diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc
index 77e6bcd59d..85f75f0d89 100644
--- a/meta/recipes-devtools/go/go-1.22.12.inc
+++ b/meta/recipes-devtools/go/go-1.22.12.inc
@@ -51,6 +51,7 @@ SRC_URI += "\
 file://CVE-2026-39820.patch \
 file://CVE-2026-39825.patch \
 file://CVE-2026-39826.patch \
+ file://CVE-2026-42499.patch \
 "
 SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71"
diff --git a/meta/recipes-devtools/go/go/CVE-2026-42499.patch b/meta/recipes-devtools/go/go/CVE-2026-42499.patch
new file mode 100644
index 0000000000..d4ac9b3823
--- /dev/null
+++ b/meta/recipes-devtools/go/go/CVE-2026-42499.patch
@@ -0,0 +1,91 @@
+From dd339e72189d59f249786afd4021b9fb391f3562 Mon Sep 17 00:00:00 2001
+From: Neal Patel
+Date: Tue, 28 Apr 2026 12:10:24 -0400
+Subject: [PATCH] net/mail: fix quadratic consumePhrase behavior
+
+Updates #78987
+Fixes CVE-2026-42499
+
+Change-Id: I8438e5dee7e6433573d4161baf8fb2151e7fbc2f
+Reviewed-on: https://go-review.googlesource.com/c/go/+/771520
+Reviewed-by: Nicholas Husin
+Reviewed-by: Nicholas Husin
+LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com
+
+CVE: CVE-2026-42499
+Upstream-Status: Backport [https://github.com/golang/go/commit/2c59389fcc5194aeae742fb413e55b656c22343f]
+Signed-off-by: Theo Gaige (Schneider Electric)
+---
+ src/net/mail/message.go | 23 +++++++++++++++++------
+ src/net/mail/message_test.go | 11 +++++++++++
+ 2 files changed, 28 insertions(+), 6 deletions(-)
+
+diff --git a/src/net/mail/message.go b/src/net/mail/message.go
+index 37d7ff5df1..f57742068e 100644
+--- a/src/net/mail/message.go
++++ b/src/net/mail/message.go
+@@ -567,8 +567,10 @@ func (p *addrParser) consumeAddrSpec() (spec string, err error) {
+ func (p *addrParser) consumePhrase() (phrase string, err error) {
+ debug.Printf("consumePhrase: [%s]", p.s)
+ // phrase = 1*word
+- var words []string
+- var isPrevEncoded bool
++ var (
++ words []string
++ sb strings.Builder
++ )
+ for {
+ // obs-phrase allows CFWS after one word
+ if len(words) > 0 {
+@@ -600,13 +602,22 @@ func (p *addrParser) consumePhrase() (phrase string, err error) {
+ break
+ }
+ debug.Printf("consumePhrase: consumed %q", word)
+- if isPrevEncoded && isEncoded {
+- words[len(words)-1] += word
+- } else {
++ switch {
++ case isEncoded:
++ sb.WriteString(word)
++ case !isEncoded && sb.Len() > 0:
++ words = append(words, sb.String())
++ sb.Reset()
++ words = append(words, word)
++ default:
+ words = append(words, word)
+ }
+- isPrevEncoded = isEncoded
+ }
++
++ if sb.Len() > 0 {
++ words = append(words, sb.String())
++ }
++
+ // Ignore any error if we got at least one word.
+ if err != nil && len(words) == 0 {
+ debug.Printf("consumePhrase: hit err: %v", err)
+diff --git a/src/net/mail/message_test.go b/src/net/mail/message_test.go
+index 1b165317f9..27837a9cbd 100644
+--- a/src/net/mail/message_test.go
++++ b/src/net/mail/message_test.go
+@@ -1219,6 +1219,17 @@ func TestEmptyAddress(t *testing.T) {
+ }
+ }
+
++func BenchmarkConsumePhrase(b *testing.B) {
++ for _, n := range []int{10, 100, 1000, 10000} {
++ b.Run(fmt.Sprintf("words-%d", n), func(b *testing.B) {
++ input := strings.Repeat("=?utf-8?q?hello?= ", n) + ""
++ for b.Loop() {
++ (&addrParser{s: input}).consumePhrase()
++ }
++ })
++ }
++}
++
+ func BenchmarkConsumeComment(b *testing.B) {
+ for _, n := range []int{10, 100, 1000, 10000} {
+ b.Run(fmt.Sprintf("depth-%d", n), func(b *testing.B) {
+--
+2.43.0
+
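Review bot: In the rewritten `consumePhrase` loop, the `if len(words) > 0 {` guard at the top of the `for` (kept as context in the first message.go hunk) no longer becomes true after a leading encoded word, because encoded words are now buffered in `sb` and only appended to `words` later, whereas before this change the first word was always appended. The guard's body lies outside the hunk, but the comment above it says it handles CFWS after a word, so a comment between leading encoded words would presumably no longer be skipped; consider `if len(words) > 0 || sb.Len() > 0 {` plus a regression test for that input. Separately, the added `BenchmarkConsumePhrase` calls `b.Loop()`, which was introduced in Go 1.24, so message_test.go will not compile in this 1.22.12 tree; the backport should use `for i := 0; i < b.N; i++ {` instead. The `!isEncoded &&` in the second `case` is also redundant after `case isEncoded:`.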