1
0
mirror of https://git.yoctoproject.org/poky synced 2026-07-15 15:37:03 +00:00

go: fix CVE-2026-25679

This patch applies the upstream fix [1], as referenced in [2],
to address insufficient validation in `url.Parse`.

Debian marks older Go branches as not affected because the vulnerable
parseHost surface was introduced by the earlier CVE-2025-47912 fix.
This Scarthgap recipe already carries CVE-2025-47912.patch, so the
fix is applicable to the patched Go 1.22.12 source used here.

[1] https://github.com/golang/go/commit/d8174a9500d53784594b198f6195d1fae8dfe803
[2] https://security-tracker.debian.org/tracker/CVE-2026-25679

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2026-25679

(From OE-Core rev: 913b9dc19ea14edbbaf4b7a677507949e454e685)

Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
This commit is contained in:
Sudhir Dumbhare
2026-06-12 06:16:18 -07:00
committed by Paul Barker
parent b1af4c89b0
commit 3401fba731
2 changed files with 75 additions and 0 deletions
+1
View File
@@ -59,6 +59,7 @@ SRC_URI += "\
file://CVE-2026-42504.patch \
file://CVE-2026-42507.patch \
file://CVE-2025-58183.patch \
file://CVE-2026-25679.patch \
"
SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71"
@@ -0,0 +1,74 @@
From c8f96fce4d34123a920558a1a3f5c0ddf2bf678e Mon Sep 17 00:00:00 2001
From: Ian Alexander <jitsu@google.com>
Date: Wed, 28 Jan 2026 15:29:52 -0500
Subject: [PATCH] [release-branch.go1.25] net/url: reject IPv6 literal not
at start of host
This change rejects IPv6 literals that do not appear at the start of the
host subcomponent of a URL.
For example:
http://example.com[::1] -> rejects
http://[::1] -> accepts
Thanks to Masaki Hara (https://github.com/qnighy) of Wantedly.
Updates #77578
Fixes #77969
Fixes CVE-2026-25679
CVE: CVE-2026-25679
Upstream-Status: Backport [https://github.com/golang/go/commit/d8174a9500d53784594b198f6195d1fae8dfe803]
Change-Id: I7109031880758f7c1eb4eca513323328feace33c
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3400
Reviewed-by: Neal Patel <nealpatel@google.com>
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3642
Reviewed-on: https://go-review.googlesource.com/c/go/+/752100
Reviewed-by: Cherry Mui <cherryyz@google.com>
Auto-Submit: Gopher Robot <gobot@golang.org>
TryBot-Bypass: Gopher Robot <gobot@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
(cherry picked from commit d8174a9500d53784594b198f6195d1fae8dfe803)
Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
---
src/net/url/url.go | 4 +++-
src/net/url/url_test.go | 6 ++++++
2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/src/net/url/url.go b/src/net/url/url.go
index 5219e3c130b..ab59c63adfa 100644
--- a/src/net/url/url.go
+++ b/src/net/url/url.go
@@ -623,7 +623,9 @@ func parseAuthority(authority string) (user *Userinfo, host string, err error) {
// parseHost parses host as an authority without user
// information. That is, as host[:port].
func parseHost(host string) (string, error) {
- if openBracketIdx := strings.LastIndex(host, "["); openBracketIdx != -1 {
+ if openBracketIdx := strings.LastIndex(host, "["); openBracketIdx > 0 {
+ return "", errors.New("invalid IP-literal")
+ } else if openBracketIdx == 0 {
// Parse an IP-Literal in RFC 3986 and RFC 6874.
// E.g., "[fe80::1]", "[fe80::1%25en0]", "[fe80::1]:80".
closeBracketIdx := strings.LastIndex(host, "]")
diff --git a/src/net/url/url_test.go b/src/net/url/url_test.go
index b2f8bd95fcf..8ffbf075cb8 100644
--- a/src/net/url/url_test.go
+++ b/src/net/url/url_test.go
@@ -1722,6 +1722,12 @@ func TestParseErrors(t *testing.T) {
{"http://[fe80::1", true}, // missing closing bracket
{"http://fe80::1]/", true}, // missing opening bracket
{"http://[test.com]/", true}, // domain name in brackets
+ {"http://example.com[::1]", true}, // IPv6 literal doesn't start with '['
+ {"http://example.com[::1", true},
+ {"http://[::1", true},
+ {"http://.[::1]", true},
+ {"http:// [::1]", true},
+ {"hxxp://mathepqo[.]serveftp(.)com:9059", true},
}
for _, tt := range tests {
u, err := Parse(tt.in)
--
2.35.6