From: "Yoann Congal" <yoann.congal@smile.fr>
To: <eduardo.barbosa@toradex.com>,
"Eduardo Ferreira" <eduardo.f120@yahoo.com>,
"openembedded-core@lists.openembedded.org"
<openembedded-core@lists.openembedded.org>
Subject: Re: [OE-core][scarthgap][PATCH] go: Fix CVE-2025-61726.patch variable ordering
Date: Thu, 12 Mar 2026 17:14:51 +0100 [thread overview]
Message-ID: <DH0XRG6JW24L.HWUFDCHSA433@smile.fr> (raw)
In-Reply-To: <GV0P278MB0767EE53CCFA8EE22A5559A3E844A@GV0P278MB0767.CHEP278.PROD.OUTLOOK.COM>
On Thu Mar 12, 2026 at 2:54 PM CET, Eduardo Ferreira Barbosa via lists.openembedded.org wrote:
> Hi, is this patch submission OK for review, or did I miss something with this new version?
This submission is fine; I have it in my review branch[0].
You should see it in my patch review request or have an answer in the
next few days.
Thanks!
[0]: https://git.yoctoproject.org/poky-contrib/log/?h=stable/scarthgap-nut
>
> Thanks,
> Eduardo
> ________________________________
> From: Eduardo Ferreira <eduardo.f120@yahoo.com>
> Sent: Monday, March 9, 2026 1:53 PM
> To: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org>
> Cc: Eduardo Ferreira Barbosa <eduardo.barbosa@toradex.com>
> Subject: [OE-core][scarthgap][PATCH] go: Fix CVE-2025-61726.patch variable ordering
>
>
> From: Eduardo Ferreira <eduardo.barbosa@toradex.com>
>
> Commit 6a1ae4e792 (go 1.22.12: Fix CVE-2025-61726, 2026-02-11)
> introduced a patch backporting a fix for CVE-2025-61726, but
> this patch also introduced a bug.
>
> From Go's source code[1], they say that the 'All' table from 'godebugs'
> should be populated alphabetically by Name. And 'Lookup'[2] function uses
> binary search to try and find the variable.
>
> Here's the trace:
> Mar 06 11:33:33 toradex-smarc-imx95-12594035 systemd[1]: Started Docker Application Container Engine.
> Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: 2026/03/06 11:34:53 http: panic serving @: godebug: Value of name not listed in godebugs.All: urlmaxqueryparams
> Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: goroutine 78 [running]:
> Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: net/http.(*conn).serve.func1()
> Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: net/http/server.go:1903 +0xb0
> Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: panic({0x55743e8740?, 0x4000b526c0?})
> Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: runtime/panic.go:770 +0x124
> Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: go.opentelemetry.io/otel/sdk/trace.(*recordingSpan).End.deferwrap1()
> Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: go.opentelemetry.io/otel/sdk@v1.19.0/trace/span.go:383 +0x2c
> Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: go.opentelemetry.io/otel/sdk/trace.(*recordingSpan).End(0x40011b4a80, {0x0, 0x0, 0x40006441c0?})
> Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: go.opentelemetry.io/otel/sdk@v1.19.0/trace/span.go:421 +0x898
> Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: panic({0x55743e8740?, 0x4000b526c0?})
> Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: runtime/panic.go:770 +0x124
> Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: internal/godebug.(*Setting).Value.func1()
> Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: internal/godebug/godebug.go:141 +0xd8
> Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: sync.(*Once).doSlow(0x22?, 0x55748a9b60?)
> Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: sync/once.go:74 +0x100
> Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: sync.(*Once).Do(...)
> Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: sync/once.go:65
> Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: internal/godebug.(*Setting).Value(0x5575b21be0)
> Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: internal/godebug/godebug.go:138 +0x50
> Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: net/url.urlParamsWithinMax(0x1)
> Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: net/url/url.go:968 +0x3c
> Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: net/url.parseQuery(0x400069a630, {0x0, 0x0})
> Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: net/url/url.go:985 +0xdc
> Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: net/url.ParseQuery(...)
> Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: net/url/url.go:958
> Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: net/http.(*Request).ParseForm(0x4000bdab40)
> Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: net/http/request.go:1317 +0x33c
> Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: github.com/docker/docker/api/server/httputils.ParseForm(0x0?)
> Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: github.com/docker/docker/api/server/httputils/httputils.go:104 +0x20
>
> The 'Lookup' function was failing due to the wrong ordering and returning 'nil',
> which was not being checked properly and caused this issue.
>
> The fix was to just reorder the line where 'urlmaxqueryparams' is being
> added to respect the alphabetical ordering. And for that the whole CVE
> patch was generated again.
>
> This change was validated with docker-moby (original issue), where a container
> ran successfully with no traces in the logs.
>
> [1] https://github.com/golang/go/blob/master/src/internal/godebugs/table.go#L20
> [2] https://github.com/golang/go/blob/master/src/internal/godebugs/table.go#L100
>
> Signed-off-by: Eduardo Ferreira <eduardo.barbosa@toradex.com>
> ---
> .../go/go/CVE-2025-61726.patch | 21 ++++++++++---------
> 1 file changed, 11 insertions(+), 10 deletions(-)
>
> diff --git a/meta/recipes-devtools/go/go/CVE-2025-61726.patch b/meta/recipes-devtools/go/go/CVE-2025-61726.patch
> index ab053ff55c..bdd10bc933 100644
> --- a/meta/recipes-devtools/go/go/CVE-2025-61726.patch
> +++ b/meta/recipes-devtools/go/go/CVE-2025-61726.patch
> @@ -1,4 +1,4 @@
> -From 85050ca6146f3edb50ded0a352ab9edbd635effc Mon Sep 17 00:00:00 2001
> +From bf06767a9ac737387eee77c7eedd67c65e853ac2 Mon Sep 17 00:00:00 2001
> From: Damien Neil <dneil@google.com>
> Date: Mon, 3 Nov 2025 14:28:47 -0800
> Subject: [PATCH] [release-branch.go1.24] net/url: add urlmaxqueryparams
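Review bot: the new `From bf06767a9ac7...` hash on the first line is the id of the locally regenerated commit, not of any upstream Go commit, so on its own it gives a reader no way to trace the backport; what still ties this file to the upstream fix is the `(cherry picked from commit 85c794ddce26...)` line further down in the header, so please make sure that line (and the upstream Subject) survive every regeneration of the patch rather than being rewritten with the local hash.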
> @@ -36,6 +36,7 @@ Reviewed-by: Junyang Shao <shaojunyang@google.com>
> TryBot-Bypass: Michael Pratt <mpratt@google.com>
> (cherry picked from commit 85c794ddce26a092b0ea68d0fca79028b5069d5a)
> Signed-off-by: Deepak Rathore <deeratho@cisco.com>
> +Signed-off-by: Eduardo Ferreira <eduardo.barbosa@toradex.com>
> ---
> doc/godebug.md | 7 +++++
> src/internal/godebugs/table.go | 1 +
> @@ -45,7 +46,7 @@ Signed-off-by: Deepak Rathore <deeratho@cisco.com>
> 5 files changed, 85 insertions(+)
>
> diff --git a/doc/godebug.md b/doc/godebug.md
> -index ae4f0576b4..635597ea42 100644
> +index ae4f057..635597e 100644
> --- a/doc/godebug.md
> +++ b/doc/godebug.md
> @@ -126,6 +126,13 @@ for example,
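Review bot: the `index ae4f0576b4..635597ea42` to `index ae4f057..635597e` change here, repeated in every following hunk, only shortens the blob hashes from 10 to 7 characters because the patch was regenerated with a different git abbreviation setting; it is cosmetic and does not affect how the patch applies, but it adds five noise hunks around the single real change in the table.go hunk. Acceptable as-is, though regenerating with `--abbrev=10` (a diff option git format-patch accepts) would keep the diff down to the one meaningful hunk and make the next backport review easier.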
> @@ -63,19 +64,19 @@ index ae4f0576b4..635597ea42 100644
> to concerns around VCS injection attacks. This behavior can be renabled with the
> setting `allowmultiplevcs=1`.
> diff --git a/src/internal/godebugs/table.go b/src/internal/godebugs/table.go
> -index 33dcd81fc3..4ae043053c 100644
> +index 33dcd81..7178df6 100644
> --- a/src/internal/godebugs/table.go
> +++ b/src/internal/godebugs/table.go
> -@@ -52,6 +52,7 @@ var All = []Info{
> +@@ -51,6 +51,7 @@ var All = []Info{
> + {Name: "tlsmaxrsasize", Package: "crypto/tls"},
> {Name: "tlsrsakex", Package: "crypto/tls", Changed: 22, Old: "1"},
> {Name: "tlsunsafeekm", Package: "crypto/tls", Changed: 22, Old: "1"},
> - {Name: "x509sha1", Package: "crypto/x509"},
> + {Name: "urlmaxqueryparams", Package: "net/url", Changed: 24, Old: "0"},
> + {Name: "x509sha1", Package: "crypto/x509"},
> {Name: "x509usefallbackroots", Package: "crypto/x509"},
> {Name: "x509usepolicies", Package: "crypto/x509"},
> - {Name: "zipinsecurepath", Package: "archive/zip"},
> diff --git a/src/net/url/url.go b/src/net/url/url.go
> -index d2ae03232f..5219e3c130 100644
> +index d2ae032..cdca468 100644
> --- a/src/net/url/url.go
> +++ b/src/net/url/url.go
> @@ -13,6 +13,7 @@ package url
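Review bot: the reordering is correct: moving the `urlmaxqueryparams` line ahead of `x509sha1` puts it between `tlsunsafeekm` and `x509sha1`, which is its alphabetical position, so the binary search in `Lookup` that the commit message describes can now find it instead of returning nil. Two points to check before merging: the inner hunk header moved from `@@ -52,6 +52,7 @@` to `@@ -51,6 +51,7 @@` and now carries `tlsmaxrsasize` as leading context while dropping `zipinsecurepath` as trailing context, so confirm the regenerated patch applies without fuzz to the go 1.22.12 `table.go` in scarthgap; and since this bug was only caught as a runtime panic in dockerd, it would be worth adding (or running, if one exists in the tree) a test that asserts the `All` table is sorted by Name, so the next backport that touches this table fails at build time rather than in a deployed daemon.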
> @@ -118,7 +119,7 @@ index d2ae03232f..5219e3c130 100644
> var key string
> key, query, _ = strings.Cut(query, "&")
> diff --git a/src/net/url/url_test.go b/src/net/url/url_test.go
> -index fef236e40a..b2f8bd95fc 100644
> +index fef236e..b2f8bd9 100644
> --- a/src/net/url/url_test.go
> +++ b/src/net/url/url_test.go
> @@ -1488,6 +1488,54 @@ func TestParseQuery(t *testing.T) {
> @@ -177,7 +178,7 @@ index fef236e40a..b2f8bd95fc 100644
> url *URL
> out string
> diff --git a/src/runtime/metrics/doc.go b/src/runtime/metrics/doc.go
> -index 517ec0e0a4..335f7873b3 100644
> +index 517ec0e..88d6d8c 100644
> --- a/src/runtime/metrics/doc.go
> +++ b/src/runtime/metrics/doc.go
> @@ -328,6 +328,11 @@ Below is the full list of supported metrics, ordered lexicographically.
> @@ -193,4 +194,4 @@ index 517ec0e0a4..335f7873b3 100644
> The number of non-default behaviors executed by the crypto/x509
> package due to a non-default GODEBUG=x509sha1=... setting.
> --
> -2.35.6
> +2.34.1
> --
> 2.34.1
--
Yoann Congal
Smile ECS
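The ordering invariant the commit message describes, as an added example that is not part of this thread, of Go's internal/godebugs, or of the OE patch: a constructed excerpt of the GODEBUG table in both the misordered form the original backport had (urlmaxqueryparams after x509sha1) and the corrected form, a binary-search lookup over it modelled on the commit message's description of `Lookup`, and the sortedness check that would have flagged the regression at test time instead of as the "Value of name not listed in godebugs.All" panic in the trace above. The `Info`, `lookup`, `checkSorted`, `goodTable` and `badTable` names are this example's own.

```go
package main

import (
	"fmt"
	"sort"
)

// Info mirrors the shape of an entry in Go's internal/godebugs.All
// (re-implemented here for illustration; not Go's own code).
type Info struct {
	Name    string
	Package string
}

// goodTable is a constructed excerpt of the GODEBUG table with
// urlmaxqueryparams in its alphabetical slot, as the corrected patch places it.
var goodTable = []Info{
	{Name: "tlsmaxrsasize", Package: "crypto/tls"},
	{Name: "tlsrsakex", Package: "crypto/tls"},
	{Name: "tlsunsafeekm", Package: "crypto/tls"},
	{Name: "urlmaxqueryparams", Package: "net/url"},
	{Name: "x509sha1", Package: "crypto/x509"},
	{Name: "x509usefallbackroots", Package: "crypto/x509"},
	{Name: "x509usepolicies", Package: "crypto/x509"},
	{Name: "zipinsecurepath", Package: "archive/zip"},
}

// badTable is the same constructed excerpt with urlmaxqueryparams inserted
// after x509sha1, the ordering the original backport had.
var badTable = []Info{
	{Name: "tlsmaxrsasize", Package: "crypto/tls"},
	{Name: "tlsrsakex", Package: "crypto/tls"},
	{Name: "tlsunsafeekm", Package: "crypto/tls"},
	{Name: "x509sha1", Package: "crypto/x509"},
	{Name: "urlmaxqueryparams", Package: "net/url"},
	{Name: "x509usefallbackroots", Package: "crypto/x509"},
	{Name: "x509usepolicies", Package: "crypto/x509"},
	{Name: "zipinsecurepath", Package: "archive/zip"},
}

// lookup assumes table is sorted by Name and binary-searches it, as the
// commit message says godebugs.Lookup does. On a misordered table the
// search converges on the wrong slot and the caller silently gets nil.
func lookup(table []Info, name string) *Info {
	i := sort.Search(len(table), func(i int) bool { return table[i].Name >= name })
	if i < len(table) && table[i].Name == name {
		return &table[i]
	}
	return nil
}

// checkSorted is the cheap invariant check that turns a silent nil (and the
// later runtime panic) into a clear failure at test or build time: it reports
// the first adjacent pair that violates strict ascending order by Name.
func checkSorted(table []Info) error {
	for i := 1; i < len(table); i++ {
		if table[i-1].Name >= table[i].Name {
			return fmt.Errorf("godebugs table not sorted by Name: %q appears after %q",
				table[i].Name, table[i-1].Name)
		}
	}
	return nil
}

func main() {
	for _, tc := range []struct {
		label string
		table []Info
	}{{"misordered", badTable}, {"corrected", goodTable}} {
		fmt.Printf("%-10s table: sorted=%v found=%v\n", tc.label,
			checkSorted(tc.table) == nil,
			lookup(tc.table, "urlmaxqueryparams") != nil)
	}
	// prints: misordered table: sorted=false found=false
	//         corrected  table: sorted=true found=true
}
```

The interesting part is that the misplaced entry is present in the table yet never found: binary search only probes the positions the sort order tells it to, so it lands on `x509sha1` and stops. A linear `checkSorted` run once, in a unit test or as part of the recipe's build-time checks, costs nothing and names the offending pair directly, which is far cheaper to diagnose than a panic surfacing from `net/url.ParseQuery` inside a running daemon.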