go: fix CVE-2025-47906

If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and ".."), can result in the binaries listed in the PATH being unexpectedly returned. (From OE-Core rev: c4d81e32ee3fb7d05db2cfbfaaa8081841bc16ce) Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Archana Polampalli <archana.polampalli@windriver.com> 2025-10-09 14:27:24 +0530
committer: Steve Sakoman <steve@sakoman.com> 2025-10-14 07:20:36 -0700
commit: f63f49bdead2591f2fbbf9a732fbfdef5272bdfa (patch)
tree: b5fd3fc6156ea553e95b2eb1e6031b4a44e4e87a
parent: 7a5c6b3e18171c4488fa56a20846a64bb15c966d (diff)
download: poky-f63f49bdead2591f2fbbf9a732fbfdef5272bdfa.tar.gz
2 files changed, 172 insertions, 0 deletions
diff --git a/meta/recipes-devtools/go/go-1.17.13.inc b/meta/recipes-devtools/go/go-1.17.13.inc
index 2052f4adbc..aab8e85c22 100644
--- a/meta/recipes-devtools/go/go-1.17.13.inc
+++ b/meta/recipes-devtools/go/go-1.17.13.inc
@@ -67,6 +67,7 @@ SRC_URI = "https://golang.org/dl/go${PV}.src.tar.gz;name=main \
           file://CVE-2025-47907-pre-0001.patch \
           file://CVE-2025-47907-pre-0002.patch \
           file://CVE-2025-47907.patch \
+           file://CVE-2025-47906.patch \
           "
 SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd"
diff --git a/meta/recipes-devtools/go/go-1.21/CVE-2025-47906.patch b/meta/recipes-devtools/go/go-1.21/CVE-2025-47906.patch
new file mode 100644
index 0000000000..272d1ed985
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.21/CVE-2025-47906.patch
@@ -0,0 +1,171 @@
+From 8fa31a2d7d9e60c50a3a94080c097b6e65773f4b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Olivier=20Mengu=C3=A9?= <olivier.mengue@gmail.com>
+Date: Mon, 30 Jun 2025 16:58:59 +0200
+Subject: [PATCH] [release-branch.go1.23] os/exec: fix incorrect expansion of
+ "", "." and ".." in LookPath Fix incorrect expansion of "" and "." when $PATH
+ contains an executable file or, on Windows, a parent directory of a %PATH%
+ element contains an file with the same name as the %PATH% element but with
+ one of the %PATHEXT% extension (ex: C:\utils\bin is in PATH, and
+ C:\utils\bin.exe exists).
+Fix incorrect expansion of ".." when $PATH contains an element which is
+an the concatenation of the path to an executable file (or on Windows
+a path that can be expanded to an executable by appending a %PATHEXT%
+extension), a path separator and a name.
+"", "." and ".." are now rejected early with ErrNotFound.
