go 1.22.12: Fix CVE-2025-61726

Upstream Repository: https://github.com/golang/go.git Bug details: https://nvd.nist.gov/vuln/detail/CVE-2025-61726 Type: Security Fix CVE: CVE-2025-61726 Score: 7.5 Patch: https://github.com/golang/go/commit/85c794ddce26 (From OE-Core rev: 6a1ae4e79252f9a896faa702e4a8b3e27529a474) Signed-off-by: Deepak Rathore <deeratho@cisco.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Deepak Rathore <deeratho@cisco.com> 2026-02-11 20:59:00 -0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2026-02-27 17:45:06 +0000
commit: 242963f4cd1597d31a3efae2422016bf888c6e25 (patch)
tree: 5db15ef67a5102604878445c9bb26dafff8aa7e7 /meta
parent: dde29170e37afe550fecc5da53eebeaa05e3f790 (diff)
download: poky-242963f4cd1597d31a3efae2422016bf888c6e25.tar.gz
2 files changed, 197 insertions, 0 deletions
diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc
index e9a1803252..46f6ef5d8f 100644
--- a/meta/recipes-devtools/go/go-1.22.12.inc
+++ b/meta/recipes-devtools/go/go-1.22.12.inc
@@ -32,6 +32,7 @@ SRC_URI += "\
    file://CVE-2025-61727.patch \
    file://CVE-2025-61729.patch \
    file://CVE-2025-61730.patch \
+    file://CVE-2025-61726.patch \
 "
 SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71"
diff --git a/meta/recipes-devtools/go/go/CVE-2025-61726.patch b/meta/recipes-devtools/go/go/CVE-2025-61726.patch
new file mode 100644
index 0000000000..ab053ff55c
--- /dev/null
+++ b/meta/recipes-devtools/go/go/CVE-2025-61726.patch
@@ -0,0 +1,196 @@
+From 85050ca6146f3edb50ded0a352ab9edbd635effc Mon Sep 17 00:00:00 2001
+From: Damien Neil <dneil@google.com>
+Date: Mon, 3 Nov 2025 14:28:47 -0800
+Subject: [PATCH] [release-branch.go1.24] net/url: add urlmaxqueryparams
+ GODEBUG to limit the number of query parameters
+net/url does not currently limit the number of query parameters parsed by
+url.ParseQuery or URL.Query.
+When parsing a application/x-www-form-urlencoded form,
+net/http.Request.ParseForm will parse up to 10 MB of query parameters.
+An input consisting of a large number of small, unique parameters can
+cause excessive memory consumption.
+We now limit the number of query parameters parsed to 10000 by default.
+The limit can be adjusted by setting GODEBUG=urlmaxqueryparams=<n>.
+Setting urlmaxqueryparams to 0 disables the limit.
+Thanks to jub0bs for reporting this issue.
+Fixes #77101
+Fixes CVE-2025-61726
+CVE: CVE-2025-61726
+Upstream-Status: Backport [https://github.com/golang/go/commit/85c794ddce26]
+Change-Id: Iee3374c7ee2d8586dbf158536d3ade424203ff66
+Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3020
+Reviewed-by: Nicholas Husin <husin@google.com>
+Reviewed-by: Neal Patel <nealpatel@google.com>
+Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3326
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/736702
+Auto-Submit: Michael Pratt <mpratt@google.com>
+Reviewed-by: Junyang Shao <shaojunyang@google.com>
+TryBot-Bypass: Michael Pratt <mpratt@google.com>
+(cherry picked from commit 85c794ddce26a092b0ea68d0fca79028b5069d5a)
+Signed-off-by: Deepak Rathore <deeratho@cisco.com>
+---
+ doc/godebug.md                 |  7 +++++
+ src/internal/godebugs/table.go |  1 +
+ src/net/url/url.go             | 24 +++++++++++++++++
+ src/net/url/url_test.go        | 48 ++++++++++++++++++++++++++++++++++
+ src/runtime/metrics/doc.go     |  5 ++++
+ 5 files changed, 85 insertions(+)
+diff --git a/doc/godebug.md b/doc/godebug.md
+index ae4f0576b4..635597ea42 100644
+--- a/doc/godebug.md
+++ b/doc/godebug.md
+@@ -126,6 +126,13 @@ for example,
+ see the [runtime documentation](/pkg/runtime#hdr-Environment_Variables)
+ and the [go command documentation](/cmd/go#hdr-Build_and_test_caching).
