From: "Theo Gaige (Schneider Electric)" <[email protected]>
Backport patch from [1]
[1] https://go.dev/cl/775321
Signed-off-by: Theo Gaige (Schneider Electric) <[email protected]>
Reviewed-by: Bruno Vernay <[email protected]>
---
 meta/recipes-devtools/go/go-1.22.12.inc | 1 +
 .../go/go/CVE-2026-42501.patch | 127 ++++++++++++++++++
 2 files changed, 128 insertions(+)
 create mode 100644 meta/recipes-devtools/go/go/CVE-2026-42501.patch
diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc
index 85f75f0d89..03a1a81fc3 100644
--- a/meta/recipes-devtools/go/go-1.22.12.inc
+++ b/meta/recipes-devtools/go/go-1.22.12.inc
@@ -52,6 +52,7 @@ SRC_URI += "\
 file://CVE-2026-39825.patch \
 file://CVE-2026-39826.patch \
 file://CVE-2026-42499.patch \
+ file://CVE-2026-42501.patch \
 "
 SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71"
diff --git a/meta/recipes-devtools/go/go/CVE-2026-42501.patch b/meta/recipes-devtools/go/go/CVE-2026-42501.patch
new file mode 100644
index 0000000000..82b2fa02a1
--- /dev/null
+++ b/meta/recipes-devtools/go/go/CVE-2026-42501.patch
@@ -0,0 +1,127 @@
+From 52d8958ce7e102a5ebd3b4748aa03989b5469084 Mon Sep 17 00:00:00 2001
+From: Damien Neil <[email protected]>
+Date: Thu, 30 Apr 2026 13:10:49 -0700
+Subject: [PATCH] cmd/go: reject sumdb response lacking module hash
+
+Report an error when a sumdb /lookup/ request does not
+include a hash for the requested module, rather than
+silently proceeding.
+
+Previously, we would verify that a returned sum matched
+the expected module hash, but did not verify that the
+response contained a sum. This permits a malicous
+proxy to serve a corrupted module along with a
+valid-but-irrelevant sumdb response for some other
+module. We now ensure that the sumdb response contains
+a valid hash for the module we are validating.
+
+Thanks to Mundur (https://github.com/M0nd0R) for reporting this issue.
+
+Fixes CVE-2026-42501
+Fixes #79070
+
+Change-Id: I7d9a367deb237aa70cade2434495998f6a6a6964
+Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/4340
+Reviewed-by: Nicholas Husin <[email protected]>
+Reviewed-by: Neal Patel <[email protected]>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/775321
+Reviewed-by: Michael Pratt <[email protected]>
+LUCI-TryBot-Result: [email protected] <[email protected]>
+
+CVE: CVE-2026-42501
+Upstream-Status: Backport [https://github.com/golang/go/commit/1a9af07120312d368815712a4dce2dd2070342e5]
+Signed-off-by: Theo Gaige (Schneider Electric) <[email protected]>
+---
+ src/cmd/go/internal/modfetch/fetch.go | 15 ++++++++++++++-
+ src/cmd/go/proxy_test.go | 17 +++++++++++++++++
+ src/cmd/go/testdata/script/mod_sum_absent.txt | 17 +++++++++++++++++
+ 3 files changed, 48 insertions(+), 1 deletion(-)
+ create mode 100644 src/cmd/go/testdata/script/mod_sum_absent.txt
+
+diff --git a/src/cmd/go/internal/modfetch/fetch.go b/src/cmd/go/internal/modfetch/fetch.go
+index eeab6da62a..75769d7c61 100644
+--- a/src/cmd/go/internal/modfetch/fetch.go
++++ b/src/cmd/go/internal/modfetch/fetch.go
+@@ -740,7 +740,7 @@ func checkSumDB(mod module.Version, h string) error {
+ return module.VersionError(modWithoutSuffix, fmt.Errorf("verifying %s: checksum mismatch\n\tdownloaded: %v\n\t%s: %v"+sumdbMismatch, noun, h, db, line[len(prefix)-len("h1:"):]))
+ }
+ }
+- return nil
++ return module.VersionError(modWithoutSuffix, fmt.Errorf("verifying %s: checksum missing from sumdb response"+sumdbAbsent, noun))
+ }
+
+ // Sum returns the checksum for the downloaded copy of the given module,
+@@ -931,6 +931,19 @@ have intercepted the download attempt.
+ For more information, see 'go help module-auth'.
+ `
+
++const sumdbAbsent = `
++
++SECURITY ERROR
++This download does NOT match one reported by the checksum server.
++The checksum server has provided checksums, but the checksums do
++not contain an entry for the download.
++The checksum server may be malfunctioning, or an attacker may have
++intercepted the checksum request.
++The download cannot be verified.
++
++For more information, see 'go help module-auth'.
++`
++
+ const hashVersionMismatch = `
+
+ SECURITY WARNING
+diff --git a/src/cmd/go/proxy_test.go b/src/cmd/go/proxy_test.go
+index cb3d9f92f1..88e5052b89 100644
+--- a/src/cmd/go/proxy_test.go
++++ b/src/cmd/go/proxy_test.go
+@@ -172,6 +172,23 @@ func proxyHandler(w http.ResponseWriter, r *http.Request) {
+ return
+ }
+
++ // Request for $GOPROXY/sumdb-redirect/module@version:/lookup/...
++ // performs a lookup for module@version rather than the requested module.
++ if strings.HasPrefix(path, "sumdb-redirect/") {
++ redirect, rest, ok := strings.Cut(path[len("sumdb-redirect"):], ":")
++ if !ok {
++ w.WriteHeader(500)
++ return
++ }
++ if strings.HasPrefix(rest, "/lookup/") {
++ r.URL.Path = "/lookup" + redirect
++ } else {
++ r.URL.Path = rest
++ }
++ sumdbServer.ServeHTTP(w, r)
++ return
++ }
++
+ // Request for $GOPROXY/redirect/<count>/... goes to redirects.
+ if strings.HasPrefix(path, "redirect/") {
+ path = path[len("redirect/"):]
+diff --git a/src/cmd/go/testdata/script/mod_sum_absent.txt b/src/cmd/go/testdata/script/mod_sum_absent.txt
+new file mode 100644
+index 0000000000..c2dd814542
+--- /dev/null
++++ b/src/cmd/go/testdata/script/mod_sum_absent.txt
+@@ -0,0 +1,17 @@
++# When the sumdb returns a response which does not
++# include a sum for the requested module,
++# we should report an error.
++# Verifies CVE-2026-42501.
++env sumdb=$GOSUMDB
++env proxy=$GOPROXY
++env GOPROXY GONOPROXY GOSUMDB GONOSUMDB
++
++# /sumdb-redirect/ causes the sumdb to return /lookup/ responses
++# for rsc.io/[email protected], not for the requested module.
++env GOSUMDB=$sumdb' '$proxy/sumdb-redirect/rsc.io/[email protected]:
++
++! go get rsc.io/[email protected]
++stderr 'SECURITY ERROR'
++! grep rsc.io go.sum
++-- go.mod --
++module m
+-- 
+2.43.0
+
-- 
2.43.0
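Review bot: The module references in the new mod_sum_absent.txt script read `rsc.io/[email protected]` on the `go get` line, the `GOSUMDB=...sumdb-redirect/` line and the comment above them, which looks like the list archive's address obfuscation applied to a `path@version` token rather than the literal test input, so the patch file as rendered here is unlikely to apply cleanly or to exercise the intended module. Before carrying CVE-2026-42501.patch into the recipe, diff it against the upstream commit named in its Upstream-Status line (golang/go 1a9af07120312d368815712a4dce2dd2070342e5) and confirm those three lines carry a real module path and version. The Go side of the backport reads correctly as shown: checkSumDB now reaches the sumdbAbsent error when no line of the lookup response matches the requested module instead of returning nil, and the script asserts both the SECURITY ERROR output and that no rsc.io entry lands in go.sum; checkSumDB's body begins above the hunk, so the loop that sets `line` and `prefix` is not visible here.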
