go 1.22.12: fix CVE-2026-27140

Pick patch from [1] also mentioned at Debian report in [2] [1] abaa0cbb25 [2] https://security-tracker.debian.org/tracker/CVE-2026-27140 [3] https://nvd.nist.gov/vuln/detail/CVE-2026-27140 (From OE-Core rev: b0048d8bc8134c445a3352bfb631d41319a75331) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-21 04:53:48 +02:00 · 2026-05-12 12:49:32 +05:30
parent 752ee7c108
commit 2abc87a006
2 changed files with 59 additions and 0 deletions
--- a/meta/recipes-devtools/go/go-1.22.12.inc
+++ b/meta/recipes-devtools/go/go-1.22.12.inc
@@ -41,6 +41,7 @@ SRC_URI += "\
    file://CVE-2025-68121_p1.patch \
    file://CVE-2025-68121_p2.patch \
    file://CVE-2025-68121_p3.patch \
+    file://CVE-2026-27140.patch \
    file://CVE-2026-27142.patch \
    file://CVE-2026-32280.patch \
    file://CVE-2026-32283.patch \
--- a/meta/recipes-devtools/go/go/CVE-2026-27140.patch
+++ b/meta/recipes-devtools/go/go/CVE-2026-27140.patch
@@ -0,0 +1,58 @@
+From abaa0cbb259e059ee60c33a7507eddc1fe7d20fa Mon Sep 17 00:00:00 2001
+From: Neal Patel <nealpatel@google.com>
+Date: Tue, 24 Feb 2026 23:05:34 +0000
+Subject: [PATCH] [release-branch.go1.25] cmd/go: disallow cgo trust boundary
+ bypass
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The cgo compiler implicitly trusts generated files
+with 'cgo' prefixes; thus, SWIG files containing 'cgo'
+in their names will cause bypass of the trust boundary,
+leading to code smuggling or arbitrary code execution.
+
+The cgo compiler will now produce an error if it
+encounters any SWIG files containing this prefix.
+
+Thanks to Juho Forsén of Mattermost for reporting this issue.
+
+Fixes #78335
+Fixes CVE-2026-27140
+
+Change-Id: I44185a84e07739b3b347efdb86be7d8fa560b030
+Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3520
+Reviewed-by: Nicholas Husin <husin@google.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3989
+Reviewed-on: https://go-review.googlesource.com/c/go/+/763556
+Reviewed-by: David Chase <drchase@google.com>
+TryBot-Bypass: Gopher Robot <gobot@golang.org>
+Reviewed-by: Junyang Shao <shaojunyang@google.com>
+Auto-Submit: Gopher Robot <gobot@golang.org>
+
+CVE: CVE-2026-27140
+Upstream-Status: Backport [https://github.com/golang/go/commit/abaa0cbb259e059ee60c33a7507eddc1fe7d20fa]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/cmd/go/internal/work/exec.go | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/cmd/go/internal/work/exec.go b/src/cmd/go/internal/work/exec.go
+index 815942a..520c478 100644
+--- a/src/cmd/go/internal/work/exec.go
+++ b/src/cmd/go/internal/work/exec.go
+@@ -3347,6 +3347,10 @@ func (b *Builder) swigIntSize(objdir string) (intsize string, err error) {
+ 
+ // Run SWIG on one SWIG input file.
+ func (b *Builder) swigOne(a *Action, file, objdir string, pcCFLAGS []string, cxx bool, intgosize string) (outGo, outC string, err error) {
+	if strings.HasPrefix(file, "cgo") {
+		return "", "", errors.New("SWIG file must not use prefix 'cgo'")
+	}
+
+ 	p := a.Package
+ 	sh := b.Shell(a)
+ 
+-- 
+2.50.1
+