+Go 1.26 added a new `urlmaxqueryparams` setting that controls the maximum number
+of query parameters that net/url will accept when parsing a URL-encoded query string.
+If the number of parameters exceeds the number set in `urlmaxqueryparams`,
+parsing will fail early. The default value is `urlmaxqueryparams=10000`.
+Setting `urlmaxqueryparams=0`bles the limit. To avoid denial of service attacks,
+this setting and default was backported to Go 1.25.4 and Go 1.24.10.
+
+ Go 1.23.11 disabled build information stamping when multiple VCS are detected due
+ to concerns around VCS injection attacks. This behavior can be renabled with the
+ setting `allowmultiplevcs=1`.
+diff --git a/src/internal/godebugs/table.go b/src/internal/godebugs/table.go
+index 33dcd81fc3..4ae043053c 100644
+--- a/src/internal/godebugs/table.go
+++ b/src/internal/godebugs/table.go
+@@ -52,6 +52,7 @@ var All = []Info{
+        {Name: "tlsrsakex", Package: "crypto/tls", Changed: 22, Old: "1"},
+        {Name: "tlsunsafeekm", Package: "crypto/tls", Changed: 22, Old: "1"},
+        {Name: "x509sha1", Package: "crypto/x509"},
+       {Name: "urlmaxqueryparams", Package: "net/url", Changed: 24, Old: "0"},
+        {Name: "x509usefallbackroots", Package: "crypto/x509"},
+        {Name: "x509usepolicies", Package: "crypto/x509"},
+        {Name: "zipinsecurepath", Package: "archive/zip"},
+diff --git a/src/net/url/url.go b/src/net/url/url.go
+index d2ae03232f..5219e3c130 100644
+--- a/src/net/url/url.go
+++ b/src/net/url/url.go
+@@ -13,6 +13,7 @@ package url
+ import (
+        "errors"
+        "fmt"
+       "internal/godebug"
+        "net/netip"
+        "path"
+        "sort"
+@@ -958,7 +959,30 @@ func ParseQuery(query string) (Values, error) {
+        return m, err
+ }
+var urlmaxqueryparams = godebug.New("urlmaxqueryparams")
+
+const defaultMaxParams = 10000
+
+func urlParamsWithinMax(params int) bool {
+       withinDefaultMax := params <= defaultMaxParams
+       if urlmaxqueryparams.Value() == "" {
+               return withinDefaultMax
+       }
+       customMax, err := strconv.Atoi(urlmaxqueryparams.Value())
+       if err != nil {
+               return withinDefaultMax
+       }
+       withinCustomMax := customMax == 0 || params < customMax
+       if withinDefaultMax != withinCustomMax {
+               urlmaxqueryparams.IncNonDefault()
+       }
+       return withinCustomMax
+}
+
+ func parseQuery(m Values, query string) (err error) {
+       if !urlParamsWithinMax(strings.Count(query, "&") + 1) {
+               return errors.New("number of URL query parameters exceeded limit")
+       }
+        for query != "" {
+                var key string
+                key, query, _ = strings.Cut(query, "&")
+diff --git a/src/net/url/url_test.go b/src/net/url/url_test.go
+index fef236e40a..b2f8bd95fc 100644
+--- a/src/net/url/url_test.go
+++ b/src/net/url/url_test.go
+@@ -1488,6 +1488,54 @@ func TestParseQuery(t *testing.T) {
+        }
+ }
+func TestParseQueryLimits(t *testing.T) {
+       for _, test := range []struct {
+               params  int
+               godebug string
+               wantErr bool
+       }{{
+               params:  10,
+               wantErr: false,
+       }, {
+               params:  defaultMaxParams,
+               wantErr: false,
+       }, {
+               params:  defaultMaxParams + 1,
+               wantErr: true,
+       }, {
+               params:  10,
+               godebug: "urlmaxqueryparams=9",
+               wantErr: true,
+       }, {
+               params:  defaultMaxParams + 1,
+               godebug: "urlmaxqueryparams=0",
+               wantErr: false,
+       }} {
+               t.Setenv("GODEBUG", test.godebug)
+               want := Values{}
+               var b strings.Builder
+               for i := range test.params {
+                       if i > 0 {
+                               b.WriteString("&")
+                       }
+                       p := fmt.Sprintf("p%v", i)
+                       b.WriteString(p)
+                       want[p] = []string{""}
+               }
+               query := b.String()
+               got, err := ParseQuery(query)
+               if gotErr, wantErr := err != nil, test.wantErr; gotErr != wantErr {
+                       t.Errorf("GODEBUG=%v ParseQuery(%v params) = %v, want error: %v", test.godebug, test.params, err, wantErr)
+               }
+               if err != nil {
+                       continue
+               }
+               if got, want := len(got), test.params; got != want {
+                       t.Errorf("GODEBUG=%v ParseQuery(%v params): got %v params, want %v", test.godebug, test.params, got, want)
+               }
+       }
+}
+
+ type RequestURITest struct {
+        url *URL
+        out string
+diff --git a/src/runtime/metrics/doc.go b/src/runtime/metrics/doc.go
+index 517ec0e0a4..335f7873b3 100644
+--- a/src/runtime/metrics/doc.go
+++ b/src/runtime/metrics/doc.go
+@@ -328,6 +328,11 @@ Below is the full list of supported metrics, ordered lexicographically.
