From 5d682c1dade500675f1921d0a7fa57d980a78c65 Mon Sep 17 00:00:00 2001 From: wh02252983 Date: Sat, 11 Oct 2025 11:05:14 +0800 Subject: [PATCH] [CVE] add patch to fix CVE-2025-47906 To # N/A add patch to fix CVE-2025-47906 Project: TC2024080204 Signed-off-by: wh02252983 --- 0047-Fix-CVE-2025-47906.patch | 166 ++++++++++++++++++++++++++++++++++ golang.spec | 7 +- 2 files changed, 172 insertions(+), 1 deletion(-) create mode 100644 0047-Fix-CVE-2025-47906.patch diff --git a/0047-Fix-CVE-2025-47906.patch b/0047-Fix-CVE-2025-47906.patch new file mode 100644 index 0000000..3f0d715 --- /dev/null +++ b/0047-Fix-CVE-2025-47906.patch @@ -0,0 +1,166 @@ +From 0f5133b742bf61cda6c98b4cd1d313a330f13f32 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Olivier=20Mengu=C3=A9?= +Date: Mon, 30 Jun 2025 16:58:59 +0200 +Subject: [PATCH] [release-branch.go1.24] os/exec: fix incorrect expansion of + "", "." and ".." in LookPath + +Fix incorrect expansion of "" and "." when $PATH contains an executable +file or, on Windows, a parent directory of a %PATH% element contains an +file with the same name as the %PATH% element but with one of the +%PATHEXT% extension (ex: C:\utils\bin is in PATH, and C:\utils\bin.exe +exists). + +Fix incorrect expansion of ".." when $PATH contains an element which is +an the concatenation of the path to an executable file (or on Windows +a path that can be expanded to an executable by appending a %PATHEXT% +extension), a path separator and a name. + +"", "." and ".." are now rejected early with ErrNotFound. + +Fixes CVE-2025-47906 +Fixes #74804 + +Change-Id: Ie50cc0a660fce8fbdc952a7f2e05c36062dcb50e +Reviewed-on: https://go-review.googlesource.com/c/go/+/685755 +LUCI-TryBot-Result: Go LUCI +Auto-Submit: Damien Neil +Reviewed-by: Roland Shoemaker +Reviewed-by: Damien Neil +(cherry picked from commit e0b07dc22eaab1b003d98ad6d63cdfacc76c5c70) +Reviewed-on: https://go-review.googlesource.com/c/go/+/691875 +Reviewed-by: Michael Knyszek +--- + src/os/exec/dot_test.go | 44 +++++++++++++++++++++++++++++++++++++++ + src/os/exec/exec.go | 10 +++++++++ + src/os/exec/lp_plan9.go | 4 ++++ + src/os/exec/lp_unix.go | 4 ++++ + src/os/exec/lp_windows.go | 8 +++++++ + 5 files changed, 70 insertions(+) + +diff --git a/src/os/exec/dot_test.go b/src/os/exec/dot_test.go +index 1bf0d9c760bfd0..b95639e6c82068 100644 +--- a/src/os/exec/dot_test.go ++++ b/src/os/exec/dot_test.go +@@ -177,4 +177,48 @@ func TestLookPath(t *testing.T) { + } + } + }) ++ ++ checker := func(test string) func(t *testing.T) { ++ return func(t *testing.T) { ++ t.Helper() ++ t.Logf("PATH=%s", os.Getenv("PATH")) ++ p, err := LookPath(test) ++ if err == nil { ++ t.Errorf("%q: error expected, got nil", test) ++ } ++ if p != "" { ++ t.Errorf("%q: path returned should be \"\". Got %q", test, p) ++ } ++ } ++ } ++ ++ // Reference behavior for the next test ++ t.Run(pathVar+"=$OTHER2", func(t *testing.T) { ++ t.Run("empty", checker("")) ++ t.Run("dot", checker(".")) ++ t.Run("dotdot1", checker("abc/..")) ++ t.Run("dotdot2", checker("..")) ++ }) ++ ++ // Test the behavior when PATH contains an executable file which is not a directory ++ t.Run(pathVar+"=exe", func(t *testing.T) { ++ // Inject an executable file (not a directory) in PATH. ++ // Use our own binary os.Args[0]. ++ t.Setenv(pathVar, testenv.Executable(t)) ++ t.Run("empty", checker("")) ++ t.Run("dot", checker(".")) ++ t.Run("dotdot1", checker("abc/..")) ++ t.Run("dotdot2", checker("..")) ++ }) ++ ++ // Test the behavior when PATH contains an executable file which is not a