From: Sudhir Dumbhare <[email protected]> This patch applies the upstream fix [1], as referenced in [2], to address insufficient validation in `url.Parse`.
Debian marks older Go branches as not affected because the vulnerable parseHost surface was introduced by the earlier CVE-2025-47912 fix. This Scarthgap recipe already carries CVE-2025-47912.patch, so the fix is applicable to the patched Go 1.22.12 source used here. [1] https://github.com/golang/go/commit/d8174a9500d53784594b198f6195d1fae8dfe803 [2] https://security-tracker.debian.org/tracker/CVE-2026-25679 Reference: https://nvd.nist.gov/vuln/detail/CVE-2026-25679 Signed-off-by: Sudhir Dumbhare <[email protected]> --- meta/recipes-devtools/go/go-1.22.12.inc | 1 + .../go/go/CVE-2026-25679.patch | 74 +++++++++++++++++++ 2 files changed, 75 insertions(+) create mode 100644 meta/recipes-devtools/go/go/CVE-2026-25679.patch diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc index 5bd3e98938..7dd1c021cb 100644 --- a/meta/recipes-devtools/go/go-1.22.12.inc +++ b/meta/recipes-devtools/go/go-1.22.12.inc @@ -42,6 +42,7 @@ SRC_URI += "\ file://CVE-2025-68121_p2.patch \ file://CVE-2025-68121_p3.patch \ file://CVE-2025-58183.patch \ + file://CVE-2026-25679.patch \ " SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71" diff --git a/meta/recipes-devtools/go/go/CVE-2026-25679.patch b/meta/recipes-devtools/go/go/CVE-2026-25679.patch new file mode 100644 index 0000000000..6bd22a49ad --- /dev/null +++ b/meta/recipes-devtools/go/go/CVE-2026-25679.patch @@ -0,0 +1,74 @@ +From c8f96fce4d34123a920558a1a3f5c0ddf2bf678e Mon Sep 17 00:00:00 2001 +From: Ian Alexander <[email protected]> +Date: Wed, 28 Jan 2026 15:29:52 -0500 +Subject: [PATCH] [release-branch.go1.25] net/url: reject IPv6 literal not + at start of host + +This change rejects IPv6 literals that do not appear at the start of the +host subcomponent of a URL. + +For example: + http://example.com[::1] -> rejects + http://[::1] -> accepts + +Thanks to Masaki Hara (https://github.com/qnighy) of Wantedly. + +Updates #77578 +Fixes #77969 +Fixes CVE-2026-25679 + +CVE: CVE-2026-25679 +Upstream-Status: Backport [https://github.com/golang/go/commit/d8174a9500d53784594b198f6195d1fae8dfe803] + +Change-Id: I7109031880758f7c1eb4eca513323328feace33c +Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3400 +Reviewed-by: Neal Patel <[email protected]> +Reviewed-by: Roland Shoemaker <[email protected]> +Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3642 +Reviewed-on: https://go-review.googlesource.com/c/go/+/752100 +Reviewed-by: Cherry Mui <[email protected]> +Auto-Submit: Gopher Robot <[email protected]> +TryBot-Bypass: Gopher Robot <[email protected]> +Reviewed-by: Dmitri Shuralyov <[email protected]> +(cherry picked from commit d8174a9500d53784594b198f6195d1fae8dfe803) +Signed-off-by: Sudhir Dumbhare <[email protected]> +--- + src/net/url/url.go | 4 +++- + src/net/url/url_test.go | 6 ++++++ + 2 files changed, 9 insertions(+), 1 deletion(-) + +diff --git a/src/net/url/url.go b/src/net/url/url.go +index 5219e3c130b..ab59c63adfa 100644 +--- a/src/net/url/url.go ++++ b/src/net/url/url.go +@@ -623,7 +623,9 @@ func parseAuthority(authority string) (user *Userinfo, host string, err error) { + // parseHost parses host as an authority without user + // information. That is, as host[:port]. + func parseHost(host string) (string, error) { +- if openBracketIdx := strings.LastIndex(host, "["); openBracketIdx != -1 { ++ if openBracketIdx := strings.LastIndex(host, "["); openBracketIdx > 0 { ++ return "", errors.New("invalid IP-literal") ++ } else if openBracketIdx == 0 { + // Parse an IP-Literal in RFC 3986 and RFC 6874. + // E.g., "[fe80::1]", "[fe80::1%25en0]", "[fe80::1]:80". + closeBracketIdx := strings.LastIndex(host, "]") +diff --git a/src/net/url/url_test.go b/src/net/url/url_test.go +index b2f8bd95fcf..8ffbf075cb8 100644 +--- a/src/net/url/url_test.go ++++ b/src/net/url/url_test.go +@@ -1722,6 +1722,12 @@ func TestParseErrors(t *testing.T) { + {"http://[fe80::1";, true}, // missing closing bracket + {"http://fe80::1]/";, true}, // missing opening bracket + {"http://[test.com]/";, true}, // domain name in brackets ++ {"http://example.com[::1]";, true}, // IPv6 literal doesn't start with '[' ++ {"http://example.com[::1";, true}, ++ {"http://[::1";, true}, ++ {"http://.[::1]";, true}, ++ {"http:// [::1]", true}, ++ {"hxxp://mathepqo[.]serveftp(.)com:9059", true}, + } + for _, tt := range tests { + u, err := Parse(tt.in) +-- +2.35.6 + -- 2.35.6
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#238619): https://lists.openembedded.org/g/openembedded-core/message/238619 Mute This Topic: https://lists.openembedded.org/mt/119773239/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