+                The number of non-default behaviors executed by the crypto/tls
+                package due to a non-default GODEBUG=tlsunsafeekm=... setting.
+       /godebug/non-default-behavior/urlmaxqueryparams:events
+               The number of non-default behaviors executed by the net/url
+               package due to a non-default GODEBUG=urlmaxqueryparams=...
+               setting.
+
+        /godebug/non-default-behavior/x509sha1:events
+                The number of non-default behaviors executed by the crypto/x509
+                package due to a non-default GODEBUG=x509sha1=... setting.
+--
+2.35.6
author	Deepak Rathore <deeratho@cisco.com>	2026-02-11 20:59:00 -0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2026-02-27 17:45:06 +0000
commit	242963f4cd1597d31a3efae2422016bf888c6e25 (patch)
tree	5db15ef67a5102604878445c9bb26dafff8aa7e7 /meta
parent	dde29170e37afe550fecc5da53eebeaa05e3f790 (diff)
download	poky-242963f4cd1597d31a3efae2422016bf888c6e25.tar.gz

diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc index e9a1803252..46f6ef5d8f 100644 --- a/meta/recipes-devtools/go/go-1.22.12.inc +++ b/meta/recipes-devtools/go/go-1.22.12.inc
@@ -32,6 +32,7 @@ SRC_URI += "\
32	file://CVE-2025-61727.patch \	32	file://CVE-2025-61727.patch \
33	file://CVE-2025-61729.patch \	33	file://CVE-2025-61729.patch \
34	file://CVE-2025-61730.patch \	34	file://CVE-2025-61730.patch \
		35	file://CVE-2025-61726.patch \
35	"	36	"
36	SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71"	37	SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71"
37		38


diff --git a/meta/recipes-devtools/go/go/CVE-2025-61726.patch b/meta/recipes-devtools/go/go/CVE-2025-61726.patch new file mode 100644 index 0000000000..ab053ff55c --- /dev/null +++ b/meta/recipes-devtools/go/go/CVE-2025-61726.patch
@@ -0,0 +1,196 @@
		1	From 85050ca6146f3edb50ded0a352ab9edbd635effc Mon Sep 17 00:00:00 2001
		2	From: Damien Neil <dneil@google.com>
		3	Date: Mon, 3 Nov 2025 14:28:47 -0800
		4	Subject: [PATCH] [release-branch.go1.24] net/url: add urlmaxqueryparams
		5	GODEBUG to limit the number of query parameters
		6
		7	net/url does not currently limit the number of query parameters parsed by
		8	url.ParseQuery or URL.Query.
		9
		10	When parsing a application/x-www-form-urlencoded form,
		11	net/http.Request.ParseForm will parse up to 10 MB of query parameters.
		12	An input consisting of a large number of small, unique parameters can
		13	cause excessive memory consumption.
