); ++} ++ ++#endif /* _NFS_UCRED_H */ +diff --git a/support/misc/Makefile.am b/support/misc/Makefile.am +index 8b0e9db9..ea970064 100644 +--- a/support/misc/Makefile.am ++++ b/support/misc/Makefile.am +@@ -2,6 +2,6 @@ + + noinst_LIBRARIES = libmisc.a + libmisc_a_SOURCES = tcpwrapper.c from_local.c mountpoint.c misc.c \ +- nfsd_path.c workqueue.c 
xstat.c ++ nfsd_path.c ucred.c workqueue.c xstat.c + + MAINTAINERCLEANFILES = Makefile.in +diff --git a/support/misc/ucred.c b/support/misc/ucred.c +new file mode 100644 +index 00000000..92d97912 +--- /dev/null ++++ b/support/misc/ucred.c +@@ -0,0 +1,162 @@ ++#ifdef HAVE_CONFIG_H ++#include ++#endif ++ ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#include "exportfs.h" ++#include "nfs_ucred.h" ++ ++#include "xlog.h" ++ ++void nfs_ucred_squash_groups(struct nfs_ucred *cred, const struct exportent *ep) ++{ ++ int i; ++ ++ if (!(ep->e_flags & NFSEXP_ROOTSQUASH)) ++ return; ++ if (cred->gid == 0) ++ cred->gid = ep->e_anongid; ++ for (i = 0; i < cred->ngroups; i++) { ++ if (cred->groups[i] == 0) ++ cred->groups[i] = ep->e_anongid; ++ } ++} ++ ++static int nfs_ucred_init_effective(struct nfs_ucred *cred) ++{ ++ int ngroups = getgroups(0, NULL); ++ ++ if (ngroups > 0) { ++ size_t sz = ngroups * sizeof(gid_t); ++ gid_t *groups = malloc(sz); ++ if (groups == NULL) ++ return ENOMEM; ++ if (getgroups(ngroups, groups) == -1) { ++ free(groups); ++ return errno; ++ } ++ nfs_ucred_init_groups(cred, groups, ngroups); ++ } else ++ nfs_ucred_init_groups(cred, NULL, 0); ++ cred->uid = geteuid(); ++ cred->gid = getegid(); ++ return 0; ++} ++ ++static size_t nfs_ucred_getpw_r_size_max(void) ++{ ++ long buflen = sysconf(_SC_GETPW_R_SIZE_MAX); ++ ++ if (buflen == -1) ++ return 16384; ++ return buflen; ++} ++ ++int nfs_ucred_reload_groups(struct nfs_ucred *cred, const struct exportent *ep) ++{ ++ struct passwd pwd, *pw; ++ uid_t uid = cred->uid; ++ gid_t gid = cred->gid; ++ size_t buflen; ++ char *buf; ++ int ngroups = 0; ++ int ret; ++ ++ if (ep->e_flags & (NFSEXP_ALLSQUASH | NFSEXP_ROOTSQUASH) && ++ (int)uid == ep->e_anonuid) ++ return 0; ++ buflen = nfs_ucred_getpw_r_size_max(); ++ buf = alloca(buflen); ++ ret = getpwuid_r(uid, &pwd, buf, buflen, &pw); ++ if (ret != 0) ++ return ret; ++ if (!pw) ++ return ENOENT; ++ if (getgrouplist(pw->pw_name, gid, NULL, 
&ngroups) == -1 && ++ ngroups > 0) { ++ gid_t *groups = malloc(ngroups * sizeof(groups[0])); ++ if (groups == NULL) ++ return ENOMEM; ++ if (getgrouplist(pw->pw_name, gid, groups, &ngroups) == -1) { ++ free(groups); ++ return ENOMEM; ++ } ++ free(cred->groups); ++ nfs_ucred_init_groups(cred, groups, ngroups); ++ nfs_ucred_squash_groups(cred, ep); ++ } else ++ nfs_ucred_free_groups(cred); ++ return 0; ++} ++ ++static int nfs_ucred_set_effective(const struct nfs_ucred *cred, ++ const struct nfs_ucred *saved) ++{ ++ uid_t suid = saved ? saved->uid : geteuid(); ++ gid_t sgid = saved ? saved->gid : getegid(); ++ int ret; ++ ++ /* Start with a privileged effective user */ ++ if (setresuid(-1, 0, -1) < 0) { ++ xlog(L_WARNING, "can't change privileged user %u-%u. %s", ++ geteuid(), getegid(), strerror(errno)); ++ return errno; ++ } ++ ++ if (setgroups(cred->ngroups, cred->groups) == -1) { ++ xlog(L_WARNING, "can't change groups for user %u-%u. %s", ++ geteuid(), getegid(), strerror(errno)); ++ return errno; ++ } ++ if (setresgid(-1, cred->gid, sgid) == -1) { ++ xlog(L_WARNING, "can't change gid for user %u-%u. %s", ++ geteuid(), getegid(), strerror(errno)); ++ ret = errno; ++ goto restore_groups; ++ } ++ if (setresuid(-1, cred->uid, suid) == -1) { ++ xlog(L_WARNING, "can't change uid for user %u-%u. %s", ++ geteuid(), getegid(), strerror(errno)); ++ ret = errno; ++ goto restore_gid; ++ } ++ return 0; ++restore_gid: ++ if (setresgid(-1, sgid, -1) < 0) { ++ xlog(L_WARNING, "can't restore privileged user %u-%u. 
%s", ++ geteuid(), getegid(), strerror(errno)); ++ } ++restore_groups: ++ if (saved) ++ setgroups(saved->ngroups, saved->groups); ++ else ++ setgroups(0, NULL); ++ return ret; ++} ++ ++int nfs_ucred_swap_effective(const struct nfs_ucred *cred, ++ struct nfs_ucred **savedp) ++{ ++ struct nfs_ucred *saved = malloc(sizeof(*saved)); ++ int ret; ++ ++ if (saved == NULL) ++ return ENOMEM; ++ ret = nfs_ucred_init_effective(saved); ++ if (ret != 0) { ++ free(saved); ++ return ret; ++ } ++ ret = nfs_ucred_set_effective(cred, saved); ++ if (savedp == NULL || ret != 0) ++ nfs_ucred_free(saved); ++ else ++ *savedp = saved; ++ return ret; ++} +diff --git a/support/nfs/Makefile.am b/support/nfs/Makefile.am +index 2e1577cc..f6921265 100644 +--- a/support/nfs/Makefile.am ++++ b/support/nfs/Makefile.am +@@ -7,7 +7,7 @@ libnfs_la_SOURCES = exports.c rmtab.c xio.c rpcmisc.c rpcdispatch.c \ + xcommon.c wildmat.c mydaemon.c \ + rpc_socket.c getport.c \ + svc_socket.c cacheio.c closeall.c nfs_mntent.c \ +- svc_create.c atomicio.c strlcat.c strlcpy.c ++ svc_create.c atomicio.c strlcat.c strlcpy.c ucred.c + libnfs_la_LIBADD = libnfsconf.la + libnfs_la_CPPFLAGS = $(AM_CPPFLAGS) $(CPPFLAGS) -I$(top_srcdir)/support/reexport + +diff --git a/support/nfs/ucred.c b/support/nfs/ucred.c +new file mode 100644 +index 00000000..6ea8efdf +--- /dev/null ++++ b/support/nfs/ucred.c +@@ -0,0 +1,147 @@ ++#ifdef HAVE_CONFIG_H ++#include ++#endif ++ ++#include ++#include ++#include ++#include ++ ++#include "exportfs.h" ++#include "nfs_ucred.h" ++ ++#ifdef HAVE_TIRPC_GSS_GETCRED ++#include ++#endif /* HAVE_TIRPC_GSS_GETCRED */ ++#ifdef HAVE_TIRPC_AUTHDES_GETUCRED ++#include ++#endif /* HAVE_TIRPC_AUTHDES_GETUCRED */ ++ ++static int nfs_ucred_copy_cred(struct nfs_ucred *cred, uid_t uid, gid_t gid, ++ const gid_t *groups, int ngroups) ++{ ++ if (ngroups > 0) { ++ size_t sz = ngroups * sizeof(groups[0]); ++ cred->groups = malloc(sz); ++ if (cred->groups == NULL) ++ return ENOMEM; ++ cred->ngroups = ngroups; ++ 
memcpy(cred->groups, groups, sz); ++ } else ++ nfs_ucred_init_groups(cred, NULL, 0); ++ cred->uid = uid; ++ cred->gid = gid; ++ return 0; ++} ++ ++static int nfs_ucred_init_cred_squashed(struct nfs_ucred *cred, ++ const struct exportent *ep) ++{ ++ cred->uid = ep->e_anonuid; ++ cred->gid = ep->e_anongid; ++ nfs_ucred_init_groups(cred, NULL, 0); ++ return 0; ++} ++ ++static int nfs_ucred_init_cred(struct nfs_ucred *cred, uid_t uid, gid_t gid, ++ const gid_t *groups, int ngroups, ++ const struct exportent *ep) ++{ ++ if (ep->e_flags & NFSEXP_ALLSQUASH) { ++ nfs_ucred_init_cred_squashed(cred, ep); ++ } else if (ep->e_flags & NFSEXP_ROOTSQUASH && uid == 0) { ++ nfs_ucred_init_cred_squashed(cred, ep); ++ if (gid != 0) ++ cred->gid = gid; ++ } else { ++ int ret = nfs_ucred_copy_cred(cred, uid, gid, groups, ngroups); ++ if (ret != 0) ++ return ret; ++ nfs_ucred_squash_groups(cred, ep); ++ } ++ return 0; ++} ++ ++static int nfs_ucred_init_null(struct nfs_ucred *cred, ++ const struct exportent *ep) ++{ ++ return nfs_ucred_init_cred_squashed(cred, ep); ++} ++ ++static int nfs_ucred_init_unix(struct nfs_ucred *cred, struct svc_req *rqst, ++ const struct exportent *ep) ++{ ++ struct authunix_parms *aup; ++ ++ aup = (struct authunix_parms *)rqst->rq_clntcred; ++ return nfs_ucred_init_cred(cred, aup->aup_uid, aup->aup_gid, ++ aup->aup_gids, aup->aup_len, ep); ++} ++ ++#ifdef HAVE_TIRPC_GSS_GETCRED ++static int nfs_ucred_init_gss(struct nfs_ucred *cred, struct svc_req *rqst, ++ const struct exportent *ep) ++{ ++ rpc_gss_ucred_t *gss_ucred = NULL; ++ ++ if (!rpc_gss_getcred(rqst, NULL, &gss_ucred, NULL) || gss_ucred == NULL) ++ return EINVAL; ++ return nfs_ucred_init_cred(cred, gss_ucred->uid, gss_ucred->gid, ++ gss_ucred->gidlist, gss_ucred->gidlen, ep); ++} ++#endif /* HAVE_TIRPC_GSS_GETCRED */ ++ ++#ifdef HAVE_TIRPC_AUTHDES_GETUCRED ++int authdes_getucred(struct authdes_cred *adc, uid_t *uid, gid_t *gid, ++ int *grouplen, gid_t *groups); ++ ++static int 
nfs_ucred_init_des(struct nfs_ucred *cred, struct svc_req *rqst, ++ const struct exportent *ep) ++{ ++ struct authdes_cred *des_cred; ++ uid_t uid; ++ gid_t gid; ++ int grouplen; ++ gid_t groups[NGROUPS]; ++ ++ des_cred = (struct authdes_cred *)rqst->rq_clntcred; ++ if (!authdes_getucred(des_cred, &uid, &gid, &grouplen, &groups[0])) ++ return EINVAL; ++ return nfs_ucred_init_cred(cred, uid, gid, groups, grouplen, ep); ++} ++#endif /* HAVE_TIRPC_AUTHDES_GETUCRED */ ++ ++int nfs_ucred_get(struct nfs_ucred **credp, struct svc_req *rqst, ++ const struct exportent *ep) ++{ ++ struct nfs_ucred *cred = malloc(sizeof(*cred)); ++ int ret; ++ ++ *credp = NULL; ++ if (cred == NULL) ++ return ENOMEM; ++ switch (rqst->rq_cred.oa_flavor) { ++ case AUTH_UNIX: ++ ret = nfs_ucred_init_unix(cred, rqst, ep); ++ break; ++#ifdef HAVE_TIRPC_GSS_GETCRED ++ case RPCSEC_GSS: ++ ret = nfs_ucred_init_gss(cred, rqst, ep); ++ break; ++#endif /* HAVE_TIRPC_GSS_GETCRED */ ++#ifdef HAVE_TIRPC_AUTHDES_GETUCRED ++ case AUTH_DES: ++ ret = nfs_ucred_init_des(cred, rqst, ep); ++ break; ++#endif /* HAVE_TIRPC_AUTHDES_GETUCRED */ ++ default: ++ ret = nfs_ucred_init_null(cred, ep); ++ break; ++ } ++ if (ret == 0) { ++ *credp = cred; ++ return 0; ++ } ++ free(cred); ++ return ret; ++} +-- +2.44.4 + diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801.patch b/meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801.patch new file mode 100644 index 0000000000..3381d6e645 --- /dev/null +++ b/meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801.patch 
@@ -0,0 +1,254 @@ +From e22a15eb39c88367c35bfd4e057bccbddc6519d4 Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Thu, 5 Mar 2026 10:41:02 -0500 +Subject: [PATCH] Fix access checks when mounting subdirectories in NFSv3 + +If a NFSv3 client asks to mount a subdirectory of one of the exported +directories, then apply the RPC credential together with any root +or all squash rules that would apply to the client in question. + +CVE: CVE-2025-12801 +Upstream-Status: Backport [https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commit;h=f36bd900a899088ca1925de079bd58d6205a1f3c] + +Reviewed-by: Jeff Layton +Signed-off-by: Trond Myklebust +Signed-off-by: Scott Mayhew +Signed-off-by: Steve Dickson +(cherry picked from commit f36bd900a899088ca1925de079bd58d6205a1f3c) +Signed-off-by: Sudhir Dumbhare +--- + nfs.conf | 1 + + support/include/nfsd_path.h | 9 ++++++++- + support/misc/nfsd_path.c | 32 ++++++++++++++++++++++++++++++-- + utils/mountd/mountd.c | 28 ++++++++++++++++++++++++++-- + utils/mountd/mountd.man | 26 ++++++++++++++++++++++++++ + 5 files changed, 91 insertions(+), 5 deletions(-) + +diff --git a/nfs.conf b/nfs.conf +index 323f072b..e08cd9a9 100644 +--- a/nfs.conf ++++ b/nfs.conf +@@ -45,6 +45,7 @@ + # ttl=1800 + [mountd] + # debug="all|auth|call|general|parse" ++# apply-root-cred=n + # manage-gids=n + # descriptors=0 + # port=0 +diff --git a/support/include/nfsd_path.h b/support/include/nfsd_path.h +index be2dc38d..834925ec 100644 +--- a/support/include/nfsd_path.h ++++ b/support/include/nfsd_path.h +@@ -9,6 +9,7 @@ + struct file_handle; + struct statfs; + struct nfsd_task_t; ++struct nfs_ucred; + + void nfsd_path_init(void); + +@@ -18,7 +19,8 @@ char * nfsd_path_prepend_dir(const char *dir, const char *pathname); + + int nfsd_path_stat(const char *pathname, struct stat *statbuf); + int nfsd_path_lstat(const char *pathname, struct stat *statbuf); +-int nfsd_openat(int dirfd, const char *path, int flags); ++int nfsd_cred_openat(const struct nfs_ucred *cred, 
int dirfd, ++ const char *path, int flags); + + int nfsd_path_statfs(const char *pathname, + struct statfs *statbuf); +@@ -31,4 +33,9 @@ ssize_t nfsd_path_write(int fd, const char *buf, size_t len); + int nfsd_name_to_handle_at(int fd, const char *path, + struct file_handle *fh, + int *mount_id, int flags); ++ ++static inline int nfsd_openat(int dirfd, const char *path, int flags) ++{ ++ return nfsd_cred_openat(NULL, dirfd, path, flags); ++} + #endif +diff --git a/support/misc/nfsd_path.c b/support/misc/nfsd_path.c +index 1c5aa3f3..a2083989 100644 +--- a/support/misc/nfsd_path.c ++++ b/support/misc/nfsd_path.c +@@ -17,6 +17,7 @@ + #include "xstat.h" + #include "nfslib.h" + #include "nfsd_path.h" ++#include "nfs_ucred.h" + #include "workqueue.h" + + static struct xthread_workqueue *nfsd_wq = NULL; +@@ -281,6 +282,7 @@ struct nfsd_read_data { + }; + + struct nfsd_openat_t { ++ const struct nfs_ucred *cred; + const char *path; + int dirfd; + int flags; +@@ -297,15 +299,41 @@ static void nfsd_openatfunc(void *data) + d->res_error = errno; + } + +-int nfsd_openat(int dirfd, const char *path, int flags) ++static void nfsd_cred_openatfunc(void *data) ++{ ++ struct nfsd_openat_t *d = data; ++ struct nfs_ucred *saved = NULL; ++ int ret; ++ ++ ret = nfs_ucred_swap_effective(d->cred, &saved); ++ if (ret != 0) { ++ d->res_fd = -1; ++ d->res_error = ret; ++ return; ++ } ++ ++ nfsd_openatfunc(data); ++ ++ if (saved != NULL) { ++ nfs_ucred_swap_effective(saved, NULL); ++ nfs_ucred_free(saved); ++ } ++} ++ ++int nfsd_cred_openat(const struct nfs_ucred *cred, int dirfd, const char *path, ++ int flags) + { + struct nfsd_openat_t open_buf = { ++ .cred = cred, + .path = path, + .dirfd = dirfd, + .flags = flags, + }; + +- nfsd_run_task(nfsd_openatfunc, &open_buf); ++ if (cred) ++ nfsd_run_task(nfsd_cred_openatfunc, &open_buf); ++ else ++ nfsd_run_task(nfsd_openatfunc, &open_buf); + if (open_buf.res_fd == -1) + errno = open_buf.res_error; + return open_buf.res_fd; +diff --git 
a/utils/mountd/mountd.c b/utils/mountd/mountd.c +index f43ebef5..6e6777cd 100644 +--- a/utils/mountd/mountd.c ++++ b/utils/mountd/mountd.c +@@ -31,6 +31,7 @@ + #include "nfsd_path.h" + #include "nfslib.h" + #include "export.h" ++#include "nfs_ucred.h" + + extern void my_svc_run(void); + +@@ -40,6 +41,7 @@ static struct nfs_fh_len *get_rootfh(struct svc_req *, dirpath *, nfs_export **, + + int reverse_resolve = 0; + int manage_gids; ++int apply_root_cred; + int use_ipaddr = -1; + + /* PRC: a high-availability callout program can be specified with -H +@@ -74,9 +76,10 @@ static struct option longopts[] = + { "log-auth", 0, 0, 'l'}, + { "cache-use-ipaddr", 0, 0, 'i'}, + { "ttl", 1, 0, 'T'}, ++ { "apply-root-cred", 0, 0, 'c' }, + { NULL, 0, 0, 0 } + }; +-static char shortopts[] = "o:nFd:p:P:hH:N:V:vurs:t:gliT:"; ++static char shortopts[] = "o:nFd:p:P:hH:N:V:vurs:t:gliT:c"; + + #define NFSVERSBIT(vers) (0x1 << (vers - 1)) + #define NFSVERSBIT_ALL (NFSVERSBIT(2) | NFSVERSBIT(3) | NFSVERSBIT(4)) +@@ -453,11 +456,27 @@ get_rootfh(struct svc_req *rqstp, dirpath *path, nfs_export **expret, + while (*subpath == '/') + subpath++; + if (*subpath != '\0') { ++ struct nfs_ucred *cred = NULL; + int fd; + ++ /* Load the user cred */ ++ if (!apply_root_cred) { ++ nfs_ucred_get(&cred, rqstp, &exp->m_export); ++ if (cred == NULL) { ++ xlog(L_WARNING, "can't retrieve credential"); ++ *error = MNT3ERR_ACCES; ++ close(dirfd); ++ return NULL; ++ } ++ if (manage_gids) ++ nfs_ucred_reload_groups(cred, &exp->m_export); ++ } ++ + /* Just perform a lookup of the path */ +- fd = nfsd_openat(dirfd, subpath, O_PATH); ++ fd = nfsd_cred_openat(cred, dirfd, subpath, O_PATH); + close(dirfd); ++ if (cred) ++ nfs_ucred_free(cred); + if (fd == -1) { + xlog(L_WARNING, "can't open exported dir %s: %s", p, + strerror(errno)); +@@ -681,6 +700,8 @@ read_mountd_conf(char **argv) + ttl = conf_get_num("mountd", "ttl", default_ttl); + if (ttl > 0) + default_ttl = ttl; ++ apply_root_cred = conf_get_bool("mountd", 
"apply-root-cred", ++ apply_root_cred); + } + + int +@@ -794,6 +815,9 @@ main(int argc, char **argv) + } + default_ttl = ttl; + break; ++ case 'c': ++ apply_root_cred = 1; ++ break; + case 0: + break; + case '?': +diff --git a/utils/mountd/mountd.man b/utils/mountd/mountd.man +index a206a3e2..f4f1fc23 100644 +--- a/utils/mountd/mountd.man ++++ b/utils/mountd/mountd.man +@@ -242,6 +242,32 @@ can support both NFS version 2 and the newer version 3. + Print the version of + .B rpc.mountd + and exit. ++.TP ++.B \-c " or " \-\-apply-root-cred ++When mountd is asked to allow a NFSv3 mount to a subdirectory of the ++exported directory, then it will check if the user asking to mount has ++lookup rights to the directories below that exported directory. When ++performing the check, mountd will apply any root squash or all squash ++rules that were specified for that client. ++ ++Performing lookup checks as the user requires that the mountd daemon ++be run as root or that it be given CAP_SETUID and CAP_SETGID privileges ++so that it can change its own effective user and effective group settings. ++When troubleshooting, please also note that LSM frameworks such as SELinux ++can sometimes prevent the daemon from changing the effective user/groups ++despite the capability settings. ++ ++In earlier versions of mountd, the same checks were performed using the ++mountd daemon's root privileges, meaning that it could authorise access ++to directories that are not normally accessible to the user requesting ++to mount them. This option enables that legacy behaviour. ++ ++.BR Note: ++If there is a need to provide access to specific subdirectories that ++are not normally accessible to a client, it is always possible to add ++export entries that explicitly grant such access. That ability does ++not depend on this option being enabled. ++ + .TP + .B \-g " or " \-\-manage-gids + Accept requests from the kernel to map user id numbers into lists of +-- +2.44.4 + 
diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils_2.6.4.bb b/meta/recipes-connectivity/nfs-utils/nfs-utils_2.6.4.bb index 2f2644f9a8..91c74fe5ef 100644 --- a/meta/recipes-connectivity/nfs-utils/nfs-utils_2.6.4.bb +++ b/meta/recipes-connectivity/nfs-utils/nfs-utils_2.6.4.bb 
@@ -33,6 +33,12 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/utils/nfs-utils/${PV}/nfs-utils-${PV}.tar.x file://0001-locktest-Makefile.am-Do-not-use-build-flags.patch \ file://0001-tools-locktest-Use-intmax_t-to-print-off_t.patch \ file://0001-reexport.h-Include-unistd.h-to-compile-with-musl.patch \ + file://CVE-2025-12801-dependent_p1.patch \ + file://CVE-2025-12801-dependent_p2.patch \ + file://CVE-2025-12801-dependent_p3.patch \ + file://CVE-2025-12801-dependent_p4.patch \ + file://CVE-2025-12801.patch \ + file://CVE-2025-12801-build-fix.patch \ " SRC_URI[sha256sum] = "01b3b0fb9c7d0bbabf5114c736542030748c788ec2fd9734744201e9b0a1119d"
From patchwork Fri Jun 12 14:25:54 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jeremy Rosen X-Patchwork-Id: 89937
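Review bot: In nfsd_cred_openatfunc() in the support/misc/nfsd_path.c part of CVE-2025-12801.patch, the restore call `nfs_ucred_swap_effective(saved, NULL);` ignores its return value, so a failed restore leaves the workqueue thread holding the requesting client's effective uid/gid for whatever task nfsd_run_task() hands it next. The first swap in the same function is checked (`if (ret != 0)`); the restore should be checked as well, and a failure should at least be logged, or better treated as fatal for that thread, since it cannot safely keep serving requests under the wrong identity.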
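Review bot: In the get_rootfh() hunk of utils/mountd/mountd.c in CVE-2025-12801.patch, the return code of nfs_ucred_get() is discarded and only `cred == NULL` is tested, so an allocation failure (ENOMEM) and a credential that could not be decoded both end up as MNT3ERR_ACCES behind the same "can't retrieve credential" warning. Keeping the return value and adding its strerror() text to the xlog() call would let an operator tell the two apart when subdirectory mounts are refused. The nfs.conf hunk would also benefit from a one-line comment next to `# apply-root-cred=n` saying that enabling the option restores the legacy lookup with mountd's root privileges, as the man page hunk explains.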
From: Jeremy Rosen To: openembedded-core@lists.openembedded.org Cc: Paul Barker Subject: [OE-core][scarthgap 04/21] xz: Fix CVE-2026-34743 Date: Fri, 12 Jun 2026 16:25:54 +0200 Message-ID: <6c72dc8a05546ab625d6a853ca6eb58f980bf249.1781270474.git.jeremy.rosen@smile.fr> X-Mailer: git-send-email 2.53.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 12 Jun 2026 14:26:49 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/238626 From: "Hugo SIMELIERE (Schneider Electric)" Pick patch from [1] as 5.4.x upstream backport of [2] mentioned in Debian report in [3]. [1] https://github.com/tukaani-project/xz/commit/8538443d08591693a8c61f3a03656650f39c7c32 [2] https://github.com/tukaani-project/xz/commit/c8c22869e780ff57c96b46939c3d79ff99395f87 [3] https://security-tracker.debian.org/tracker/CVE-2026-34743 Signed-off-by: Hugo SIMELIERE (Schneider Electric) Reviewed-by: Bruno VERNAY Signed-off-by: Jeremy Rosen --- .../xz/xz/CVE-2026-34743.patch | 68 +++++++++++++++++++ meta/recipes-extended/xz/xz_5.4.7.bb | 1 + 2 files changed, 69 insertions(+) create mode 100644 meta/recipes-extended/xz/xz/CVE-2026-34743.patch diff --git a/meta/recipes-extended/xz/xz/CVE-2026-34743.patch b/meta/recipes-extended/xz/xz/CVE-2026-34743.patch new file mode 100644 index 0000000000..f890851cb2 --- /dev/null +++ b/meta/recipes-extended/xz/xz/CVE-2026-34743.patch 
@@ -0,0 +1,68 @@ +From ae7abca7c721c73bb4aadf41a82a720a842a4364 Mon Sep 17 00:00:00 2001 +From: Lasse Collin +Date: Sun, 29 Mar 2026 19:11:21 +0300 +Subject: [PATCH] liblzma: Fix a buffer overflow in lzma_index_append() + +If lzma_index_decoder() was used to decode an Index that contained no +Records, the resulting lzma_index had an invalid internal "prealloc" +value. If lzma_index_append() was called on this lzma_index, too +little memory would be allocated and a buffer overflow would occur. + +While this combination of the API functions is meant to work, in the +real-world apps this call sequence is rare or might not exist at all. + +This bug is older than xz 5.0.0, so all stable releases are affected. + +CVE: CVE-2026-34743 +Upstream-Status: Backport [https://github.com/tukaani-project/xz/commit/8538443d08591693a8c61f3a03656650f39c7c32] + +Reported-by: GitHub user christos-spearbit +(cherry picked from commit c8c22869e780ff57c96b46939c3d79ff99395f87) +(cherry picked from commit 8538443d08591693a8c61f3a03656650f39c7c32) +Signed-off-by: Hugo SIMELIERE (Schneider Electric) +--- + src/liblzma/common/index.c | 21 +++++++++++++++++++++ + 1 file changed, 21 insertions(+) + +diff --git a/src/liblzma/common/index.c b/src/liblzma/common/index.c +index 8a35f439..dae7cab5 100644 +--- a/src/liblzma/common/index.c ++++ b/src/liblzma/common/index.c +@@ -434,6 +434,26 @@ lzma_index_prealloc(lzma_index *i, lzma_vli records) + if (records > PREALLOC_MAX) + records = PREALLOC_MAX; + ++ // If index_decoder.c calls us with records == 0, it's decoding ++ // an Index that has no Records. In that case the decoder won't call ++ // lzma_index_append() at all, and i->prealloc isn't used during ++ // the Index decoding either. ++ // ++ // Normally the first lzma_index_append() call from the Index decoder ++ // would reset i->prealloc to INDEX_GROUP_SIZE. With no Records, ++ // lzma_index_append() isn't called and the resetting of prealloc ++ // won't occur either. 
Thus, if records == 0, use the default value ++ // INDEX_GROUP_SIZE instead. ++ // ++ // NOTE: lzma_index_append() assumes i->prealloc > 0. liblzma <= 5.8.2 ++ // didn't have this check and could set i->prealloc = 0, which would ++ // result in a buffer overflow if the application called ++ // lzma_index_append() after decoding an empty Index. Appending ++ // Records after decoding an Index is a rare thing to do, but ++ // it is supposed to work. ++ if (records == 0) ++ records = INDEX_GROUP_SIZE; ++ + i->prealloc = (size_t)(records); + return; + } +@@ -686,6 +706,7 @@ lzma_index_append(lzma_index *i, const lzma_allocator *allocator, + ++g->last; + } else { + // We need to allocate a new group. ++ assert(i->prealloc > 0); + g = lzma_alloc(sizeof(index_group) + + i->prealloc * sizeof(index_record), + allocator); +-- +2.43.0 + diff --git a/meta/recipes-extended/xz/xz_5.4.7.bb b/meta/recipes-extended/xz/xz_5.4.7.bb index 30a4c8e88c..72759edea0 100644 --- a/meta/recipes-extended/xz/xz_5.4.7.bb +++ b/meta/recipes-extended/xz/xz_5.4.7.bb 
@@ -30,6 +30,7 @@ SRC_URI = "https://github.com/tukaani-project/xz/releases/download/v${PV}/xz-${P file://CVE-2025-31115-02.patch \ file://CVE-2025-31115-03.patch \ file://CVE-2025-31115-04.patch \ + file://CVE-2026-34743.patch \ " SRC_URI[sha256sum] = "8db6664c48ca07908b92baedcfe7f3ba23f49ef2476864518ab5db6723836e71" UPSTREAM_CHECK_REGEX = "releases/tag/v(?P\d+(\.\d+)+)"
From patchwork Fri Jun 12 14:25:55 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jeremy Rosen X-Patchwork-Id: 89941
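Review bot: The `assert(i->prealloc > 0);` added to lzma_index_append() in src/liblzma/common/index.c of CVE-2026-34743.patch is compiled out when NDEBUG is defined, so in a release build the only protection is the new `if (records == 0)` branch in lzma_index_prealloc(). That covers the decoder sequence described in the commit message, but any other path that leaves i->prealloc at zero would still reach the `i->prealloc * sizeof(index_record)` allocation unchecked. It is worth stating in the recipe commit message that the assert is documentation rather than a runtime guard, and raising with upstream whether an explicit error return belongs there.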
From: Jeremy Rosen To: openembedded-core@lists.openembedded.org Cc: Paul Barker Subject: [OE-core][scarthgap 05/21] util-linux: Fix CVE-2026-27456 Date: Fri, 12 Jun 2026 16:25:55 +0200 Message-ID: <8a9fefa317baff6022334e46ab4ee87676c07699.1781270474.git.jeremy.rosen@smile.fr> X-Mailer: git-send-email 2.53.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 12 Jun 2026 14:26:49 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/238627 From: "Hugo SIMELIERE (Schneider Electric)" Pick patch from [1] as 2.39.x upstream backport of [2] mentioned in Debian report in [3]. [1] https://github.com/util-linux/util-linux/commit/79164668a412b71fcb1495c7d299cc5e9741fa30 [2] https://github.com/util-linux/util-linux/commit/0ba0f14caa812349424df0da00ac2d97fee9d972 [3] https://security-tracker.debian.org/tracker/CVE-2026-27456 Signed-off-by: Hugo SIMELIERE (Schneider Electric) Reviewed-by: Bruno VERNAY Signed-off-by: Jeremy Rosen --- meta/recipes-core/util-linux/util-linux.inc | 1 + .../util-linux/CVE-2026-27456.patch | 115 ++++++++++++++++++ 2 files changed, 116 insertions(+) create mode 100644 meta/recipes-core/util-linux/util-linux/CVE-2026-27456.patch diff --git a/meta/recipes-core/util-linux/util-linux.inc b/meta/recipes-core/util-linux/util-linux.inc index 4797682c5d..8380419634 100644 --- a/meta/recipes-core/util-linux/util-linux.inc +++ b/meta/recipes-core/util-linux/util-linux.inc @@ -46,6 +46,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/utils/util-linux/v${MAJOR_VERSION}/util-lin file://sys-utils-hwclock-rtc-fix-pointer-usage.patch \ file://CVE-2025-14104-01.patch \ file://CVE-2025-14104-02.patch \ + file://CVE-2026-27456.patch \ " SRC_URI[sha256sum] = "7b6605e48d1a49f43cc4b4cfc59f313d0dd5402fa40b96810bd572e167dfed0f" 
diff --git a/meta/recipes-core/util-linux/util-linux/CVE-2026-27456.patch b/meta/recipes-core/util-linux/util-linux/CVE-2026-27456.patch new file mode 100644 index 0000000000..4a5fef26d3 --- /dev/null +++ b/meta/recipes-core/util-linux/util-linux/CVE-2026-27456.patch 
@@ -0,0 +1,115 @@ +From af0b619f8eb15f738c69e33e0bb3a794e9cccf17 Mon Sep 17 00:00:00 2001 +From: Karel Zak +Date: Thu, 19 Feb 2026 13:59:46 +0100 +Subject: [PATCH] loopdev: add LOOPDEV_FL_NOFOLLOW to prevent symlink attacks + +Add a new LOOPDEV_FL_NOFOLLOW flag for loop device context that +prevents symlink following in both path canonicalization and file open. + +When set: +- loopcxt_set_backing_file() uses strdup() instead of + ul_canonicalize_path() (which calls realpath() and follows symlinks) +- loopcxt_setup_device() adds O_NOFOLLOW to open() flags + +The flag is set for non-root (restricted) mount operations in +libmount's loop device hook. This prevents a TOCTOU race condition +where an attacker could replace the backing file (specified in +/etc/fstab) with a symlink to an arbitrary root-owned file between +path resolution and open(). + +Vulnerable Code Flow: + + mount /mnt/point (non-root, SUID) + mount.c: sanitize_paths() on user args (mountpoint only) + mnt_context_mount() + mnt_context_prepare_mount() + mnt_context_apply_fstab() <-- source path from fstab + hooks run at MNT_STAGE_PREP_SOURCE + hook_loopdev.c: setup_loopdev() + backing_file = fstab source path ("/home/user/disk.img") + loopcxt_set_backing_file() <-- calls realpath() as ROOT + ul_canonicalize_path() <-- follows symlinks! + loopcxt_setup_device() + open(lc->filename, O_RDWR|O_CLOEXEC) <-- no O_NOFOLLOW + +Two vulnerabilities in the path: + +1) loopcxt_set_backing_file() calls ul_canonicalize_path() which uses + realpath() -- this follows symlinks as euid=0. If the attacker swaps + the file to a symlink before this call, lc->filename becomes the + resolved target path (e.g., /root/secret.img). + +2) loopcxt_setup_device() opens lc->filename without O_NOFOLLOW. Even + if canonicalization happened correctly, the file can be swapped to a + symlink between canonicalize and open. 
+ +CVE: CVE-2026-27456 +Upstream-Status: Backport [https://github.com/util-linux/util-linux/commit/79164668a412b71fcb1495c7d299cc5e9741fa30] + +Addresses: https://github.com/util-linux/util-linux/security/advisories/GHSA-qq4x-vfq4-9h9g +Signed-off-by: Karel Zak +(cherry picked from commit 5e390467b26a3cf3fecc04e1a0d482dff3162fc4) +(cherry picked from commit 79164668a412b71fcb1495c7d299cc5e9741fa30) +Signed-off-by: Hugo SIMELIERE (Schneider Electric) +--- + include/loopdev.h | 3 ++- + lib/loopdev.c | 7 ++++++- + libmount/src/hook_loopdev.c | 3 ++- + 3 files changed, 10 insertions(+), 3 deletions(-) + +diff --git a/include/loopdev.h b/include/loopdev.h +index 903adc491..d03e9b65e 100644 +--- a/include/loopdev.h ++++ b/include/loopdev.h +@@ -139,7 +139,8 @@ enum { + LOOPDEV_FL_NOIOCTL = (1 << 6), + LOOPDEV_FL_DEVSUBDIR = (1 << 7), + LOOPDEV_FL_CONTROL = (1 << 8), /* system with /dev/loop-control */ +- LOOPDEV_FL_SIZELIMIT = (1 << 9) ++ LOOPDEV_FL_SIZELIMIT = (1 << 9), ++ LOOPDEV_FL_NOFOLLOW = (1 << 10) /* O_NOFOLLOW, don't follow symlinks */ + }; + + /* +diff --git a/lib/loopdev.c b/lib/loopdev.c +index dd9ead3ee..4da251812 100644 +--- a/lib/loopdev.c ++++ b/lib/loopdev.c +@@ -1193,7 +1193,10 @@ int loopcxt_set_backing_file(struct loopdev_cxt *lc, const char *filename) + if (!lc) + return -EINVAL; + +- lc->filename = canonicalize_path(filename); ++ if (lc->flags & LOOPDEV_FL_NOFOLLOW) ++ lc->filename = strdup(filename); ++ else ++ lc->filename = canonicalize_path(filename); + if (!lc->filename) + return -errno; + +@@ -1332,6 +1335,8 @@ int loopcxt_setup_device(struct loopdev_cxt *lc) + + if (lc->config.info.lo_flags & LO_FLAGS_DIRECT_IO) + flags |= O_DIRECT; ++ if (lc->flags & LOOPDEV_FL_NOFOLLOW) ++ flags |= O_NOFOLLOW; + + if ((file_fd = open(lc->filename, mode | flags)) < 0) { + if (mode != O_RDONLY && (errno == EROFS || errno == EACCES)) +diff --git a/libmount/src/hook_loopdev.c b/libmount/src/hook_loopdev.c +index 8c8f7f218..ce39a7a70 100644 +--- 
a/libmount/src/hook_loopdev.c ++++ b/libmount/src/hook_loopdev.c +@@ -276,7 +276,8 @@ static int setup_loopdev(struct libmnt_context *cxt, + } + + DBG(LOOP, ul_debugobj(cxt, "not found; create a new loop device")); +- rc = loopcxt_init(&lc, 0); ++ rc = loopcxt_init(&lc, ++ mnt_context_is_restricted(cxt) ? LOOPDEV_FL_NOFOLLOW : 0); + if (rc) + goto done_no_deinit; + if (mnt_opt_has_value(loopopt)) { +-- +2.43.0 +
From patchwork Fri Jun 12 14:25:56 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Jeremy Rosen X-Patchwork-Id: 89935
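Review bot: In loopcxt_setup_device() in the lib/loopdev.c part of CVE-2026-27456.patch, `flags |= O_NOFOLLOW;` makes open() refuse a symlink only in the final path component; symbolic links in the directories leading to lc->filename are still resolved, and with LOOPDEV_FL_NOFOLLOW set loopcxt_set_backing_file() now stores the fstab string through strdup() with no canonicalization at all. The commit message should state that limit explicitly. It is also worth confirming that code which later compares lc->filename with the backing file of existing loop devices still matches when the stored path is not canonical, and adding a test for a restricted mount whose fstab source is a relative or non-canonical path.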
From: Jeremy Rosen To: openembedded-core@lists.openembedded.org Cc: Paul Barker Subject: [OE-core][scarthgap 06/21] devtool: prevent 'devtool modify -n' from corrupting kernel Git repos Date: Fri, 12 Jun 2026 16:25:56 +0200 Message-ID: <17570092dd08b72ec025a159cc3915fc94344a76.1781270474.git.jeremy.rosen@smile.fr> X-Mailer: git-send-email 2.53.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 12 Jun 2026 14:26:49 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/238628 From: Enrico Jörns Running 'devtool modify -n' on a kernel recipe that inherits 'kernel-yocto' can unintentionally corrupt an existing Git repo or worktree. The work-shared optimization introduced in 3c3a9bae ("devtool/standard.py: Update devtool modify to copy source from work-shared if its already downloaded") is not skipped when '--no-extract' ('args.no_extract') is set. As a result, for kernel builds where STAGING_KERNEL_DIR was already populated when running 'devtool modify -n', the existing source tree is overwritten (via oe.path.copyhardlinktree()) with the contents of STAGING_KERNEL_DIR. Fix by adding 'and not args.no_extract' to the kernel-yocto guard condition. (cherry picked from commit d383ea37e4987ecabe011226f1a8e658a52ede12) Signed-off-by: Enrico Jörns Signed-off-by: Richard Purdie Signed-off-by: Jeremy Rosen --- scripts/lib/devtool/standard.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/scripts/lib/devtool/standard.py b/scripts/lib/devtool/standard.py index 908869cc4f..e1e519ce5b 100644 --- a/scripts/lib/devtool/standard.py +++ b/scripts/lib/devtool/standard.py 
@@ -841,7 +841,8 @@ def modify(args, config, basepath, workspace): commits = {} check_commits = False - if bb.data.inherits_class('kernel-yocto', rd): + if bb.data.inherits_class('kernel-yocto', rd) and not args.no_extract: + # Current set kernel version kernelVersion = rd.getVar('LINUX_VERSION') srcdir = rd.getVar('STAGING_KERNEL_DIR')
From patchwork Fri Jun 12 14:25:57 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jeremy Rosen X-Patchwork-Id: 89940
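Review bot: The new `and not args.no_extract` condition in modify() in scripts/lib/devtool/standard.py arrives without a regression test (the diffstat lists only that one file), so the case that caused the corruption, 'devtool modify -n' on a kernel-yocto recipe with STAGING_KERNEL_DIR already populated, can silently come back. A devtool selftest that runs that sequence against an existing Git worktree and checks that the tree is left untouched would pin the behaviour.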
From: Jeremy Rosen To: openembedded-core@lists.openembedded.org Cc: Paul Barker Subject: [OE-core][scarthgap 07/21] go: patch CVE-2026-27142 Date: Fri, 12 Jun 2026 16:25:57 +0200 Message-ID: X-Mailer: git-send-email 2.53.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 12 Jun 2026 14:26:49 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/238629 From: "Theo Gaige (Schneider Electric)" Backport patch from [1] [1] https://go.dev/cl/752081 Signed-off-by: Theo Gaige (Schneider Electric) Reviewed-by: Bruno Vernay Signed-off-by: Jeremy Rosen --- meta/recipes-devtools/go/go-1.22.12.inc | 1 + .../go/go/CVE-2026-27142.patch | 386 ++++++++++++++++++ 2 files changed, 387 insertions(+) create mode 100644 meta/recipes-devtools/go/go/CVE-2026-27142.patch diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc index 3fa421e223..8efa82f862 100644 --- a/meta/recipes-devtools/go/go-1.22.12.inc +++ b/meta/recipes-devtools/go/go-1.22.12.inc @@ -41,6 +41,7 @@ SRC_URI += "\ file://CVE-2025-68121_p1.patch \ file://CVE-2025-68121_p2.patch \ file://CVE-2025-68121_p3.patch \ + file://CVE-2026-27142.patch \ " SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71" diff --git a/meta/recipes-devtools/go/go/CVE-2026-27142.patch b/meta/recipes-devtools/go/go/CVE-2026-27142.patch new file mode 100644 index 0000000000..e735abaf4b --- /dev/null +++ b/meta/recipes-devtools/go/go/CVE-2026-27142.patch 
@@ -0,0 +1,386 @@ +From 1ac19df75e9c25951c04008a52b23a1cd95e81cc Mon Sep 17 00:00:00 2001 +From: Roland Shoemaker +Date: Fri, 9 Jan 2026 11:12:01 -0800 +Subject: [PATCH] html/template: properly escape URLs in meta content + attributes + +The meta tag can include a content attribute that contains URLs, which +we currently don't escape if they are inserted via a template action. +This can plausibly lead to XSS vulnerabilities if untrusted data is +inserted there, the http-equiv attribute is set to "refresh", and the +content attribute contains an action like `url={{.}}`. + +Track whether we are inside of a meta element, if we are inside of a +content attribute, _and_ if the content attribute contains "url=". If +all of those are true, then we will apply the same URL escaping that we +use elsewhere. + +Also add a new GODEBUG, htmlmetacontenturlescape, to allow disabling this +escaping for cases where this behavior is considered safe. The behavior +can be disabled by setting htmlmetacontenturlescape=0. 
+ +Updates #77954 +Fixes #77972 +Fixes CVE-2026-27142 + +Change-Id: I9bbca263be9894688e6ef1e9a8f8d2f4304f5873 +Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3360 +Reviewed-by: Neal Patel +Reviewed-by: Nicholas Husin +Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3643 +Reviewed-by: Damien Neil +Reviewed-on: https://go-review.googlesource.com/c/go/+/752081 +Auto-Submit: Gopher Robot +Reviewed-by: Cherry Mui +TryBot-Bypass: Gopher Robot +Reviewed-by: Dmitri Shuralyov + +CVE: CVE-2026-27142 +Upstream-Status: Backport [https://github.com/golang/go/commit/994692847a2cd3efd319f0cb61a07c0012c8a4ff] +Signed-off-by: Theo Gaige (Schneider Electric) +--- + doc/godebug.md | 5 +++ + src/html/template/attr_string.go | 5 +-- + src/html/template/context.go | 8 +++++ + src/html/template/element_string.go | 5 +-- + src/html/template/escape.go | 14 +++++++++ + src/html/template/escape_test.go | 34 +++++++++++++++++++++ + src/html/template/state_string.go | 8 +++-- + src/html/template/transition.go | 47 +++++++++++++++++++++++++---- + src/internal/godebugs/table.go | 1 + + src/runtime/metrics/doc.go | 5 +++ + 10 files changed, 119 insertions(+), 13 deletions(-) + +diff --git a/doc/godebug.md b/doc/godebug.md +index 635597e..07b63cb 100644 +--- a/doc/godebug.md ++++ b/doc/godebug.md +@@ -126,6 +126,11 @@ for example, + see the [runtime documentation](/pkg/runtime#hdr-Environment_Variables) + and the [go command documentation](/cmd/go#hdr-Build_and_test_caching). + ++Go 1.26.1 added a new `htmlmetacontenturlescape` setting that controls whether ++html/template will escape URLs in the `url=` portion of the content attribute of ++HTML meta tags. The default `htmlmetacontentescape=1` will cause URLs to be ++escaped. Setting `htmlmetacontentescape=0` disables this behavior. ++ + Go 1.26 added a new `urlmaxqueryparams` setting that controls the maximum number + of query parameters that net/url will accept when parsing a URL-encoded query string. 
+ If the number of parameters exceeds the number set in `urlmaxqueryparams`, +diff --git a/src/html/template/attr_string.go b/src/html/template/attr_string.go +index 51c3f26..7159fa9 100644 +--- a/src/html/template/attr_string.go ++++ b/src/html/template/attr_string.go +@@ -14,11 +14,12 @@ func _() { + _ = x[attrStyle-3] + _ = x[attrURL-4] + _ = x[attrSrcset-5] ++ _ = x[attrMetaContent-6] + } + +-const _attr_name = "attrNoneattrScriptattrScriptTypeattrStyleattrURLattrSrcset" ++const _attr_name = "attrNoneattrScriptattrScriptTypeattrStyleattrURLattrSrcsetattrMetaContent" + +-var _attr_index = [...]uint8{0, 8, 18, 32, 41, 48, 58} ++var _attr_index = [...]uint8{0, 8, 18, 32, 41, 48, 58, 73} + + func (i attr) String() string { + if i >= attr(len(_attr_index)-1) { +diff --git a/src/html/template/context.go b/src/html/template/context.go +index b78f0f7..8b3af2f 100644 +--- a/src/html/template/context.go ++++ b/src/html/template/context.go +@@ -156,6 +156,10 @@ const ( + // stateError is an infectious error state outside any valid + // HTML/CSS/JS construct. + stateError ++ // stateMetaContent occurs inside a HTML meta element content attribute. ++ stateMetaContent ++ // stateMetaContentURL occurs inside a "url=" tag in a HTML meta element content attribute. ++ stateMetaContentURL + // stateDead marks unreachable code after a {{break}} or {{continue}}. + stateDead + ) +@@ -267,6 +271,8 @@ const ( + elementTextarea + // elementTitle corresponds to the RCDATA element. + elementTitle ++ // elementMeta corresponds to the HTML <meta> element. ++ elementMeta + ) + + //go:generate stringer -type attr +@@ -288,4 +294,6 @@ const ( + attrURL + // attrSrcset corresponds to a srcset attribute. + attrSrcset ++ // attrMetaContent corresponds to the content attribute in meta HTML element. 
++ attrMetaContent + ) +diff --git a/src/html/template/element_string.go b/src/html/template/element_string.go +index db28665..bdf9da7 100644 +--- a/src/html/template/element_string.go ++++ b/src/html/template/element_string.go +@@ -13,11 +13,12 @@ func _() { + _ = x[elementStyle-2] + _ = x[elementTextarea-3] + _ = x[elementTitle-4] ++ _ = x[elementMeta-5] + } + +-const _element_name = "elementNoneelementScriptelementStyleelementTextareaelementTitle" ++const _element_name = "elementNoneelementScriptelementStyleelementTextareaelementTitleelementMeta" + +-var _element_index = [...]uint8{0, 11, 24, 36, 51, 63} ++var _element_index = [...]uint8{0, 11, 24, 36, 51, 63, 74} + + func (i element) String() string { + if i >= element(len(_element_index)-1) { +diff --git a/src/html/template/escape.go b/src/html/template/escape.go +index 1eace16..b368cab 100644 +--- a/src/html/template/escape.go ++++ b/src/html/template/escape.go +@@ -165,6 +165,8 @@ func (e *escaper) escape(c context, n parse.Node) context { + + var debugAllowActionJSTmpl = godebug.New("jstmpllitinterp") + ++var htmlmetacontenturlescape = godebug.New("htmlmetacontenturlescape") ++ + // escapeAction escapes an action template node. + func (e *escaper) escapeAction(c context, n *parse.ActionNode) context { + if len(n.Pipe.Decl) != 0 { +@@ -222,6 +224,18 @@ func (e *escaper) escapeAction(c context, n *parse.ActionNode) context { + default: + panic(c.urlPart.String()) + } ++ case stateMetaContent: ++ // Handled below in delim check. ++ case stateMetaContentURL: ++ if htmlmetacontenturlescape.Value() != "0" { ++ s = append(s, "_html_template_urlfilter") ++ } else { ++ // We don't have a great place to increment this, since it's hard to ++ // know if we actually escape any urls in _html_template_urlfilter, ++ // since it has no information about what context it is being ++ // executed in etc. This is probably the best we can do. 
++ htmlmetacontenturlescape.IncNonDefault() ++ } + case stateJS: + s = append(s, "_html_template_jsvalescaper") + // A slash after a value starts a div operator. +diff --git a/src/html/template/escape_test.go b/src/html/template/escape_test.go +index 497ead8..1970db1 100644 +--- a/src/html/template/escape_test.go ++++ b/src/html/template/escape_test.go +@@ -734,6 +734,16 @@ func TestEscape(t *testing.T) { + "<script>var a = `${ var a = \"{{\"a \\\" d\"}}\" }`</script>", + "<script>var a = `${ var a = \"a \\u0022 d\" }`</script>", + }, ++ { ++ "meta content attribute url", ++ `<meta http-equiv="refresh" content="asd; url={{"javascript:alert(1)"}}; asd; url={{"vbscript:alert(1)"}}; asd">`, ++ `<meta http-equiv="refresh" content="asd; url=#ZgotmplZ; asd; url=#ZgotmplZ; asd">`, ++ }, ++ { ++ "meta content string", ++ `<meta http-equiv="refresh" content="{{"asd: 123"}}">`, ++ `<meta http-equiv="refresh" content="asd: 123">`, ++ }, + } + + for _, test := range tests { +@@ -1016,6 +1026,14 @@ func TestErrors(t *testing.T) { + "<script>var tmpl = `asd ${return \"{\"}`;</script>", + ``, + }, ++ { ++ `{{if eq "" ""}}<meta>{{end}}`, ++ ``, ++ }, ++ { ++ `{{if eq "" ""}}<meta content="url={{"asd"}}">{{end}}`, ++ ``, ++ }, + + // Error cases. 
+ { +@@ -2194,3 +2212,19 @@ func TestAliasedParseTreeDoesNotOverescape(t *testing.T) { + t.Fatalf(`Template "foo" and "bar" rendered %q and %q respectively, expected equal values`, got1, got2) + } + } ++ ++func TestMetaContentEscapeGODEBUG(t *testing.T) { ++ savedGODEBUG := os.Getenv("GODEBUG") ++ os.Setenv("GODEBUG", savedGODEBUG+",htmlmetacontenturlescape=0") ++ defer func() { os.Setenv("GODEBUG", savedGODEBUG) }() ++ ++ tmpl := Must(New("").Parse(`<meta http-equiv="refresh" content="asd; url={{"javascript:alert(1)"}}; asd; url={{"vbscript:alert(1)"}}; asd">`)) ++ var b strings.Builder ++ if err := tmpl.Execute(&b, nil); err != nil { ++ t.Fatalf("unexpected error: %s", err) ++ } ++ want := `<meta http-equiv="refresh" content="asd; url=javascript:alert(1); asd; url=vbscript:alert(1); asd">` ++ if got := b.String(); got != want { ++ t.Fatalf("got %q, want %q", got, want) ++ } ++} +diff --git a/src/html/template/state_string.go b/src/html/template/state_string.go +index eed1e8b..f5a70b2 100644 +--- a/src/html/template/state_string.go ++++ b/src/html/template/state_string.go +@@ -36,12 +36,14 @@ func _() { + _ = x[stateCSSBlockCmt-25] + _ = x[stateCSSLineCmt-26] + _ = x[stateError-27] +- _ = x[stateDead-28] ++ _ = x[stateMetaContent-28] ++ _ = x[stateMetaContentURL-29] ++ _ = x[stateDead-30] + } + +-const _state_name = "stateTextstateTagstateAttrNamestateAfterNamestateBeforeValuestateHTMLCmtstateRCDATAstateAttrstateURLstateSrcsetstateJSstateJSDqStrstateJSSqStrstateJSTmplLitstateJSRegexpstateJSBlockCmtstateJSLineCmtstateJSHTMLOpenCmtstateJSHTMLCloseCmtstateCSSstateCSSDqStrstateCSSSqStrstateCSSDqURLstateCSSSqURLstateCSSURLstateCSSBlockCmtstateCSSLineCmtstateErrorstateDead" ++const _state_name = 
"stateTextstateTagstateAttrNamestateAfterNamestateBeforeValuestateHTMLCmtstateRCDATAstateAttrstateURLstateSrcsetstateJSstateJSDqStrstateJSSqStrstateJSTmplLitstateJSRegexpstateJSBlockCmtstateJSLineCmtstateJSHTMLOpenCmtstateJSHTMLCloseCmtstateCSSstateCSSDqStrstateCSSSqStrstateCSSDqURLstateCSSSqURLstateCSSURLstateCSSBlockCmtstateCSSLineCmtstateErrorstateMetaContentstateMetaContentURLstateDead" + +-var _state_index = [...]uint16{0, 9, 17, 30, 44, 60, 72, 83, 92, 100, 111, 118, 130, 142, 156, 169, 184, 198, 216, 235, 243, 256, 269, 282, 295, 306, 322, 337, 347, 356} ++var _state_index = [...]uint16{0, 9, 17, 30, 44, 60, 72, 83, 92, 100, 111, 118, 130, 142, 156, 169, 184, 198, 216, 235, 243, 256, 269, 282, 295, 306, 322, 337, 347, 363, 382, 391} + + func (i state) String() string { + if i >= state(len(_state_index)-1) { +diff --git a/src/html/template/transition.go b/src/html/template/transition.go +index d5a05f6..5aa3c35 100644 +--- a/src/html/template/transition.go ++++ b/src/html/template/transition.go +@@ -23,6 +23,8 @@ var transitionFunc = [...]func(context, []byte) (context, int){ + stateRCDATA: tSpecialTagEnd, + stateAttr: tAttr, + stateURL: tURL, ++ stateMetaContent: tMetaContent, ++ stateMetaContentURL: tMetaContentURL, + stateSrcset: tURL, + stateJS: tJS, + stateJSDqStr: tJSDelimited, +@@ -83,6 +85,7 @@ var elementContentType = [...]state{ + elementStyle: stateCSS, + elementTextarea: stateRCDATA, + elementTitle: stateRCDATA, ++ elementMeta: stateText, + } + + // tTag is the context transition function for the tag state. +@@ -93,6 +96,11 @@ func tTag(c context, s []byte) (context, int) { + return c, len(s) + } + if s[i] == '>' { ++ // Treat <meta> specially, because it doesn't have an end tag, and we ++ // want to transition into the correct state/element for it. 
++ if c.element == elementMeta { ++ return context{state: stateText, element: elementNone}, i + 1 ++ } + return context{ + state: elementContentType[c.element], + element: c.element, +@@ -113,6 +121,8 @@ func tTag(c context, s []byte) (context, int) { + attrName := strings.ToLower(string(s[i:j])) + if c.element == elementScript && attrName == "type" { + attr = attrScriptType ++ } else if c.element == elementMeta && attrName == "content" { ++ attr = attrMetaContent + } else { + switch attrType(attrName) { + case contentTypeURL: +@@ -162,12 +172,13 @@ func tAfterName(c context, s []byte) (context, int) { + } + + var attrStartStates = [...]state{ +- attrNone: stateAttr, +- attrScript: stateJS, +- attrScriptType: stateAttr, +- attrStyle: stateCSS, +- attrURL: stateURL, +- attrSrcset: stateSrcset, ++ attrNone: stateAttr, ++ attrScript: stateJS, ++ attrScriptType: stateAttr, ++ attrStyle: stateCSS, ++ attrURL: stateURL, ++ attrSrcset: stateSrcset, ++ attrMetaContent: stateMetaContent, + } + + // tBeforeValue is the context transition function for stateBeforeValue. +@@ -203,6 +214,7 @@ var specialTagEndMarkers = [...][]byte{ + elementStyle: []byte("style"), + elementTextarea: []byte("textarea"), + elementTitle: []byte("title"), ++ elementMeta: []byte(""), + } + + var ( +@@ -612,6 +624,28 @@ func tError(c context, s []byte) (context, int) { + return c, len(s) + } + ++// tMetaContent is the context transition function for the meta content attribute state. ++func tMetaContent(c context, s []byte) (context, int) { ++ for i := 0; i < len(s); i++ { ++ if i+3 <= len(s)-1 && bytes.Equal(bytes.ToLower(s[i:i+4]), []byte("url=")) { ++ c.state = stateMetaContentURL ++ return c, i + 4 ++ } ++ } ++ return c, len(s) ++} ++ ++// tMetaContentURL is the context transition function for the "url=" part of a meta content attribute state. 
++func tMetaContentURL(c context, s []byte) (context, int) { ++ for i := 0; i < len(s); i++ { ++ if s[i] == ';' { ++ c.state = stateMetaContent ++ return c, i + 1 ++ } ++ } ++ return c, len(s) ++} ++ + // eatAttrName returns the largest j such that s[i:j] is an attribute name. + // It returns an error if s[i:] does not look like it begins with an + // attribute name, such as encountering a quote mark without a preceding +@@ -638,6 +672,7 @@ var elementNameMap = map[string]element{ + "style": elementStyle, + "textarea": elementTextarea, + "title": elementTitle, ++ "meta": elementMeta, + } + + // asciiAlpha reports whether c is an ASCII letter. +diff --git a/src/internal/godebugs/table.go b/src/internal/godebugs/table.go +index 7178df6..90311eb 100644 +--- a/src/internal/godebugs/table.go ++++ b/src/internal/godebugs/table.go +@@ -31,6 +31,7 @@ var All = []Info{ + {Name: "gocachetest", Package: "cmd/go"}, + {Name: "gocacheverify", Package: "cmd/go"}, + {Name: "gotypesalias", Package: "go/types"}, ++ {Name: "htmlmetacontenturlescape", Package: "html/template"}, + {Name: "http2client", Package: "net/http"}, + {Name: "http2debug", Package: "net/http", Opaque: true}, + {Name: "http2server", Package: "net/http"}, +diff --git a/src/runtime/metrics/doc.go b/src/runtime/metrics/doc.go +index 335f787..f68e386 100644 +--- a/src/runtime/metrics/doc.go ++++ b/src/runtime/metrics/doc.go +@@ -255,6 +255,11 @@ Below is the full list of supported metrics, ordered lexicographically. + The number of non-default behaviors executed by the go/types + package due to a non-default GODEBUG=gotypesalias=... setting. + ++ /godebug/non-default-behavior/htmlmetacontenturlescape:events ++ The number of non-default behaviors executed by ++ the html/template package due to a non-default ++ GODEBUG=htmlmetacontenturlescape=... setting. 
++ + /godebug/non-default-behavior/http2client:events + The number of non-default behaviors executed by the net/http + package due to a non-default GODEBUG=http2client=... setting. +-- +2.43.0 +
From patchwork Fri Jun 12 14:25:58 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jeremy Rosen <jeremy.rosen@smile.fr> X-Patchwork-Id: 89936
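Review bot: in the doc/godebug.md hunk of CVE-2026-27142.patch the setting is introduced as `htmlmetacontenturlescape`, but the next two sentences spell it `htmlmetacontentescape=1` and `htmlmetacontentescape=0`. The name registered in escape.go and in internal/godebugs/table.go is `htmlmetacontenturlescape`, so someone who copies the documented `htmlmetacontentescape=0` sets a different name from the one the code reads. The same paragraph says the setting was added in Go 1.26.1 while this recipe applies it to go-1.22.12; a line in the patch header stating that the GODEBUG is available in this backport would avoid confusion when the documentation is checked against the packaged version.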
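Review bot: in tMetaContent (transition.go hunk) the bound `i+3 <= len(s)-1` is a roundabout spelling of `i+4 <= len(s)`, and `bytes.ToLower(s[i:i+4])` makes a copy at every position of the attribute value; `bytes.EqualFold(s[i:i+4], []byte("url="))` with the simpler bound expresses the same comparison. The case-insensitive branch is also not exercised by the tests in this patch: the new TestEscape cases and TestMetaContentEscapeGODEBUG all use lowercase `url=`, so a case with `URL=` would pin the behaviour the ToLower call exists for.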
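Review bot: TestMetaContentEscapeGODEBUG (escape_test.go hunk) builds the variable as `savedGODEBUG+",htmlmetacontenturlescape=0"` and restores it with a deferred os.Setenv. When GODEBUG was not set before the test, that produces a value with a leading comma and afterwards leaves GODEBUG set to the empty string instead of unset. `t.Setenv("GODEBUG", ...)` restores the previous state automatically and removes the manual save and defer.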
From: Jeremy Rosen <jeremy.rosen@smile.fr> To: openembedded-core@lists.openembedded.org Cc: Paul Barker <paul@pbarker.dev> Subject: [OE-core][scarthgap 08/21] go: patch CVE-2026-32280 Date: Fri, 12 Jun 2026 16:25:58 +0200 Message-ID: <76f60545d2f925962be0f058ae14e5ae4ff4abd1.1781270474.git.jeremy.rosen@smile.fr> X-Mailer: git-send-email 2.53.0 In-Reply-To: <cover.1781270474.git.jeremy.rosen@smile.fr> References: <cover.1781270474.git.jeremy.rosen@smile.fr> MIME-Version: 1.0 List-Id: <openembedded-core.lists.openembedded.org> X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for <openembedded-core@lists.openembedded.org>; Fri, 12 Jun 2026 14:26:49 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/238630 From: "Theo Gaige (Schneider Electric)" <tgaige.opensource@witekio.com> Backport patch from [1] [1] https://go.dev/cl/758320 Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com> Reviewed-by: Bruno Vernay <bruno.vernay@se.com> Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr> --- meta/recipes-devtools/go/go-1.22.12.inc | 1 + .../go/go/CVE-2026-32280.patch | 289 ++++++++++++++++++ 2 files changed, 290 insertions(+) create mode 100644 meta/recipes-devtools/go/go/CVE-2026-32280.patch diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc index 8efa82f862..0d4dff6c21 100644 --- a/meta/recipes-devtools/go/go-1.22.12.inc +++ b/meta/recipes-devtools/go/go-1.22.12.inc @@ -42,6 +42,7 @@ SRC_URI += "\ file://CVE-2025-68121_p2.patch \ file://CVE-2025-68121_p3.patch \ file://CVE-2026-27142.patch \ + file://CVE-2026-32280.patch \ " SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71" diff --git a/meta/recipes-devtools/go/go/CVE-2026-32280.patch b/meta/recipes-devtools/go/go/CVE-2026-32280.patch new file mode 100644 index 0000000000..9a6f7950ae --- /dev/null 
+++ b/meta/recipes-devtools/go/go/CVE-2026-32280.patch 
@@ -0,0 +1,289 @@ +From 1d71a2882078ea5057e68a7d2fedc83a5227c764 Mon Sep 17 00:00:00 2001 +From: Roland Shoemaker <bracewell@google.com> +Date: Thu, 5 Mar 2026 14:28:44 -0800 +Subject: [PATCH] crypto/x509: fix signature checking limit + +We added the "is this cert already in the chain" check (alreadyInChain) +to considerCandidates before the signature limit. considerCandidates +bails out when we exceed the signature check, but buildChains keeps +calling considerCandidates until it exhausts all potential parents. In +the case where a large number of certificates look to have signed each +other (e.g. all have subject==issuerSubject and the same key), +alreadyInChain is not particularly cheap, meaning even though we hit our +"this is too much work" limit, we still do a lot of work. + +Move alreadyInChain after the signature limit, and also return a +sentinel error, and check it in buildChains so we can break out of the +loop early if we aren't actually going to do any more work. + +Thanks to Jakub Ciolek for reporting this issue. 
+ +Fixes #78282 +Fixes CVE-2026-32280 + +Change-Id: Ie6f05c6ba3b0a40c21f64f7c4f846e74fae3b10e +Reviewed-on: https://go-review.googlesource.com/c/go/+/758320 +Reviewed-by: Damien Neil <dneil@google.com> +Reviewed-by: Neal Patel <nealpatel@google.com> +LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> +Reviewed-by: Jakub Ciolek <jakub@ciolek.dev> + +CVE: CVE-2026-32280 +Upstream-Status: Backport [https://github.com/golang/go/commit/26d8a902002a2b41bc4c302044110f2eae8d597f] +Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com> +--- + src/crypto/x509/verify.go | 31 ++++--- + src/crypto/x509/verify_test.go | 150 ++++++++++++++++----------------- + 2 files changed, 96 insertions(+), 85 deletions(-) + +diff --git a/src/crypto/x509/verify.go b/src/crypto/x509/verify.go +index 0ae8aef..1de06bc 100644 +--- a/src/crypto/x509/verify.go ++++ b/src/crypto/x509/verify.go +@@ -939,6 +939,8 @@ func alreadyInChain(candidate *Certificate, chain []*Certificate) bool { + // for failed checks due to different intermediates having the same Subject. 
+ const maxChainSignatureChecks = 100 + ++var errSignatureLimit = errors.New("x509: signature check attempts limit reached while verifying certificate chain") ++ + func (c *Certificate) buildChains(currentChain []*Certificate, sigChecks *int, opts *VerifyOptions) (chains [][]*Certificate, err error) { + var ( + hintErr error +@@ -946,16 +948,16 @@ func (c *Certificate) buildChains(currentChain []*Certificate, sigChecks *int, o + ) + + considerCandidate := func(certType int, candidate potentialParent) { +- if candidate.cert.PublicKey == nil || alreadyInChain(candidate.cert, currentChain) { +- return +- } +- + if sigChecks == nil { + sigChecks = new(int) + } + *sigChecks++ + if *sigChecks > maxChainSignatureChecks { +- err = errors.New("x509: signature check attempts limit reached while verifying certificate chain") ++ err = errSignatureLimit ++ return ++ } ++ ++ if candidate.cert.PublicKey == nil || alreadyInChain(candidate.cert, currentChain) { + return + } + +@@ -996,11 +998,20 @@ func (c *Certificate) buildChains(currentChain []*Certificate, sigChecks *int, o + } + } + +- for _, root := range opts.Roots.findPotentialParents(c) { +- considerCandidate(rootCertificate, root) +- } +- for _, intermediate := range opts.Intermediates.findPotentialParents(c) { +- considerCandidate(intermediateCertificate, intermediate) ++candidateLoop: ++ for _, parents := range []struct { ++ certType int ++ potentials []potentialParent ++ }{ ++ {rootCertificate, opts.Roots.findPotentialParents(c)}, ++ {intermediateCertificate, opts.Intermediates.findPotentialParents(c)}, ++ } { ++ for _, parent := range parents.potentials { ++ considerCandidate(parents.certType, parent) ++ if err == errSignatureLimit { ++ break candidateLoop ++ } ++ } + } + + if len(chains) > 0 { +diff --git a/src/crypto/x509/verify_test.go b/src/crypto/x509/verify_test.go +index 223c250..f3711ac 100644 +--- a/src/crypto/x509/verify_test.go ++++ b/src/crypto/x509/verify_test.go +@@ -1765,10 +1765,13 @@ func 
TestValidHostname(t *testing.T) { + } + } + +-func generateCert(cn string, isCA bool, issuer *Certificate, issuerKey crypto.PrivateKey) (*Certificate, crypto.PrivateKey, error) { +- priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) +- if err != nil { +- return nil, nil, err ++func generateCert(cn string, isCA bool, issuer *Certificate, issuerKey crypto.PrivateKey, priv crypto.PrivateKey) (*Certificate, crypto.PrivateKey, error) { ++ if priv == nil { ++ var err error ++ priv, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader) ++ if err != nil { ++ return nil, nil, err ++ } + } + + serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128) +@@ -1779,6 +1782,7 @@ func generateCert(cn string, isCA bool, issuer *Certificate, issuerKey crypto.Pr + Subject: pkix.Name{CommonName: cn}, + NotBefore: time.Now().Add(-1 * time.Hour), + NotAfter: time.Now().Add(24 * time.Hour), ++ DNSNames: []string{rand.Text()}, + + KeyUsage: KeyUsageKeyEncipherment | KeyUsageDigitalSignature | KeyUsageCertSign, + ExtKeyUsage: []ExtKeyUsage{ExtKeyUsageServerAuth}, +@@ -1790,7 +1794,7 @@ func generateCert(cn string, isCA bool, issuer *Certificate, issuerKey crypto.Pr + issuerKey = priv + } + +- derBytes, err := CreateCertificate(rand.Reader, template, issuer, priv.Public(), issuerKey) ++ derBytes, err := CreateCertificate(rand.Reader, template, issuer, priv.(crypto.Signer).Public(), issuerKey) + if err != nil { + return nil, nil, err + } +@@ -1802,81 +1806,77 @@ func generateCert(cn string, isCA bool, issuer *Certificate, issuerKey crypto.Pr + return cert, priv, nil + } + +-func TestPathologicalChain(t *testing.T) { +- if testing.Short() { +- t.Skip("skipping generation of a long chain of certificates in short mode") +- } +- +- // Build a chain where all intermediates share the same subject, to hit the +- // path building worst behavior. 
+- roots, intermediates := NewCertPool(), NewCertPool() +- +- parent, parentKey, err := generateCert("Root CA", true, nil, nil) +- if err != nil { +- t.Fatal(err) +- } +- roots.AddCert(parent) +- +- for i := 1; i < 100; i++ { +- parent, parentKey, err = generateCert("Intermediate CA", true, parent, parentKey) +- if err != nil { +- t.Fatal(err) +- } +- intermediates.AddCert(parent) +- } +- +- leaf, _, err := generateCert("Leaf", false, parent, parentKey) +- if err != nil { +- t.Fatal(err) +- } +- +- start := time.Now() +- _, err = leaf.Verify(VerifyOptions{ +- Roots: roots, +- Intermediates: intermediates, +- }) +- t.Logf("verification took %v", time.Since(start)) +- +- if err == nil || !strings.Contains(err.Error(), "signature check attempts limit") { +- t.Errorf("expected verification to fail with a signature checks limit error; got %v", err) +- } +-} +- +-func TestLongChain(t *testing.T) { ++func TestPathologicalChains(t *testing.T) { + if testing.Short() { +- t.Skip("skipping generation of a long chain of certificates in short mode") +- } +- +- roots, intermediates := NewCertPool(), NewCertPool() +- +- parent, parentKey, err := generateCert("Root CA", true, nil, nil) +- if err != nil { +- t.Fatal(err) +- } +- roots.AddCert(parent) ++ t.Skip("skipping generation of a long chains of certificates in short mode") ++ } ++ ++ // Test four pathological cases, where the intermediates in the chain have ++ // the same/different subjects and the same/different keys. This covers a ++ // number of cases where the chain building algorithm might be inefficient, ++ // such as when there are many intermediates with the same subject but ++ // different keys, many intermediates with the same key but different ++ // subjects, many intermediates with the same subject and key, or many ++ // intermediates with different subjects and keys. 
++ // ++ // The worst case for our algorithm is when all of the intermediates share ++ // both subject and key, in which case all of the intermediates appear to ++ // have signed each other, causing us to see a large number of potential ++ // parents for each intermediate. ++ // ++ // All of these cases, Certificate.Verify should return errSignatureLimit. ++ // ++ // In all cases, don't have a root in the pool, so a valid chain cannot actually be built. ++ ++ for _, test := range []struct { ++ sameSubject bool ++ sameKey bool ++ }{ ++ {sameSubject: false, sameKey: false}, ++ {sameSubject: true, sameKey: false}, ++ {sameSubject: false, sameKey: true}, ++ {sameSubject: true, sameKey: true}, ++ } { ++ t.Run(fmt.Sprintf("sameSubject=%t,sameKey=%t", test.sameSubject, test.sameKey), func(t *testing.T) { ++ intermediates := NewCertPool() ++ ++ var intermediateKey crypto.PrivateKey ++ if test.sameKey { ++ var err error ++ intermediateKey, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader) ++ if err != nil { ++ t.Fatal(err) ++ } ++ } + +- for i := 1; i < 15; i++ { +- name := fmt.Sprintf("Intermediate CA #%d", i) +- parent, parentKey, err = generateCert(name, true, parent, parentKey) +- if err != nil { +- t.Fatal(err) +- } +- intermediates.AddCert(parent) +- } ++ var leafSigner crypto.PrivateKey ++ var intermediate *Certificate ++ for i := range 100 { ++ cn := "Intermediate CA" ++ if !test.sameSubject { ++ cn += fmt.Sprintf(" #%d", i) ++ } ++ var err error ++ intermediate, leafSigner, err = generateCert(cn, true, intermediate, leafSigner, intermediateKey) ++ if err != nil { ++ t.Fatal(err) ++ } ++ intermediates.AddCert(intermediate) ++ } + +- leaf, _, err := generateCert("Leaf", false, parent, parentKey) +- if err != nil { +- t.Fatal(err) +- } ++ leaf, _, err := generateCert("Leaf", false, intermediate, leafSigner, nil) ++ if err != nil { ++ t.Fatal(err) ++ } + +- start := time.Now() +- if _, err := leaf.Verify(VerifyOptions{ +- Roots: roots, +- Intermediates: 
intermediates, +- }); err != nil { +- t.Error(err) ++ start := time.Now() ++ _, err = leaf.Verify(VerifyOptions{ ++ Roots: NewCertPool(), ++ Intermediates: intermediates, ++ }) ++ t.Logf("verification took %v", time.Since(start)) ++ }) + } +- t.Logf("verification took %v", time.Since(start)) + } + + func TestSystemRootsError(t *testing.T) { +-- +2.43.0 +
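Review bot: In TestPathologicalChains the error from leaf.Verify is assigned to err and never examined, so every subtest passes whatever Verify returns, although the comment above the table says Certificate.Verify should return errSignatureLimit in all four cases. The removed test checked this with if err == nil || !strings.Contains(err.Error(), "signature check attempts limit") followed by t.Errorf; an equivalent check belongs after the t.Logf call in the new subtest. The reworded skip message also reads "a long chains of certificates".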
From: Jeremy Rosen <jeremy.rosen@smile.fr> To: openembedded-core@lists.openembedded.org Cc: Paul Barker <paul@pbarker.dev> Subject: [OE-core][scarthgap 09/21] go: patch CVE-2026-32283 Date: Fri, 12 Jun 2026 16:25:59 +0200 Message-ID: <b7d7d9279df23c3c8eaac2e9020f30f8dcf58e6c.1781270474.git.jeremy.rosen@smile.fr> X-Mailer: git-send-email 2.53.0 In-Reply-To: <cover.1781270474.git.jeremy.rosen@smile.fr> References: <cover.1781270474.git.jeremy.rosen@smile.fr> MIME-Version: 1.0 List-Id: <openembedded-core.lists.openembedded.org> X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for <openembedded-core@lists.openembedded.org>; Fri, 12 Jun 2026 14:26:49 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/238631 From: "Theo Gaige (Schneider Electric)" <tgaige.opensource@witekio.com> Backport patch from [1] [1] https://go.dev/cl/763767 Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com> Reviewed-by: Bruno Vernay <bruno.vernay@se.com> Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr> --- meta/recipes-devtools/go/go-1.22.12.inc | 1 + .../go/go/CVE-2026-32283.patch | 177 ++++++++++++++++++ 2 files changed, 178 insertions(+) create mode 100644 meta/recipes-devtools/go/go/CVE-2026-32283.patch diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc index 0d4dff6c21..99c2945a8c 100644 --- a/meta/recipes-devtools/go/go-1.22.12.inc +++ b/meta/recipes-devtools/go/go-1.22.12.inc @@ -43,6 +43,7 @@ SRC_URI += "\ file://CVE-2025-68121_p3.patch \ file://CVE-2026-27142.patch \ file://CVE-2026-32280.patch \ + file://CVE-2026-32283.patch \ " SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71" diff --git a/meta/recipes-devtools/go/go/CVE-2026-32283.patch b/meta/recipes-devtools/go/go/CVE-2026-32283.patch new file mode 100644 index 0000000000..87bcc5816f --- /dev/null 
+++ b/meta/recipes-devtools/go/go/CVE-2026-32283.patch 
@@ -0,0 +1,177 @@ +From f560f55d3f804dcc3002dfe963b37bfa3a67202c Mon Sep 17 00:00:00 2001 +From: Roland Shoemaker <bracewell@google.com> +Date: Mon, 23 Mar 2026 11:54:41 -0700 +Subject: [PATCH] crypto/tls: prevent deadlock when client sends multiple key + update messages + +When we made setReadTrafficSecret send an alert when there are pending +handshake messages, we introduced a deadlock when the client sends +multiple key update messages that request a response, as handleKeyUpdate +will lock the mutex, and defer the unlocking until the end of the +function, but setReadTrafficSecret called sendAlert in the failure case, +which also tries to lock the mutex. + +Add an argument to setReadTrafficSecret which lets the caller indicate +if the mutex is already locked, and if so, call sendAlertLocked instead +of sendAlert. + +Thanks to Jakub Ciolek for reporting this issue. + +Fixes #78334 +Fixes CVE-2026-32283 + +Change-Id: Id8e56974233c910e0d66ba96eafbd2ea57832610 +Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3881 +Reviewed-by: Damien Neil <dneil@google.com> +Reviewed-by: Nicholas Husin <husin@google.com> +Reviewed-on: https://go-review.googlesource.com/c/go/+/763767 +LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> +Auto-Submit: David Chase <drchase@google.com> +Reviewed-by: Russ Cox <rsc@golang.org> +Reviewed-by: Jakub Ciolek <jakub@ciolek.dev> + +CVE: CVE-2026-32283 +Upstream-Status: Backport [https://github.com/golang/go/commit/1ea7966042731bae941511fb2b261b9536ad268f] +Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com> +--- + src/crypto/tls/conn.go | 10 +++-- + src/crypto/tls/handshake_client_tls13.go | 4 +- + src/crypto/tls/handshake_server_tls13.go | 4 +- + src/crypto/tls/handshake_test.go | 48 ++++++++++++++++++++++++ + 4 files changed, 59 insertions(+), 7 deletions(-) + +diff --git a/src/crypto/tls/conn.go b/src/crypto/tls/conn.go +index 08609ce..770d456 100644 +--- 
a/src/crypto/tls/conn.go ++++ b/src/crypto/tls/conn.go +@@ -1345,7 +1345,7 @@ func (c *Conn) handleKeyUpdate(keyUpdate *keyUpdateMsg) error { + } + + newSecret := cipherSuite.nextTrafficSecret(c.in.trafficSecret) +- if err := c.setReadTrafficSecret(cipherSuite, QUICEncryptionLevelInitial, newSecret); err != nil { ++ if err := c.setReadTrafficSecret(cipherSuite, QUICEncryptionLevelInitial, newSecret, keyUpdate.updateRequested); err != nil { + return err + } + +@@ -1675,12 +1675,16 @@ func (c *Conn) VerifyHostname(host string) error { + // setReadTrafficSecret sets the read traffic secret for the given encryption level. If + // being called at the same time as setWriteTrafficSecret, the caller must ensure the call + // to setWriteTrafficSecret happens first so any alerts are sent at the write level. +-func (c *Conn) setReadTrafficSecret(suite *cipherSuiteTLS13, level QUICEncryptionLevel, secret []byte) error { ++func (c *Conn) setReadTrafficSecret(suite *cipherSuiteTLS13, level QUICEncryptionLevel, secret []byte, locked bool) error { + // Ensure that there are no buffered handshake messages before changing the + // read keys, since that can cause messages to be parsed that were encrypted + // using old keys which are no longer appropriate. 
+ if c.hand.Len() != 0 { +- c.sendAlert(alertUnexpectedMessage) ++ if locked { ++ c.sendAlertLocked(alertUnexpectedMessage) ++ } else { ++ c.sendAlert(alertUnexpectedMessage) ++ } + return errors.New("tls: handshake buffer not empty before setting read traffic secret") + } + c.in.setTrafficSecret(suite, level, secret) +diff --git a/src/crypto/tls/handshake_client_tls13.go b/src/crypto/tls/handshake_client_tls13.go +index 68ff92b..2d58b21 100644 +--- a/src/crypto/tls/handshake_client_tls13.go ++++ b/src/crypto/tls/handshake_client_tls13.go +@@ -396,7 +396,7 @@ func (hs *clientHandshakeStateTLS13) establishHandshakeKeys() error { + c.setWriteTrafficSecret(hs.suite, QUICEncryptionLevelHandshake, clientSecret) + serverSecret := hs.suite.deriveSecret(handshakeSecret, + serverHandshakeTrafficLabel, hs.transcript) +- if err := c.setReadTrafficSecret(hs.suite, QUICEncryptionLevelHandshake, serverSecret); err != nil { ++ if err := c.setReadTrafficSecret(hs.suite, QUICEncryptionLevelHandshake, serverSecret, false); err != nil { + return err + } + +@@ -607,7 +607,7 @@ func (hs *clientHandshakeStateTLS13) readServerFinished() error { + clientApplicationTrafficLabel, hs.transcript) + serverSecret := hs.suite.deriveSecret(hs.masterSecret, + serverApplicationTrafficLabel, hs.transcript) +- if err := c.setReadTrafficSecret(hs.suite, QUICEncryptionLevelApplication, serverSecret); err != nil { ++ if err := c.setReadTrafficSecret(hs.suite, QUICEncryptionLevelApplication, serverSecret, false); err != nil { + return err + } + +diff --git a/src/crypto/tls/handshake_server_tls13.go b/src/crypto/tls/handshake_server_tls13.go +index 1ecee3a..f73b536 100644 +--- a/src/crypto/tls/handshake_server_tls13.go ++++ b/src/crypto/tls/handshake_server_tls13.go +@@ -636,7 +636,7 @@ func (hs *serverHandshakeStateTLS13) sendServerParameters() error { + c.setWriteTrafficSecret(hs.suite, QUICEncryptionLevelHandshake, serverSecret) + clientSecret := hs.suite.deriveSecret(hs.handshakeSecret, + 
clientHandshakeTrafficLabel, hs.transcript) +- if err := c.setReadTrafficSecret(hs.suite, QUICEncryptionLevelHandshake, clientSecret); err != nil { ++ if err := c.setReadTrafficSecret(hs.suite, QUICEncryptionLevelHandshake, clientSecret, false); err != nil { + return err + } + +@@ -1005,7 +1005,7 @@ func (hs *serverHandshakeStateTLS13) readClientFinished() error { + return errors.New("tls: invalid client finished hash") + } + +- if err := c.setReadTrafficSecret(hs.suite, QUICEncryptionLevelApplication, hs.trafficSecret); err != nil { ++ if err := c.setReadTrafficSecret(hs.suite, QUICEncryptionLevelApplication, hs.trafficSecret, false); err != nil { + return err + } + +diff --git a/src/crypto/tls/handshake_test.go b/src/crypto/tls/handshake_test.go +index 4991a0e..a95d751 100644 +--- a/src/crypto/tls/handshake_test.go ++++ b/src/crypto/tls/handshake_test.go +@@ -673,3 +673,51 @@ func concatHandshakeMessages(msgs ...handshakeMessage) ([]byte, error) { + outBuf = append(outBuf, marshalled...) 
+ return outBuf, nil + } ++ ++func TestMultipleKeyUpdate(t *testing.T) { ++ for _, requestUpdate := range []bool{true, false} { ++ t.Run(fmt.Sprintf("requestUpdate=%t", requestUpdate), func(t *testing.T) { ++ ++ c, s := localPipe(t) ++ cfg := testConfig.Clone() ++ cfg.MinVersion = VersionTLS13 ++ cfg.MaxVersion = VersionTLS13 ++ client := Client(c, testConfig) ++ server := Server(s, testConfig) ++ ++ clientHandshakeDone := make(chan struct{}) ++ go func() { ++ if err := client.Handshake(); err != nil { ++ } ++ close(clientHandshakeDone) ++ io.Copy(io.Discard, server) ++ }() ++ ++ if err := server.Handshake(); err != nil { ++ t.Fatalf("server handshake failed: %v\n", err) ++ } ++ <-clientHandshakeDone ++ ++ c.SetReadDeadline(time.Now().Add(1 * time.Second)) ++ s.SetReadDeadline(time.Now().Add(1 * time.Second)) ++ ++ kuMsg, err := (&keyUpdateMsg{updateRequested: requestUpdate}).marshal() ++ if err != nil { ++ t.Fatalf("failed to marshal key update message: %v", err) ++ } ++ ++ client.out.Lock() ++ if _, err := client.writeRecordLocked(recordTypeHandshake, append(kuMsg, kuMsg...)); err != nil { ++ t.Fatalf("failed to write key update messages: %v", err) ++ } ++ client.out.Unlock() ++ ++ _, err = io.Copy(io.Discard, client) ++ if err == nil { ++ t.Fatal("expected multiple key update messages to cause an error, got nil") ++ } else if !strings.HasSuffix(err.Error(), "tls: unexpected message") { ++ t.Fatalf("unexpected error: %v", err) ++ } ++ }) ++ } ++} +-- +2.43.0 +
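Review bot: In conn.go, handleKeyUpdate passes keyUpdate.updateRequested as the new locked argument, so a field of the peer's message stands in for "the mutex is already held", and the hunk does not show why the two always coincide at this call. A short comment at the call site stating that, plus a sentence in the setReadTrafficSecret doc comment saying which mutex locked refers to and that it selects sendAlertLocked over sendAlert, would make the contract checkable; the doc comment is left unchanged while the signature grows a parameter.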
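Review bot: In TestMultipleKeyUpdate, cfg is cloned from testConfig and pinned to VersionTLS13, but Client(c, testConfig) and Server(s, testConfig) are built from the unpinned testConfig, so the test only exercises TLS 1.3 key updates if testConfig happens to negotiate 1.3; both calls should take cfg. The client goroutine also drops the client.Handshake error in an empty if body, and the t.Fatalf after writeRecordLocked exits with client.out still locked; reporting the handshake error and unlocking before failing would make a failure here easier to read.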
From: Jeremy Rosen <jeremy.rosen@smile.fr> To: openembedded-core@lists.openembedded.org Cc: Paul Barker <paul@pbarker.dev> Subject: [OE-core][scarthgap 10/21] go: patch CVE-2026-32289 Date: Fri, 12 Jun 2026 16:26:00 +0200 Message-ID: <cb2f7073c4fe38c026b6696eb9f3a77ef73051b1.1781270474.git.jeremy.rosen@smile.fr> X-Mailer: git-send-email 2.53.0 In-Reply-To: <cover.1781270474.git.jeremy.rosen@smile.fr> References: <cover.1781270474.git.jeremy.rosen@smile.fr> MIME-Version: 1.0 List-Id: <openembedded-core.lists.openembedded.org> X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for <openembedded-core@lists.openembedded.org>; Fri, 12 Jun 2026 14:26:49 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/238632 From: "Theo Gaige (Schneider Electric)" <tgaige.opensource@witekio.com> Backport patch from [1] [1] https://go.dev/cl/763762 
Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com> Reviewed-by: Bruno Vernay <bruno.vernay@se.com> Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr> --- meta/recipes-devtools/go/go-1.22.12.inc | 1 + .../go/go/CVE-2026-32289.patch | 217 ++++++++++++++++++ 2 files changed, 218 insertions(+) create mode 100644 meta/recipes-devtools/go/go/CVE-2026-32289.patch diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc index 99c2945a8c..288cd5c95f 100644 --- a/meta/recipes-devtools/go/go-1.22.12.inc +++ b/meta/recipes-devtools/go/go-1.22.12.inc @@ -44,6 +44,7 @@ SRC_URI += "\ file://CVE-2026-27142.patch \ file://CVE-2026-32280.patch \ file://CVE-2026-32283.patch \ + file://CVE-2026-32289.patch \ " SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71" diff --git a/meta/recipes-devtools/go/go/CVE-2026-32289.patch b/meta/recipes-devtools/go/go/CVE-2026-32289.patch new file mode 100644 index 0000000000..28ff0c00e0 --- /dev/null +++ b/meta/recipes-devtools/go/go/CVE-2026-32289.patch 
@@ -0,0 +1,217 @@ +From 5291c6d3e6d0bc0a764a9a6bd6b3de1be64b8264 Mon Sep 17 00:00:00 2001 +From: Roland Shoemaker <bracewell@google.com> +Date: Mon, 23 Mar 2026 13:34:23 -0700 +Subject: [PATCH] html/template: properly track JS template literal brace depth + across contexts +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Properly track JS template literal brace depth across branches/ranges, +and prevent accidental re-use of escape analysis by including the +brace depth in the stringification/mangling for contexts. + +Fixes #78331 +Fixes CVE-2026-32289 + +Change-Id: I9f3f47c29e042220b18e4d3299db7a3fae4207fa +Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3882 +Reviewed-by: Neal Patel <nealpatel@google.com> +Reviewed-by: Nicholas Husin <husin@google.com> +Reviewed-on: https://go-review.googlesource.com/c/go/+/763762 +Reviewed-by: Russ Cox <rsc@golang.org> +LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> +Auto-Submit: David Chase <drchase@google.com> +Reviewed-by: Fan Mỹ Tâm Club <letrivien97@gmail.com> + +CVE: CVE-2026-32289 +Upstream-Status: Backport [https://github.com/golang/go/commit/199c4d1c3c9d509a51f777c81cb17d4b17728097] +Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com> +--- + src/html/template/context.go | 14 +++++++++++- + src/html/template/escape.go | 4 ++-- + src/html/template/escape_test.go | 38 +++++++++++++++++++++----------- + 3 files changed, 40 insertions(+), 16 deletions(-) + +diff --git a/src/html/template/context.go b/src/html/template/context.go +index 8b3af2feab..132ae2d28d 100644 +--- a/src/html/template/context.go ++++ b/src/html/template/context.go +@@ -6,6 +6,7 @@ package template + + import ( + "fmt" ++ "slices" + "text/template/parse" + ) + +@@ -37,7 +38,7 @@ func (c context) String() string { + if c.err != nil { + err = c.err + } +- return fmt.Sprintf("{%v %v %v %v %v %v %v}", c.state, c.delim, 
c.urlPart, c.jsCtx, c.attr, c.element, err) ++ return fmt.Sprintf("{%v %v %v %v %v %v %v %v}", c.state, c.delim, c.urlPart, c.jsCtx, c.jsBraceDepth, c.attr, c.element, err) + } + + // eq reports whether two contexts are equal. +@@ -46,6 +47,7 @@ func (c context) eq(d context) bool { + c.delim == d.delim && + c.urlPart == d.urlPart && + c.jsCtx == d.jsCtx && ++ slices.Equal(c.jsBraceDepth, d.jsBraceDepth) && + c.attr == d.attr && + c.element == d.element && + c.err == d.err +@@ -68,6 +70,9 @@ func (c context) mangle(templateName string) string { + if c.jsCtx != jsCtxRegexp { + s += "_" + c.jsCtx.String() + } ++ if c.jsBraceDepth != nil { ++ s += fmt.Sprintf("_jsBraceDepth(%v)", c.jsBraceDepth) ++ } + if c.attr != attrNone { + s += "_" + c.attr.String() + } +@@ -77,6 +82,13 @@ func (c context) mangle(templateName string) string { + return s + } + ++// clone returns a copy of c with the same field values. ++func (c context) clone() context { ++ clone := c ++ clone.jsBraceDepth = slices.Clone(c.jsBraceDepth) ++ return clone ++} ++ + // state describes a high-level HTML parser state. 
+ // + // It bounds the top of the element stack, and by extension the HTML insertion +diff --git a/src/html/template/escape.go b/src/html/template/escape.go +index b368cab38c..c031ed27b9 100644 +--- a/src/html/template/escape.go ++++ b/src/html/template/escape.go +@@ -522,7 +522,7 @@ func (e *escaper) escapeBranch(c context, n *parse.BranchNode, nodeName string) + if nodeName == "range" { + e.rangeContext = &rangeContext{outer: e.rangeContext} + } +- c0 := e.escapeList(c, n.List) ++ c0 := e.escapeList(c.clone(), n.List) + if nodeName == "range" { + if c0.state != stateError { + c0 = joinRange(c0, e.rangeContext) +@@ -553,7 +553,7 @@ func (e *escaper) escapeBranch(c context, n *parse.BranchNode, nodeName string) + return c0 + } + } +- c1 := e.escapeList(c, n.ElseList) ++ c1 := e.escapeList(c.clone(), n.ElseList) + return join(c0, c1, n, nodeName) + } + +diff --git a/src/html/template/escape_test.go b/src/html/template/escape_test.go +index 1970db1695..435c83378f 100644 +--- a/src/html/template/escape_test.go ++++ b/src/html/template/escape_test.go +@@ -1181,6 +1181,18 @@ func TestErrors(t *testing.T) { + // html is allowed since it is the last command in the pipeline, but urlquery is not. 
+ `predefined escaper "urlquery" disallowed in template`, + }, ++ { ++ "<script>var a = `{{if .X}}`{{end}}", ++ `{{if}} branches end in different contexts`, ++ }, ++ { ++ "<script>var a = `{{if .X}}a{{else}}`{{end}}", ++ `{{if}} branches end in different contexts`, ++ }, ++ { ++ "<script>var a = `{{if .X}}a{{else}}b{{end}}`</script>", ++ ``, ++ }, + } + for _, test := range tests { + buf := new(bytes.Buffer) +@@ -1752,7 +1764,7 @@ func TestEscapeText(t *testing.T) { + }, + { + "<script>var a = `${", +- context{state: stateJS, element: elementScript}, ++ context{state: stateJS, element: elementScript, jsBraceDepth: []int{0}}, + }, + { + "<script>var a = `${}", +@@ -1760,27 +1772,27 @@ func TestEscapeText(t *testing.T) { + }, + { + "<script>var a = `${`", +- context{state: stateJSTmplLit, element: elementScript}, ++ context{state: stateJSTmplLit, element: elementScript, jsBraceDepth: []int{0}}, + }, + { + "<script>var a = `${var a = \"", +- context{state: stateJSDqStr, element: elementScript}, ++ context{state: stateJSDqStr, element: elementScript, jsBraceDepth: []int{0}}, + }, + { + "<script>var a = `${var a = \"`", +- context{state: stateJSDqStr, element: elementScript}, ++ context{state: stateJSDqStr, element: elementScript, jsBraceDepth: []int{0}}, + }, + { + "<script>var a = `${var a = \"}", +- context{state: stateJSDqStr, element: elementScript}, ++ context{state: stateJSDqStr, element: elementScript, jsBraceDepth: []int{0}}, + }, + { + "<script>var a = `${``", +- context{state: stateJS, element: elementScript}, ++ context{state: stateJS, element: elementScript, jsBraceDepth: []int{0}}, + }, + { + "<script>var a = `${`}", +- context{state: stateJSTmplLit, element: elementScript}, ++ context{state: stateJSTmplLit, element: elementScript, jsBraceDepth: []int{0}}, + }, + { + "<script>`${ {} } asd`</script><script>`${ {} }", +@@ -1788,7 +1800,7 @@ func TestEscapeText(t *testing.T) { + }, + { + "<script>var foo = `${ (_ => { return \"x\" })() + \"${", +- 
context{state: stateJSDqStr, element: elementScript}, ++ context{state: stateJSDqStr, element: elementScript, jsBraceDepth: []int{0}}, + }, + { + "<script>var a = `${ {</script><script>var b = `${ x }", +@@ -1816,23 +1828,23 @@ func TestEscapeText(t *testing.T) { + }, + { + "<script>`${ { `` }", +- context{state: stateJS, element: elementScript}, ++ context{state: stateJS, element: elementScript, jsBraceDepth: []int{0}}, + }, + { + "<script>`${ { }`", +- context{state: stateJSTmplLit, element: elementScript}, ++ context{state: stateJSTmplLit, element: elementScript, jsBraceDepth: []int{0}}, + }, + { + "<script>var foo = `${ foo({ a: { c: `${", +- context{state: stateJS, element: elementScript}, ++ context{state: stateJS, element: elementScript, jsBraceDepth: []int{2, 0}}, + }, + { + "<script>var foo = `${ foo({ a: { c: `${ {{.}} }` }, b: ", +- context{state: stateJS, element: elementScript}, ++ context{state: stateJS, element: elementScript, jsBraceDepth: []int{1}}, + }, + { + "<script>`${ `}", +- context{state: stateJSTmplLit, element: elementScript}, ++ context{state: stateJSTmplLit, element: elementScript, jsBraceDepth: []int{0}}, + }, + } + +-- +2.43.0 +
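Review bot: In context.go, mangle appends the _jsBraceDepth suffix when c.jsBraceDepth != nil, while eq compares the field with slices.Equal, which treats a nil slice and an empty non-nil slice as equal; if an emptied, non-nil slice can reach mangle, two contexts that eq reports as equal get different mangled names. Testing len(c.jsBraceDepth) != 0 in mangle would keep the two functions consistent.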
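Review bot: The three cases added to TestErrors in escape_test.go all use {{if}}, but the commit message names branches and ranges, and the escape.go change clones the context on the escapeBranch path that also handles nodeName == "range". A {{range}} counterpart of the first new case would cover the other half of the change.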
From: Jeremy Rosen <jeremy.rosen@smile.fr> To: openembedded-core@lists.openembedded.org Cc: Paul Barker <paul@pbarker.dev> Subject: [OE-core][scarthgap 11/21] go: patch CVE-2026-33811 Date: Fri, 12 Jun 2026 16:26:01 +0200 Message-ID: <7daf5667fa96f78e847e39a2d06e3576338e3b91.1781270474.git.jeremy.rosen@smile.fr> X-Mailer: git-send-email 2.53.0 In-Reply-To: <cover.1781270474.git.jeremy.rosen@smile.fr> References: <cover.1781270474.git.jeremy.rosen@smile.fr> MIME-Version: 1.0 List-Id: <openembedded-core.lists.openembedded.org> X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for <openembedded-core@lists.openembedded.org>; Fri, 12 Jun 2026 14:26:49 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/238633 From: "Theo Gaige (Schneider Electric)" <tgaige.opensource@witekio.com> Backport patch from [1] [1] https://go.dev/cl/767860 Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com> Reviewed-by: Bruno Vernay <bruno.vernay@se.com> 
Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr> --- meta/recipes-devtools/go/go-1.22.12.inc | 1 + .../go/go/CVE-2026-33811.patch | 46 +++++++++++++++++++ 2 files changed, 47 insertions(+) create mode 100644 meta/recipes-devtools/go/go/CVE-2026-33811.patch diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc index 288cd5c95f..9a7695e754 100644 --- a/meta/recipes-devtools/go/go-1.22.12.inc +++ b/meta/recipes-devtools/go/go-1.22.12.inc @@ -45,6 +45,7 @@ SRC_URI += "\ file://CVE-2026-32280.patch \ file://CVE-2026-32283.patch \ file://CVE-2026-32289.patch \ + file://CVE-2026-33811.patch \ " SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71" diff --git a/meta/recipes-devtools/go/go/CVE-2026-33811.patch b/meta/recipes-devtools/go/go/CVE-2026-33811.patch new file mode 100644 index 0000000000..216b33ed8b --- /dev/null +++ b/meta/recipes-devtools/go/go/CVE-2026-33811.patch 
@@ -0,0 +1,46 @@ +From 9082277a0a78af39190c1f23b622f02b89e46196 Mon Sep 17 00:00:00 2001 +From: Damien Neil <dneil@google.com> +Date: Thu, 26 Mar 2026 12:17:06 -0700 +Subject: [PATCH] net: avoid double-free of cgo pointer when handling large DNS + response + +No test, unfortunately: I've had no luck triggering this without +the ability to override the local recursive resolver. + +Thanks to hamayanhamayan for reporting this issue. + +Fixes CVE-2026-33811 +Fixes #78803 + +Change-Id: I9e51410337316c20e4b9fd5b86657f436a6a6964 +Reviewed-on: https://go-review.googlesource.com/c/go/+/767860 +Reviewed-by: Nicholas Husin <nsh@golang.org> +LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> +Reviewed-by: Nicholas Husin <husin@google.com> + +CVE: CVE-2026-33811 +Upstream-Status: Backport [https://github.com/golang/go/commit/ab2c7eb1c43011dda118282c1e757d8c27cd7d4f] +Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com> +--- + src/net/cgo_unix.go | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/src/net/cgo_unix.go b/src/net/cgo_unix.go +index 7ed5daad73..bd694859ab 100644 +--- a/src/net/cgo_unix.go ++++ b/src/net/cgo_unix.go +@@ -343,7 +343,10 @@ func cgoResSearch(hostname string, rtype, class int) ([]dnsmessage.Resource, err + // useful in the response, even though there *is* a response. + bufSize := maxDNSPacketSize + buf := (*_C_uchar)(_C_malloc(uintptr(bufSize))) +- defer _C_free(unsafe.Pointer(buf)) ++ defer func() { ++ // Free in a closure which captures buf to pick up a reallocated buffer from below. 
++ _C_free(unsafe.Pointer(buf)) ++ }() + + s, err := syscall.BytePtrFromString(hostname) + if err != nil { +-- +2.43.0 +
From patchwork Fri Jun 12 14:26:02 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jeremy Rosen <jeremy.rosen@smile.fr> X-Patchwork-Id: 89931 Return-Path: <jeremy.rosen@smile.fr>
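Review bot: In the embedded src/net/cgo_unix.go hunk of CVE-2026-33811.patch, the new closure only prevents the double free if cgoResSearch later assigns a reallocated pointer back to buf, and that assignment lies outside the visible context. The removed `defer _C_free(unsafe.Pointer(buf))` evaluated its argument when the defer statement ran, so it would free the original pointer regardless of any later reassignment; please confirm that go 1.22.12's cgoResSearch has the same reallocation path as upstream so the backport is actually needed and effective. Upstream states there is no test for this fix, so the commit message should also say how the backport was checked beyond "Backport patch from [1]".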
From: Jeremy Rosen <jeremy.rosen@smile.fr> To: openembedded-core@lists.openembedded.org Cc: Paul Barker <paul@pbarker.dev> Subject: [OE-core][scarthgap 12/21] go: patch CVE-2026-39817 Date: Fri, 12 Jun 2026 16:26:02 +0200 Message-ID: <4b5d86a7c28fae1b4fb35c0076888e93f8d6ea42.1781270474.git.jeremy.rosen@smile.fr> X-Mailer: git-send-email 2.53.0 In-Reply-To: <cover.1781270474.git.jeremy.rosen@smile.fr> References: <cover.1781270474.git.jeremy.rosen@smile.fr> MIME-Version: 1.0 List-Id: <openembedded-core.lists.openembedded.org> X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for <openembedded-core@lists.openembedded.org>; Fri, 12 Jun 2026 14:26:49 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/238634 From: "Theo Gaige (Schneider Electric)" <tgaige.opensource@witekio.com> Backport patch from [1] mentioned in [2] [1] https://go.dev/cl/767520 [2] https://security-tracker.debian.org/tracker/CVE-2026-39817 Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com> Reviewed-by: Bruno Vernay <bruno.vernay@se.com> Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr> --- meta/recipes-devtools/go/go-1.22.12.inc | 1 + .../go/go/CVE-2026-39817.patch | 105 ++++++++++++++++++ 2 files changed, 106 insertions(+) create mode 100644 meta/recipes-devtools/go/go/CVE-2026-39817.patch diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc index 9a7695e754..f06b974e04 100644 --- a/meta/recipes-devtools/go/go-1.22.12.inc +++ b/meta/recipes-devtools/go/go-1.22.12.inc @@ -46,6 +46,7 @@ SRC_URI += "\ file://CVE-2026-32283.patch \ file://CVE-2026-32289.patch \ file://CVE-2026-33811.patch \ + file://CVE-2026-39817.patch \ " SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71" 
diff --git a/meta/recipes-devtools/go/go/CVE-2026-39817.patch b/meta/recipes-devtools/go/go/CVE-2026-39817.patch new file mode 100644 index 0000000000..103fbedb7a --- /dev/null +++ b/meta/recipes-devtools/go/go/CVE-2026-39817.patch 
@@ -0,0 +1,105 @@ +From 7d35508ad684c808ec11fb6ef3ab27f9258a9418 Mon Sep 17 00:00:00 2001 +From: Damien Neil <dneil@google.com> +Date: Wed, 15 Apr 2026 16:27:23 -0400 +Subject: [PATCH] cmd/pack: refuse to extract files with directory components + +Do not write to /etc/passwd when running "go tool pack x evil.a" +on an archive containing a file named /etc/passwd. + +Fixes #78778 + +Change-Id: I4cf69b81af62321ffbb41ace679672a86a6a6964 +Reviewed-on: https://go-review.googlesource.com/c/go/+/767520 +Reviewed-by: Nicholas Husin <nsh@golang.org> +LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> +Reviewed-by: Nicholas Husin <husin@google.com> + +CVE: CVE-2026-39817 +Upstream-Status: Backport [https://github.com/golang/go/commit/7409ada33f99c0d74db2b0389c51a15de116e48d] +Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com> +--- + src/cmd/pack/pack.go | 5 +++++ + src/cmd/pack/pack_test.go | 44 +++++++++++++++++++++++++++++++++++++++ + 2 files changed, 49 insertions(+) + +diff --git a/src/cmd/pack/pack.go b/src/cmd/pack/pack.go +index 412ea36d60..2fe0258f01 100644 +--- a/src/cmd/pack/pack.go ++++ b/src/cmd/pack/pack.go +@@ -135,6 +135,11 @@ func openArchive(name string, mode int, files []string) *Archive { + if err != nil { + log.Fatal(err) + } ++ for _, f := range a.Entries { ++ if !filepath.IsLocal(f.Name) || filepath.Base(f.Name) != f.Name { ++ log.Fatalf("%q: invalid name", f.Name) ++ } ++ } + return &Archive{ + a: a, + files: files, +diff --git a/src/cmd/pack/pack_test.go b/src/cmd/pack/pack_test.go +index c3a63424dd..c4a8c78cbf 100644 +--- a/src/cmd/pack/pack_test.go ++++ b/src/cmd/pack/pack_test.go +@@ -6,6 +6,7 @@ package main + + import ( + "bufio" ++ "bytes" + "cmd/internal/archive" + "fmt" + "internal/testenv" +@@ -409,6 +410,49 @@ func TestRWithNonexistentFile(t *testing.T) { + run(packPath(t), "r", "p.a", "p.o") // should succeed + } + ++func 
TestOutputPathSanitization(t *testing.T) { ++ dir := t.TempDir() ++ ++ // Create pack.a containing a file named "longpathname". ++ // Note that "go tool pack" requires that all files be at least 8 bytes long. ++ const validPathName = "longpathname" ++ if err := os.WriteFile(dir+"/"+validPathName, make([]byte, 8), 0o666); err != nil { ++ t.Fatal(err) ++ } ++ doRun(t, dir, packPath(t), "grc", "pack.a", validPathName) ++ ++ // Create evil.a from pack.a, replacing "longpathname" with "out/pathname". ++ b, err := os.ReadFile(dir + "/pack.a") ++ if err != nil { ++ t.Fatal(err) ++ } ++ idx := bytes.Index(b, []byte(validPathName)) ++ if idx < 0 { ++ t.Fatalf("%v not found in pack.a", validPathName) ++ } ++ copy(b[idx:], "out/") ++ os.WriteFile(dir+"/evil.a", b, 0o666) ++ ++ // Extract evil.a. It should fail and not extract a file to /out. ++ os.Mkdir(dir+"/out", 0o777) ++ ++ cmd := testenv.Command(t, packPath(t), "x", "evil.a") ++ cmd.Dir = dir ++ _, err = cmd.CombinedOutput() ++ if err == nil { ++ t.Errorf("pack x evil.a: unexpected success") ++ } ++ ++ ents, err := os.ReadDir(dir + "/out") ++ if err != nil { ++ t.Error(err) ++ } ++ for _, e := range ents { ++ t.Errorf("unexpected file in /out: %q", e.Name()) ++ } ++ ++} ++ + // doRun runs a program in a directory and returns the output. + func doRun(t *testing.T, dir string, args ...string) string { + cmd := testenv.Command(t, args[0], args[1:]...) 
+-- +2.43.0 +
From patchwork Fri Jun 12 14:26:03 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jeremy Rosen <jeremy.rosen@smile.fr> X-Patchwork-Id: 89929 Return-Path: <jeremy.rosen@smile.fr>
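Review bot: In TestOutputPathSanitization (CVE-2026-39817.patch), the results of `os.WriteFile(dir+"/evil.a", b, 0o666)` and `os.Mkdir(dir+"/out", 0o777)` are discarded, so if evil.a is never written `pack x evil.a` still fails and the test passes without exercising the new name check. Suggest failing with t.Fatal on either error and asserting that the command output contains "invalid name". Separately, the pack.go hunk calls filepath.IsLocal and filepath.Base without touching the import block, so confirm that 1.22.12's pack.go already imports path/filepath; and since the loop sits in openArchive rather than in the extract path, it is worth stating in the commit message that an archive with such an entry is rejected wherever openArchive is used, not only for "x".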
From: Jeremy Rosen <jeremy.rosen@smile.fr> To: openembedded-core@lists.openembedded.org Cc: Paul Barker <paul@pbarker.dev> Subject: [OE-core][scarthgap 13/21] go: patch CVE-2026-39819 Date: Fri, 12 Jun 2026 16:26:03 +0200 Message-ID: <1cbe36a8bdcf6a32d7d0910f0ad2bb4dea9f7c6e.1781270474.git.jeremy.rosen@smile.fr> X-Mailer: git-send-email 2.53.0 In-Reply-To: <cover.1781270474.git.jeremy.rosen@smile.fr> References: <cover.1781270474.git.jeremy.rosen@smile.fr> MIME-Version: 1.0 List-Id: <openembedded-core.lists.openembedded.org> X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for <openembedded-core@lists.openembedded.org>; Fri, 12 Jun 2026 14:26:48 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/238635 From: "Theo Gaige (Schneider Electric)" <tgaige.opensource@witekio.com> Backport patch from [1] [1] https://go.dev/cl/763882 Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com> Reviewed-by: Bruno Vernay <bruno.vernay@se.com> Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr> --- meta/recipes-devtools/go/go-1.22.12.inc | 1 + .../go/go/CVE-2026-39819.patch | 48 +++++++++++++++++++ 2 files changed, 49 insertions(+) create mode 100644 meta/recipes-devtools/go/go/CVE-2026-39819.patch diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc index f06b974e04..dba826011b 100644 --- a/meta/recipes-devtools/go/go-1.22.12.inc +++ b/meta/recipes-devtools/go/go-1.22.12.inc @@ -47,6 +47,7 @@ SRC_URI += "\ file://CVE-2026-32289.patch \ file://CVE-2026-33811.patch \ file://CVE-2026-39817.patch \ + file://CVE-2026-39819.patch \ " SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71" diff --git a/meta/recipes-devtools/go/go/CVE-2026-39819.patch b/meta/recipes-devtools/go/go/CVE-2026-39819.patch new file mode 100644 index 0000000000..cb767e1320 --- /dev/null 
+++ b/meta/recipes-devtools/go/go/CVE-2026-39819.patch 
@@ -0,0 +1,48 @@ +From db6ceacb046779c763f87060d8a1ba5c936309c9 Mon Sep 17 00:00:00 2001 +From: Damien Neil <dneil@google.com> +Date: Wed, 8 Apr 2026 09:55:54 -0700 +Subject: [PATCH] cmd/go: use MkdirTemp to create temp directory for "go bug" + +Don't use a predictable, potentially attacker-controlled filename in /tmp. + +Fixes #78584 +Fixes CVE-2026-39819 + +Change-Id: I72116aa6dd8fa50f65b6dc0292a15a8c6a6a6964 +Reviewed-on: https://go-review.googlesource.com/c/go/+/763882 +Reviewed-by: Nicholas Husin <husin@google.com> +Reviewed-by: Nicholas Husin <nsh@golang.org> +LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> + +CVE: CVE-2026-39819 +Upstream-Status: Backport [https://github.com/golang/go/commit/5d6aa23e5b6151d25955a512532383c28c745e18] +Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com> +--- + src/cmd/go/internal/bug/bug.go | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/cmd/go/internal/bug/bug.go b/src/cmd/go/internal/bug/bug.go +index ed1813605e..9bf97dd511 100644 +--- a/src/cmd/go/internal/bug/bug.go ++++ b/src/cmd/go/internal/bug/bug.go +@@ -182,14 +182,14 @@ func firstLine(buf []byte) []byte { + // printGlibcVersion prints information about the glibc version. + // It ignores failures. 
+ func printGlibcVersion(w io.Writer) { +- tempdir := os.TempDir() +- if tempdir == "" { ++ tempdir, err := os.MkdirTemp("", "") ++ if err != nil { + return + } + src := []byte(`int main() {}`) + srcfile := filepath.Join(tempdir, "go-bug.c") + outfile := filepath.Join(tempdir, "go-bug") +- err := os.WriteFile(srcfile, src, 0644) ++ err = os.WriteFile(srcfile, src, 0644) + if err != nil { + return + } +-- +2.43.0 +
From patchwork Fri Jun 12 14:26:04 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jeremy Rosen <jeremy.rosen@smile.fr> X-Patchwork-Id: 89942 Return-Path: <jeremy.rosen@smile.fr>
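Review bot: In printGlibcVersion (CVE-2026-39819.patch), nothing in the visible lines removes the directory returned by `os.MkdirTemp("", "")`, so the function can leave a directory behind in the temp dir on every return path shown, including the early return after a failed os.WriteFile. Suggest `defer os.RemoveAll(tempdir)` directly after the `err != nil` check. A non-empty pattern such as "go-bug-" instead of the empty string would also make any leftover directory attributable to this command.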
From: Jeremy Rosen <jeremy.rosen@smile.fr> To: openembedded-core@lists.openembedded.org Cc: Paul Barker <paul@pbarker.dev> Subject: [OE-core][scarthgap 14/21] go: patch CVE-2026-39820 Date: Fri, 12 Jun 2026 16:26:04 +0200 Message-ID: <724767c15c6530fd3f4af6e0031ec2d1a040ab42.1781270474.git.jeremy.rosen@smile.fr> X-Mailer: git-send-email 2.53.0 In-Reply-To: <cover.1781270474.git.jeremy.rosen@smile.fr> References: <cover.1781270474.git.jeremy.rosen@smile.fr> MIME-Version: 1.0 List-Id: <openembedded-core.lists.openembedded.org> X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for <openembedded-core@lists.openembedded.org>; Fri, 12 Jun 2026 14:26:50 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/238636 From: "Theo Gaige (Schneider Electric)" <tgaige.opensource@witekio.com> Backport patch from [1] mentioned in [2] [1] https://go.dev/cl/759940 [2] https://security-tracker.debian.org/tracker/CVE-2026-39820 Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com> Reviewed-by: Bruno Vernay <bruno.vernay@se.com> Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr> --- meta/recipes-devtools/go/go-1.22.12.inc | 1 + .../go/go/CVE-2026-39820.patch | 112 ++++++++++++++++++ 2 files changed, 113 insertions(+) create mode 100644 meta/recipes-devtools/go/go/CVE-2026-39820.patch diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc index dba826011b..002d443059 100644 --- a/meta/recipes-devtools/go/go-1.22.12.inc +++ b/meta/recipes-devtools/go/go-1.22.12.inc @@ -48,6 +48,7 @@ SRC_URI += "\ file://CVE-2026-33811.patch \ file://CVE-2026-39817.patch \ file://CVE-2026-39819.patch \ + file://CVE-2026-39820.patch \ " SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71" 
diff --git a/meta/recipes-devtools/go/go/CVE-2026-39820.patch b/meta/recipes-devtools/go/go/CVE-2026-39820.patch new file mode 100644 index 0000000000..c5f84282a9 --- /dev/null +++ b/meta/recipes-devtools/go/go/CVE-2026-39820.patch 
@@ -0,0 +1,112 @@ +From e459f8fe1061679f866c599210466db386348f08 Mon Sep 17 00:00:00 2001 +From: mohammadmseet-hue <mohammadmseet@gmail.com> +Date: Sat, 4 Apr 2026 05:17:25 +0000 +Subject: [PATCH] net/mail: fix quadratic complexity in consumeComment + +consumeComment builds the comment string by repeated string +concatenation inside a loop. Each concatenation copies the +entire string built so far, making the function O(n^2) in the +depth of nested comments. + +Replace the concatenation with a strings.Builder, which +amortizes allocation by doubling its internal buffer. This +reduces consumeComment from O(n^2) to O(n). + +This is the same bug class as the consumeDomainLiteral fix +in CVE-2025-61725. + +Benchmark results (benchstat, 8 runs): + + name old time/op new time/op delta + ConsumeComment/depth10 2.481us 1.838us -25.92% + ConsumeComment/depth100 86.58us 6.498us -92.50% + ConsumeComment/depth1000 7.963ms 52.82us -99.34% + ConsumeComment/depth10000 897.8ms 521.3us -99.94% + +The quadratic cost becomes visible at depth 100 and dominant +by depth 1000. At depth 10000, the fix is roughly 1700x +faster. 
+ +Change-Id: I3c927f02646fcab7bab167cb82fd46d3327d6d34 +GitHub-Last-Rev: 7742dad716ee371766543f88e82bd163bd9d7ac2 +GitHub-Pull-Request: golang/go#78393 +Reviewed-on: https://go-review.googlesource.com/c/go/+/759940 +Reviewed-by: Sean Liao <sean@liao.dev> +LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> +Auto-Submit: Sean Liao <sean@liao.dev> +Reviewed-by: David Chase <drchase@google.com> +Reviewed-by: Junyang Shao <shaojunyang@google.com> + +CVE: CVE-2026-39820 +Upstream-Status: Backport [https://github.com/golang/go/commit/0d0799f055dcc9b3b41df74bee3fbe398ae2f0e7] +Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com> +--- + src/net/mail/message.go | 6 +++--- + src/net/mail/message_test.go | 19 +++++++++++++++++++ + 2 files changed, 22 insertions(+), 3 deletions(-) + +diff --git a/src/net/mail/message.go b/src/net/mail/message.go +index fc2a9e46f8..37d7ff5df1 100644 +--- a/src/net/mail/message.go ++++ b/src/net/mail/message.go +@@ -780,7 +780,7 @@ func (p *addrParser) consumeComment() (string, bool) { + // '(' already consumed. 
+ depth := 1 + +- var comment string ++ var comment strings.Builder + for { + if p.empty() || depth == 0 { + break +@@ -794,12 +794,12 @@ func (p *addrParser) consumeComment() (string, bool) { + depth-- + } + if depth > 0 { +- comment += p.s[:1] ++ comment.WriteByte(p.s[0]) + } + p.s = p.s[1:] + } + +- return comment, depth == 0 ++ return comment.String(), depth == 0 + } + + func (p *addrParser) decodeRFC2047Word(s string) (word string, isEncoded bool, err error) { +diff --git a/src/net/mail/message_test.go b/src/net/mail/message_test.go +index 1f2f62afbf..1b165317f9 100644 +--- a/src/net/mail/message_test.go ++++ b/src/net/mail/message_test.go +@@ -6,6 +6,7 @@ package mail + + import ( + "bytes" ++ "fmt" + "io" + "mime" + "reflect" +@@ -1217,3 +1218,21 @@ func TestEmptyAddress(t *testing.T) { + t.Errorf(`ParseAddressList("") = %v, %v, want nil, error`, list, err) + } + } ++ ++func BenchmarkConsumeComment(b *testing.B) { ++ for _, n := range []int{10, 100, 1000, 10000} { ++ b.Run(fmt.Sprintf("depth-%d", n), func(b *testing.B) { ++ // Build a deeply nested comment: (((...a...))) ++ open := strings.Repeat("(", n) ++ close := strings.Repeat(")", n) ++ // consumeComment expects the leading '(' already consumed, ++ // so we start with one fewer opening paren and the parser ++ // will handle nesting from there. 
++ input := open[:n-1] + "a" + close ++ for b.Loop() { ++ p := addrParser{s: input} ++ p.consumeComment() ++ } ++ }) ++ } ++} +-- +2.43.0 +
From patchwork Fri Jun 12 14:26:05 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jeremy Rosen <jeremy.rosen@smile.fr> X-Patchwork-Id: 89944 Return-Path: <jeremy.rosen@smile.fr>
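Review bot: BenchmarkConsumeComment in the message_test.go hunk of CVE-2026-39820.patch uses `for b.Loop()`, and testing.B.Loop was only added in Go 1.24, so the net/mail test package will not compile against the go-1.22.12 sources this recipe patches. Suggest rewriting the loop as `for i := 0; i < b.N; i++` and noting the deviation from upstream next to Upstream-Status, or dropping the benchmark from the backport and keeping only the message.go change. Minor: the sub-benchmark names are built with "depth-%d" while the benchstat table in the commit message lists depth10, depth100 and so on.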
From: Jeremy Rosen <jeremy.rosen@smile.fr> To: openembedded-core@lists.openembedded.org Cc: Paul Barker <paul@pbarker.dev> Subject: [OE-core][scarthgap 15/21] go: patch CVE-2026-39825 Date: Fri, 12 Jun 2026 16:26:05 +0200 Message-ID: <12a32ea67f2f2b81e67d2b1d6fbb00c6a1ab7da6.1781270474.git.jeremy.rosen@smile.fr> X-Mailer: git-send-email 2.53.0 In-Reply-To: <cover.1781270474.git.jeremy.rosen@smile.fr> References: <cover.1781270474.git.jeremy.rosen@smile.fr> MIME-Version: 1.0 List-Id: <openembedded-core.lists.openembedded.org> X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for <openembedded-core@lists.openembedded.org>; Fri, 12 Jun 2026 14:27:00 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/238637 From: "Theo Gaige (Schneider Electric)" <tgaige.opensource@witekio.com> Backport patch from [1] [1] https://go.dev/cl/770541 Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com> Reviewed-by: Bruno Vernay <bruno.vernay@se.com> Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr> --- meta/recipes-devtools/go/go-1.22.12.inc | 1 + .../go/go/CVE-2026-39825.patch | 104 ++++++++++++++++++ 2 files changed, 105 insertions(+) create mode 100644 meta/recipes-devtools/go/go/CVE-2026-39825.patch diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc index 002d443059..952c0e4638 100644 --- a/meta/recipes-devtools/go/go-1.22.12.inc +++ b/meta/recipes-devtools/go/go-1.22.12.inc @@ -49,6 +49,7 @@ SRC_URI += "\ file://CVE-2026-39817.patch \ file://CVE-2026-39819.patch \ file://CVE-2026-39820.patch \ + file://CVE-2026-39825.patch \ " SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71" diff --git a/meta/recipes-devtools/go/go/CVE-2026-39825.patch b/meta/recipes-devtools/go/go/CVE-2026-39825.patch new file mode 100644 index 0000000000..6082f5fc37 --- /dev/null 
+++ b/meta/recipes-devtools/go/go/CVE-2026-39825.patch 
@@ -0,0 +1,104 @@ +From 96b1a3f872971fc38d9f2c0ed4a3d1f3ceeb517f Mon Sep 17 00:00:00 2001 +From: Damien Neil <dneil@google.com> +Date: Fri, 24 Apr 2026 14:10:47 -0700 +Subject: [PATCH] net/http/httputil: reencode queries with many parameters in + proxy + +When ReverseProxy forwards a request containing more than +urlmaxqueryparams (GODEBUG) query parameters, reencode the +outbound query parameters. + +Avoids potential smuggling of query parameters, where the +sender sends many query parameters, the user's Rewrite hook +fails to observe those parameters due to the limit being +exceeded, and the request is forwarded with the full set +of parameters. + +Fixes #78948 +Fixes CVE-2026-39825 + +Change-Id: I691be7899c4b6208bf61f6b78dacfdf56a6a6964 +Reviewed-on: https://go-review.googlesource.com/c/go/+/770541 +Reviewed-by: Nicholas Husin <nsh@golang.org> +Reviewed-by: Nicholas Husin <husin@google.com> +Auto-Submit: Damien Neil <dneil@google.com> +LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> + +CVE: CVE-2026-39825 +Upstream-Status: Backport [https://github.com/golang/go/commit/6795bb331782b33691f772d30c810b4c3a317aeb] +Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com> +--- + src/net/http/httputil/reverseproxy.go | 14 ++++++++++++++ + src/net/http/httputil/reverseproxy_test.go | 6 ++++++ + src/net/url/url.go | 1 + + 3 files changed, 21 insertions(+) + +diff --git a/src/net/http/httputil/reverseproxy.go b/src/net/http/httputil/reverseproxy.go +index 5c70f0d27b..37b0eab6b0 100644 +--- a/src/net/http/httputil/reverseproxy.go ++++ b/src/net/http/httputil/reverseproxy.go +@@ -10,6 +10,7 @@ import ( + "context" + "errors" + "fmt" ++ "internal/godebug" + "io" + "log" + "mime" +@@ -797,11 +798,24 @@ func (c switchProtocolCopier) copyToBackend(errc chan<- error) { + errc <- err + } + ++var urlmaxqueryparams = godebug.New("urlmaxqueryparams") ++ ++// Keep this 
in sync with net/url. ++const defaultMaxParams = 10000 ++ + func cleanQueryParams(s string) string { + reencode := func(s string) string { + v, _ := url.ParseQuery(s) + return v.Encode() + } ++ if urlmaxqueryparams.Value() != "" { ++ // Always reencode when a non-default urlmaxqueryparams is set. ++ return reencode(s) ++ } ++ if numParams := strings.Count(s, "&") + 1; numParams > defaultMaxParams { ++ // Too many query parameters. ++ return reencode(s) ++ } + for i := 0; i < len(s); { + switch s[i] { + case ';': +diff --git a/src/net/http/httputil/reverseproxy_test.go b/src/net/http/httputil/reverseproxy_test.go +index dd3330b615..deb1ab9ce2 100644 +--- a/src/net/http/httputil/reverseproxy_test.go ++++ b/src/net/http/httputil/reverseproxy_test.go +@@ -1845,6 +1845,12 @@ func testReverseProxyQueryParameterSmuggling(t *testing.T, wantCleanQuery bool, + }, { + rawQuery: "a=1&a=%zz&b=3", + cleanQuery: "a=1&b=3", ++ }, { ++ rawQuery: "a=%zz", ++ cleanQuery: "", ++ }, { ++ rawQuery: strings.Repeat("a=1&", 10000) + "a=1", ++ cleanQuery: "", + }} { + res, err := frontend.Client().Get(frontend.URL + "?" + test.rawQuery) + if err != nil { +diff --git a/src/net/url/url.go b/src/net/url/url.go +index 5219e3c130..41f3bef1ee 100644 +--- a/src/net/url/url.go ++++ b/src/net/url/url.go +@@ -961,6 +961,7 @@ func ParseQuery(query string) (Values, error) { + + var urlmaxqueryparams = godebug.New("urlmaxqueryparams") + ++// Keep this in sync with net/http/httputil. 
+ const defaultMaxParams = 10000 + + func urlParamsWithinMax(params int) bool { +-- +2.43.0 + From patchwork Fri Jun 12 14:26:06 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jeremy Rosen <jeremy.rosen@smile.fr> X-Patchwork-Id: 89949 Return-Path: <jeremy.rosen@smile.fr> X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8E54ECD98DD for <webhook@archiver.kernel.org>; Fri, 12 Jun 2026 14:27:00 +0000 (UTC) Received: from mail-wr1-f51.google.com (mail-wr1-f51.google.com [209.85.221.51]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.71895.1781274410380702586 for <openembedded-core@lists.openembedded.org>; Fri, 12 Jun 2026 07:26:50 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google header.b=SVx72xN/; spf=pass (domain: smile.fr, ip: 209.85.221.51, mailfrom: jeremy.rosen@smile.fr) Received: by mail-wr1-f51.google.com with SMTP id ffacd0b85a97d-45e9f4a3510so640994f8f.1 for <openembedded-core@lists.openembedded.org>; Fri, 12 Jun 2026 07:26:50 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smile.fr; s=google; t=1781274409; x=1781879209; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=M//vCLIYhnCNQa3cdRUpWAbqO+Y8EY5iQ6r/7Rcj9D8=; b=SVx72xN/Aq4WVz9R5mIKubEa5WAn0+h38wOdZn+o6e0SctNNO6SlCZbv0LVD77cAls iG+VCn8vpGtZNX3mfc1HpKcfBdkirN/HzIMlzwpBigUNHDW+r0rubyvHNCFVlHBJ81sF ZZkKxAqSS7n/187gOVwpyD1QLf/VN0g8Abql4= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1781274409; x=1781879209; h=content-transfer-encoding:mime-version:references:in-reply-to 
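Review bot: in the cleanQueryParams hunk of reverseproxy.go, the `numParams > defaultMaxParams` check relies on a constant copied from net/url and kept equal only by the two "Keep this in sync" comments, so nothing fails if one side is changed later. A test that breaks when the two limits diverge would be sturdier than the comments; the new `strings.Repeat("a=1&", 10000) + "a=1"` case only pins today's value. The commit message should also mention that the early `return reencode(s)` taken when urlmaxqueryparams is set sends every proxied query through url.ParseQuery and Encode, which sorts keys and drops pairs that fail to parse (as the existing "a=1&a=%zz&b=3" case shows), so that GODEBUG setting changes what backends receive even for small queries.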
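Review bot: the url.go hunk adds only a comment, and its unchanged context already contains `var urlmaxqueryparams = godebug.New("urlmaxqueryparams")` and `const defaultMaxParams = 10000`, so this patch applies only on top of whatever earlier SRC_URI entry introduces those lines. Please name that patch in the commit message so the ordering dependency in go-1.22.12.inc is explicit for anyone who later drops or reorders entries.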
From: Jeremy Rosen <jeremy.rosen@smile.fr> To: openembedded-core@lists.openembedded.org Cc: Paul Barker <paul@pbarker.dev> Subject: [OE-core][scarthgap 16/21] go: patch CVE-2026-39826 Date: Fri, 12 Jun 2026 16:26:06 +0200 Message-ID: <3398ab7d66e68a36eea2f230aacbace7f9d8461a.1781270474.git.jeremy.rosen@smile.fr> X-Mailer: git-send-email 2.53.0 In-Reply-To: <cover.1781270474.git.jeremy.rosen@smile.fr> References: <cover.1781270474.git.jeremy.rosen@smile.fr> MIME-Version: 1.0 List-Id: <openembedded-core.lists.openembedded.org> X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for <openembedded-core@lists.openembedded.org>; Fri, 12 Jun 2026 14:27:00 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/238638 From: "Theo Gaige (Schneider Electric)" <tgaige.opensource@witekio.com> Backport patch from [1] [1] https://go.dev/cl/771180 Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com> Reviewed-by: Bruno Vernay <bruno.vernay@se.com> Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr> --- meta/recipes-devtools/go/go-1.22.12.inc | 1 + .../go/go/CVE-2026-39826.patch | 65 +++++++++++++++++++ 2 files changed, 66 insertions(+) create mode 100644 meta/recipes-devtools/go/go/CVE-2026-39826.patch diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc index 952c0e4638..77e6bcd59d 100644 --- a/meta/recipes-devtools/go/go-1.22.12.inc +++ b/meta/recipes-devtools/go/go-1.22.12.inc @@ -50,6 +50,7 @@ SRC_URI += "\ file://CVE-2026-39819.patch \ file://CVE-2026-39820.patch \ file://CVE-2026-39825.patch \ + file://CVE-2026-39826.patch \ " SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71" diff --git a/meta/recipes-devtools/go/go/CVE-2026-39826.patch b/meta/recipes-devtools/go/go/CVE-2026-39826.patch new file mode 100644 index 0000000000..d9fa751adc --- /dev/null 
+++ b/meta/recipes-devtools/go/go/CVE-2026-39826.patch 
@@ -0,0 +1,65 @@ +From 0d41a827f4d691be89c0285cd136cc45640341d4 Mon Sep 17 00:00:00 2001 +From: Neal Patel <nealpatel@google.com> +Date: Mon, 27 Apr 2026 17:34:58 -0400 +Subject: [PATCH] html/template: fix escaper bypass by treating empty script + type as JavaScript + +Thank you to Mundur (https://github.com/M0nd0R) for reporting this issue. + +Fixes #78981 +Fixes CVE-2026-39826 + +Change-Id: I3f2e06496020ece655d156fb099ff556af8cc836 +Reviewed-on: https://go-review.googlesource.com/c/go/+/771180 +Reviewed-by: Roland Shoemaker <roland@golang.org> +LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> + +CVE: CVE-2026-39826 +Upstream-Status: Backport [https://github.com/golang/go/commit/a63b23ffb2eebc9ca3a14c369b615ca623bb20f7] +Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com> +--- + src/html/template/escape_test.go | 15 +++++++++++++++ + src/html/template/js.go | 1 + + 2 files changed, 16 insertions(+) + +diff --git a/src/html/template/escape_test.go b/src/html/template/escape_test.go +index 435c83378f..ce06440738 100644 +--- a/src/html/template/escape_test.go ++++ b/src/html/template/escape_test.go +@@ -231,6 +231,21 @@ func TestEscape(t *testing.T) { + "<script>alert({{.A}})</script>", + `<script>alert(["\u003ca\u003e","\u003cb\u003e"])</script>`, + }, ++ { ++ "scriptTypeSpace", ++ "<script type=\" \">{{.H}}</script>", ++ "<script type=\" \">\"\\u003cHello\\u003e\"</script>", ++ }, ++ { ++ "scriptTypeTab", ++ "<script type=\"\t\">{{.H}}</script>", ++ "<script type=\"\t\">\"\\u003cHello\\u003e\"</script>", ++ }, ++ { ++ "scriptTypeEmpty", ++ "<script type=\"\">{{.H}}</script>", ++ "<script type=\"\">\"\\u003cHello\\u003e\"</script>", ++ }, + { + "jsObjValueNotOverEscaped", + "<button onclick='alert({{.A | html}})'>", +diff --git a/src/html/template/js.go b/src/html/template/js.go +index d911ada26d..90cf2dc982 100644 +--- a/src/html/template/js.go 
++++ b/src/html/template/js.go +@@ -459,6 +459,7 @@ func isJSType(mimeType string) bool { + mimeType = strings.TrimSpace(mimeType) + switch mimeType { + case ++ "", + "application/ecmascript", + "application/javascript", + "application/json", +-- +2.43.0 + From patchwork Fri Jun 12 14:26:07 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jeremy Rosen <jeremy.rosen@smile.fr> X-Patchwork-Id: 89943 Return-Path: <jeremy.rosen@smile.fr> X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 20450CD98CE for <webhook@archiver.kernel.org>; Fri, 12 Jun 2026 14:27:00 +0000 (UTC) Received: from mail-wm1-f41.google.com (mail-wm1-f41.google.com [209.85.128.41]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.71826.1781274411187886582 for <openembedded-core@lists.openembedded.org>; Fri, 12 Jun 2026 07:26:51 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google header.b=ETypZIho; spf=pass (domain: smile.fr, ip: 209.85.128.41, mailfrom: jeremy.rosen@smile.fr) Received: by mail-wm1-f41.google.com with SMTP id 5b1f17b1804b1-490b1bbcf3aso8550045e9.1 for <openembedded-core@lists.openembedded.org>; Fri, 12 Jun 2026 07:26:50 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smile.fr; s=google; t=1781274410; x=1781879210; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=1Iov+40IxO8DDzBkZiRrKnyt6Zu5hJE6cGTCPKWtcUM=; b=ETypZIhorfXwoIsbN6T363f8nLN86i7WL+MlsIx5aArkSSzfNnE1M6UYrAJ3Kis44k AbHUIxdjAbrMkoB4wOOMrc01wS/31xPopKXPXq5A1u57MBS8ZztrA4RMYGnpy2V5uayB LVFuMoihgJ/X9IiaQUp5pYndAF3CKeQLJxD6M= X-Google-DKIM-Signature: v=1; a=rsa-sha256; 
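Review bot: the js.go hunk adds a bare `"",` case to isJSType with no comment, and the embedded commit message gives no explanation beyond its subject, so nothing in the patch records why an empty type (or a whitespace-only one, after the strings.TrimSpace just above the switch) has to be escaped as JavaScript. A one-line comment on the case, for example that browsers execute a script element whose type attribute is empty as JavaScript, would keep a later cleanup from treating the entry as a mistake and removing it.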
From: Jeremy Rosen <jeremy.rosen@smile.fr> To: openembedded-core@lists.openembedded.org Cc: Paul Barker <paul@pbarker.dev> Subject: [OE-core][scarthgap 17/21] go: patch CVE-2026-42499 Date: Fri, 12 Jun 2026 16:26:07 +0200 Message-ID: <b0982ba6ae2de7bd57c6562015ec3386ed437f39.1781270474.git.jeremy.rosen@smile.fr> X-Mailer: git-send-email 2.53.0 In-Reply-To: <cover.1781270474.git.jeremy.rosen@smile.fr> References: <cover.1781270474.git.jeremy.rosen@smile.fr> MIME-Version: 1.0 List-Id: <openembedded-core.lists.openembedded.org> X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for <openembedded-core@lists.openembedded.org>; Fri, 12 Jun 2026 14:27:00 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/238639 From: "Theo Gaige (Schneider Electric)" <tgaige.opensource@witekio.com> Backport patch from [1] [1] https://go.dev/cl/771520 Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com> Reviewed-by: Bruno Vernay <bruno.vernay@se.com> Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr> --- meta/recipes-devtools/go/go-1.22.12.inc | 1 + .../go/go/CVE-2026-42499.patch | 91 +++++++++++++++++++ 2 files changed, 92 insertions(+) create mode 100644 meta/recipes-devtools/go/go/CVE-2026-42499.patch diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc index 77e6bcd59d..85f75f0d89 100644 --- a/meta/recipes-devtools/go/go-1.22.12.inc +++ b/meta/recipes-devtools/go/go-1.22.12.inc @@ -51,6 +51,7 @@ SRC_URI += "\ file://CVE-2026-39820.patch \ file://CVE-2026-39825.patch \ file://CVE-2026-39826.patch \ + file://CVE-2026-42499.patch \ " SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71" diff --git a/meta/recipes-devtools/go/go/CVE-2026-42499.patch b/meta/recipes-devtools/go/go/CVE-2026-42499.patch new file mode 100644 index 0000000000..d4ac9b3823 --- /dev/null 
+++ b/meta/recipes-devtools/go/go/CVE-2026-42499.patch 
@@ -0,0 +1,91 @@ +From dd339e72189d59f249786afd4021b9fb391f3562 Mon Sep 17 00:00:00 2001 +From: Neal Patel <nealpatel@google.com> +Date: Tue, 28 Apr 2026 12:10:24 -0400 +Subject: [PATCH] net/mail: fix quadratic consumePhrase behavior + +Updates #78987 +Fixes CVE-2026-42499 + +Change-Id: I8438e5dee7e6433573d4161baf8fb2151e7fbc2f +Reviewed-on: https://go-review.googlesource.com/c/go/+/771520 +Reviewed-by: Nicholas Husin <husin@google.com> +Reviewed-by: Nicholas Husin <nsh@golang.org> +LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> + +CVE: CVE-2026-42499 +Upstream-Status: Backport [https://github.com/golang/go/commit/2c59389fcc5194aeae742fb413e55b656c22343f] +Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com> +--- + src/net/mail/message.go | 23 +++++++++++++++++------ + src/net/mail/message_test.go | 11 +++++++++++ + 2 files changed, 28 insertions(+), 6 deletions(-) + +diff --git a/src/net/mail/message.go b/src/net/mail/message.go +index 37d7ff5df1..f57742068e 100644 +--- a/src/net/mail/message.go ++++ b/src/net/mail/message.go +@@ -567,8 +567,10 @@ func (p *addrParser) consumeAddrSpec() (spec string, err error) { + func (p *addrParser) consumePhrase() (phrase string, err error) { + debug.Printf("consumePhrase: [%s]", p.s) + // phrase = 1*word +- var words []string +- var isPrevEncoded bool ++ var ( ++ words []string ++ sb strings.Builder ++ ) + for { + // obs-phrase allows CFWS after one word + if len(words) > 0 { +@@ -600,13 +602,22 @@ func (p *addrParser) consumePhrase() (phrase string, err error) { + break + } + debug.Printf("consumePhrase: consumed %q", word) +- if isPrevEncoded && isEncoded { +- words[len(words)-1] += word +- } else { ++ switch { ++ case isEncoded: ++ sb.WriteString(word) ++ case !isEncoded && sb.Len() > 0: ++ words = append(words, sb.String()) ++ sb.Reset() ++ words = append(words, word) ++ default: + words = append(words, 
word) + } +- isPrevEncoded = isEncoded + } ++ ++ if sb.Len() > 0 { ++ words = append(words, sb.String()) ++ } ++ + // Ignore any error if we got at least one word. + if err != nil && len(words) == 0 { + debug.Printf("consumePhrase: hit err: %v", err) +diff --git a/src/net/mail/message_test.go b/src/net/mail/message_test.go +index 1b165317f9..27837a9cbd 100644 +--- a/src/net/mail/message_test.go ++++ b/src/net/mail/message_test.go +@@ -1219,6 +1219,17 @@ func TestEmptyAddress(t *testing.T) { + } + } + ++func BenchmarkConsumePhrase(b *testing.B) { ++ for _, n := range []int{10, 100, 1000, 10000} { ++ b.Run(fmt.Sprintf("words-%d", n), func(b *testing.B) { ++ input := strings.Repeat("=?utf-8?q?hello?= ", n) + "<user@example.com>" ++ for b.Loop() { ++ (&addrParser{s: input}).consumePhrase() ++ } ++ }) ++ } ++} ++ + func BenchmarkConsumeComment(b *testing.B) { + for _, n := range []int{10, 100, 1000, 10000} { + b.Run(fmt.Sprintf("depth-%d", n), func(b *testing.B) { +-- +2.43.0 + From patchwork Fri Jun 12 14:26:08 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jeremy Rosen <jeremy.rosen@smile.fr> X-Patchwork-Id: 89946 Return-Path: <jeremy.rosen@smile.fr> X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 467A6CD98D9 for <webhook@archiver.kernel.org>; Fri, 12 Jun 2026 14:27:00 +0000 (UTC) Received: from mail-wr1-f42.google.com (mail-wr1-f42.google.com [209.85.221.42]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.71827.1781274412055020920 for <openembedded-core@lists.openembedded.org>; Fri, 12 Jun 2026 07:26:52 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google header.b=zYNoZiZa; spf=pass (domain: smile.fr, ip: 209.85.221.42, mailfrom: jeremy.rosen@smile.fr) Received: 
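Review bot: in the consumePhrase hunk of message.go, encoded words now sit in `sb` and reach `words` only when a non-encoded word arrives or the loop ends, so the `if len(words) > 0` guard at the top of the loop stays false for a phrase that opens with a run of encoded words, where the old code made it true after the first word. Please confirm that skipping the guarded obs-phrase handling in that case is intended, or test `len(words) > 0 || sb.Len() > 0` instead. Minor: `!isEncoded` in the second case is redundant once `case isEncoded:` has not matched.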
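Review bot: the new BenchmarkConsumePhrase in message_test.go uses `for b.Loop()`, and testing.B.Loop was added in Go 1.24, while this recipe is go-1.22.12, so the net/mail test package will not compile wherever the standard library tests are built. For the backport, rewrite the loop as `for i := 0; i < b.N; i++` or drop the benchmark from the patch, and note the deviation from upstream next to the Upstream-Status line.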
From: Jeremy Rosen <jeremy.rosen@smile.fr> To: openembedded-core@lists.openembedded.org Cc: Paul Barker <paul@pbarker.dev> Subject: [OE-core][scarthgap 18/21] go: patch CVE-2026-42501 Date: Fri, 12 Jun 2026 16:26:08 +0200 Message-ID: <679a95d6aaaef526ca2905a8cbf4a16aff600d7b.1781270474.git.jeremy.rosen@smile.fr> X-Mailer: git-send-email 2.53.0 In-Reply-To: <cover.1781270474.git.jeremy.rosen@smile.fr> References: <cover.1781270474.git.jeremy.rosen@smile.fr> MIME-Version: 1.0 List-Id: <openembedded-core.lists.openembedded.org> X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for <openembedded-core@lists.openembedded.org>; Fri, 12 Jun 2026 14:27:00 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/238640 From: "Theo Gaige (Schneider Electric)" <tgaige.opensource@witekio.com> Backport patch from [1] [1] https://go.dev/cl/775321 Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com> Reviewed-by: Bruno Vernay <bruno.vernay@se.com> Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr> --- meta/recipes-devtools/go/go-1.22.12.inc | 1 + .../go/go/CVE-2026-42501.patch | 127 ++++++++++++++++++ 2 files changed, 128 insertions(+) create mode 100644 meta/recipes-devtools/go/go/CVE-2026-42501.patch diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc index 85f75f0d89..03a1a81fc3 100644 --- a/meta/recipes-devtools/go/go-1.22.12.inc 
+++ b/meta/recipes-devtools/go/go-1.22.12.inc @@ -52,6 +52,7 @@ SRC_URI += "\ file://CVE-2026-39825.patch \ file://CVE-2026-39826.patch \ file://CVE-2026-42499.patch \ + file://CVE-2026-42501.patch \ " SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71" diff --git a/meta/recipes-devtools/go/go/CVE-2026-42501.patch b/meta/recipes-devtools/go/go/CVE-2026-42501.patch new file mode 100644 index 0000000000..82b2fa02a1 --- /dev/null +++ b/meta/recipes-devtools/go/go/CVE-2026-42501.patch 
@@ -0,0 +1,127 @@ +From 52d8958ce7e102a5ebd3b4748aa03989b5469084 Mon Sep 17 00:00:00 2001 +From: Damien Neil <dneil@google.com> +Date: Thu, 30 Apr 2026 13:10:49 -0700 +Subject: [PATCH] cmd/go: reject sumdb response lacking module hash + +Report an error when a sumdb /lookup/ request does not +include a hash for the requested module, rather than +silently proceeding. + +Previously, we would verify that a returned sum matched +the expected module hash, but did not verify that the +response contained a sum. This permits a malicous +proxy to serve a corrupted module along with a +valid-but-irrelevant sumdb response for some other +module. We now ensure that the sumdb response contains +a valid hash for the module we are validating. + +Thanks to Mundur (https://github.com/M0nd0R) for reporting this issue. + +Fixes CVE-2026-42501 +Fixes #79070 + +Change-Id: I7d9a367deb237aa70cade2434495998f6a6a6964 +Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/4340 +Reviewed-by: Nicholas Husin <husin@google.com> +Reviewed-by: Neal Patel <nealpatel@google.com> +Reviewed-on: https://go-review.googlesource.com/c/go/+/775321 +Reviewed-by: Michael Pratt <mpratt@google.com> +LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> + +CVE: CVE-2026-42501 +Upstream-Status: Backport [https://github.com/golang/go/commit/1a9af07120312d368815712a4dce2dd2070342e5] +Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com> +--- + src/cmd/go/internal/modfetch/fetch.go | 15 ++++++++++++++- + src/cmd/go/proxy_test.go | 17 +++++++++++++++++ + src/cmd/go/testdata/script/mod_sum_absent.txt | 17 +++++++++++++++++ + 3 files changed, 48 insertions(+), 1 deletion(-) + create mode 100644 src/cmd/go/testdata/script/mod_sum_absent.txt + +diff --git a/src/cmd/go/internal/modfetch/fetch.go b/src/cmd/go/internal/modfetch/fetch.go +index eeab6da62a..75769d7c61 100644 +--- 
a/src/cmd/go/internal/modfetch/fetch.go ++++ b/src/cmd/go/internal/modfetch/fetch.go +@@ -740,7 +740,7 @@ func checkSumDB(mod module.Version, h string) error { + return module.VersionError(modWithoutSuffix, fmt.Errorf("verifying %s: checksum mismatch\n\tdownloaded: %v\n\t%s: %v"+sumdbMismatch, noun, h, db, line[len(prefix)-len("h1:"):])) + } + } +- return nil ++ return module.VersionError(modWithoutSuffix, fmt.Errorf("verifying %s: checksum missing from sumdb response"+sumdbAbsent, noun)) + } + + // Sum returns the checksum for the downloaded copy of the given module, +@@ -931,6 +931,19 @@ have intercepted the download attempt. + For more information, see 'go help module-auth'. + ` + ++const sumdbAbsent = ` ++ ++SECURITY ERROR ++This download does NOT match one reported by the checksum server. ++The checksum server has provided checksums, but the checksums do ++not contain an entry for the download. ++The checksum server may be malfunctioning, or an attacker may have ++intercepted the checksum request. ++The download cannot be verified. ++ ++For more information, see 'go help module-auth'. ++` ++ + const hashVersionMismatch = ` + + SECURITY WARNING +diff --git a/src/cmd/go/proxy_test.go b/src/cmd/go/proxy_test.go +index cb3d9f92f1..88e5052b89 100644 +--- a/src/cmd/go/proxy_test.go ++++ b/src/cmd/go/proxy_test.go +@@ -172,6 +172,23 @@ func proxyHandler(w http.ResponseWriter, r *http.Request) { + return + } + ++ // Request for $GOPROXY/sumdb-redirect/module@version:/lookup/... ++ // performs a lookup for module@version rather than the requested module. ++ if strings.HasPrefix(path, "sumdb-redirect/") { ++ redirect, rest, ok := strings.Cut(path[len("sumdb-redirect"):], ":") ++ if !ok { ++ w.WriteHeader(500) ++ return ++ } ++ if strings.HasPrefix(rest, "/lookup/") { ++ r.URL.Path = "/lookup" + redirect ++ } else { ++ r.URL.Path = rest ++ } ++ sumdbServer.ServeHTTP(w, r) ++ return ++ } ++ + // Request for $GOPROXY/redirect/<count>/... goes to redirects. 
+ if strings.HasPrefix(path, "redirect/") { + path = path[len("redirect/"):] +diff --git a/src/cmd/go/testdata/script/mod_sum_absent.txt b/src/cmd/go/testdata/script/mod_sum_absent.txt +new file mode 100644 +index 0000000000..c2dd814542 +--- /dev/null ++++ b/src/cmd/go/testdata/script/mod_sum_absent.txt +@@ -0,0 +1,17 @@ ++# When the sumdb returns a response which does not ++# include a sum for the requested module, ++# we should report an error. ++# Verifies CVE-2026-42501. ++env sumdb=$GOSUMDB ++env proxy=$GOPROXY ++env GOPROXY GONOPROXY GOSUMDB GONOSUMDB ++ ++# /sumdb-redirect/ causes the sumdb to return /lookup/ responses ++# for rsc.io/quote@v1.0.0, not for the requested module. ++env GOSUMDB=$sumdb' '$proxy/sumdb-redirect/rsc.io/quote@v1.0.0: ++ ++! go get rsc.io/fortune@v1.0.0 ++stderr 'SECURITY ERROR' ++! grep rsc.io go.sum ++-- go.mod -- ++module m +-- +2.43.0 + From patchwork Fri Jun 12 14:26:09 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Jeremy Rosen <jeremy.rosen@smile.fr> X-Patchwork-Id: 89947 Return-Path: <jeremy.rosen@smile.fr> X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 66488CD98DB for <webhook@archiver.kernel.org>; Fri, 12 Jun 2026 14:27:00 +0000 (UTC) Received: from mail-wr1-f46.google.com (mail-wr1-f46.google.com [209.85.221.46]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.71896.1781274412938399772 for <openembedded-core@lists.openembedded.org>; Fri, 12 Jun 2026 07:26:53 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google header.b=rqs5579N; spf=pass (domain: smile.fr, ip: 209.85.221.46, mailfrom: jeremy.rosen@smile.fr) Received: by mail-wr1-f46.google.com with SMTP id ffacd0b85a97d-4602e2a0372so797628f8f.3 for 
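Review bot: in the fetch.go hunk, the first sentence of the new sumdbAbsent text, "This download does NOT match one reported by the checksum server.", describes a mismatch, but this return is reached when the response has no entry for the module at all, which is what the following sentence then says. Someone triaging a failed build from the first line will look for a differing hash that does not exist; wording such as "The checksum server did not report a checksum for this download." would match the condition and the "checksum missing from sumdb response" error it is attached to.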
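Review bot: mod_sum_absent.txt asserts only `stderr 'SECURITY ERROR'`, which any other failure path printing that banner would also satisfy, so the script does not prove that the new return at the end of checkSumDB is the one that fired. Matching the specific text added in fetch.go, `stderr 'checksum missing from sumdb response'`, would tie the test to this fix.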
ffacd0b85a97d-4606dba9c0bmr4729371f8f.19.1781274411042; Fri, 12 Jun 2026 07:26:51 -0700 (PDT) Received: from Logrus.lan ([2001:861:560f:240:8dd0:2c2:7492:641b]) by smtp.googlemail.com with ESMTPSA id ffacd0b85a97d-4606f20e77asm6798747f8f.0.2026.06.12.07.26.50 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 12 Jun 2026 07:26:50 -0700 (PDT) From: Jeremy Rosen <jeremy.rosen@smile.fr> To: openembedded-core@lists.openembedded.org Cc: Paul Barker <paul@pbarker.dev> Subject: [OE-core][scarthgap 19/21] go: patch CVE-2026-42504 Date: Fri, 12 Jun 2026 16:26:09 +0200 Message-ID: <9af7a3c0808380058979b6cf0a3c62395ecff396.1781270474.git.jeremy.rosen@smile.fr> X-Mailer: git-send-email 2.53.0 In-Reply-To: <cover.1781270474.git.jeremy.rosen@smile.fr> References: <cover.1781270474.git.jeremy.rosen@smile.fr> MIME-Version: 1.0 List-Id: <openembedded-core.lists.openembedded.org> X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for <openembedded-core@lists.openembedded.org>; Fri, 12 Jun 2026 14:27:00 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/238641 From: "Theo Gaige (Schneider Electric)" <tgaige.opensource@witekio.com> Backport patch from [1] [1] https://go.dev/cl/774481 Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com> Reviewed-by: Bruno Vernay <bruno.vernay@se.com> Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr> --- meta/recipes-devtools/go/go-1.22.12.inc | 1 + .../go/go/CVE-2026-42504.patch | 58 +++++++++++++++++++ 2 files changed, 59 insertions(+) create mode 100644 meta/recipes-devtools/go/go/CVE-2026-42504.patch diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc index 03a1a81fc3..ba4fe9a734 100644 --- a/meta/recipes-devtools/go/go-1.22.12.inc +++ b/meta/recipes-devtools/go/go-1.22.12.inc 
@@ -53,6 +53,7 @@ SRC_URI += "\ file://CVE-2026-39826.patch \ file://CVE-2026-42499.patch \ file://CVE-2026-42501.patch \ + file://CVE-2026-42504.patch \ " SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71" diff --git a/meta/recipes-devtools/go/go/CVE-2026-42504.patch b/meta/recipes-devtools/go/go/CVE-2026-42504.patch new file mode 100644 index 0000000000..1ae104ae19 --- /dev/null +++ b/meta/recipes-devtools/go/go/CVE-2026-42504.patch 
@@ -0,0 +1,58 @@ +From 41ca50d68cd74e0a68f3917cd902885c84fedbf7 Mon Sep 17 00:00:00 2001 +From: Damien Neil <dneil@google.com> +Date: Tue, 5 May 2026 15:20:34 -0700 +Subject: [PATCH] mime: avoid quadratic complexity in WordDecoder.DecodeHeader + +When encountering an undecodable encoded-word, +skip over the entire word rather than just the initial "=?". + +Fixes #79217 +Fixes CVE-2026-42504 + +Change-Id: I28605faa235459d2ba71bd0f3ae3dce96a6a6964 +Reviewed-on: https://go-review.googlesource.com/c/go/+/774481 +Reviewed-by: Nicholas Husin <nsh@golang.org> +LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> +Reviewed-by: Nicholas Husin <husin@google.com> + +CVE: CVE-2026-42504 +Upstream-Status: Backport [https://github.com/golang/go/commit/f230dd8a1d0a63d73e92685e378dcd725f7aac00] +Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com> +--- + src/mime/encodedword.go | 4 ++-- + src/mime/encodedword_test.go | 4 ++++ + 2 files changed, 6 insertions(+), 2 deletions(-) + +diff --git a/src/mime/encodedword.go b/src/mime/encodedword.go +index e6b470b1fb..a7059f3bc4 100644 +--- a/src/mime/encodedword.go ++++ b/src/mime/encodedword.go +@@ -275,8 +275,8 @@ func (d *WordDecoder) DecodeHeader(header string) (string, error) { + content, err := decode(encoding, text) + if err != nil { + betweenWords = false +- buf.WriteString(header[:start+2]) +- header = header[start+2:] ++ buf.WriteString(header[:end]) ++ header = header[end:] + continue + } + +diff --git a/src/mime/encodedword_test.go b/src/mime/encodedword_test.go +index 2a98794380..befc3cd996 100644 +--- a/src/mime/encodedword_test.go ++++ b/src/mime/encodedword_test.go +@@ -140,6 +140,10 @@ func TestDecodeHeader(t *testing.T) { + {"=?ISO-8859-1?Q?a?= =?ISO-8859-1?Q?b?=", "ab"}, + {"=?ISO-8859-1?Q?a?= \r\n\t =?ISO-8859-1?Q?b?=", "ab"}, + {"=?ISO-8859-1?Q?a_b?=", "a b"}, ++ // Undecodable words ++ 
{"=?UTF-8?b?garbage?= =?UTF-8?b?QW5kcsOp?= =?UTF-8?b?garbage?=", "=?UTF-8?b?garbage?= André =?UTF-8?b?garbage?="}, ++ {"=?UTF-8?b?QW5kcsOp", "=?UTF-8?b?QW5kcsOp"}, ++ {"=?UTF-8?x?y?=?UTF-8?x?y=?", "=?UTF-8?x?y?=?UTF-8?x?y=?"}, + } + + for _, test := range tests { +-- +2.43.0 + From patchwork Fri Jun 12 14:26:10 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jeremy Rosen <jeremy.rosen@smile.fr> X-Patchwork-Id: 89948 Return-Path: <jeremy.rosen@smile.fr> X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 24ABECD98D6 for <webhook@archiver.kernel.org>; Fri, 12 Jun 2026 14:27:00 +0000 (UTC) Received: from mail-wr1-f50.google.com (mail-wr1-f50.google.com [209.85.221.50]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.71898.1781274413981239465 for <openembedded-core@lists.openembedded.org>; Fri, 12 Jun 2026 07:26:54 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google header.b=Lq7Jqqa3; spf=pass (domain: smile.fr, ip: 209.85.221.50, mailfrom: jeremy.rosen@smile.fr) Received: by mail-wr1-f50.google.com with SMTP id ffacd0b85a97d-45ee5cdbd28so1342454f8f.1 for <openembedded-core@lists.openembedded.org>; Fri, 12 Jun 2026 07:26:53 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smile.fr; s=google; t=1781274412; x=1781879212; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=tFGJ+cg6FZKQVOc1mQZ9C+zp0fsqq239ESKjVGZcS1M=; b=Lq7Jqqa3PmmrLvw2bP+R3N8gABD8Ng+wud39a6rQVez56t2m3FkgvJFAGQYmRcYfHB CuMbGE8iCkCaXeP2cApe9Xwm1lXEoEL2bFGKmRBQr+8TgtlIDfJZvvlX7cBudsPkM4Tl q3ABWhSYQb5/X0yiKysr5hQ+WCZTRw41yHPeA= X-Google-DKIM-Signature: v=1; 
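Review bot: the three cases added to TestDecodeHeader in src/mime/encodedword_test.go assert only on the returned string, so they pin down the pass-through of undecodable words, but nothing in the patch exercises the quadratic cost that the subject line says is being removed. A large-input test or benchmark next to these cases would make a regression in the `header = header[end:]` step visible. For the backport itself, `end` is used in the encodedword.go hunk but defined outside its context, so the patch depends on the 1.22.12 source computing it before the `decode(encoding, text)` call; worth confirming that it applies there without fuzz.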
From: Jeremy Rosen <jeremy.rosen@smile.fr>
To: openembedded-core@lists.openembedded.org
Cc: Paul Barker <paul@pbarker.dev>
Subject: [OE-core][scarthgap 20/21] go: patch CVE-2026-42507
Date: Fri, 12 Jun 2026 16:26:10 +0200
Message-ID: <6eedc9b05adf40fe635e7cfac767a123a365f57a.1781270474.git.jeremy.rosen@smile.fr>
X-Mailer: git-send-email 2.53.0
In-Reply-To: <cover.1781270474.git.jeremy.rosen@smile.fr>
References: <cover.1781270474.git.jeremy.rosen@smile.fr>
MIME-Version: 1.0
List-Id: <openembedded-core.lists.openembedded.org>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/238642

From: "Theo Gaige (Schneider Electric)" <tgaige.opensource@witekio.com>

Backport patch from [1]

[1] https://go.dev/cl/777060

Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr>
--- meta/recipes-devtools/go/go-1.22.12.inc | 1 + .../go/go/CVE-2026-42507.patch | 160 ++++++++++++++++++ 2 files changed, 161 insertions(+) create mode 100644 meta/recipes-devtools/go/go/CVE-2026-42507.patch diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc index ba4fe9a734..f67da3e078 100644 --- a/meta/recipes-devtools/go/go-1.22.12.inc +++ b/meta/recipes-devtools/go/go-1.22.12.inc @@ -54,6 +54,7 @@ SRC_URI += "\ file://CVE-2026-42499.patch \ file://CVE-2026-42501.patch \ file://CVE-2026-42504.patch \ + file://CVE-2026-42507.patch \ " SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71" diff --git a/meta/recipes-devtools/go/go/CVE-2026-42507.patch b/meta/recipes-devtools/go/go/CVE-2026-42507.patch new file mode 100644 index 0000000000..d48b2b53eb --- /dev/null
+++ b/meta/recipes-devtools/go/go/CVE-2026-42507.patch 
@@ -0,0 +1,160 @@ +From 943e53a7b667a1570648b5f1c4592b9d9d5b4aac Mon Sep 17 00:00:00 2001 +From: "Nicholas S. Husin" <nsh@golang.org> +Date: Mon, 11 May 2026 18:04:07 -0400 +Subject: [PATCH] net/textproto: escape arbitrary input when including them in + errors + +When returning errors, functions in the net/textproto package would +include its input as part of the error, without any escaping. Note that +said input is often controlled by external parties when using this +package naturally. For example, a net/http client uses ReadMIMEHeader +when parsing the headers it receive from a server. + +As a result, an attacker could inject arbitrary content into the error. +Practically, this can result in an attacker injecting misleading +content, terminal control bytes, etc. into a victim's output or logs. + +Fix this issue by making sure that ProtocolError usages within the +package are properly escaped, and that Error.String will escape its Msg. + +Fixes #79346 +Fixes CVE-2026-42507 + +Change-Id: Ide4c1005d8254f90d95d7a389b8ca3a26a6a6964 +Reviewed-on: https://go-review.googlesource.com/c/go/+/777060 +LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> +Reviewed-by: Roland Shoemaker <roland@golang.org> +Reviewed-by: Nicholas Husin <husin@google.com> +Reviewed-by: Damien Neil <dneil@google.com> + +CVE: CVE-2026-42507 +Upstream-Status: Backport [https://github.com/golang/go/commit/1a7e601d07b67aec8d795c8182ee7257ba7d1960] +Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com> +--- + src/net/smtp/smtp_test.go | 6 +++--- + src/net/textproto/reader.go | 14 +++++++------- + src/net/textproto/reader_test.go | 6 ++++-- + src/net/textproto/textproto.go | 2 +- + 4 files changed, 15 insertions(+), 13 deletions(-) + +diff --git a/src/net/smtp/smtp_test.go b/src/net/smtp/smtp_test.go +index 259b10b93d..3e03da5208 100644 +--- a/src/net/smtp/smtp_test.go ++++ 
b/src/net/smtp/smtp_test.go +@@ -664,7 +664,7 @@ func TestHello(t *testing.T) { + err = c.Hello("customhost") + case 1: + err = c.StartTLS(nil) +- if err.Error() == "502 Not implemented" { ++ if err.Error() == `502 "Not implemented"` { + err = nil + } + case 2: +@@ -922,8 +922,8 @@ func TestAuthFailed(t *testing.T) { + + if err == nil { + t.Error("Auth: expected error; got none") +- } else if err.Error() != "535 Invalid credentials\nplease see www.example.com" { +- t.Errorf("Auth: got error: %v, want: %s", err, "535 Invalid credentials\nplease see www.example.com") ++ } else if err.Error() != `535 "Invalid credentials\nplease see www.example.com"` { ++ t.Errorf("Auth: got error: %v, want: %s", err, `535 "Invalid credentials\nplease see www.example.com"`) + } + + bcmdbuf.Flush() +diff --git a/src/net/textproto/reader.go b/src/net/textproto/reader.go +index 0027efe3ca..b4cd22a6ed 100644 +--- a/src/net/textproto/reader.go ++++ b/src/net/textproto/reader.go +@@ -213,13 +213,13 @@ func (r *Reader) readCodeLine(expectCode int) (code int, continued bool, message + + func parseCodeLine(line string, expectCode int) (code int, continued bool, message string, err error) { + if len(line) < 4 || line[3] != ' ' && line[3] != '-' { +- err = ProtocolError("short response: " + line) ++ err = ProtocolError(fmt.Sprintf("short response: %q", line)) + return + } + continued = line[3] == '-' + code, err = strconv.Atoi(line[0:3]) + if err != nil || code < 100 { +- err = ProtocolError("invalid response code: " + line) ++ err = ProtocolError(fmt.Sprintf("invalid response code: %q", line)) + return + } + message = line[4:] +@@ -251,7 +251,7 @@ func parseCodeLine(line string, expectCode int) (code int, continued bool, messa + func (r *Reader) ReadCodeLine(expectCode int) (code int, message string, err error) { + code, continued, message, err := r.readCodeLine(expectCode) + if err == nil && continued { +- err = ProtocolError("unexpected multi-line response: " + message) ++ err = 
ProtocolError(fmt.Sprintf("unexpected multi-line response: %q", message)) + } + return + } +@@ -536,7 +536,7 @@ func readMIMEHeader(r *Reader, maxMemory, maxHeaders int64) (MIMEHeader, error) + if err != nil { + return m, err + } +- return m, ProtocolError("malformed MIME header initial line: " + string(line)) ++ return m, ProtocolError(fmt.Sprintf("malformed MIME header initial line: %q", line)) + } + + for { +@@ -548,15 +548,15 @@ func readMIMEHeader(r *Reader, maxMemory, maxHeaders int64) (MIMEHeader, error) + // Key ends at first colon. + k, v, ok := bytes.Cut(kv, colon) + if !ok { +- return m, ProtocolError("malformed MIME header line: " + string(kv)) ++ return m, ProtocolError(fmt.Sprintf("malformed MIME header line: %q", kv)) + } + key, ok := canonicalMIMEHeaderKey(k) + if !ok { +- return m, ProtocolError("malformed MIME header line: " + string(kv)) ++ return m, ProtocolError(fmt.Sprintf("malformed MIME header line: %q", kv)) + } + for _, c := range v { + if !validHeaderValueByte(c) { +- return m, ProtocolError("malformed MIME header line: " + string(kv)) ++ return m, ProtocolError(fmt.Sprintf("malformed MIME header line: %q", kv)) + } + } + +diff --git a/src/net/textproto/reader_test.go b/src/net/textproto/reader_test.go +index 26ff617470..844069a4ad 100644 +--- a/src/net/textproto/reader_test.go ++++ b/src/net/textproto/reader_test.go +@@ -409,6 +409,8 @@ func TestReadMultiLineError(t *testing.T) { + "Unexpected but legal text!\n" + + "5.1.1 https://support.google.com/mail/answer/6596 h20si25154304pfd.166 - gsmtp" + ++ wantError := `550 "5.1.1 The email account that you tried to reach does not exist. Please try\n5.1.1 double-checking the recipient's email address for typos or\n5.1.1 unnecessary spaces. 
Learn more at\nUnexpected but legal text!\n5.1.1 https://support.google.com/mail/answer/6596 h20si25154304pfd.166 - gsmtp"` ++ + code, msg, err := r.ReadResponse(250) + if err == nil { + t.Errorf("ReadResponse: no error, want error") +@@ -419,8 +421,8 @@ func TestReadMultiLineError(t *testing.T) { + if msg != wantMsg { + t.Errorf("ReadResponse: msg=%q, want %q", msg, wantMsg) + } +- if err != nil && err.Error() != "550 "+wantMsg { +- t.Errorf("ReadResponse: error=%q, want %q", err.Error(), "550 "+wantMsg) ++ if err != nil && err.Error() != wantError { ++ t.Errorf("ReadResponse: error=%q, want %q", err.Error(), wantError) + } + } + +diff --git a/src/net/textproto/textproto.go b/src/net/textproto/textproto.go +index 4ae3ecff74..a2291eff2b 100644 +--- a/src/net/textproto/textproto.go ++++ b/src/net/textproto/textproto.go +@@ -38,7 +38,7 @@ type Error struct { + } + + func (e *Error) Error() string { +- return fmt.Sprintf("%03d %s", e.Code, e.Msg) ++ return fmt.Sprintf("%03d %q", e.Code, e.Msg) + } + + // A ProtocolError describes a protocol violation such +-- +2.43.0 + From patchwork Fri Jun 12 14:26:11 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Jeremy Rosen <jeremy.rosen@smile.fr> X-Patchwork-Id: 89945 Return-Path: <jeremy.rosen@smile.fr> X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 799E4CD98DC for <webhook@archiver.kernel.org>; Fri, 12 Jun 2026 14:27:00 +0000 (UTC) Received: from mail-wr1-f50.google.com (mail-wr1-f50.google.com [209.85.221.50]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.71828.1781274414992030957 for <openembedded-core@lists.openembedded.org>; Fri, 12 Jun 2026 07:26:55 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google 
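Review bot: the src/net/textproto/textproto.go hunk changes `(*Error).Error()` from `%03d %s` to `%03d %q`, which alters the error text for every caller and not only for hostile input: the smtp_test.go hunks in this same patch had to change `"502 Not implemented"` to `502 "Not implemented"`. On a stable branch that is a behaviour change for any application on the image that compares or parses `err.Error()` from net/textproto or net/smtp, so the backport's commit message should say so explicitly. Code that needs the raw text should read the `Code` and `Msg` fields rather than the formatted string.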
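Review bot: none of the `ProtocolError` call sites rewritten in src/net/textproto/reader.go (short response, invalid response code, unexpected multi-line response, malformed MIME header lines) gets a test in this patch; the only textproto test hunk updates TestReadMultiLineError, which checks the string built by `Error.Error()`. A case that passes a malformed header line containing a control byte to ReadMIMEHeader and asserts that the returned error holds the `%q`-escaped form rather than the raw byte would cover the log and terminal output path the commit message describes. Also confirm that reader.go already imports fmt in the 1.22.12 tree, since these hunks add `fmt.Sprintf` calls and none of the visible hunks touches the import block.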
From: Jeremy Rosen <jeremy.rosen@smile.fr>
To: openembedded-core@lists.openembedded.org
Cc: Paul Barker <paul@pbarker.dev>
Subject: [OE-core][scarthgap 21/21] meta/lib/oe/package.py: fix path to kernel sources in save_debugsources_info
Date: Fri, 12 Jun 2026 16:26:11 +0200
Message-ID: <5e138a5cfb868b2b545161cb2cc706ccde307512.1781270474.git.jeremy.rosen@smile.fr>
X-Mailer: git-send-email 2.53.0
In-Reply-To: <cover.1781270474.git.jeremy.rosen@smile.fr>
References: <cover.1781270474.git.jeremy.rosen@smile.fr>
MIME-Version: 1.0
List-Id: <openembedded-core.lists.openembedded.org>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/238643

From: João Marcos Costa (Schneider Electric) <joaomarcos.costa@bootlin.com>

This is no more than a backport of the current (i.e., from 'master') version of this same chunk in save_debugsources_info(), where BP is used instead of PF to form the path to the kernel sources.

This replacement in package.py is followed by a similar change in meta/classes/create-spdx-2.2.bbclass, so that 'BP' is also used in spdx_get_src() and we don't face any regressions in SPDX v2.2. As a matter of fact, SPDX3 also uses 'BP' in get_patched_src() (from spdx_common.py).

Overall, this backport ensures coherence between Scarthgap and master, namely regarding how the kernel sources are provided by package.py and consumed by SPDX v2.2 and 3.0.

Signed-off-by: João Marcos Costa (Schneider Electric) <joaomarcos.costa@bootlin.com>
Co-authored-by: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>
Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr>
--- meta/classes/create-spdx-2.2.bbclass | 2 +- meta/lib/oe/package.py | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/meta/classes/create-spdx-2.2.bbclass b/meta/classes/create-spdx-2.2.bbclass index 037193bb4b..61bad66ae0 100644 --- a/meta/classes/create-spdx-2.2.bbclass +++ b/meta/classes/create-spdx-2.2.bbclass @@ -933,7 +933,7 @@ def spdx_get_src(d): share_src = d.getVar('WORKDIR') d.setVar('WORKDIR', spdx_workdir) d.setVar('STAGING_DIR_NATIVE', spdx_sysroot_native) - src_dir = spdx_workdir + "/" + d.getVar('PN')+ "-" + d.getVar('PV') + "-" + d.getVar('PR') + src_dir = spdx_workdir + "/" + d.getVar('BP') bb.utils.mkdirhier(src_dir) if bb.data.inherits_class('kernel',d): share_src = d.getVar('STAGING_KERNEL_DIR') diff --git a/meta/lib/oe/package.py b/meta/lib/oe/package.py index ba0d326781..fc5185ced4 100644 --- a/meta/lib/oe/package.py +++ b/meta/lib/oe/package.py
@@ -1055,13 +1055,13 @@ def save_debugsources_info(debugsrcdir, sources_raw, d): # we format the sources as expected by spdx by replacing /usr/src/kernel/ # into BP/ kernel_src = d.getVar('KERNEL_SRC_PATH') - pf = d.getVar('PF') + bp = d.getVar('BP') sources_dict = {} for file, src_files in sources_raw: file_clean = file.replace(f"{workdir}/package/","") sources_clean = [ src.replace(f"{debugsrcdir}/{pn}/", "") - if not kernel_src else src.replace(f"{kernel_src}/", f"{pf}/") + if not kernel_src else src.replace(f"{kernel_src}/", f"{bp}/") for src in src_files if not any(keyword in src for keyword in ("<internal>", "<built-in>")) and not src.endswith("/") ]
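Review bot: the package.py hunk now rewrites kernel source paths to `f"{bp}/"`, while the create-spdx-2.2.bbclass hunk creates `src_dir` as `spdx_workdir + "/" + d.getVar('BP')` instead of the old name built from PN, PV and PR, so the producer and the SPDX 2.2 consumer only agree when both changes land together. Please check the scarthgap tree for any other reader of the debug sources data that still builds the prefix from PF or from PN, PV and PR. The commit message calls this a backport of the master version of the chunk but gives no master commit id, which a stable-branch reviewer will want in order to compare the two.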