+Fixes CVE-2025-47906
+Fixes #74803
+Change-Id: Ie50cc0a660fce8fbdc952a7f2e05c36062dcb50e
+Reviewed-on: https://go-review.googlesource.com/c/go/+/685755
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+Auto-Submit: Damien Neil <dneil@google.com>
+Reviewed-by: Roland Shoemaker <roland@golang.org>
+Reviewed-by: Damien Neil <dneil@google.com>
+(cherry picked from commit e0b07dc)
+Reviewed-on: https://go-review.googlesource.com/c/go/+/691855
+Reviewed-by: Michael Knyszek <mknyszek@google.com>
+CVE: CVE-2025-47906
+Upstream-Status: Backport [https://github.com/golang/go/commit/8fa31a2d7d9e60c50a3a94080c097b6e65773f4b]
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ src/internal/execabs/execabs_test.go | 55 ++++++++++++++++++++++++++++
+ src/os/exec/exec.go                  |  9 +++++
+ src/os/exec/lp_plan9.go              |  4 ++
+ src/os/exec/lp_unix.go               |  4 ++
+ src/os/exec/lp_windows.go            |  4 ++
+ 5 files changed, 76 insertions(+)
+diff --git a/src/internal/execabs/execabs_test.go b/src/internal/execabs/execabs_test.go
+index 97a3f39..99fd64b 100644
+--- a/src/internal/execabs/execabs_test.go
+++ b/src/internal/execabs/execabs_test.go
+@@ -100,4 +100,59 @@ func TestLookPath(t *testing.T) {
+        } else if err.Error() != expectedErr {
+                t.Errorf("LookPath returned unexpected error: want %q, got %q", expectedErr, err.Error())
+        }
+       checker := func(test string) func(t *testing.T) {
+               return func(t *testing.T) {
+                       t.Helper()
+                       t.Logf("PATH=%s", os.Getenv("PATH"))
+                       p, err := LookPath(test)
+                       if err == nil {
+                               t.Errorf("%q: error expected, got nil", test)
+                       }
+                       if p != "" {
+                               t.Errorf("%q: path returned should be \"\". Got %q", test, p)
+                       }
+               }
+       }
+
+       // Reference behavior for the next test
+       t.Run(pathVar+"=$OTHER2", func(t *testing.T) {
+               t.Run("empty", checker(""))
+               t.Run("dot", checker("."))
+               t.Run("dotdot1", checker("abc/.."))
+               t.Run("dotdot2", checker(".."))
+       })
+
+       // Test the behavior when PATH contains an executable file which is not a directory
+       t.Run(pathVar+"=exe", func(t *testing.T) {
+               // Inject an executable file (not a directory) in PATH.
+               // Use our own binary os.Args[0].
+               testenv.MustHaveExec(t)
+               exe, err := os.Executable()
+               if err != nil {
+                       t.Fatal(err)
+               }
+
+               t.Setenv(pathVar, exe)
+               t.Run("empty", checker(""))
+               t.Run("dot", checker("."))
+               t.Run("dotdot1", checker("abc/.."))
+               t.Run("dotdot2", checker(".."))
+       })
+
+       // Test the behavior when PATH contains an executable file which is not a directory
+       t.Run(pathVar+"=exe/xx", func(t *testing.T) {
+               // Inject an executable file (not a directory) in PATH.
+               // Use our own binary os.Args[0].
+               testenv.MustHaveExec(t)
+               exe, err := os.Executable()
+               if err != nil {
+                       t.Fatal(err)
+               }
+
+               t.Setenv(pathVar, filepath.Join(exe, "xx"))
+               t.Run("empty", checker(""))
+               t.Run("dot", checker("."))
+               t.Run("dotdot1", checker("abc/.."))
+               t.Run("dotdot2", checker(".."))
+       })
+ }
+diff --git a/src/os/exec/exec.go b/src/os/exec/exec.go
+index 505de58..84fd82f 100644
+--- a/src/os/exec/exec.go
+++ b/src/os/exec/exec.go
+@@ -790,3 +790,12 @@ func addCriticalEnv(env []string) []string {
+        }
+        return append(env, "SYSTEMROOT="+os.Getenv("SYSTEMROOT"))
+ }
+// validateLookPath excludes paths that can't be valid
+// executable names. See issue #74466 and CVE-2025-47906.
+func validateLookPath(s string) error {
+       switch s {
+       case "", ".", "..":
+               return ErrNotFound
+       }
+       return nil
+}
+diff --git a/src/os/exec/lp_plan9.go b/src/os/exec/lp_plan9.go
+index e8826a5..ed9f6e3 100644
+--- a/src/os/exec/lp_plan9.go
+++ b/src/os/exec/lp_plan9.go
+@@ -33,6 +33,10 @@ func findExecutable(file string) error {
+ // The result may be an absolute path or a path relative to the current directory.
