mirror of
https://git.yoctoproject.org/poky
synced 2026-07-15 15:37:03 +00:00
go: patch CVE-2026-42501
Backport patch from [1] [1] https://go.dev/cl/775321 (From OE-Core rev: c9cc7872b9ecb426e9cd5921e0bbc175f600964a) Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com> Reviewed-by: Bruno Vernay <bruno.vernay@se.com> Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev>
This commit is contained in:
committed by
Paul Barker
parent
d896bb9ee4
commit
33b725d19b
@@ -52,6 +52,7 @@ SRC_URI += "\
|
||||
file://CVE-2026-39825.patch \
|
||||
file://CVE-2026-39826.patch \
|
||||
file://CVE-2026-42499.patch \
|
||||
file://CVE-2026-42501.patch \
|
||||
"
|
||||
SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71"
|
||||
|
||||
|
||||
@@ -0,0 +1,127 @@
|
||||
From 52d8958ce7e102a5ebd3b4748aa03989b5469084 Mon Sep 17 00:00:00 2001
|
||||
From: Damien Neil <dneil@google.com>
|
||||
Date: Thu, 30 Apr 2026 13:10:49 -0700
|
||||
Subject: [PATCH] cmd/go: reject sumdb response lacking module hash
|
||||
|
||||
Report an error when a sumdb /lookup/ request does not
|
||||
include a hash for the requested module, rather than
|
||||
silently proceeding.
|
||||
|
||||
Previously, we would verify that a returned sum matched
|
||||
the expected module hash, but did not verify that the
|
||||
response contained a sum. This permits a malicous
|
||||
proxy to serve a corrupted module along with a
|
||||
valid-but-irrelevant sumdb response for some other
|
||||
module. We now ensure that the sumdb response contains
|
||||
a valid hash for the module we are validating.
|
||||
|
||||
Thanks to Mundur (https://github.com/M0nd0R) for reporting this issue.
|
||||
|
||||
Fixes CVE-2026-42501
|
||||
Fixes #79070
|
||||
|
||||
Change-Id: I7d9a367deb237aa70cade2434495998f6a6a6964
|
||||
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/4340
|
||||
Reviewed-by: Nicholas Husin <husin@google.com>
|
||||
Reviewed-by: Neal Patel <nealpatel@google.com>
|
||||
Reviewed-on: https://go-review.googlesource.com/c/go/+/775321
|
||||
Reviewed-by: Michael Pratt <mpratt@google.com>
|
||||
LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
|
||||
|
||||
CVE: CVE-2026-42501
|
||||
Upstream-Status: Backport [https://github.com/golang/go/commit/1a9af07120312d368815712a4dce2dd2070342e5]
|
||||
Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
|
||||
---
|
||||
src/cmd/go/internal/modfetch/fetch.go | 15 ++++++++++++++-
|
||||
src/cmd/go/proxy_test.go | 17 +++++++++++++++++
|
||||
src/cmd/go/testdata/script/mod_sum_absent.txt | 17 +++++++++++++++++
|
||||
3 files changed, 48 insertions(+), 1 deletion(-)
|
||||
create mode 100644 src/cmd/go/testdata/script/mod_sum_absent.txt
|
||||
|
||||
diff --git a/src/cmd/go/internal/modfetch/fetch.go b/src/cmd/go/internal/modfetch/fetch.go
|
||||
index eeab6da62a..75769d7c61 100644
|
||||
--- a/src/cmd/go/internal/modfetch/fetch.go
|
||||
+++ b/src/cmd/go/internal/modfetch/fetch.go
|
||||
@@ -740,7 +740,7 @@ func checkSumDB(mod module.Version, h string) error {
|
||||
return module.VersionError(modWithoutSuffix, fmt.Errorf("verifying %s: checksum mismatch\n\tdownloaded: %v\n\t%s: %v"+sumdbMismatch, noun, h, db, line[len(prefix)-len("h1:"):]))
|
||||
}
|
||||
}
|
||||
- return nil
|
||||
+ return module.VersionError(modWithoutSuffix, fmt.Errorf("verifying %s: checksum missing from sumdb response"+sumdbAbsent, noun))
|
||||
}
|
||||
|
||||
// Sum returns the checksum for the downloaded copy of the given module,
|
||||
@@ -931,6 +931,19 @@ have intercepted the download attempt.
