From: Archana Polampalli <[email protected]> When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped.
Signed-off-by: Archana Polampalli <[email protected]> Signed-off-by: Steve Sakoman <[email protected]> --- meta/recipes-devtools/go/go-1.17.13.inc | 1 + .../go/go-1.18/CVE-2025-58189.patch | 51 +++++++++++++++++++ 2 files changed, 52 insertions(+) create mode 100644 meta/recipes-devtools/go/go-1.18/CVE-2025-58189.patch diff --git a/meta/recipes-devtools/go/go-1.17.13.inc b/meta/recipes-devtools/go/go-1.17.13.inc index c5aa3f9786..61fee12cf9 100644 --- a/meta/recipes-devtools/go/go-1.17.13.inc +++ b/meta/recipes-devtools/go/go-1.17.13.inc @@ -70,6 +70,7 @@ SRC_URI = "https://golang.org/dl/go${PV}.src.tar.gz;name=main \ file://CVE-2025-47906.patch \ file://CVE-2024-24783.patch \ file://CVE-2025-58187.patch \ + file://CVE-2025-58189.patch \ " SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd" diff --git a/meta/recipes-devtools/go/go-1.18/CVE-2025-58189.patch b/meta/recipes-devtools/go/go-1.18/CVE-2025-58189.patch new file mode 100644 index 0000000000..835f071733 --- /dev/null +++ b/meta/recipes-devtools/go/go-1.18/CVE-2025-58189.patch @@ -0,0 +1,51 @@ +From 2e1e356e33b9c792a9643749a7626a1789197bb9 Mon Sep 17 00:00:00 2001 +From: Roland Shoemaker <[email protected]> +Date: Mon, 29 Sep 2025 10:11:56 -0700 +Subject: [PATCH] crypto/tls: quote protocols in ALPN error message + +Quote the protocols sent by the client when returning the ALPN +negotiation error message. + +Fixes CVE-2025-58189 +Updates #75652 +Fixes #75660 + +Change-Id: Ie7b3a1ed0b6efcc1705b71f0f1e8417126661330 +Reviewed-on: https://go-review.googlesource.com/c/go/+/707776 +Auto-Submit: Roland Shoemaker <[email protected]> +Reviewed-by: Neal Patel <[email protected]> +Reviewed-by: Nicholas Husin <[email protected]> +Auto-Submit: Nicholas Husin <[email protected]> +Reviewed-by: Nicholas Husin <[email protected]> +TryBot-Bypass: Roland Shoemaker <[email protected]> +Reviewed-by: Daniel McCarney <[email protected]> +(cherry picked from commit 4e9006a716533fe1c7ee08df02dfc73078f7dc19) +Reviewed-on: https://go-review.googlesource.com/c/go/+/708096 +LUCI-TryBot-Result: Go LUCI <[email protected]> +Reviewed-by: Carlos Amedee <[email protected]> + +CVE: CVE-2025-58189 + +Upstream-Status: Backport [https://github.com/golang/go/commit/2e1e356e33b9c792a9643749a7626a1789197bb9] + +Signed-off-by: Archana Polampalli <[email protected]> +--- + src/crypto/tls/handshake_server.go | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/crypto/tls/handshake_server.go b/src/crypto/tls/handshake_server.go +index 4e84aa9..17b6891 100644 +--- a/src/crypto/tls/handshake_server.go ++++ b/src/crypto/tls/handshake_server.go +@@ -312,7 +312,7 @@ func negotiateALPN(serverProtos, clientProtos []string, quic bool) (string, erro + if http11fallback { + return "", nil + } +- return "", fmt.Errorf("tls: client requested unsupported application protocols (%s)", clientProtos) ++ return "", fmt.Errorf("tls: client requested unsupported application protocols (%q)", clientProtos) + } + + // supportsECDHE returns whether ECDHE key exchanges can be used with this +-- +2.40.0 + -- 2.43.0
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#227166): https://lists.openembedded.org/g/openembedded-core/message/227166 Mute This Topic: https://lists.openembedded.org/mt/116577541/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