		14
		15	We now limit the number of query parameters parsed to 10000 by default.
		16	The limit can be adjusted by setting GODEBUG=urlmaxqueryparams=<n>.
		17	Setting urlmaxqueryparams to 0 disables the limit.
		18
		19	Thanks to jub0bs for reporting this issue.
		20
		21	Fixes #77101
		22	Fixes CVE-2025-61726
		23
		24	CVE: CVE-2025-61726
		25	Upstream-Status: Backport [https://github.com/golang/go/commit/85c794ddce26]
		26
		27	Change-Id: Iee3374c7ee2d8586dbf158536d3ade424203ff66
		28	Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3020
		29	Reviewed-by: Nicholas Husin <husin@google.com>
		30	Reviewed-by: Neal Patel <nealpatel@google.com>
		31	Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3326
		32	Reviewed-by: Roland Shoemaker <bracewell@google.com>
		33	Reviewed-on: https://go-review.googlesource.com/c/go/+/736702
		34	Auto-Submit: Michael Pratt <mpratt@google.com>
		35	Reviewed-by: Junyang Shao <shaojunyang@google.com>
		36	TryBot-Bypass: Michael Pratt <mpratt@google.com>
		37	(cherry picked from commit 85c794ddce26a092b0ea68d0fca79028b5069d5a)
		38	Signed-off-by: Deepak Rathore <deeratho@cisco.com>
		39	---
		40	doc/godebug.md \| 7 +++++
		41	src/internal/godebugs/table.go \| 1 +
		42	src/net/url/url.go \| 24 +++++++++++++++++
		43	src/net/url/url_test.go \| 48 ++++++++++++++++++++++++++++++++++
		44	src/runtime/metrics/doc.go \| 5 ++++
		45	5 files changed, 85 insertions(+)
		46
		47	diff --git a/doc/godebug.md b/doc/godebug.md
		48	index ae4f0576b4..635597ea42 100644
		49	--- a/doc/godebug.md
		50	+++ b/doc/godebug.md
		51	@@ -126,6 +126,13 @@ for example,
		52	see the [runtime documentation](/pkg/runtime#hdr-Environment_Variables)
		53	and the [go command documentation](/cmd/go#hdr-Build_and_test_caching).
		54
		55	+Go 1.26 added a new `urlmaxqueryparams` setting that controls the maximum number
		56	+of query parameters that net/url will accept when parsing a URL-encoded query string.
		57	+If the number of parameters exceeds the number set in `urlmaxqueryparams`,
		58	+parsing will fail early. The default value is `urlmaxqueryparams=10000`.
		59	+Setting `urlmaxqueryparams=0`bles the limit. To avoid denial of service attacks,
		60	+this setting and default was backported to Go 1.25.4 and Go 1.24.10.
		61	+
		62	Go 1.23.11 disabled build information stamping when multiple VCS are detected due
		63	to concerns around VCS injection attacks. This behavior can be renabled with the
		64	setting `allowmultiplevcs=1`.
		65	diff --git a/src/internal/godebugs/table.go b/src/internal/godebugs/table.go
		66	index 33dcd81fc3..4ae043053c 100644
		67	--- a/src/internal/godebugs/table.go
		68	+++ b/src/internal/godebugs/table.go
		69	@@ -52,6 +52,7 @@ var All = []Info{
		70	{Name: "tlsrsakex", Package: "crypto/tls", Changed: 22, Old: "1"},
		71	{Name: "tlsunsafeekm", Package: "crypto/tls", Changed: 22, Old: "1"},
		72	{Name: "x509sha1", Package: "crypto/x509"},
		73	+ {Name: "urlmaxqueryparams", Package: "net/url", Changed: 24, Old: "0"},
		74	{Name: "x509usefallbackroots", Package: "crypto/x509"},
		75	{Name: "x509usepolicies", Package: "crypto/x509"},
		76	{Name: "zipinsecurepath", Package: "archive/zip"},
		77	diff --git a/src/net/url/url.go b/src/net/url/url.go
		78	index d2ae03232f..5219e3c130 100644
		79	--- a/src/net/url/url.go
		80	+++ b/src/net/url/url.go
		81	@@ -13,6 +13,7 @@ package url
		82	import (
		83	"errors"
		84	"fmt"
		85	+ "internal/godebug"
		86	"net/netip"
		87	"path"
		88	"sort"
		89	@@ -958,7 +959,30 @@ func ParseQuery(query string) (Values, error) {
		90	return m, err
