1
0
mirror of https://git.yoctoproject.org/poky synced 2026-07-15 15:37:03 +00:00

go: patch CVE-2026-42501

Backport patch from [1]

[1] https://go.dev/cl/775321

(From OE-Core rev: c9cc7872b9ecb426e9cd5921e0bbc175f600964a)

Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Reviewed-by: Bruno Vernay <bruno.vernay@se.com>
Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
This commit is contained in:
Theo Gaige (Schneider Electric)
2026-05-21 12:09:45 +02:00
committed by Paul Barker
parent d896bb9ee4
commit 33b725d19b
2 changed files with 128 additions and 0 deletions
+1
View File
@@ -52,6 +52,7 @@ SRC_URI += "\
file://CVE-2026-39825.patch \
file://CVE-2026-39826.patch \
file://CVE-2026-42499.patch \
file://CVE-2026-42501.patch \
"
SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71"
@@ -0,0 +1,127 @@
From 52d8958ce7e102a5ebd3b4748aa03989b5469084 Mon Sep 17 00:00:00 2001
From: Damien Neil <dneil@google.com>
Date: Thu, 30 Apr 2026 13:10:49 -0700
Subject: [PATCH] cmd/go: reject sumdb response lacking module hash
Report an error when a sumdb /lookup/ request does not
include a hash for the requested module, rather than
silently proceeding.
Previously, we would verify that a returned sum matched
the expected module hash, but did not verify that the
response contained a sum. This permits a malicous
proxy to serve a corrupted module along with a
valid-but-irrelevant sumdb response for some other
module. We now ensure that the sumdb response contains
a valid hash for the module we are validating.
Thanks to Mundur (https://github.com/M0nd0R) for reporting this issue.
Fixes CVE-2026-42501
Fixes #79070
Change-Id: I7d9a367deb237aa70cade2434495998f6a6a6964
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/4340
Reviewed-by: Nicholas Husin <husin@google.com>
Reviewed-by: Neal Patel <nealpatel@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/775321
Reviewed-by: Michael Pratt <mpratt@google.com>
LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
CVE: CVE-2026-42501
Upstream-Status: Backport [https://github.com/golang/go/commit/1a9af07120312d368815712a4dce2dd2070342e5]
Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
---
src/cmd/go/internal/modfetch/fetch.go | 15 ++++++++++++++-
src/cmd/go/proxy_test.go | 17 +++++++++++++++++
src/cmd/go/testdata/script/mod_sum_absent.txt | 17 +++++++++++++++++
3 files changed, 48 insertions(+), 1 deletion(-)
create mode 100644 src/cmd/go/testdata/script/mod_sum_absent.txt
diff --git a/src/cmd/go/internal/modfetch/fetch.go b/src/cmd/go/internal/modfetch/fetch.go
index eeab6da62a..75769d7c61 100644
--- a/src/cmd/go/internal/modfetch/fetch.go
+++ b/src/cmd/go/internal/modfetch/fetch.go
@@ -740,7 +740,7 @@ func checkSumDB(mod module.Version, h string) error {
return module.VersionError(modWithoutSuffix, fmt.Errorf("verifying %s: checksum mismatch\n\tdownloaded: %v\n\t%s: %v"+sumdbMismatch, noun, h, db, line[len(prefix)-len("h1:"):]))
}
}
- return nil
+ return module.VersionError(modWithoutSuffix, fmt.Errorf("verifying %s: checksum missing from sumdb response"+sumdbAbsent, noun))
}
// Sum returns the checksum for the downloaded copy of the given module,
@@ -931,6 +931,19 @@ have intercepted the download attempt.
For more information, see 'go help module-auth'.
`
+const sumdbAbsent = `
+
+SECURITY ERROR
+This download does NOT match one reported by the checksum server.
+The checksum server has provided checksums, but the checksums do
+not contain an entry for the download.
+The checksum server may be malfunctioning, or an attacker may have
+intercepted the checksum request.
+The download cannot be verified.
+
+For more information, see 'go help module-auth'.
+`
+
const hashVersionMismatch = `
SECURITY WARNING
diff --git a/src/cmd/go/proxy_test.go b/src/cmd/go/proxy_test.go
index cb3d9f92f1..88e5052b89 100644
--- a/src/cmd/go/proxy_test.go
+++ b/src/cmd/go/proxy_test.go
@@ -172,6 +172,23 @@ func proxyHandler(w http.ResponseWriter, r *http.Request) {
return
}
+ // Request for $GOPROXY/sumdb-redirect/module@version:/lookup/...
+ // performs a lookup for module@version rather than the requested module.
+ if strings.HasPrefix(path, "sumdb-redirect/") {
+ redirect, rest, ok := strings.Cut(path[len("sumdb-redirect"):], ":")
+ if !ok {
+ w.WriteHeader(500)
+ return
+ }
+ if strings.HasPrefix(rest, "/lookup/") {
+ r.URL.Path = "/lookup" + redirect
+ } else {
+ r.URL.Path = rest
+ }
+ sumdbServer.ServeHTTP(w, r)
+ return
+ }
+
// Request for $GOPROXY/redirect/<count>/... goes to redirects.
if strings.HasPrefix(path, "redirect/") {
path = path[len("redirect/"):]
diff --git a/src/cmd/go/testdata/script/mod_sum_absent.txt b/src/cmd/go/testdata/script/mod_sum_absent.txt
new file mode 100644
index 0000000000..c2dd814542
--- /dev/null
+++ b/src/cmd/go/testdata/script/mod_sum_absent.txt
@@ -0,0 +1,17 @@
+# When the sumdb returns a response which does not
+# include a sum for the requested module,
+# we should report an error.
+# Verifies CVE-2026-42501.
+env sumdb=$GOSUMDB
+env proxy=$GOPROXY
+env GOPROXY GONOPROXY GOSUMDB GONOSUMDB
+
+# /sumdb-redirect/ causes the sumdb to return /lookup/ responses
+# for rsc.io/quote@v1.0.0, not for the requested module.
+env GOSUMDB=$sumdb' '$proxy/sumdb-redirect/rsc.io/quote@v1.0.0:
+
+! go get rsc.io/fortune@v1.0.0
+stderr 'SECURITY ERROR'
+! grep rsc.io go.sum
+-- go.mod --
+module m
--
2.43.0