mirror of
https://git.yoctoproject.org/poky
synced 2026-06-17 10:53:49 +02:00
go: patch CVE-2026-39817
Backport patch from [1] mentionned in [2] [1] https://go.dev/cl/767520 [2] https://security-tracker.debian.org/tracker/CVE-2026-39817 (From OE-Core rev: f88c0ff79cf5838f8d0c31ecacc35faf56059d03) Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com> Reviewed-by: Bruno Vernay <bruno.vernay@se.com> Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev>
This commit is contained in:
Theo Gaige (Schneider Electric)
committed by
Paul Barker
Paul Barker
parent
d5108e0975
commit
6394046b02
@@ -46,6 +46,7 @@ SRC_URI += "\
|
||||
file://CVE-2026-32283.patch \
|
||||
file://CVE-2026-32289.patch \
|
||||
file://CVE-2026-33811.patch \
|
||||
file://CVE-2026-39817.patch \
|
||||
"
|
||||
SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71"
|
||||
|
||||
|
||||
105
meta/recipes-devtools/go/go/CVE-2026-39817.patch
Normal file
105
meta/recipes-devtools/go/go/CVE-2026-39817.patch
Normal file
@@ -0,0 +1,105 @@
|
||||
From 7d35508ad684c808ec11fb6ef3ab27f9258a9418 Mon Sep 17 00:00:00 2001
|
||||
From: Damien Neil <dneil@google.com>
|
||||
Date: Wed, 15 Apr 2026 16:27:23 -0400
|
||||
Subject: [PATCH] cmd/pack: refuse to extract files with directory components
|
||||
|
||||
Do not write to /etc/passwd when running "go tool pack x evil.a"
|
||||
on an archive containing a file named /etc/passwd.
|
||||
|
||||
Fixes #78778
|
||||
|
||||
Change-Id: I4cf69b81af62321ffbb41ace679672a86a6a6964
|
||||
Reviewed-on: https://go-review.googlesource.com/c/go/+/767520
|
||||
Reviewed-by: Nicholas Husin <nsh@golang.org>
|
||||
LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
|
||||
Reviewed-by: Nicholas Husin <husin@google.com>
|
||||
|
||||
CVE: CVE-2026-39817
|
||||
Upstream-Status: Backport [https://github.com/golang/go/commit/7409ada33f99c0d74db2b0389c51a15de116e48d]
|
||||
Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
|
||||
---
|
||||
src/cmd/pack/pack.go | 5 +++++
|
||||
src/cmd/pack/pack_test.go | 44 +++++++++++++++++++++++++++++++++++++++
|
||||
2 files changed, 49 insertions(+)
|
||||
|
||||
diff --git a/src/cmd/pack/pack.go b/src/cmd/pack/pack.go
|
||||
index 412ea36d60..2fe0258f01 100644
|
||||
--- a/src/cmd/pack/pack.go
|
||||
+++ b/src/cmd/pack/pack.go
|
||||
@@ -135,6 +135,11 @@ func openArchive(name string, mode int, files []string) *Archive {
|
||||
if err != nil {
|
||||
log.Fatal(err)
|
||||
}
|
||||
+ for _, f := range a.Entries {
|
||||
+ if !filepath.IsLocal(f.Name) || filepath.Base(f.Name) != f.Name {
|
||||
+ log.Fatalf("%q: invalid name", f.Name)
|
||||
+ }
|
||||
+ }
|
||||
return &Archive{
|
||||
a: a,
|
||||
files: files,
|
||||
diff --git a/src/cmd/pack/pack_test.go b/src/cmd/pack/pack_test.go
|
||||
index c3a63424dd..c4a8c78cbf 100644
|
||||
--- a/src/cmd/pack/pack_test.go
|
||||
+++ b/src/cmd/pack/pack_test.go
|
||||
@@ -6,6 +6,7 @@ package main
|
||||
|
||||
import (
|
||||
"bufio"
|
||||
+ "bytes"
|
||||
"cmd/internal/archive"
|
||||
"fmt"
|
||||
"internal/testenv"
|
||||
@@ -409,6 +410,49 @@ func TestRWithNonexistentFile(t *testing.T) {
|
||||
run(packPath(t), "r", "p.a", "p.o") // should succeed
|
||||
}
|
||||
|
||||
+func TestOutputPathSanitization(t *testing.T) {
|
||||
+ dir := t.TempDir()
|
||||
+
|
||||
+ // Create pack.a containing a file named "longpathname".
|
||||
+ // Note that "go tool pack" requires that all files be at least 8 bytes long.
|
||||
+ const validPathName = "longpathname"
|
||||
+ if err := os.WriteFile(dir+"/"+validPathName, make([]byte, 8), 0o666); err != nil {
|
||||
+ t.Fatal(err)
|
||||
+ }
|
||||
+ doRun(t, dir, packPath(t), "grc", "pack.a", validPathName)
|
||||
+
|
||||
+ // Create evil.a from pack.a, replacing "longpathname" with "out/pathname".
|
||||
+ b, err := os.ReadFile(dir + "/pack.a")
|
||||
+ if err != nil {
|
||||
+ t.Fatal(err)
|
||||
+ }
|
||||
+ idx := bytes.Index(b, []byte(validPathName))
|
||||
+ if idx < 0 {
|
||||
+ t.Fatalf("%v not found in pack.a", validPathName)
|
||||
+ }
|
||||
+ copy(b[idx:], "out/")
|
||||
+ os.WriteFile(dir+"/evil.a", b, 0o666)
|
||||
+
|
||||
+ // Extract evil.a. It should fail and not extract a file to /out.
|
||||
+ os.Mkdir(dir+"/out", 0o777)
|
||||
+
|
||||
+ cmd := testenv.Command(t, packPath(t), "x", "evil.a")
|
||||
+ cmd.Dir = dir
|
||||
+ _, err = cmd.CombinedOutput()
|
||||
+ if err == nil {
|
||||
+ t.Errorf("pack x evil.a: unexpected success")
|
||||
+ }
|
||||
+
|
||||
+ ents, err := os.ReadDir(dir + "/out")
|
||||
+ if err != nil {
|
||||
+ t.Error(err)
|
||||
+ }
|
||||
+ for _, e := range ents {
|
||||
+ t.Errorf("unexpected file in /out: %q", e.Name())
|
||||
+ }
|
||||
+
|
||||
+}
|
||||
+
|
||||
// doRun runs a program in a directory and returns the output.
|
||||
func doRun(t *testing.T, dir string, args ...string) string {
|
||||
cmd := testenv.Command(t, args[0], args[1:]...)
|
||||
--
|
||||
2.43.0
|
||||
|
||||
Reference in New Issue
Block a user