From: "Theo Gaige (Schneider Electric)" <[email protected]>
Backport patch from [1] [1] https://go.dev/cl/771180 Signed-off-by: Theo Gaige (Schneider Electric) <[email protected]> Reviewed-by: Bruno Vernay <[email protected]> --- meta/recipes-devtools/go/go-1.22.12.inc | 1 + .../go/go/CVE-2026-39826.patch | 65 +++++++++++++++++++ 2 files changed, 66 insertions(+) create mode 100644 meta/recipes-devtools/go/go/CVE-2026-39826.patch diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc index 952c0e4638..77e6bcd59d 100644 --- a/meta/recipes-devtools/go/go-1.22.12.inc +++ b/meta/recipes-devtools/go/go-1.22.12.inc @@ -50,6 +50,7 @@ SRC_URI += "\ file://CVE-2026-39819.patch \ file://CVE-2026-39820.patch \ file://CVE-2026-39825.patch \ + file://CVE-2026-39826.patch \ " SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71" diff --git a/meta/recipes-devtools/go/go/CVE-2026-39826.patch b/meta/recipes-devtools/go/go/CVE-2026-39826.patch new file mode 100644 index 0000000000..d9fa751adc --- /dev/null +++ b/meta/recipes-devtools/go/go/CVE-2026-39826.patch @@ -0,0 +1,65 @@ +From 0d41a827f4d691be89c0285cd136cc45640341d4 Mon Sep 17 00:00:00 2001 +From: Neal Patel <[email protected]> +Date: Mon, 27 Apr 2026 17:34:58 -0400 +Subject: [PATCH] html/template: fix escaper bypass by treating empty script + type as JavaScript + +Thank you to Mundur (https://github.com/M0nd0R) for reporting this issue. + +Fixes #78981 +Fixes CVE-2026-39826 + +Change-Id: I3f2e06496020ece655d156fb099ff556af8cc836 +Reviewed-on: https://go-review.googlesource.com/c/go/+/771180 +Reviewed-by: Roland Shoemaker <[email protected]> +LUCI-TryBot-Result: [email protected] <[email protected]> + +CVE: CVE-2026-39826 +Upstream-Status: Backport [https://github.com/golang/go/commit/a63b23ffb2eebc9ca3a14c369b615ca623bb20f7] +Signed-off-by: Theo Gaige (Schneider Electric) <[email protected]> +--- + src/html/template/escape_test.go | 15 +++++++++++++++ + src/html/template/js.go | 1 + + 2 files changed, 16 insertions(+) + +diff --git a/src/html/template/escape_test.go b/src/html/template/escape_test.go +index 435c83378f..ce06440738 100644 +--- a/src/html/template/escape_test.go ++++ b/src/html/template/escape_test.go +@@ -231,6 +231,21 @@ func TestEscape(t *testing.T) { + "<script>alert({{.A}})</script>", + `<script>alert(["\u003ca\u003e","\u003cb\u003e"])</script>`, + }, ++ { ++ "scriptTypeSpace", ++ "<script type=\" \">{{.H}}</script>", ++ "<script type=\" \">\"\\u003cHello\\u003e\"</script>", ++ }, ++ { ++ "scriptTypeTab", ++ "<script type=\"\t\">{{.H}}</script>", ++ "<script type=\"\t\">\"\\u003cHello\\u003e\"</script>", ++ }, ++ { ++ "scriptTypeEmpty", ++ "<script type=\"\">{{.H}}</script>", ++ "<script type=\"\">\"\\u003cHello\\u003e\"</script>", ++ }, + { + "jsObjValueNotOverEscaped", + "<button onclick='alert({{.A | html}})'>", +diff --git a/src/html/template/js.go b/src/html/template/js.go +index d911ada26d..90cf2dc982 100644 +--- a/src/html/template/js.go ++++ b/src/html/template/js.go +@@ -459,6 +459,7 @@ func isJSType(mimeType string) bool { + mimeType = strings.TrimSpace(mimeType) + switch mimeType { + case ++ "", + "application/ecmascript", + "application/javascript", + "application/json", +-- +2.43.0 + -- 2.43.0
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#237492): https://lists.openembedded.org/g/openembedded-core/message/237492 Mute This Topic: https://lists.openembedded.org/mt/119422296/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