+ func LookPath(file string) (string, error) {
+        // skip the path lookup for these prefixes
+       if err := validateLookPath(file); err != nil {
+               return "", &Error{file, err}
+       }
+
+        skip := []string{"/", "#", "./", "../"}
+        for _, p := range skip {
+diff --git a/src/os/exec/lp_unix.go b/src/os/exec/lp_unix.go
+index d1d246a..1b27f2b 100644
+--- a/src/os/exec/lp_unix.go
+++ b/src/os/exec/lp_unix.go
+@@ -38,6 +38,10 @@ func LookPath(file string) (string, error) {
+        // (only bypass the path if file begins with / or ./ or ../)
+        // but that would not match all the Unix shells.
+       if err := validateLookPath(file); err != nil {
+               return "", &Error{file, err}
+       }
+
+        if strings.Contains(file, "/") {
+                err := findExecutable(file)
+                if err == nil {
+diff --git a/src/os/exec/lp_windows.go b/src/os/exec/lp_windows.go
+index e7a2cdf..7a1d6fb 100644
+--- a/src/os/exec/lp_windows.go
+++ b/src/os/exec/lp_windows.go
+@@ -58,6 +58,10 @@ func findExecutable(file string, exts []string) (string, error) {
+ // a suitable candidate.
+ // The result may be an absolute path or a path relative to the current directory.
+ func LookPath(file string) (string, error) {
+       if err := validateLookPath(file); err != nil {
+               return "", &Error{file, err}
+       }
+
+        var exts []string
+        x := os.Getenv(`PATHEXT`)
+        if x != "" {
+--
+2.40.0
author	Archana Polampalli <archana.polampalli@windriver.com>	2025-10-09 14:27:24 +0530
committer	Steve Sakoman <steve@sakoman.com>	2025-10-14 07:20:36 -0700
commit	f63f49bdead2591f2fbbf9a732fbfdef5272bdfa (patch)
tree	b5fd3fc6156ea553e95b2eb1e6031b4a44e4e87a
parent	7a5c6b3e18171c4488fa56a20846a64bb15c966d (diff)
download	poky-f63f49bdead2591f2fbbf9a732fbfdef5272bdfa.tar.gz

diff --git a/meta/recipes-devtools/go/go-1.17.13.inc b/meta/recipes-devtools/go/go-1.17.13.inc index 2052f4adbc..aab8e85c22 100644 --- a/meta/recipes-devtools/go/go-1.17.13.inc +++ b/meta/recipes-devtools/go/go-1.17.13.inc
@@ -67,6 +67,7 @@ SRC_URI = "https://golang.org/dl/go${PV}.src.tar.gz;name=main \
67	file://CVE-2025-47907-pre-0001.patch \	67	file://CVE-2025-47907-pre-0001.patch \
68	file://CVE-2025-47907-pre-0002.patch \	68	file://CVE-2025-47907-pre-0002.patch \
69	file://CVE-2025-47907.patch \	69	file://CVE-2025-47907.patch \
		70	file://CVE-2025-47906.patch \
70	"	71	"
71	SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd"	72	SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd"
72		73


diff --git a/meta/recipes-devtools/go/go-1.21/CVE-2025-47906.patch b/meta/recipes-devtools/go/go-1.21/CVE-2025-47906.patch new file mode 100644 index 0000000000..272d1ed985 --- /dev/null +++ b/meta/recipes-devtools/go/go-1.21/CVE-2025-47906.patch
@@ -0,0 +1,171 @@
		1	From 8fa31a2d7d9e60c50a3a94080c097b6e65773f4b Mon Sep 17 00:00:00 2001
		2	From: =?UTF-8?q?Olivier=20Mengu=C3=A9?= <olivier.mengue@gmail.com>
		3	Date: Mon, 30 Jun 2025 16:58:59 +0200
		4	Subject: [PATCH] [release-branch.go1.23] os/exec: fix incorrect expansion of
		5	"", "." and ".." in LookPath Fix incorrect expansion of "" and "." when $PATH
		6	contains an executable file or, on Windows, a parent directory of a %PATH%
		7	element contains an file with the same name as the %PATH% element but with
		8	one of the %PATHEXT% extension (ex: C:\utils\bin is in PATH, and
		9	C:\utils\bin.exe exists).
		10
		11	Fix incorrect expansion of ".." when $PATH contains an element which is
		12	an the concatenation of the path to an executable file (or on Windows
		13	a path that can be expanded to an executable by appending a %PATHEXT%
		14	extension), a path separator and a name.
