path: root/meta/recipes-bsp/grub/grub2.inc
author: Praveen Kumar <praveen.kumar@windriver.com> 2025-09-18 21:00:40 +0530
committer: Steve Sakoman <steve@sakoman.com> 2025-10-03 09:51:17 -0700
commit: 9ae3736eb488e5ad694a63d7cd92b9d6d090fabd (patch)
tree: c6d752479a34c67d9dbb6681eed0876c17c26908 /meta/recipes-bsp/grub/grub2.inc
parent: 51dc9c464de0703bfbc6f1ee71ac9bea20933a45 (diff)
go: fix CVE-2025-47907

Cancelling a query (e.g. by cancelling the context passed to one of the query methods) during a call to the Scan method of the returned Rows can result in unexpected results if other queries are being made in parallel. This can result in a race condition that may overwrite the expected results with those of another query, causing the call to Scan to return either unexpected results from the other query or an error.

Made below changes for Go 1.17 backport:
- Replaced `atomic.Pointer[error]` with `atomic.Value`, since atomic pointers are not supported in Go 1.17.
- Used errp.(*error) to retrieve and dereference the stored *error; without this, build fails with: invalid indirect of errp (type interface{}).
- Replaced Go 1.18 `any` keyword with `interface{}` for backward compatibility with Go 1.17.

Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-47907

Upstream-patch:
https://github.com/golang/go/commit/8a924caaf348fdc366bab906424616b2974ad4e9
https://github.com/golang/go/commit/298fe517a9333c05143a8a8e1f9d5499f0c6e59b
https://github.com/golang/go/commit/c23579f031ecd09bf37c644723b33736dffa8b92

(From OE-Core rev: af9c43c39764ce9ce37785c44dfb83e25cb24703)

Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>

Diffstat (limited to 'meta/recipes-bsp/grub/grub2.inc')
0 files changed, 0 insertions, 0 deletions
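
The backport pattern named in the commit message, as an added example that is not code from the patch or from Go's database/sql: a Go 1.17-compatible `atomic.Value` holding a `*error`, read back through a type assertion. The `cancelFlag` type and the `set`, `get` and `bareStorePanics` names are hypothetical.

```go
package main

import (
	"context"
	"fmt"
	"sync/atomic"
)

// cancelFlag is a hypothetical stand-in for a struct that records, from one
// goroutine, the error that a concurrent reader must observe.
type cancelFlag struct {
	done atomic.Value // always holds a *error, never a bare error
}

// set records err. Every Store passes a *error, so the concrete type kept in
// the atomic.Value is the same no matter which error is recorded.
func (c *cancelFlag) set(err error) {
	c.done.Store(&err)
}

// get returns the recorded error, or nil if set was never called.
func (c *cancelFlag) get() error {
	errp := c.done.Load() // interface{}; nil until the first Store
	if errp == nil {
		return nil
	}
	// Writing *errp here does not compile: errp has type interface{}.
	// The assertion recovers the *error, which is then dereferenced.
	return *(errp.(*error))
}

// bareStorePanics reports whether storing two errors of different concrete
// types directly in an atomic.Value panics. It does: atomic.Value rejects a
// Store whose concrete type differs from the first one stored.
func bareStorePanics() (panicked bool) {
	defer func() { panicked = recover() != nil }()
	var v atomic.Value
	v.Store(context.Canceled)         // concrete type *errors.errorString
	v.Store(context.DeadlineExceeded) // a different concrete type
	return false
}

func main() {
	var c cancelFlag
	fmt.Println(c.get()) // nothing recorded yet
	c.set(context.Canceled)
	c.set(context.DeadlineExceeded) // fine: both stores are *error
	fmt.Println(c.get(), bareStorePanics())
}
```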