On Thu Mar 12, 2026 at 2:54 PM CET, Eduardo Ferreira Barbosa via lists.openembedded.org wrote: > Hi, is this patch submission OK for review, or did I miss something with this > new version?
This submission is fine, I have it in my review branch[0]. You should see it it my patch review request or have an answer in the next few days. Thanks! [0]: https://git.yoctoproject.org/poky-contrib/log/?h=stable/scarthgap-nut > > Thanks, > Eduardo > ________________________________ > From: Eduardo Ferreira <[email protected]> > Sent: Monday, March 9, 2026 1:53 PM > To: [email protected] > <[email protected]> > Cc: Eduardo Ferreira Barbosa <[email protected]> > Subject: [OE-core][scarthgap][PATCH] go: Fix CVE-2025-61726.patch variable > ordering > > This message originated from outside your organization > > From: Eduardo Ferreira <[email protected]> > > Commit 6a1ae4e792 (go 1.22.12: Fix CVE-2025-61726, 2026-02-11) > introduced a patch backporting a fix for CVE-2025-61726, but > this patch also introduced a bug. > > From Go's source code[1], they say that the 'All' table from 'godebugs' > should be populated alphabetically by Name. And 'Lookup'[2] function uses > binary search to try and find the variable. > > Here's the trace: > Mar 06 11:33:33 toradex-smarc-imx95-12594035 systemd[1]: Started Docker > Application Container Engine. > Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: 2026/03/06 > 11:34:53 http: panic serving @: godebug: Value of name not listed in godeb > ugs.All: urlmaxqueryparams > Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: goroutine 78 > [running]: > Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: > net/http.(*conn).serve.func1() > Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: > net/http/server.go:1903 +0xb0 > Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: > panic({0x55743e8740?, 0x4000b526c0?}) > Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: > runtime/panic.go:770 +0x124 > Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: > go.opentelemetry.io/otel/sdk/trace.(*recordingSpan).End.deferwrap1()<http://go.opentelemetry.io/otel/sdk/trace.(*recordingSpan).End.deferwrap1()> > Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: > go.opentelemetry.io/otel/[email protected]/trace/span.go:383<http://go.opentelemetry.io/otel/[email protected]/trace/span.go:383> > +0x2c > Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: > go.opentelemetry.io/otel/sdk/trace.(*recordingSpan).End<http://go.opentelemetry.io/otel/sdk/trace.(*recordingSpan).End>(0x40011b4a80, > {0x0, 0x0, 0x40 > 006441c0?}) > Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: > go.opentelemetry.io/otel/[email protected]/trace/span.go:421<http://go.opentelemetry.io/otel/[email protected]/trace/span.go:421> > +0x898 > Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: > panic({0x55743e8740?, 0x4000b526c0?}) > Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: > runtime/panic.go:770 +0x124 > Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: > internal/godebug.(*Setting).Value.func1() > Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: > internal/godebug/godebug.go:141 +0xd8 > Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: > sync.(*Once).doSlow(0x22?, 0x55748a9b60?) > Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: sync/once.go:74 > +0x100 > Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: > sync.(*Once).Do(...) > Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: sync/once.go:65 > Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: > internal/godebug.(*Setting).Value(0x5575b21be0) > Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: > internal/godebug/godebug.go:138 +0x50 > Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: > net/url.urlParamsWithinMax(0x1) > Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: net/url/url.go:968 > +0x3c > Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: > net/url.parseQuery(0x400069a630, {0x0, 0x0}) > Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: net/url/url.go:985 > +0xdc > Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: > net/url.ParseQuery(...) > Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: net/url/url.go:958 > Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: > net/http.(*Request).ParseForm(0x4000bdab40) > Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: > net/http/request.go:1317 +0x33c > Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: > github.com/docker/docker/api/server/httputils.ParseForm(0x0?)<http://github.com/docker/docker/api/server/httputils.ParseForm(0x0?)> > Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: > github.com/docker/docker/api/server/httputils/httputils.go:104<http://github.com/docker/docker/api/server/httputils/httputils.go:104> > +0x20 > > The 'Lookup' function was failing due to the wrong ordering and returning > 'nil', > which was not being checked properly and caused this issue. > > The fix was to just reorder the line where 'urlmaxqueryparams' is being > added to respect the alphabetical ordering. And for that the whole CVE > patch was generated again. > > This change was validated with docker-moby (original issue), where a container > run successfully and no traces in the logs. > > [1] > https://github.com/golang/go/blob/master/src/internal/godebugs/table.go#L20<https://github.com/golang/go/blob/master/src/internal/godebugs/table.go#L20> > [2] > https://github.com/golang/go/blob/master/src/internal/godebugs/table.go#L100<https://github.com/golang/go/blob/master/src/internal/godebugs/table.go#L100> > > Signed-off-by: Eduardo Ferreira <[email protected]> > --- > .../go/go/CVE-2025-61726.patch | 21 ++++++++++--------- > 1 file changed, 11 insertions(+), 10 deletions(-) > > diff --git a/meta/recipes-devtools/go/go/CVE-2025-61726.patch > b/meta/recipes-devtools/go/go/CVE-2025-61726.patch > index ab053ff55c..bdd10bc933 100644 > --- a/meta/recipes-devtools/go/go/CVE-2025-61726.patch > +++ b/meta/recipes-devtools/go/go/CVE-2025-61726.patch > @@ -1,4 +1,4 @@ > -From 85050ca6146f3edb50ded0a352ab9edbd635effc Mon Sep 17 00:00:00 2001 > +From bf06767a9ac737387eee77c7eedd67c65e853ac2 Mon Sep 17 00:00:00 2001 > From: Damien Neil <[email protected]> > Date: Mon, 3 Nov 2025 14:28:47 -0800 > Subject: [PATCH] [release-branch.go1.24] net/url: add urlmaxqueryparams > @@ -36,6 +36,7 @@ Reviewed-by: Junyang Shao <[email protected]> > TryBot-Bypass: Michael Pratt <[email protected]> > (cherry picked from commit 85c794ddce26a092b0ea68d0fca79028b5069d5a) > Signed-off-by: Deepak Rathore <[email protected]> > +Signed-off-by: Eduardo Ferreira <[email protected]> > --- > doc/godebug.md | 7 +++++ > src/internal/godebugs/table.go | 1 + > @@ -45,7 +46,7 @@ Signed-off-by: Deepak Rathore <[email protected]> > 5 files changed, 85 insertions(+) > > diff --git a/doc/godebug.md b/doc/godebug.md > -index ae4f0576b4..635597ea42 100644 > +index ae4f057..635597e 100644 > --- a/doc/godebug.md > +++ b/doc/godebug.md > @@ -126,6 +126,13 @@ for example, > @@ -63,19 +64,19 @@ index ae4f0576b4..635597ea42 100644 > to concerns around VCS injection attacks. This behavior can be renabled with > the > setting `allowmultiplevcs=1`. > diff --git a/src/internal/godebugs/table.go b/src/internal/godebugs/table.go > -index 33dcd81fc3..4ae043053c 100644 > +index 33dcd81..7178df6 100644 > --- a/src/internal/godebugs/table.go > +++ b/src/internal/godebugs/table.go > -@@ -52,6 +52,7 @@ var All = []Info{ > +@@ -51,6 +51,7 @@ var All = []Info{ > + {Name: "tlsmaxrsasize", Package: "crypto/tls"}, > {Name: "tlsrsakex", Package: "crypto/tls", Changed: 22, Old: "1"}, > {Name: "tlsunsafeekm", Package: "crypto/tls", Changed: 22, Old: "1"}, > - {Name: "x509sha1", Package: "crypto/x509"}, > + {Name: "urlmaxqueryparams", Package: "net/url", Changed: 24, Old: "0"}, > + {Name: "x509sha1", Package: "crypto/x509"}, > {Name: "x509usefallbackroots", Package: "crypto/x509"}, > {Name: "x509usepolicies", Package: "crypto/x509"}, > - {Name: "zipinsecurepath", Package: "archive/zip"}, > diff --git a/src/net/url/url.go b/src/net/url/url.go > -index d2ae03232f..5219e3c130 100644 > +index d2ae032..cdca468 100644 > --- a/src/net/url/url.go > +++ b/src/net/url/url.go > @@ -13,6 +13,7 @@ package url > @@ -118,7 +119,7 @@ index d2ae03232f..5219e3c130 100644 > var key string > key, query, _ = strings.Cut(query, "&") > diff --git a/src/net/url/url_test.go b/src/net/url/url_test.go > -index fef236e40a..b2f8bd95fc 100644 > +index fef236e..b2f8bd9 100644 > --- a/src/net/url/url_test.go > +++ b/src/net/url/url_test.go > @@ -1488,6 +1488,54 @@ func TestParseQuery(t *testing.T) { > @@ -177,7 +178,7 @@ index fef236e40a..b2f8bd95fc 100644 > url *URL > out string > diff --git a/src/runtime/metrics/doc.go b/src/runtime/metrics/doc.go > -index 517ec0e0a4..335f7873b3 100644 > +index 517ec0e..88d6d8c 100644 > --- a/src/runtime/metrics/doc.go > +++ b/src/runtime/metrics/doc.go > @@ -328,6 +328,11 @@ Below is the full list of supported metrics, ordered > lexicographically. > @@ -193,4 +194,4 @@ index 517ec0e0a4..335f7873b3 100644 > The number of non-default behaviors executed by the crypto/x509 > package due to a non-default GODEBUG=x509sha1=... setting. > -- > -2.35.6 > +2.34.1 > -- > 2.34.1 -- Yoann Congal Smile ECS
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#232996): https://lists.openembedded.org/g/openembedded-core/message/232996 Mute This Topic: https://lists.openembedded.org/mt/118225430/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
