go 1.22.12: Fix CVE-2025-61731

Upstream Repository: https://github.com/golang/go.git Bug details: https://nvd.nist.gov/vuln/detail/CVE-2025-61731 Type: Security Fix CVE: CVE-2025-61731 Score: 7.8 Patch: https://github.com/golang/go/commit/00b7309387a1 (From OE-Core rev: a7d8ad20525ee6c74a0e149dfd54c7e5c9e1f740) Signed-off-by: Deepak Rathore <deeratho@cisco.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Deepak Rathore <deeratho@cisco.com> 2026-02-11 21:01:25 -0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2026-02-27 17:45:06 +0000
commit: a231c49abc399af64185f7bc8ca1cded0191dd8b (patch)
tree: c2eac66b6798bd895418a2ddcae2678a20810f5e /meta
parent: e333b43a692acd58d42c5bdb8ac54b41c07e8a0d (diff)
download: poky-a231c49abc399af64185f7bc8ca1cded0191dd8b.tar.gz
2 files changed, 71 insertions, 0 deletions
diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc
index 04e380c821..82019f25dd 100644
--- a/meta/recipes-devtools/go/go-1.22.12.inc
+++ b/meta/recipes-devtools/go/go-1.22.12.inc
@@ -34,6 +34,7 @@ SRC_URI += "\
    file://CVE-2025-61730.patch \
    file://CVE-2025-61726.patch \
    file://CVE-2025-61728.patch \
+    file://CVE-2025-61731.patch \
 "
 SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71"
diff --git a/meta/recipes-devtools/go/go/CVE-2025-61731.patch b/meta/recipes-devtools/go/go/CVE-2025-61731.patch
new file mode 100644
index 0000000000..a4589daade
--- /dev/null
+++ b/meta/recipes-devtools/go/go/CVE-2025-61731.patch
@@ -0,0 +1,70 @@
+From ab266ccbc19789c52dcb1dc6e8e71d2f4fd545ff Mon Sep 17 00:00:00 2001
+From: Neal Patel <nealpatel@google.com>
+Date: Thu, 4 Dec 2025 12:30:39 -0500
+Subject: [PATCH] [release-branch.go1.24] cmd/go/internal/work: sanitize flags
+ before invoking 'pkg-config'
+The addition of CgoPkgConfig allowed execution with flags not
+matching the safelist. In order to prevent potential arbitrary
+code execution at build time, ensure that flags are validated
+prior to invoking the 'pkg-config' binary.
+Thank you to RyotaK (https://ryotak.net) of GMO Flatt Security Inc.
+for reporting this issue.
+Fixes CVE-2025-61731
+Fixes #77100
+CVE: CVE-2025-61731
+Upstream-Status: Backport [https://github.com/golang/go/commit/00b7309387a1]
+Change-Id: Ic51b41f1f7e697ab98c9c32c6fae35f217f7f364
+Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3240
+Reviewed-by: Nicholas Husin <husin@google.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3344
+Reviewed-by: Neal Patel <nealpatel@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/736701
+Auto-Submit: Michael Pratt <mpratt@google.com>
+TryBot-Bypass: Michael Pratt <mpratt@google.com>
+Reviewed-by: Junyang Shao <shaojunyang@google.com>
+(cherry picked from commit 00b7309387a171bcba37382e7ed96b473df04917)
+Signed-off-by: Deepak Rathore <deeratho@cisco.com>
+---
+ src/cmd/go/internal/work/exec.go     | 8 ++++++++
+ src/cmd/go/internal/work/security.go | 1 +
+ 2 files changed, 9 insertions(+)
+diff --git a/src/cmd/go/internal/work/exec.go b/src/cmd/go/internal/work/exec.go
+index c8f297cbe9..815942a703 100644
+--- a/src/cmd/go/internal/work/exec.go
+++ b/src/cmd/go/internal/work/exec.go
+@@ -1684,6 +1684,14 @@ func (b *Builder) getPkgConfigFlags(a *Action) (cflags, ldflags []string, err er
+                                return nil, nil, fmt.Errorf("invalid pkg-config package name: %s", pkg)
+                        }
+                }
+
+               // Running 'pkg-config' can cause execution of
+               // arbitrary code using flags that are not in
+               // the safelist.
+               if err := checkCompilerFlags("CFLAGS", "pkg-config --cflags", pcflags); err != nil {
+                       return nil, nil, err
+               }
+
+                var out []byte
+                out, err = sh.runOut(p.Dir, nil, b.PkgconfigCmd(), "--cflags", pcflags, "--", pkgs)
+                if err != nil {
+diff --git a/src/cmd/go/internal/work/security.go b/src/cmd/go/internal/work/security.go
+index 568eecd325..79724ed04a 100644
+--- a/src/cmd/go/internal/work/security.go
+++ b/src/cmd/go/internal/work/security.go
+@@ -122,6 +122,7 @@ var validCompilerFlags = []*lazyregexp.Regexp{
+        re(`-pedantic(-errors)?`),
+        re(`-pipe`),
+        re(`-pthread`),
+       re(`--static`),
+        re(`-?-std=([^@\-].*)`),
+        re(`-?-stdlib=([^@\-].*)`),
+        re(`--sysroot=([^@\-].*)`),
+--
+2.35.6
author	Deepak Rathore <deeratho@cisco.com>	2026-02-11 21:01:25 -0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2026-02-27 17:45:06 +0000
commit	a231c49abc399af64185f7bc8ca1cded0191dd8b (patch)
tree	c2eac66b6798bd895418a2ddcae2678a20810f5e /meta
parent	e333b43a692acd58d42c5bdb8ac54b41c07e8a0d (diff)
download	poky-a231c49abc399af64185f7bc8ca1cded0191dd8b.tar.gz

diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc index 04e380c821..82019f25dd 100644 --- a/meta/recipes-devtools/go/go-1.22.12.inc +++ b/meta/recipes-devtools/go/go-1.22.12.inc
@@ -34,6 +34,7 @@ SRC_URI += "\
34	file://CVE-2025-61730.patch \	34	file://CVE-2025-61730.patch \
35	file://CVE-2025-61726.patch \	35	file://CVE-2025-61726.patch \
36	file://CVE-2025-61728.patch \	36	file://CVE-2025-61728.patch \
		37	file://CVE-2025-61731.patch \
37	"	38	"
38	SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71"	39	SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71"
39		40


diff --git a/meta/recipes-devtools/go/go/CVE-2025-61731.patch b/meta/recipes-devtools/go/go/CVE-2025-61731.patch new file mode 100644 index 0000000000..a4589daade --- /dev/null +++ b/meta/recipes-devtools/go/go/CVE-2025-61731.patch
@@ -0,0 +1,70 @@
		1	From ab266ccbc19789c52dcb1dc6e8e71d2f4fd545ff Mon Sep 17 00:00:00 2001
		2	From: Neal Patel <nealpatel@google.com>
		3	Date: Thu, 4 Dec 2025 12:30:39 -0500
		4	Subject: [PATCH] [release-branch.go1.24] cmd/go/internal/work: sanitize flags
		5	before invoking 'pkg-config'
		6
		7	The addition of CgoPkgConfig allowed execution with flags not
		8	matching the safelist. In order to prevent potential arbitrary
		9	code execution at build time, ensure that flags are validated
		10	prior to invoking the 'pkg-config' binary.
		11
		12	Thank you to RyotaK (https://ryotak.net) of GMO Flatt Security Inc.
		13	for reporting this issue.
		14
		15	Fixes CVE-2025-61731
		16	Fixes #77100
		17
		18	CVE: CVE-2025-61731
		19	Upstream-Status: Backport [https://github.com/golang/go/commit/00b7309387a1]
		20
		21	Change-Id: Ic51b41f1f7e697ab98c9c32c6fae35f217f7f364
		22	Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3240
		23	Reviewed-by: Nicholas Husin <husin@google.com>
		24	Reviewed-by: Damien Neil <dneil@google.com>
		25	Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3344
		26	Reviewed-by: Neal Patel <nealpatel@google.com>
		27	Reviewed-on: https://go-review.googlesource.com/c/go/+/736701
		28	Auto-Submit: Michael Pratt <mpratt@google.com>
		29	TryBot-Bypass: Michael Pratt <mpratt@google.com>
		30	Reviewed-by: Junyang Shao <shaojunyang@google.com>
		31	(cherry picked from commit 00b7309387a171bcba37382e7ed96b473df04917)
		32	Signed-off-by: Deepak Rathore <deeratho@cisco.com>
		33	---
		34	src/cmd/go/internal/work/exec.go \| 8 ++++++++
		35	src/cmd/go/internal/work/security.go \| 1 +
		36	2 files changed, 9 insertions(+)
		37
		38	diff --git a/src/cmd/go/internal/work/exec.go b/src/cmd/go/internal/work/exec.go
		39	index c8f297cbe9..815942a703 100644
		40	--- a/src/cmd/go/internal/work/exec.go
		41	+++ b/src/cmd/go/internal/work/exec.go
		42	@@ -1684,6 +1684,14 @@ func (b Builder) getPkgConfigFlags(a Action) (cflags, ldflags []string, err er
		43	return nil, nil, fmt.Errorf("invalid pkg-config package name: %s", pkg)
		44	}
		45	}
		46	+
		47	+ // Running 'pkg-config' can cause execution of
		48	+ // arbitrary code using flags that are not in
		49	+ // the safelist.
		50	+ if err := checkCompilerFlags("CFLAGS", "pkg-config --cflags", pcflags); err != nil {
		51	+ return nil, nil, err
		52	+ }
		53	+
		54	var out []byte
		55	out, err = sh.runOut(p.Dir, nil, b.PkgconfigCmd(), "--cflags", pcflags, "--", pkgs)
		56	if err != nil {
		57	diff --git a/src/cmd/go/internal/work/security.go b/src/cmd/go/internal/work/security.go
		58	index 568eecd325..79724ed04a 100644
		59	--- a/src/cmd/go/internal/work/security.go
		60	+++ b/src/cmd/go/internal/work/security.go
		61	@@ -122,6 +122,7 @@ var validCompilerFlags = []*lazyregexp.Regexp{
		62	re(`-pedantic(-errors)?`),
		63	re(`-pipe`),
		64	re(`-pthread`),
		65	+ re(`--static`),
		66	re(`-?-std=([^@\-].*)`),
		67	re(`-?-stdlib=([^@\-].*)`),
		68	re(`--sysroot=([^@\-].*)`),
		69	--
		70	2.35.6