		15
		16	"", "." and ".." are now rejected early with ErrNotFound.
		17
		18	Fixes CVE-2025-47906
		19	Fixes #74803
		20
		21	Change-Id: Ie50cc0a660fce8fbdc952a7f2e05c36062dcb50e
		22	Reviewed-on: https://go-review.googlesource.com/c/go/+/685755
		23	LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
		24	Auto-Submit: Damien Neil <dneil@google.com>
		25	Reviewed-by: Roland Shoemaker <roland@golang.org>
		26	Reviewed-by: Damien Neil <dneil@google.com>
		27	(cherry picked from commit e0b07dc)
		28	Reviewed-on: https://go-review.googlesource.com/c/go/+/691855
		29	Reviewed-by: Michael Knyszek <mknyszek@google.com>
		30
		31	CVE: CVE-2025-47906
		32
		33	Upstream-Status: Backport [https://github.com/golang/go/commit/8fa31a2d7d9e60c50a3a94080c097b6e65773f4b]
		34
		35	Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
		36	---
		37	src/internal/execabs/execabs_test.go \| 55 ++++++++++++++++++++++++++++
		38	src/os/exec/exec.go \| 9 +++++
		39	src/os/exec/lp_plan9.go \| 4 ++
		40	src/os/exec/lp_unix.go \| 4 ++
		41	src/os/exec/lp_windows.go \| 4 ++
		42	5 files changed, 76 insertions(+)
		43
		44	diff --git a/src/internal/execabs/execabs_test.go b/src/internal/execabs/execabs_test.go
		45	index 97a3f39..99fd64b 100644
		46	--- a/src/internal/execabs/execabs_test.go
		47	+++ b/src/internal/execabs/execabs_test.go
		48	@@ -100,4 +100,59 @@ func TestLookPath(t *testing.T) {
		49	} else if err.Error() != expectedErr {
		50	t.Errorf("LookPath returned unexpected error: want %q, got %q", expectedErr, err.Error())
		51	}
		52	+ checker := func(test string) func(t *testing.T) {
		53	+ return func(t *testing.T) {
		54	+ t.Helper()
		55	+ t.Logf("PATH=%s", os.Getenv("PATH"))
		56	+ p, err := LookPath(test)
		57	+ if err == nil {
		58	+ t.Errorf("%q: error expected, got nil", test)
		59	+ }
		60	+ if p != "" {
		61	+ t.Errorf("%q: path returned should be \"\". Got %q", test, p)
		62	+ }
		63	+ }
		64	+ }
		65	+
		66	+ // Reference behavior for the next test
		67	+ t.Run(pathVar+"=$OTHER2", func(t *testing.T) {
		68	+ t.Run("empty", checker(""))
		69	+ t.Run("dot", checker("."))
		70	+ t.Run("dotdot1", checker("abc/.."))
		71	+ t.Run("dotdot2", checker(".."))
		72	+ })
		73	+
		74	+ // Test the behavior when PATH contains an executable file which is not a directory
		75	+ t.Run(pathVar+"=exe", func(t *testing.T) {
		76	+ // Inject an executable file (not a directory) in PATH.
		77	+ // Use our own binary os.Args[0].
		78	+ testenv.MustHaveExec(t)
		79	+ exe, err := os.Executable()
		80	+ if err != nil {
		81	+ t.Fatal(err)
		82	+ }
		83	+
		84	+ t.Setenv(pathVar, exe)
		85	+ t.Run("empty", checker(""))
		86	+ t.Run("dot", checker("."))
