mirror of
https://git.yoctoproject.org/poky
synced 2026-07-15 15:37:03 +00:00
go: fix CVE-2026-25679
This patch applies the upstream fix [1], as referenced in [2], to address insufficient validation in `url.Parse`. Debian marks older Go branches as not affected because the vulnerable parseHost surface was introduced by the earlier CVE-2025-47912 fix. This Scarthgap recipe already carries CVE-2025-47912.patch, so the fix is applicable to the patched Go 1.22.12 source used here. [1] https://github.com/golang/go/commit/d8174a9500d53784594b198f6195d1fae8dfe803 [2] https://security-tracker.debian.org/tracker/CVE-2026-25679 Reference: https://nvd.nist.gov/vuln/detail/CVE-2026-25679 (From OE-Core rev: 913b9dc19ea14edbbaf4b7a677507949e454e685) Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev>
This commit is contained in:
committed by
Paul Barker
parent
b1af4c89b0
commit
3401fba731
@@ -59,6 +59,7 @@ SRC_URI += "\
|
||||
file://CVE-2026-42504.patch \
|
||||
file://CVE-2026-42507.patch \
|
||||
file://CVE-2025-58183.patch \
|
||||
file://CVE-2026-25679.patch \
|
||||
"
|
||||
SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71"
|
||||
|
||||
|
||||
@@ -0,0 +1,74 @@
|
||||
From c8f96fce4d34123a920558a1a3f5c0ddf2bf678e Mon Sep 17 00:00:00 2001
|
||||
From: Ian Alexander <jitsu@google.com>
|
||||
Date: Wed, 28 Jan 2026 15:29:52 -0500
|
||||
Subject: [PATCH] [release-branch.go1.25] net/url: reject IPv6 literal not
|
||||
at start of host
|
||||
|
||||
This change rejects IPv6 literals that do not appear at the start of the
|
||||
host subcomponent of a URL.
|
||||
|
||||
For example:
|
||||
http://example.com[::1] -> rejects
|
||||
http://[::1] -> accepts
|
||||
|
||||
Thanks to Masaki Hara (https://github.com/qnighy) of Wantedly.
|
||||
|
||||
Updates #77578
|
||||
Fixes #77969
|
||||
Fixes CVE-2026-25679
|
||||
|
||||
CVE: CVE-2026-25679
|
||||
Upstream-Status: Backport [https://github.com/golang/go/commit/d8174a9500d53784594b198f6195d1fae8dfe803]
|
||||
|
||||
Change-Id: I7109031880758f7c1eb4eca513323328feace33c
|
||||
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3400
|
||||
Reviewed-by: Neal Patel <nealpatel@google.com>
|
||||
Reviewed-by: Roland Shoemaker <bracewell@google.com>
|
||||
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3642
|
||||
Reviewed-on: https://go-review.googlesource.com/c/go/+/752100
|
||||
Reviewed-by: Cherry Mui <cherryyz@google.com>
|
||||
Auto-Submit: Gopher Robot <gobot@golang.org>
|
||||
TryBot-Bypass: Gopher Robot <gobot@golang.org>
|
||||
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
|
||||
(cherry picked from commit d8174a9500d53784594b198f6195d1fae8dfe803)
|
||||
Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
|
||||
---
|
||||
src/net/url/url.go | 4 +++-
|
||||
src/net/url/url_test.go | 6 ++++++
|
||||
2 files changed, 9 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/net/url/url.go b/src/net/url/url.go
|
||||
index 5219e3c130b..ab59c63adfa 100644
|
||||
--- a/src/net/url/url.go
|
||||
+++ b/src/net/url/url.go
|
||||
@@ -623,7 +623,9 @@ func parseAuthority(authority string) (user *Userinfo, host string, err error) {
|
||||
// parseHost parses host as an authority without user
|
||||
// information. That is, as host[:port].
|
||||
func parseHost(host string) (string, error) {
|
||||
- if openBracketIdx := strings.LastIndex(host, "["); openBracketIdx != -1 {
|
||||
+ if openBracketIdx := strings.LastIndex(host, "["); openBracketIdx > 0 {
|
||||
+ return "", errors.New("invalid IP-literal")
|
||||
+ } else if openBracketIdx == 0 {
|
||||
// Parse an IP-Literal in RFC 3986 and RFC 6874.
|
||||
// E.g., "[fe80::1]", "[fe80::1%25en0]", "[fe80::1]:80".
|
||||
closeBracketIdx := strings.LastIndex(host, "]")
|
||||
diff --git a/src/net/url/url_test.go b/src/net/url/url_test.go
|
||||
index b2f8bd95fcf..8ffbf075cb8 100644
|
||||
--- a/src/net/url/url_test.go
|
||||
+++ b/src/net/url/url_test.go
|
||||
@@ -1722,6 +1722,12 @@ func TestParseErrors(t *testing.T) {
|
||||
{"http://[fe80::1", true}, // missing closing bracket
|
||||
{"http://fe80::1]/", true}, // missing opening bracket
|
||||
{"http://[test.com]/", true}, // domain name in brackets
|
||||
+ {"http://example.com[::1]", true}, // IPv6 literal doesn't start with '['
|
||||
+ {"http://example.com[::1", true},
|
||||
+ {"http://[::1", true},
|
||||
+ {"http://.[::1]", true},
|
||||
+ {"http:// [::1]", true},
|
||||
+ {"hxxp://mathepqo[.]serveftp(.)com:9059", true},
|
||||
}
|
||||
for _, tt := range tests {
|
||||
u, err := Parse(tt.in)
|
||||
--
|
||||
2.35.6
|
||||
|
||||
Reference in New Issue
Block a user