Line directives ("//line") can be used to bypass the restrictions on
"//go:cgo_" directives, allowing blocked linker and compiler flags to
be passed during compilation. This can result in unexpected execution
of arbitrary code when running "go build". The line directive requires
the absolute path of the file in which the directive lives, which makes
exploiting this issue significantly more complex.
Made below changes for Go 1.17 backport:
- drop the modifications of test codes
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-39323
Upstream-patch:
e7c142a19d
(From OE-Core rev: 62f4c3aec8f80a259472ce19104596d08741c101)
Signed-off-by: Libo Chen <libo.chen.cn@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
If the PATH environment variable contains paths which are executables
(rather than just directories), passing certain strings to LookPath
("", ".", and ".."), can result in the binaries listed in the PATH
being unexpectedly returned.
(From OE-Core rev: c4d81e32ee3fb7d05db2cfbfaaa8081841bc16ce)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Cancelling a query (e.g. by cancelling the context passed to one of
the query methods) during a call to the Scan method of the returned
Rows can result in unexpected results if other queries are being made
in parallel. This can result in a race condition that may overwrite
the expected results with those of another query, causing the call to
Scan to return either unexpected results from the other query or an
error.
Made below changes for Go 1.17 backport:
- Replaced `atomic.Pointer[error]` with `atomic.Value`, since
atomic pointers are not supported in Go 1.17.
- Used errp.(*error) to retrieve and dereference
the stored *error, Without this, build fails with:
invalid indirect of errp (type interface{}).
- Replaced Go 1.18 `any` keyword with `interface{}` for backward
compatibility with Go 1.17.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-47907
Upstream-patch:
8a924caaf3298fe517a9c23579f031
(From OE-Core rev: af9c43c39764ce9ce37785c44dfb83e25cb24703)
Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The HTTP client drops sensitive headers after following a cross-domain redirect.
For example, a request to a.com/ containing an Authorization header which is redirected to
b.com/ will not send that header to b.com. In the event that the client received a subsequent
same-domain redirect, however, the sensitive headers would be restored. For example, a chain
of redirects from a.com/, to b.com/1, and finally to b.com/2 would incorrectly send the
Authorization header to b.com/2.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-45336
Upstream-patch:
b72d56f98d
(From OE-Core rev: 63e84b64f055ad7c91de67194e6739c96fb95496)
Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The archive/zip package's handling of certain types of invalid zip files
differs from the behavior of most zip implementations. This misalignment
could be exploited to create an zip file with contents that vary depending
on the implementation reading the file. The archive/zip package now rejects
files containing these errors.
References:
https://nvd.nist.gov/vuln/detail/CVE-2024-24789
Upstream-patch:
c8e40338cf
(From OE-Core rev: f198fdc392c6e3b99431383ab6577749e83f1cb3)
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