		87	+ t.Run("dotdot1", checker("abc/.."))
		88	+ t.Run("dotdot2", checker(".."))
		89	+ })
		90	+
		91	+ // Test the behavior when PATH contains an executable file which is not a directory
		92	+ t.Run(pathVar+"=exe/xx", func(t *testing.T) {
		93	+ // Inject an executable file (not a directory) in PATH.
		94	+ // Use our own binary os.Args[0].
		95	+ testenv.MustHaveExec(t)
		96	+ exe, err := os.Executable()
		97	+ if err != nil {
		98	+ t.Fatal(err)
		99	+ }
		100	+
		101	+ t.Setenv(pathVar, filepath.Join(exe, "xx"))
		102	+ t.Run("empty", checker(""))
		103	+ t.Run("dot", checker("."))
		104	+ t.Run("dotdot1", checker("abc/.."))
		105	+ t.Run("dotdot2", checker(".."))
		106	+ })
		107	}
		108	diff --git a/src/os/exec/exec.go b/src/os/exec/exec.go
		109	index 505de58..84fd82f 100644
		110	--- a/src/os/exec/exec.go
		111	+++ b/src/os/exec/exec.go
		112	@@ -790,3 +790,12 @@ func addCriticalEnv(env []string) []string {
		113	}
		114	return append(env, "SYSTEMROOT="+os.Getenv("SYSTEMROOT"))
		115	}
		116	+// validateLookPath excludes paths that can't be valid
		117	+// executable names. See issue #74466 and CVE-2025-47906.
		118	+func validateLookPath(s string) error {
		119	+ switch s {
		120	+ case "", ".", "..":
		121	+ return ErrNotFound
		122	+ }
		123	+ return nil
		124	+}
		125	diff --git a/src/os/exec/lp_plan9.go b/src/os/exec/lp_plan9.go
		126	index e8826a5..ed9f6e3 100644
		127	--- a/src/os/exec/lp_plan9.go
		128	+++ b/src/os/exec/lp_plan9.go
		129	@@ -33,6 +33,10 @@ func findExecutable(file string) error {
		130	// The result may be an absolute path or a path relative to the current directory.
		131	func LookPath(file string) (string, error) {
		132	// skip the path lookup for these prefixes
		133	+ if err := validateLookPath(file); err != nil {
		134	+ return "", &Error{file, err}
		135	+ }
		136	+
		137	skip := []string{"/", "#", "./", "../"}
		138
		139	for _, p := range skip {
		140	diff --git a/src/os/exec/lp_unix.go b/src/os/exec/lp_unix.go
		141	index d1d246a..1b27f2b 100644
		142	--- a/src/os/exec/lp_unix.go
		143	+++ b/src/os/exec/lp_unix.go
		144	@@ -38,6 +38,10 @@ func LookPath(file string) (string, error) {
		145	// (only bypass the path if file begins with / or ./ or ../)
		146	// but that would not match all the Unix shells.
		147
		148	+ if err := validateLookPath(file); err != nil {
		149	+ return "", &Error{file, err}
		150	+ }
		151	+
		152	if strings.Contains(file, "/") {
		153	err := findExecutable(file)
		154	if err == nil {
		155	diff --git a/src/os/exec/lp_windows.go b/src/os/exec/lp_windows.go
		156	index e7a2cdf..7a1d6fb 100644
		157	--- a/src/os/exec/lp_windows.go
		158	+++ b/src/os/exec/lp_windows.go
		159	@@ -58,6 +58,10 @@ func findExecutable(file string, exts []string) (string, error) {
		160	// a suitable candidate.
		161	// The result may be an absolute path or a path relative to the current directory.
		162	func LookPath(file string) (string, error) {
		163	+ if err := validateLookPath(file); err != nil {
		164	+ return "", &Error{file, err}
		165	+ }
		166	+
		167	var exts []string
		168	x := os.Getenv(`PATHEXT`)
		169	if x != "" {
		170	--
		171	2.40.0