Hello,

Reviewing for scarthgap:

On Fri Mar 6, 2026 at 7:06 PM CET, eduardo.f120 via lists.openembedded.org 
wrote:
> From: Eduardo Ferreira <[email protected]>
> Subject: [PATCH] go 1.22.12: Fix CVE-2025-61726.patch variable ordering

The tag in the subject does not usually contain the version (I missed
that in the last go patches :( ). Just "go: Fix CVE-2025-61726.patch
variable ordering" is fine.
>
> Commit 6a1ae4e79252f9a896faa702e4a8b3e27529a474 introduced a patch

When referencing a patch, I suggest adding the title for context. The
kernel has a nice rule about it, and that looks like:
commit 6a1ae4e79252 ("go 1.22.12: Fix CVE-2025-61726")

git also has a nice option built-in:
 $ git log -1 --format=reference 6a1ae4e79252f9a896faa702e4a8b3e27529a474
6a1ae4e792 (go 1.22.12: Fix CVE-2025-61726, 2026-02-11)

> backporting a fix for CVE-2025-61726, but this patch also introduced
> a bug.
>
> From Go's source code[1], they say that the 'All' table from 'godebugs'
> should be populated alphabetically by Name. And 'Lookup'[2] function uses
> binary search to try and find the variable.
>
> Here's the trace:
> Mar 06 11:33:33 toradex-smarc-imx95-12594035 systemd[1]: Started Docker 
> Application Container Engine.
> Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: 2026/03/06 
> 11:34:53 http: panic serving @: godebug: Value of name not listed in godeb
> ugs.All: urlmaxqueryparams
> Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: goroutine 78 
> [running]:
> Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: 
> net/http.(*conn).serve.func1()
> Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]:         
> net/http/server.go:1903 +0xb0
> Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: 
> panic({0x55743e8740?, 0x4000b526c0?})
> Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]:         
> runtime/panic.go:770 +0x124
> Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: 
> go.opentelemetry.io/otel/sdk/trace.(*recordingSpan).End.deferwrap1()
> Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]:         
> go.opentelemetry.io/otel/[email protected]/trace/span.go:383 +0x2c
> Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: 
> go.opentelemetry.io/otel/sdk/trace.(*recordingSpan).End(0x40011b4a80, {0x0, 
> 0x0, 0x40
> 006441c0?})
> Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]:         
> go.opentelemetry.io/otel/[email protected]/trace/span.go:421 +0x898
> Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: 
> panic({0x55743e8740?, 0x4000b526c0?})
> Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]:         
> runtime/panic.go:770 +0x124
> Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: 
> internal/godebug.(*Setting).Value.func1()
> Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]:         
> internal/godebug/godebug.go:141 +0xd8
> Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: 
> sync.(*Once).doSlow(0x22?, 0x55748a9b60?)
> Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]:         
> sync/once.go:74 +0x100
> Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: 
> sync.(*Once).Do(...)
> Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]:         
> sync/once.go:65
> Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: 
> internal/godebug.(*Setting).Value(0x5575b21be0)
> Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]:         
> internal/godebug/godebug.go:138 +0x50
> Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: 
> net/url.urlParamsWithinMax(0x1)
> Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]:         
> net/url/url.go:968 +0x3c
> Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: 
> net/url.parseQuery(0x400069a630, {0x0, 0x0})
> Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]:         
> net/url/url.go:985 +0xdc
> Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: 
> net/url.ParseQuery(...)
> Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]:         
> net/url/url.go:958
> Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: 
> net/http.(*Request).ParseForm(0x4000bdab40)
> Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]:         
> net/http/request.go:1317 +0x33c
> Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: 
> github.com/docker/docker/api/server/httputils.ParseForm(0x0?)
> Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]:         
> github.com/docker/docker/api/server/httputils/httputils.go:104 +0x20
>
> The 'Lookup' function was failing due to the wrong ordering and returning 
> 'nil',
> which was not being checked properly and caused this issue.
>
> The fix was to just reorder the line where 'urlmaxqueryparams' is being
> added to respect the alphabetical ordering. And for that the whole CVE
> patch was generated again.
>
> This change was validated with docker-moby (original issue), where a container
> run successfully and no traces in the logs.
>
> Fixes: 6a1ae4e792 ("go 1.22.12: Fix CVE-2025-61726.patch variable ordering")
^ Is this commit fixing itself?
FYI, I don't know any Yocto Project tooling that uses this line. You
might just remove it...

>
> [1] 
> https://github.com/golang/go/blob/master/src/internal/godebugs/table.go#L20
> [2] 
> https://github.com/golang/go/blob/master/src/internal/godebugs/table.go#L100
>
> Signed-off-by: Eduardo Ferreira <[email protected]>
> ---
>  .../go/go/CVE-2025-61726.patch                | 25 ++++++++++---------
>  1 file changed, 13 insertions(+), 12 deletions(-)
>
> diff --git a/meta/recipes-devtools/go/go/CVE-2025-61726.patch 
> b/meta/recipes-devtools/go/go/CVE-2025-61726.patch
> index ab053ff55c..65fe62a4da 100644
> --- a/meta/recipes-devtools/go/go/CVE-2025-61726.patch
> +++ b/meta/recipes-devtools/go/go/CVE-2025-61726.patch
> @@ -1,6 +1,6 @@
> -From 85050ca6146f3edb50ded0a352ab9edbd635effc Mon Sep 17 00:00:00 2001
> -From: Damien Neil <[email protected]>
> -Date: Mon, 3 Nov 2025 14:28:47 -0800
> +From a41ff6cac6acdb8a55708d9f1e40efd8c4f87421 Mon Sep 17 00:00:00 2001
> +From: Eduardo Ferreira <[email protected]>
> +Date: Fri, 6 Mar 2026 13:38:46 +0000
^ You can't really take ownership of the patch like that. Please keep
the original author.

>  Subject: [PATCH] [release-branch.go1.24] net/url: add urlmaxqueryparams
>   GODEBUG to limit the number of query parameters
>  
> @@ -36,6 +36,7 @@ Reviewed-by: Junyang Shao <[email protected]>
>  TryBot-Bypass: Michael Pratt <[email protected]>
>  (cherry picked from commit 85c794ddce26a092b0ea68d0fca79028b5069d5a)
>  Signed-off-by: Deepak Rathore <[email protected]>
> +Signed-off-by: Eduardo Ferreira <[email protected]>
>  ---
>   doc/godebug.md                 |  7 +++++
>   src/internal/godebugs/table.go |  1 +
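Review bot: the added Signed-off-by line after Deepak Rathore's records who touched the carried patch but not what was changed in it. A short bracketed note above the new sign-off, saying that the urlmaxqueryparams entry in src/internal/godebugs/table.go was moved to keep the table sorted, would let someone reading only the patch file see how it differs from its previous revision.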
> @@ -45,7 +46,7 @@ Signed-off-by: Deepak Rathore <[email protected]>
>   5 files changed, 85 insertions(+)
>  
>  diff --git a/doc/godebug.md b/doc/godebug.md
> -index ae4f0576b4..635597ea42 100644
> +index ae4f057..635597e 100644
>  --- a/doc/godebug.md
>  +++ b/doc/godebug.md
>  @@ -126,6 +126,13 @@ for example,
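Review bot: the only change to the doc/godebug.md file header is the index line going from ae4f0576b4..635597ea42 to ae4f057..635597e, which is a different hash abbreviation length and not a content change. The same churn shows up on the other index lines, so either edit the table.go hunk in place or regenerate with the original abbreviation length, so that the diff contains only the reordering.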
> @@ -63,19 +64,19 @@ index ae4f0576b4..635597ea42 100644
>   to concerns around VCS injection attacks. This behavior can be renabled 
> with the
>   setting `allowmultiplevcs=1`.
>  diff --git a/src/internal/godebugs/table.go b/src/internal/godebugs/table.go
> -index 33dcd81fc3..4ae043053c 100644
> +index 33dcd81..7178df6 100644
>  --- a/src/internal/godebugs/table.go
>  +++ b/src/internal/godebugs/table.go
> -@@ -52,6 +52,7 @@ var All = []Info{
> +@@ -51,6 +51,7 @@ var All = []Info{
> +     {Name: "tlsmaxrsasize", Package: "crypto/tls"},
>       {Name: "tlsrsakex", Package: "crypto/tls", Changed: 22, Old: "1"},
>       {Name: "tlsunsafeekm", Package: "crypto/tls", Changed: 22, Old: "1"},
> -     {Name: "x509sha1", Package: "crypto/x509"},
>  +    {Name: "urlmaxqueryparams", Package: "net/url", Changed: 24, Old: "0"},
> +     {Name: "x509sha1", Package: "crypto/x509"},
>       {Name: "x509usefallbackroots", Package: "crypto/x509"},
>       {Name: "x509usepolicies", Package: "crypto/x509"},
> -     {Name: "zipinsecurepath", Package: "archive/zip"},
>  diff --git a/src/net/url/url.go b/src/net/url/url.go
> -index d2ae03232f..5219e3c130 100644
> +index d2ae032..f796077 100644
>  --- a/src/net/url/url.go
>  +++ b/src/net/url/url.go
>  @@ -13,6 +13,7 @@ package url
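Review bot: the added table.go entry carries Changed: 24, Old: "0" while the recipe is go 1.22.12, so it is worth confirming that these values behave as intended on this toolchain and saying so in the commit message. The placement itself now looks right: urlmaxqueryparams sits between tlsunsafeekm and x509sha1, and the inner hunk header moving to -51,6 +51,7 matches the extra leading context line (tlsmaxrsasize) and the dropped trailing one (zipinsecurepath).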
> @@ -118,7 +119,7 @@ index d2ae03232f..5219e3c130 100644
>               var key string
>               key, query, _ = strings.Cut(query, "&")
>  diff --git a/src/net/url/url_test.go b/src/net/url/url_test.go
> -index fef236e40a..b2f8bd95fc 100644
> +index fef236e..b2f8bd9 100644
>  --- a/src/net/url/url_test.go
>  +++ b/src/net/url/url_test.go
>  @@ -1488,6 +1488,54 @@ func TestParseQuery(t *testing.T) {
> @@ -177,7 +178,7 @@ index fef236e40a..b2f8bd95fc 100644
>       url *URL
>       out string
>  diff --git a/src/runtime/metrics/doc.go b/src/runtime/metrics/doc.go
> -index 517ec0e0a4..335f7873b3 100644
> +index 517ec0e..2efb13a 100644
>  --- a/src/runtime/metrics/doc.go
>  +++ b/src/runtime/metrics/doc.go
>  @@ -328,6 +328,11 @@ Below is the full list of supported metrics, ordered 
> lexicographically.
> @@ -193,4 +194,4 @@ index 517ec0e0a4..335f7873b3 100644
>               The number of non-default behaviors executed by the crypto/x509
>               package due to a non-default GODEBUG=x509sha1=... setting.
>  --
> -2.35.6
> +2.34.1

And, remember, when sending your next version to add the [scarthgap]
tag.

Thanks!
-- 
Yoann Congal
Smile ECS
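
The ordering failure discussed in this thread, as an added example that is not part of the original message or of Go's source: a binary search over a table sorted by name misses an entry that is present but out of order. The `Info` type, `lookup` and `firstUnsorted` are hypothetical stand-ins, and both tables are constructed excerpts using the names visible in the quoted hunk.

```go
package main

import (
	"fmt"
	"sort"
)

// Info keeps only the Name field of a table entry (simplified stand-in).
type Info struct{ Name string }

// Constructed excerpts, using the names visible in the quoted hunk.
// broken: urlmaxqueryparams placed after x509sha1 (the earlier patch).
var broken = []Info{{"tlsrsakex"}, {"tlsunsafeekm"}, {"x509sha1"},
	{"urlmaxqueryparams"}, {"x509usefallbackroots"}, {"x509usepolicies"},
	{"zipinsecurepath"}}

// fixed: urlmaxqueryparams placed before x509sha1 (the reworked patch).
var fixed = []Info{{"tlsmaxrsasize"}, {"tlsrsakex"}, {"tlsunsafeekm"},
	{"urlmaxqueryparams"}, {"x509sha1"}, {"x509usefallbackroots"},
	{"x509usepolicies"}}

// lookup is a hypothetical binary search by Name. It returns nil when the
// name is absent, and also when the table order hides an existing entry.
func lookup(all []Info, name string) *Info {
	i := sort.Search(len(all), func(i int) bool { return all[i].Name >= name })
	if i < len(all) && all[i].Name == name {
		return &all[i]
	}
	return nil
}

// firstUnsorted returns the index of the first entry that is not strictly
// greater than its predecessor, or -1 when the table is sorted by Name.
func firstUnsorted(all []Info) int {
	for i := 1; i < len(all); i++ {
		if all[i].Name <= all[i-1].Name {
			return i
		}
	}
	return -1
}

func main() {
	for label, tbl := range map[string][]Info{"broken": broken, "fixed": fixed} {
		fmt.Printf("%s: found=%v firstUnsorted=%d\n", label,
			lookup(tbl, "urlmaxqueryparams") != nil, firstUnsorted(tbl))
	}
}
```

A check like `firstUnsorted` run over the patched table at build or test time catches this class of backport mistake before it surfaces as a runtime panic.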
