From: Deepak Rathore <[email protected]> Upstream Repository: https://github.com/golang/go.git
Bug details: https://nvd.nist.gov/vuln/detail/CVE-2025-61732 Type: Security Fix CVE: CVE-2025-61732 Score: 8.6 Patch: https://github.com/golang/go/commit/14d0bb39c1c4 Signed-off-by: Deepak Rathore <[email protected]>
diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc
index ca0f05f7c8..cc4f98a8fe 100644
--- a/meta/recipes-devtools/go/go-1.22.12.inc
+++ b/meta/recipes-devtools/go/go-1.22.12.inc
@@ -37,6 +37,7 @@ SRC_URI += "\ file://CVE-2025-61731.patch \ file://CVE-2025-68119-dependent.patch \ file://CVE-2025-68119.patch \ + file://CVE-2025-61732.patch \ " SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71"
diff --git a/meta/recipes-devtools/go/go/CVE-2025-61732.patch b/meta/recipes-devtools/go/go/CVE-2025-61732.patch
new file mode 100644
index 0000000000..523660def2
--- /dev/null
+++ b/meta/recipes-devtools/go/go/CVE-2025-61732.patch
@@ -0,0 +1,53 @@
+From fe8c665f1608126e7b644ab07bb0698ad1c0b4b6 Mon Sep 17 00:00:00 2001
+From: Neal Patel <[email protected]>
+Date: Tue, 6 Jan 2026 16:09:19 -0500
+Subject: [PATCH] [release-branch.go1.24] cmd/go: remove user-content from doc
+ strings in cgo ASTs.
+
+Thank you to RyotaK (https://ryotak.net) of GMO Flatt Security Inc. for reporting this issue.
+
+Updates #76697
+Fixes #77128
+Fixes CVE-2025-61732
+
+CVE: CVE-2025-61732
+Upstream-Status: Backport [https://github.com/golang/go/commit/14d0bb39c1c4]
+
+Change-Id: Ie2a96b79a813e362cbf8e6cb0e3c2d0c022bcb29
+Reviewed-on: https://go-review.googlesource.com/c/go/+/740001
+LUCI-TryBot-Result: Go LUCI <[email protected]>
+Auto-Submit: Dmitri Shuralyov <[email protected]>
+Reviewed-by: Roland Shoemaker <[email protected]>
+(cherry picked from commit 14d0bb39c1c4093bd02740d14b1a2ca720ced97c)
+Signed-off-by: Deepak Rathore <[email protected]>
+---
+ src/cmd/cgo/ast.go | 11 +++--------
+ 1 file changed, 3 insertions(+), 8 deletions(-)
+
+diff --git a/src/cmd/cgo/ast.go b/src/cmd/cgo/ast.go
+index 3cbbeafdca..eb373bdefa 100644
+--- a/src/cmd/cgo/ast.go
++++ b/src/cmd/cgo/ast.go
+@@ -301,17 +301,12 @@ func (f *File) saveExport(x interface{}, context astContext) {
+ error_(c.Pos(), "export comment has wrong name %q, want %q", name, n.Name.Name)
+ }
+
+- doc := ""
+- for _, c1 := range n.Doc.List {
+- if c1 != c {
+- doc += c1.Text + "\n"
+- }
+- }
+-
+ f.ExpFunc = append(f.ExpFunc, &ExpFunc{
+ Func: n,
+ ExpName: name,
+- Doc: doc,
++ // Caution: Do not set the Doc field on purpose
++ // to ensure that there are no unintended artifacts
++ // in the binary. See https://go.dev/issue/76697.
+ })
+ break
+ }
+--
+2.35.6
-- 2.44.1
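Review bot: Nothing in this backport checks that doc-comment text really stays out of the build output on the 1.22.12 tree: the embedded patch is labelled `[release-branch.go1.24]`, its diffstat touches only `src/cmd/cgo/ast.go`, and it carries no regression test. The fix in `saveExport` works purely by omitting `Doc` from the `&ExpFunc{...}` literal, so the field and whatever reads it (outside this hunk) presumably remain; please confirm that no other site assigns `ExpFunc.Doc` in the 1.22 sources. The in-code comment would also read less ambiguously as `// Doc is deliberately left unset so that user-written comment text is never copied into the build output. See https://go.dev/issue/76697.`, though keeping the upstream wording is reasonable for a backport. `saveExport` begins and ends outside the embedded hunk.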
