From 2abc87a0060914c3daa39bc2fa03e139451f3767 Mon Sep 17 00:00:00 2001
From: Hitendra Prajapati
Date: Tue, 12 May 2026 12:49:32 +0530
Subject: [PATCH] go 1.22.12: fix CVE-2026-27140

Pick patch from [1] also mentioned at Debian report in [2]
[1] https://github.com/golang/go/commit/abaa0cbb259e059ee60c33a7507eddc1fe7d20fa
[2] https://security-tracker.debian.org/tracker/CVE-2026-27140
[3] https://nvd.nist.gov/vuln/detail/CVE-2026-27140
(From OE-Core rev: b0048d8bc8134c445a3352bfb631d41319a75331)
Signed-off-by: Hitendra Prajapati
Signed-off-by: Yoann Congal
Signed-off-by: Paul Barker
---
 meta/recipes-devtools/go/go-1.22.12.inc | 1 +
 .../go/go/CVE-2026-27140.patch | 58 +++++++++++++++++++
 2 files changed, 59 insertions(+)
 create mode 100644 meta/recipes-devtools/go/go/CVE-2026-27140.patch

diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc
index f67da3e078..46d75d13b2 100644
--- a/meta/recipes-devtools/go/go-1.22.12.inc
+++ b/meta/recipes-devtools/go/go-1.22.12.inc
@@ -41,6 +41,7 @@ SRC_URI += "\
 file://CVE-2025-68121_p1.patch \
 file://CVE-2025-68121_p2.patch \
 file://CVE-2025-68121_p3.patch \
+ file://CVE-2026-27140.patch \
 file://CVE-2026-27142.patch \
 file://CVE-2026-32280.patch \
 file://CVE-2026-32283.patch \
diff --git a/meta/recipes-devtools/go/go/CVE-2026-27140.patch b/meta/recipes-devtools/go/go/CVE-2026-27140.patch
new file mode 100644
index 0000000000..5c9fb31c23
--- /dev/null
+++ b/meta/recipes-devtools/go/go/CVE-2026-27140.patch
@@ -0,0 +1,58 @@
+From abaa0cbb259e059ee60c33a7507eddc1fe7d20fa Mon Sep 17 00:00:00 2001
+From: Neal Patel
+Date: Tue, 24 Feb 2026 23:05:34 +0000
+Subject: [PATCH] [release-branch.go1.25] cmd/go: disallow cgo trust boundary
+ bypass
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The cgo compiler implicitly trusts generated files
+with 'cgo' prefixes; thus, SWIG files containing 'cgo'
+in their names will cause bypass of the trust boundary,
+leading to code smuggling or arbitrary code execution.
+
+The cgo compiler will now produce an error if it
+encounters any SWIG files containing this prefix.
+
+Thanks to Juho Forsén of Mattermost for reporting this issue.
+
+Fixes #78335
+Fixes CVE-2026-27140
+
+Change-Id: I44185a84e07739b3b347efdb86be7d8fa560b030
+Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3520
+Reviewed-by: Nicholas Husin
+Reviewed-by: Damien Neil
+Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3989
+Reviewed-on: https://go-review.googlesource.com/c/go/+/763556
+Reviewed-by: David Chase
+TryBot-Bypass: Gopher Robot
+Reviewed-by: Junyang Shao
+Auto-Submit: Gopher Robot
+
+CVE: CVE-2026-27140
+Upstream-Status: Backport [https://github.com/golang/go/commit/abaa0cbb259e059ee60c33a7507eddc1fe7d20fa]
+Signed-off-by: Hitendra Prajapati
+---
+ src/cmd/go/internal/work/exec.go | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/cmd/go/internal/work/exec.go b/src/cmd/go/internal/work/exec.go
+index 815942a..520c478 100644
+--- a/src/cmd/go/internal/work/exec.go
++++ b/src/cmd/go/internal/work/exec.go
+@@ -3347,6 +3347,10 @@ func (b *Builder) swigIntSize(objdir string) (intsize string, err error) {
+ 
+ // Run SWIG on one SWIG input file.
+ func (b *Builder) swigOne(a *Action, file, objdir string, pcCFLAGS []string, cxx bool, intgosize string) (outGo, outC string, err error) {
++ if strings.HasPrefix(file, "cgo") {
++ return "", "", errors.New("SWIG file must not use prefix 'cgo'")
++ }
++
+ p := a.Package
+ sh := b.Shell(a)
+ 
+-- 
+2.50.1
+
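Review bot: The new guard is applied to `file` exactly as passed, so it matches only when the first three bytes are `cgo`; if `file` can ever carry a directory component, `strings.HasPrefix(filepath.Base(file), "cgo")` would be the safer form, but the caller that builds `file` is outside the hunk and the upstream change uses the plain string, so this is only worth confirming. The check also deserves a why-comment, since the reason is only in the commit message: `// Reject SWIG inputs named cgo*: their generated outputs would be treated as trusted cgo-generated files (CVE-2026-27140).` The hunk assumes exec.go already imports `strings` and `errors`, which the context lines do not show. The body of swigOne continues past the end of the hunk.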