git.ipfire.org Git - thirdparty/openembedded/openembedded-core-contrib.git/commit

author	Praveen Kumar <praveen.kumar@windriver.com>
	Thu, 18 Sep 2025 15:30:40 +0000 (21:00 +0530)
committer	Steve Sakoman <steve@sakoman.com>
	Fri, 26 Sep 2025 14:04:59 +0000 (07:04 -0700)
commit	af9c43c39764ce9ce37785c44dfb83e25cb24703
tree	613e99eab61f4b7a10aeeb31ba36f66ac817379e	tree \| snapshot
parent	d381eeb5e70bd0ce9e78032c909e4a23564f4dd7	commit \| diff

go: fix CVE-2025-47907

Cancelling a query (e.g. by cancelling the context passed to one of
the query methods) during a call to the Scan method of the returned
Rows can result in unexpected results if other queries are being made
in parallel. This can result in a race condition that may overwrite
the expected results with those of another query, causing the call to
Scan to return either unexpected results from the other query or an
error.

Made below changes for Go 1.17 backport:
- Replaced `atomic.Pointer[error]` with `atomic.Value`, since
  atomic pointers are not supported in Go 1.17.
- Used errp.(*error) to retrieve and dereference
  the stored *error, Without this, build fails with:
  invalid indirect of errp (type interface{}).
- Replaced Go 1.18 `any` keyword with `interface{}` for backward
  compatibility with Go 1.17.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-47907

Upstream-patch:
https://github.com/golang/go/commit/8a924caaf348fdc366bab906424616b2974ad4e9
https://github.com/golang/go/commit/298fe517a9333c05143a8a8e1f9d5499f0c6e59b
https://github.com/golang/go/commit/c23579f031ecd09bf37c644723b33736dffa8b92

Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>

meta/recipes-devtools/go/go-1.17.13.inc		diff \| blob \| blame \| history
meta/recipes-devtools/go/go-1.21/CVE-2025-47907-pre-0001.patch	[new file with mode: 0644]	blob
meta/recipes-devtools/go/go-1.21/CVE-2025-47907-pre-0002.patch	[new file with mode: 0644]	blob
meta/recipes-devtools/go/go-1.21/CVE-2025-47907.patch	[new file with mode: 0644]	blob