go 1.22.12: Fix CVE-2025-61731

Upstream Repository: https://github.com/golang/go.git Bug details: https://nvd.nist.gov/vuln/detail/CVE-2025-61731 Type: Security Fix CVE: CVE-2025-61731 Score: 7.8 Patch: https://github.com/golang/go/commit/00b7309387a1 (From OE-Core rev: a7d8ad20525ee6c74a0e149dfd54c7e5c9e1f740) Signed-off-by: Deepak Rathore <deeratho@cisco.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2026-03-09 16:59:40 +01:00 · 2026-02-11 21:01:25 -08:00
parent e333b43a69
commit a231c49abc
2 changed files with 71 additions and 0 deletions
--- a/meta/recipes-devtools/go/go-1.22.12.inc
+++ b/meta/recipes-devtools/go/go-1.22.12.inc
@@ -34,6 +34,7 @@ SRC_URI += "\
    file://CVE-2025-61730.patch \
    file://CVE-2025-61726.patch \
    file://CVE-2025-61728.patch \
+    file://CVE-2025-61731.patch \
 "
 SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71"

--- a/meta/recipes-devtools/go/go/CVE-2025-61731.patch
+++ b/meta/recipes-devtools/go/go/CVE-2025-61731.patch
@@ -0,0 +1,70 @@
+From ab266ccbc19789c52dcb1dc6e8e71d2f4fd545ff Mon Sep 17 00:00:00 2001
+From: Neal Patel <nealpatel@google.com>
+Date: Thu, 4 Dec 2025 12:30:39 -0500
+Subject: [PATCH] [release-branch.go1.24] cmd/go/internal/work: sanitize flags
+ before invoking 'pkg-config'
+
+The addition of CgoPkgConfig allowed execution with flags not
+matching the safelist. In order to prevent potential arbitrary
+code execution at build time, ensure that flags are validated
+prior to invoking the 'pkg-config' binary.
+
+Thank you to RyotaK (https://ryotak.net) of GMO Flatt Security Inc.
+for reporting this issue.
+
+Fixes CVE-2025-61731
+Fixes #77100
+
+CVE: CVE-2025-61731
+Upstream-Status: Backport [https://github.com/golang/go/commit/00b7309387a1]
+
+Change-Id: Ic51b41f1f7e697ab98c9c32c6fae35f217f7f364
+Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3240
+Reviewed-by: Nicholas Husin <husin@google.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3344
+Reviewed-by: Neal Patel <nealpatel@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/736701
+Auto-Submit: Michael Pratt <mpratt@google.com>
+TryBot-Bypass: Michael Pratt <mpratt@google.com>
+Reviewed-by: Junyang Shao <shaojunyang@google.com>
+(cherry picked from commit 00b7309387a171bcba37382e7ed96b473df04917)
+Signed-off-by: Deepak Rathore <deeratho@cisco.com>
+---
+ src/cmd/go/internal/work/exec.go     | 8 ++++++++
+ src/cmd/go/internal/work/security.go | 1 +
+ 2 files changed, 9 insertions(+)
+
+diff --git a/src/cmd/go/internal/work/exec.go b/src/cmd/go/internal/work/exec.go
+index c8f297cbe9..815942a703 100644
+--- a/src/cmd/go/internal/work/exec.go
+++ b/src/cmd/go/internal/work/exec.go
+@@ -1684,6 +1684,14 @@ func (b *Builder) getPkgConfigFlags(a *Action) (cflags, ldflags []string, err er
+				return nil, nil, fmt.Errorf("invalid pkg-config package name: %s", pkg)
+			}
+		}
+
+		// Running 'pkg-config' can cause execution of
+		// arbitrary code using flags that are not in
+		// the safelist.
+		if err := checkCompilerFlags("CFLAGS", "pkg-config --cflags", pcflags); err != nil {
+			return nil, nil, err
+		}
+
+		var out []byte
+		out, err = sh.runOut(p.Dir, nil, b.PkgconfigCmd(), "--cflags", pcflags, "--", pkgs)
+		if err != nil {
+diff --git a/src/cmd/go/internal/work/security.go b/src/cmd/go/internal/work/security.go
+index 568eecd325..79724ed04a 100644
+--- a/src/cmd/go/internal/work/security.go
+++ b/src/cmd/go/internal/work/security.go
+@@ -122,6 +122,7 @@ var validCompilerFlags = []*lazyregexp.Regexp{
+	re(`-pedantic(-errors)?`),
+	re(`-pipe`),
+	re(`-pthread`),
+	re(`--static`),
+	re(`-?-std=([^@\-].*)`),
+	re(`-?-stdlib=([^@\-].*)`),
+	re(`--sysroot=([^@\-].*)`),
+--
+2.35.6