Pick patch from [1], also mentioned in the Debian report at [2].

[1] https://github.com/golang/go/commit/abaa0cbb259e059ee60c33a7507eddc1fe7d20fa
[2] https://security-tracker.debian.org/tracker/CVE-2026-27140
[3] https://nvd.nist.gov/vuln/detail/CVE-2026-27140
Signed-off-by: Hitendra Prajapati <[email protected]>
---
 meta/recipes-devtools/go/go-1.22.12.inc | 1 +
 .../go/go/CVE-2026-27140.patch | 58 +++++++++++++++++++
 2 files changed, 59 insertions(+)
 create mode 100644 meta/recipes-devtools/go/go/CVE-2026-27140.patch
diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc
index 3fa421e223..7ece9095ff 100644
--- a/meta/recipes-devtools/go/go-1.22.12.inc
+++ b/meta/recipes-devtools/go/go-1.22.12.inc
@@ -41,6 +41,7 @@ SRC_URI += "\
 file://CVE-2025-68121_p1.patch \
 file://CVE-2025-68121_p2.patch \
 file://CVE-2025-68121_p3.patch \
+ file://CVE-2026-27140.patch \
 "
 SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71"
diff --git a/meta/recipes-devtools/go/go/CVE-2026-27140.patch b/meta/recipes-devtools/go/go/CVE-2026-27140.patch
new file mode 100644
index 0000000000..5c9fb31c23
--- /dev/null
+++ b/meta/recipes-devtools/go/go/CVE-2026-27140.patch
@@ -0,0 +1,58 @@
+From abaa0cbb259e059ee60c33a7507eddc1fe7d20fa Mon Sep 17 00:00:00 2001
+From: Neal Patel <[email protected]>
+Date: Tue, 24 Feb 2026 23:05:34 +0000
+Subject: [PATCH] [release-branch.go1.25] cmd/go: disallow cgo trust boundary
+ bypass
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The cgo compiler implicitly trusts generated files
+with 'cgo' prefixes; thus, SWIG files containing 'cgo'
+in their names will cause bypass of the trust boundary,
+leading to code smuggling or arbitrary code execution.
+
+The cgo compiler will now produce an error if it
+encounters any SWIG files containing this prefix.
+
+Thanks to Juho Forsén of Mattermost for reporting this issue.
+
+Fixes #78335
+Fixes CVE-2026-27140
+
+Change-Id: I44185a84e07739b3b347efdb86be7d8fa560b030
+Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3520
+Reviewed-by: Nicholas Husin <[email protected]>
+Reviewed-by: Damien Neil <[email protected]>
+Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3989
+Reviewed-on: https://go-review.googlesource.com/c/go/+/763556
+Reviewed-by: David Chase <[email protected]>
+TryBot-Bypass: Gopher Robot <[email protected]>
+Reviewed-by: Junyang Shao <[email protected]>
+Auto-Submit: Gopher Robot <[email protected]>
+
+CVE: CVE-2026-27140
+Upstream-Status: Backport [https://github.com/golang/go/commit/abaa0cbb259e059ee60c33a7507eddc1fe7d20fa]
+Signed-off-by: Hitendra Prajapati <[email protected]>
+---
+ src/cmd/go/internal/work/exec.go | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/cmd/go/internal/work/exec.go b/src/cmd/go/internal/work/exec.go
+index 815942a..520c478 100644
+--- a/src/cmd/go/internal/work/exec.go
++++ b/src/cmd/go/internal/work/exec.go
+@@ -3347,6 +3347,10 @@ func (b *Builder) swigIntSize(objdir string) (intsize string, err error) {
+
+ // Run SWIG on one SWIG input file.
+ func (b *Builder) swigOne(a *Action, file, objdir string, pcCFLAGS []string, cxx bool, intgosize string) (outGo, outC string, err error) {
++ if strings.HasPrefix(file, "cgo") {
++ return "", "", errors.New("SWIG file must not use prefix 'cgo'")
++ }
++
+ p := a.Package
+ sh := b.Shell(a)
+
+--
+2.50.1
+
--
2.50.1
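Review bot: The guard added at the top of `swigOne` carries no comment, and it rejects only names that start with the exact lower-case string `cgo`, whereas the commit message describes SWIG files "containing 'cgo' in their names". A one-line comment above the check, e.g. `// Reject SWIG inputs named cgo*: generated files with that prefix are implicitly trusted (CVE-2026-27140).`, would record that the prefix test is the intended boundary. Since this is a release-branch.go1.25 commit carried onto go 1.22.12, the added lines depend on `errors` and `strings` already being imported by this version of `exec.go`, which the hunk does not show, so the backport should be confirmed with a build of the recipe. `swigOne`'s body continues outside the hunk.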
