From: Deepak Rathore <[email protected]> Upstream Repository: https://github.com/golang/go.git
Bug details: https://nvd.nist.gov/vuln/detail/CVE-2025-61731
Type: Security Fix
CVE: CVE-2025-61731
Score: 7.8
Patch: https://github.com/golang/go/commit/00b7309387a1
Signed-off-by: Deepak Rathore <[email protected]>
diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc
index 04e380c821..82019f25dd 100644
--- a/meta/recipes-devtools/go/go-1.22.12.inc
+++ b/meta/recipes-devtools/go/go-1.22.12.inc
@@ -34,6 +34,7 @@ SRC_URI += "\
 file://CVE-2025-61730.patch \
 file://CVE-2025-61726.patch \
 file://CVE-2025-61728.patch \
+ file://CVE-2025-61731.patch \
 "
 SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71"
diff --git a/meta/recipes-devtools/go/go/CVE-2025-61731.patch b/meta/recipes-devtools/go/go/CVE-2025-61731.patch
new file mode 100644
index 0000000000..a4589daade
--- /dev/null
+++ b/meta/recipes-devtools/go/go/CVE-2025-61731.patch
@@ -0,0 +1,70 @@
+From ab266ccbc19789c52dcb1dc6e8e71d2f4fd545ff Mon Sep 17 00:00:00 2001
+From: Neal Patel <[email protected]>
+Date: Thu, 4 Dec 2025 12:30:39 -0500
+Subject: [PATCH] [release-branch.go1.24] cmd/go/internal/work: sanitize flags
+ before invoking 'pkg-config'
+
+The addition of CgoPkgConfig allowed execution with flags not
+matching the safelist. In order to prevent potential arbitrary
+code execution at build time, ensure that flags are validated
+prior to invoking the 'pkg-config' binary.
+
+Thank you to RyotaK (https://ryotak.net) of GMO Flatt Security Inc.
+for reporting this issue.
+
+Fixes CVE-2025-61731
+Fixes #77100
+
+CVE: CVE-2025-61731
+Upstream-Status: Backport [https://github.com/golang/go/commit/00b7309387a1]
+
+Change-Id: Ic51b41f1f7e697ab98c9c32c6fae35f217f7f364
+Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3240
+Reviewed-by: Nicholas Husin <[email protected]>
+Reviewed-by: Damien Neil <[email protected]>
+Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3344
+Reviewed-by: Neal Patel <[email protected]>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/736701
+Auto-Submit: Michael Pratt <[email protected]>
+TryBot-Bypass: Michael Pratt <[email protected]>
+Reviewed-by: Junyang Shao <[email protected]>
+(cherry picked from commit 00b7309387a171bcba37382e7ed96b473df04917)
+Signed-off-by: Deepak Rathore <[email protected]>
+---
+ src/cmd/go/internal/work/exec.go | 8 ++++++++
+ src/cmd/go/internal/work/security.go | 1 +
+ 2 files changed, 9 insertions(+)
+
+diff --git a/src/cmd/go/internal/work/exec.go b/src/cmd/go/internal/work/exec.go
+index c8f297cbe9..815942a703 100644
+--- a/src/cmd/go/internal/work/exec.go
++++ b/src/cmd/go/internal/work/exec.go
+@@ -1684,6 +1684,14 @@ func (b *Builder) getPkgConfigFlags(a *Action) (cflags, ldflags []string, err er
+ return nil, nil, fmt.Errorf("invalid pkg-config package name: %s", pkg)
+ }
+ }
++
++ // Running 'pkg-config' can cause execution of
++ // arbitrary code using flags that are not in
++ // the safelist.
++ if err := checkCompilerFlags("CFLAGS", "pkg-config --cflags", pcflags); err != nil {
++ return nil, nil, err
++ }
++
+ var out []byte
+ out, err = sh.runOut(p.Dir, nil, b.PkgconfigCmd(), "--cflags", pcflags, "--", pkgs)
+ if err != nil {
+diff --git a/src/cmd/go/internal/work/security.go b/src/cmd/go/internal/work/security.go
+index 568eecd325..79724ed04a 100644
+--- a/src/cmd/go/internal/work/security.go
++++ b/src/cmd/go/internal/work/security.go
+@@ -122,6 +122,7 @@ var validCompilerFlags = []*lazyregexp.Regexp{
+ re(`-pedantic(-errors)?`),
+ re(`-pipe`),
+ re(`-pthread`),
++ re(`--static`),
+ re(`-?-std=([^@\-].*)`),
+ re(`-?-stdlib=([^@\-].*)`),
+ re(`--sysroot=([^@\-].*)`),
+--
+2.35.6
-- 
2.35.6
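Review bot: The new safelist check in getPkgConfigFlags is labelled `"pkg-config --cflags"` and sits directly above the `--cflags` run, but `pcflags` is the caller-supplied flag slice (presumably from the CgoPkgConfig directives the commit message names) that the rest of the function, outside this hunk, likely also hands to a later `--libs` invocation, so the comment should state that this one check is intended to cover every pkg-config run, e.g. `// pcflags are passed to every pkg-config invocation below; validate them once, before the first run.` The `--static` entry added to `validCompilerFlags` in security.go only makes sense because pcflags are vetted with checkCompilerFlags; a comment such as `// --static is a pkg-config option, accepted here because pkg-config flags are checked against this list` would stop a later cleanup from removing it as a stray linker flag. The enclosing getPkgConfigFlags body starts and ends outside the hunk. Note also that the recipe being patched is go-1.22.12 while the patch header is from release-branch.go1.24; whether the hunk contexts at exec.go:1684 and security.go:122 apply without fuzz to the 1.22 tree cannot be confirmed from the diff alone.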