|
||||
For more information, see 'go help module-auth'.
|
||||
`
|
||||
|
||||
+const sumdbAbsent = `
|
||||
+
|
||||
+SECURITY ERROR
|
||||
+This download does NOT match one reported by the checksum server.
|
||||
+The checksum server has provided checksums, but the checksums do
|
||||
+not contain an entry for the download.
|
||||
+The checksum server may be malfunctioning, or an attacker may have
|
||||
+intercepted the checksum request.
|
||||
+The download cannot be verified.
|
||||
+
|
||||
+For more information, see 'go help module-auth'.
|
||||
+`
|
||||
+
|
||||
const hashVersionMismatch = `
|
||||
|
||||
SECURITY WARNING
|
||||
diff --git a/src/cmd/go/proxy_test.go b/src/cmd/go/proxy_test.go
|
||||
index cb3d9f92f1..88e5052b89 100644
|
||||
--- a/src/cmd/go/proxy_test.go
|
||||
+++ b/src/cmd/go/proxy_test.go
|
||||
@@ -172,6 +172,23 @@ func proxyHandler(w http.ResponseWriter, r *http.Request) {
|
||||
return
|
||||
}
|
||||
|
||||
+ // Request for $GOPROXY/sumdb-redirect/module@version:/lookup/...
|
||||
+ // performs a lookup for module@version rather than the requested module.
|
||||
+ if strings.HasPrefix(path, "sumdb-redirect/") {
|
||||
+ redirect, rest, ok := strings.Cut(path[len("sumdb-redirect"):], ":")
|
||||
+ if !ok {
|
||||
+ w.WriteHeader(500)
|
||||
+ return
|
||||
+ }
|
||||
+ if strings.HasPrefix(rest, "/lookup/") {
|
||||
+ r.URL.Path = "/lookup" + redirect
|
||||
+ } else {
|
||||
+ r.URL.Path = rest
|
||||
+ }
|
||||
+ sumdbServer.ServeHTTP(w, r)
|
||||
+ return
|
||||
+ }
|
||||
+
|
||||
// Request for $GOPROXY/redirect/<count>/... goes to redirects.
|
||||
if strings.HasPrefix(path, "redirect/") {
|
||||
path = path[len("redirect/"):]
|
||||
diff --git a/src/cmd/go/testdata/script/mod_sum_absent.txt b/src/cmd/go/testdata/script/mod_sum_absent.txt
|
||||
new file mode 100644
|
||||
index 0000000000..c2dd814542
|
||||
--- /dev/null
|
||||
+++ b/src/cmd/go/testdata/script/mod_sum_absent.txt
|
||||
@@ -0,0 +1,17 @@
|
||||
+# When the sumdb returns a response which does not
|
||||
+# include a sum for the requested module,
|
||||
+# we should report an error.
|
||||
+# Verifies CVE-2026-42501.
|
||||
+env sumdb=$GOSUMDB
|
||||
+env proxy=$GOPROXY
|
||||
+env GOPROXY GONOPROXY GOSUMDB GONOSUMDB
|
||||
+
|
||||
+# /sumdb-redirect/ causes the sumdb to return /lookup/ responses
|
||||
+# for rsc.io/quote@v1.0.0, not for the requested module.
|
||||
+env GOSUMDB=$sumdb' '$proxy/sumdb-redirect/rsc.io/quote@v1.0.0:
|
||||
+
|
||||
+! go get rsc.io/fortune@v1.0.0
|
||||
+stderr 'SECURITY ERROR'
|
||||
+! grep rsc.io go.sum
|
||||
+-- go.mod --
|
||||
+module m
|
||||
--
|
||||
2.43.0
|
||||
|
||||
Reference in New Issue
Block a user