		91	}
		92
		93	+var urlmaxqueryparams = godebug.New("urlmaxqueryparams")
		94	+
		95	+const defaultMaxParams = 10000
		96	+
		97	+func urlParamsWithinMax(params int) bool {
		98	+ withinDefaultMax := params <= defaultMaxParams
		99	+ if urlmaxqueryparams.Value() == "" {
		100	+ return withinDefaultMax
		101	+ }
		102	+ customMax, err := strconv.Atoi(urlmaxqueryparams.Value())
		103	+ if err != nil {
		104	+ return withinDefaultMax
		105	+ }
		106	+ withinCustomMax := customMax == 0 \|\| params < customMax
		107	+ if withinDefaultMax != withinCustomMax {
		108	+ urlmaxqueryparams.IncNonDefault()
		109	+ }
		110	+ return withinCustomMax
		111	+}
		112	+
		113	func parseQuery(m Values, query string) (err error) {
		114	+ if !urlParamsWithinMax(strings.Count(query, "&") + 1) {
		115	+ return errors.New("number of URL query parameters exceeded limit")
		116	+ }
		117	for query != "" {
		118	var key string
		119	key, query, _ = strings.Cut(query, "&")
		120	diff --git a/src/net/url/url_test.go b/src/net/url/url_test.go
		121	index fef236e40a..b2f8bd95fc 100644
		122	--- a/src/net/url/url_test.go
		123	+++ b/src/net/url/url_test.go
		124	@@ -1488,6 +1488,54 @@ func TestParseQuery(t *testing.T) {
		125	}
		126	}
		127
		128	+func TestParseQueryLimits(t *testing.T) {
		129	+ for _, test := range []struct {
		130	+ params int
		131	+ godebug string
		132	+ wantErr bool
		133	+ }{{
		134	+ params: 10,
		135	+ wantErr: false,
		136	+ }, {
		137	+ params: defaultMaxParams,
		138	+ wantErr: false,
		139	+ }, {
		140	+ params: defaultMaxParams + 1,
		141	+ wantErr: true,
		142	+ }, {
		143	+ params: 10,
		144	+ godebug: "urlmaxqueryparams=9",
		145	+ wantErr: true,
		146	+ }, {
		147	+ params: defaultMaxParams + 1,
		148	+ godebug: "urlmaxqueryparams=0",
		149	+ wantErr: false,
		150	+ }} {
		151	+ t.Setenv("GODEBUG", test.godebug)
		152	+ want := Values{}
		153	+ var b strings.Builder
		154	+ for i := range test.params {
		155	+ if i > 0 {
		156	+ b.WriteString("&")
		157	+ }
		158	+ p := fmt.Sprintf("p%v", i)
		159	+ b.WriteString(p)
		160	+ want[p] = []string{""}
		161	+ }
		162	+ query := b.String()
		163	+ got, err := ParseQuery(query)
		164	+ if gotErr, wantErr := err != nil, test.wantErr; gotErr != wantErr {
		165	+ t.Errorf("GODEBUG=%v ParseQuery(%v params) = %v, want error: %v", test.godebug, test.params, err, wantErr)
		166	+ }
		167	+ if err != nil {
		168	+ continue
		169	+ }
		170	+ if got, want := len(got), test.params; got != want {
		171	+ t.Errorf("GODEBUG=%v ParseQuery(%v params): got %v params, want %v", test.godebug, test.params, got, want)
		172	+ }
		173	+ }
		174	+}
		175	+
		176	type RequestURITest struct {
		177	url *URL
		178	out string
		179	diff --git a/src/runtime/metrics/doc.go b/src/runtime/metrics/doc.go
		180	index 517ec0e0a4..335f7873b3 100644
		181	--- a/src/runtime/metrics/doc.go
		182	+++ b/src/runtime/metrics/doc.go
		183	@@ -328,6 +328,11 @@ Below is the full list of supported metrics, ordered lexicographically.
		184	The number of non-default behaviors executed by the crypto/tls
		185	package due to a non-default GODEBUG=tlsunsafeekm=... setting.
		186
		187	+ /godebug/non-default-behavior/urlmaxqueryparams:events
		188	+ The number of non-default behaviors executed by the net/url
		189	+ package due to a non-default GODEBUG=urlmaxqueryparams=...
		190	+ setting.
		191	+
		192	/godebug/non-default-behavior/x509sha1:events
		193	The number of non-default behaviors executed by the crypto/x509
		194	package due to a non-default GODEBUG=x509sha1=... setting.
		195	--
		196	2.35.6