On Thu May 28, 2026 at 3:12 AM CEST, Himanshu Jadon -X (hjadon - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org wrote:
> From: Himanshu Jadon <[email protected]>
>
> Restore the originally submitted CVE backport and carry the ordering
> correction fix separately for internal/godebugs.All as a separate
> regression patch. This keeps the security backport easier to audit and
> makes the follow-up fix explicit.
>
> The ordering issue was introduced when the existing backport patch was
> modified by commit [1]. The same change also dropped zipinsecurepath
> from the patch hunk context. Restore the original hunk context and keep
> the ordering correction as a separate follow-up patch.
>
> Keep the regression patch immediately after CVE-2025-61726.patch in
> SRC_URI because it is a direct fixup for that patch in the same file and
> hunk area. This is safe because no later Go patch in the current stack
> modifies src/internal/godebugs/table.go, so placing the fixup here makes
> the dependency explicit without interfering with later validated patches.
>
> [1] https://git.openembedded.org/openembedded-core/commit/?id=b670b11ff4845b64f861041681ace9c21db16eed
>
> Signed-off-by: Himanshu Jadon <[email protected]>
Hello,

Sorry but I really don't see the point of doing this split. The upstream commit did not have the regression bug. AFAIK, the regression was added during the backport and we can fix it in our patch (and we did in the commit you linked).

Regards,

> --- > meta/recipes-devtools/go/go-1.22.12.inc | 1 + > .../go/go/CVE-2025-61726-regression.patch | 49 +++++++++++++++++++ > .../go/go/CVE-2025-61726.patch | 21 ++++---- > 3 files changed, 60 insertions(+), 11 deletions(-) > create mode 100644 > meta/recipes-devtools/go/go/CVE-2025-61726-regression.patch > > diff --git a/meta/recipes-devtools/go/go-1.22.12.inc > b/meta/recipes-devtools/go/go-1.22.12.inc > index 3fa421e223..c095e54fbb 100644 > --- a/meta/recipes-devtools/go/go-1.22.12.inc > +++ b/meta/recipes-devtools/go/go-1.22.12.inc > @@ -33,6 +33,7 @@ SRC_URI += "\ > file://CVE-2025-61729.patch \ > file://CVE-2025-61730.patch \ > file://CVE-2025-61726.patch \ > + file://CVE-2025-61726-regression.patch \ > file://CVE-2025-61728.patch \ > file://CVE-2025-61731.patch \ > file://CVE-2025-68119-dependent.patch \ > diff --git a/meta/recipes-devtools/go/go/CVE-2025-61726-regression.patch > b/meta/recipes-devtools/go/go/CVE-2025-61726-regression.patch > new file mode 100644 > index 0000000000..bb2b5ac439 > --- /dev/null > +++ b/meta/recipes-devtools/go/go/CVE-2025-61726-regression.patch 
> @@ -0,0 +1,49 @@ > +From a92d36cef2c1838e58dd1ec51bd147bd94e916fc Mon Sep 17 00:00:00 2001 > +From: Himanshu Jadon <[email protected]> > +Date: Thu, 14 May 2026 05:40:12 -0700 > +Subject: [PATCH] go: Fix CVE-2025-61726.patch variable ordering > + > +The backported CVE-2025-61726 patch introduced a regression in > +src/internal/godebugs/table.go by adding urlmaxqueryparams out of > +alphabetical order. > + > +From Go's source code[1], the All table from godebugs must be populated > +alphabetically by Name, and Lookup[2] uses binary search to find the > +variable. > + > +The wrong ordering caused Lookup to return nil for urlmaxqueryparams, > +which triggered runtime failures. > + > +Fix this by moving urlmaxqueryparams before x509sha1. > + > +This change was validated with docker-moby (original issue), where a > +container ran successfully and no traces were observed in the logs. > + > +[1] > https://github.com/golang/go/blob/master/src/internal/godebugs/table.go#L20 > +[2] > https://github.com/golang/go/blob/master/src/internal/godebugs/table.go#L100 > + > +CVE: CVE-2025-61726 > +Upstream-Status: Inappropriate [OE-specific backport ordering fix] > + > +Signed-off-by: Eduardo Ferreira <[email protected]> > +Signed-off-by: Himanshu Jadon <[email protected]> > +--- > + src/internal/godebugs/table.go | 2 +- > + 1 file changed, 1 insertion(+), 1 deletion(-) > + > +diff --git a/src/internal/godebugs/table.go b/src/internal/godebugs/table.go > +index 4ae0430..7178df6 100644 > +--- a/src/internal/godebugs/table.go > ++++ b/src/internal/godebugs/table.go > +@@ -51,8 +51,8 @@ var All = []Info{ > + {Name: "tlsmaxrsasize", Package: "crypto/tls"}, > + {Name: "tlsrsakex", Package: "crypto/tls", Changed: 22, Old: "1"}, > + {Name: "tlsunsafeekm", Package: "crypto/tls", Changed: 22, Old: "1"}, > +- {Name: "x509sha1", Package: "crypto/x509"}, > + {Name: "urlmaxqueryparams", Package: "net/url", Changed: 24, Old: "0"}, > ++ {Name: "x509sha1", Package: "crypto/x509"}, > + {Name: 
"x509usefallbackroots", Package: "crypto/x509"}, > + {Name: "x509usepolicies", Package: "crypto/x509"}, > + {Name: "zipinsecurepath", Package: "archive/zip"}, > +-- > +2.35.6 > diff --git a/meta/recipes-devtools/go/go/CVE-2025-61726.patch > b/meta/recipes-devtools/go/go/CVE-2025-61726.patch > index bdd10bc933..ab053ff55c 100644 > --- a/meta/recipes-devtools/go/go/CVE-2025-61726.patch > +++ b/meta/recipes-devtools/go/go/CVE-2025-61726.patch > @@ -1,4 +1,4 @@ > -From bf06767a9ac737387eee77c7eedd67c65e853ac2 Mon Sep 17 00:00:00 2001 > +From 85050ca6146f3edb50ded0a352ab9edbd635effc Mon Sep 17 00:00:00 2001 > From: Damien Neil <[email protected]> > Date: Mon, 3 Nov 2025 14:28:47 -0800 > Subject: [PATCH] [release-branch.go1.24] net/url: add urlmaxqueryparams > @@ -36,7 +36,6 @@ Reviewed-by: Junyang Shao <[email protected]> > TryBot-Bypass: Michael Pratt <[email protected]> > (cherry picked from commit 85c794ddce26a092b0ea68d0fca79028b5069d5a) > Signed-off-by: Deepak Rathore <[email protected]> > -Signed-off-by: Eduardo Ferreira <[email protected]> > --- > doc/godebug.md | 7 +++++ > src/internal/godebugs/table.go | 1 + > @@ -46,7 +45,7 @@ Signed-off-by: Eduardo Ferreira > <[email protected]> > 5 files changed, 85 insertions(+) > > diff --git a/doc/godebug.md b/doc/godebug.md > -index ae4f057..635597e 100644 > +index ae4f0576b4..635597ea42 100644 > --- a/doc/godebug.md > +++ b/doc/godebug.md > @@ -126,6 +126,13 @@ for example, > @@ -64,19 +63,19 @@ index ae4f057..635597e 100644 > to concerns around VCS injection attacks. This behavior can be renabled > with the > setting `allowmultiplevcs=1`. > diff --git a/src/internal/godebugs/table.go b/src/internal/godebugs/table.go > -index 33dcd81..7178df6 100644 > +index 33dcd81fc3..4ae043053c 100644 > --- a/src/internal/godebugs/table.go 
> +++ b/src/internal/godebugs/table.go > -@@ -51,6 +51,7 @@ var All = []Info{ > - {Name: "tlsmaxrsasize", Package: "crypto/tls"}, > +@@ -52,6 +52,7 @@ var All = []Info{ > {Name: "tlsrsakex", Package: "crypto/tls", Changed: 22, Old: "1"}, > {Name: "tlsunsafeekm", Package: "crypto/tls", Changed: 22, Old: "1"}, > -+ {Name: "urlmaxqueryparams", Package: "net/url", Changed: 24, Old: "0"}, > {Name: "x509sha1", Package: "crypto/x509"}, > ++ {Name: "urlmaxqueryparams", Package: "net/url", Changed: 24, Old: "0"}, > {Name: "x509usefallbackroots", Package: "crypto/x509"}, > {Name: "x509usepolicies", Package: "crypto/x509"}, > + {Name: "zipinsecurepath", Package: "archive/zip"}, > diff --git a/src/net/url/url.go b/src/net/url/url.go > -index d2ae032..cdca468 100644 > +index d2ae03232f..5219e3c130 100644 > --- a/src/net/url/url.go > +++ b/src/net/url/url.go > @@ -13,6 +13,7 @@ package url > @@ -119,7 +118,7 @@ index d2ae032..cdca468 100644 > var key string > key, query, _ = strings.Cut(query, "&") > diff --git a/src/net/url/url_test.go b/src/net/url/url_test.go > -index fef236e..b2f8bd9 100644 > +index fef236e40a..b2f8bd95fc 100644 > --- a/src/net/url/url_test.go > +++ b/src/net/url/url_test.go > @@ -1488,6 +1488,54 @@ func TestParseQuery(t *testing.T) { > @@ -178,7 +177,7 @@ index fef236e..b2f8bd9 100644 > url *URL > out string > diff --git a/src/runtime/metrics/doc.go b/src/runtime/metrics/doc.go > -index 517ec0e..88d6d8c 100644 > +index 517ec0e0a4..335f7873b3 100644 > --- a/src/runtime/metrics/doc.go > +++ b/src/runtime/metrics/doc.go > @@ -328,6 +328,11 @@ Below is the full list of supported metrics, ordered > lexicographically. > @@ -194,4 +193,4 @@ index 517ec0e..88d6d8c 100644 > The number of non-default behaviors executed by the crypto/x509 > package due to a non-default GODEBUG=x509sha1=... setting. > -- > -2.34.1 > +2.35.6 -- Yoann Congal Smile ECS
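Review bot: the two references in the new CVE-2025-61726-regression.patch description, [1] https://github.com/golang/go/blob/master/src/internal/godebugs/table.go#L20 and [2] .../table.go#L100, are line anchors into master and will stop pointing at the "sorted by Name" comment and at Lookup as soon as that file changes; pin them to the tag this recipe tracks (go1.22.12, per the .inc name) or to a commit permalink so the claim that Lookup binary-searches a Name-sorted table stays checkable by a later auditor. The description also says the wrong ordering "triggered runtime failures" and that "no traces were observed in the logs" after the fix; quoting the actual failure message once in the patch description would let someone map a reported symptom back to this fixup without re-running docker-moby.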
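Review bot: the hunk against CVE-2025-61726.patch for src/internal/godebugs/table.go knowingly reintroduces the broken placement (`++ {Name: "urlmaxqueryparams", Package: "net/url", Changed: 24, Old: "0"},` now sits after `{Name: "x509sha1", Package: "crypto/x509"},`), so the source tree is in the failing state between CVE-2025-61726.patch and CVE-2025-61726-regression.patch. Anyone applying the CVE patch on its own, reusing it for another Go recipe, or bisecting the patch queue will hit the Lookup failure the regression patch describes, and the only thing guarding against it is the SRC_URI ordering explained in the cover letter. Since the upstream commit inserts the entry in sorted order, a single backport hunk with the correct placement is as auditable as the "originally submitted" one and has no broken intermediate state. Separately, the header line changes from `-From bf06767a9ac737387eee77c7eedd67c65e853ac2` to `+From 85050ca6146f3edb50ded0a352ab9edbd635effc` while the `(cherry picked from commit 85c794ddce26a092b0ea68d0fca79028b5069d5a)` line is unchanged; the commit message should state which upstream commit the new From hash identifies and why it replaces the previous one.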
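The regression patch description quoted above states the invariant at the centre of this thread: internal/godebugs.All must stay sorted by Name because Lookup finds entries by binary search. The following Go program is an added example written for this page, not Go's internal/godebugs code and not part of either patch. It reproduces the mechanism with sort.Search over a constructed excerpt of the table in both placements seen in the hunks, and adds the sortedness check a recipe maintainer could run over table.go after applying a backport. Info, Lookup, CheckSorted and the two excerpt tables are assumptions for the demonstration; the real Lookup uses its own hand-written binary search over the full table, so the exact set of names that become unfindable there can differ from what this excerpt shows.

```go
package main

import (
	"fmt"
	"sort"
)

// Info mirrors the fields of the internal/godebugs table entries that appear
// in the patch hunks (assumption: only these fields are modelled).
type Info struct {
	Name    string
	Package string
	Changed int
	Old     string
}

// Lookup finds an entry by Name with a binary search (sort.Search here; the
// real internal/godebugs.Lookup hand-rolls its own). Binary search is only
// correct when the table is sorted by Name, which is the invariant the
// regression patch restores.
func Lookup(all []Info, name string) *Info {
	i := sort.Search(len(all), func(i int) bool { return all[i].Name >= name })
	if i < len(all) && all[i].Name == name {
		return &all[i]
	}
	return nil
}

// CheckSorted returns the first Name that is not strictly greater than its
// predecessor, or "" when the table is strictly sorted by Name. This is the
// check a backport reviewer can run on table.go before shipping.
func CheckSorted(all []Info) string {
	for i := 1; i < len(all); i++ {
		if all[i].Name <= all[i-1].Name {
			return all[i].Name
		}
	}
	return ""
}

// Constructed excerpts of the tail of the table, limited to the lines visible
// in the patch hunks. misordered is the placement CVE-2025-61726.patch produces
// after this series (urlmaxqueryparams after x509sha1); ordered is the
// placement the regression patch restores.
var misordered = []Info{
	{Name: "tlsmaxrsasize", Package: "crypto/tls"},
	{Name: "tlsrsakex", Package: "crypto/tls", Changed: 22, Old: "1"},
	{Name: "tlsunsafeekm", Package: "crypto/tls", Changed: 22, Old: "1"},
	{Name: "x509sha1", Package: "crypto/x509"},
	{Name: "urlmaxqueryparams", Package: "net/url", Changed: 24, Old: "0"},
	{Name: "x509usefallbackroots", Package: "crypto/x509"},
	{Name: "x509usepolicies", Package: "crypto/x509"},
	{Name: "zipinsecurepath", Package: "archive/zip"},
}

var ordered = []Info{
	{Name: "tlsmaxrsasize", Package: "crypto/tls"},
	{Name: "tlsrsakex", Package: "crypto/tls", Changed: 22, Old: "1"},
	{Name: "tlsunsafeekm", Package: "crypto/tls", Changed: 22, Old: "1"},
	{Name: "urlmaxqueryparams", Package: "net/url", Changed: 24, Old: "0"},
	{Name: "x509sha1", Package: "crypto/x509"},
	{Name: "x509usefallbackroots", Package: "crypto/x509"},
	{Name: "x509usepolicies", Package: "crypto/x509"},
	{Name: "zipinsecurepath", Package: "archive/zip"},
}

func main() {
	for _, tc := range []struct {
		label string
		table []Info
	}{{"misordered", misordered}, {"ordered", ordered}} {
		fmt.Printf("%s: out-of-order entry=%q\n", tc.label, CheckSorted(tc.table))
		for _, name := range []string{"urlmaxqueryparams", "x509sha1"} {
			fmt.Printf("  Lookup(%q) found=%v\n", name, Lookup(tc.table, name) != nil)
		}
	}
}
```

In the misordered excerpt the binary search misses not only the misplaced urlmaxqueryparams but also its neighbour x509sha1, because a single out-of-place entry breaks the monotonic predicate the search relies on; CheckSorted reports the offending name directly, which is a cheaper gate than waiting for a runtime failure in a container.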
View/Reply Online (#237968): https://lists.openembedded.org/g/openembedded-core/message/237968