directory ++ t.Run(pathVar+"=exe/xx", func(t *testing.T) { ++ // Inject an executable file (not a directory) in PATH. ++ // Use our own binary os.Args[0]. ++ t.Setenv(pathVar, filepath.Join(testenv.Executable(t), "xx")) ++ t.Run("empty", checker("")) ++ t.Run("dot", checker(".")) ++ t.Run("dotdot1", checker("abc/..")) ++ t.Run("dotdot2", checker("..")) ++ }) + } +diff --git a/src/os/exec/exec.go b/src/os/exec/exec.go +index fecfc97d13855a..3decdc75955610 100644 +--- a/src/os/exec/exec.go ++++ b/src/os/exec/exec.go +@@ -1328,3 +1328,13 @@ func addCriticalEnv(env []string) []string { + // Code should use errors.Is(err, ErrDot), not err == ErrDot, + // to test whether a returned error err is due to this condition. + var ErrDot = errors.New("cannot run executable found relative to current directory") ++ ++// validateLookPath excludes paths that can't be valid ++// executable names. See issue #74466 and CVE-2025-47906. ++func validateLookPath(s string) error { ++ switch s { ++ case "", ".", "..": ++ return ErrNotFound ++ } ++ return nil ++} +diff --git a/src/os/exec/lp_plan9.go b/src/os/exec/lp_plan9.go +index 87359b3551d32f..0430af9eefeb42 100644 +--- a/src/os/exec/lp_plan9.go ++++ b/src/os/exec/lp_plan9.go +@@ -36,6 +36,10 @@ func findExecutable(file string) error { + // As of Go 1.19, LookPath will instead return that path along with an error satisfying + // [errors.Is](err, [ErrDot]). See the package documentation for more details. + func LookPath(file string) (string, error) { ++ if err := validateLookPath(file); err != nil { ++ return "", &Error{file, err} ++ } ++ + // skip the path lookup for these prefixes + skip := []string{"/", "#", "./", "../"} + +diff --git a/src/os/exec/lp_unix.go b/src/os/exec/lp_unix.go +index 8617d45e983e6e..e5fddbafe21b94 100644 +--- a/src/os/exec/lp_unix.go ++++ b/src/os/exec/lp_unix.go +@@ -54,6 +54,10 @@ func LookPath(file string) (string, error) { + // (only bypass the path if file begins with / or ./ or ../) + // but that would not match all the Unix shells. + ++ if err := validateLookPath(file); err != nil { ++ return "", &Error{file, err} ++ } ++ + if strings.Contains(file, "/") { + err := findExecutable(file) + if err == nil { +diff --git a/src/os/exec/lp_windows.go b/src/os/exec/lp_windows.go +index 12256743064585..e01e7bbbbabde0 100644 +--- a/src/os/exec/lp_windows.go ++++ b/src/os/exec/lp_windows.go +@@ -67,6 +67,10 @@ func findExecutable(file string, exts []string) (string, error) { + // As of Go 1.19, LookPath will instead return that path along with an error satisfying + // [errors.Is](err, [ErrDot]). See the package documentation for more details. + func LookPath(file string) (string, error) { ++ if err := validateLookPath(file); err != nil { ++ return "", &Error{file, err} ++ } ++ + return lookPath(file, pathExt()) + } + +@@ -80,6 +84,10 @@ func LookPath(file string) (string, error) { + // "C:\foo\example.com" would be returned as-is even if the + // program is actually "C:\foo\example.com.exe". + func lookExtensions(path, dir string) (string, error) { ++ if err := validateLookPath(path); err != nil { ++ return "", &Error{path, err} ++ } ++ + if filepath.Base(path) == path { + path = "." + string(filepath.Separator) + path + } diff --git a/golang.spec b/golang.spec index 861a9f4..435df75 100644 --- a/golang.spec +++ b/golang.spec @@ -1,4 +1,4 @@ -%define anolis_release 8 +%define anolis_release 9 # Disable debuginfo packages %global debug_package %{nil} @@ -131,6 +131,8 @@ Patch44: 0044-cmd-go-internal-work-allow-a-bunch-of-loong64-specif.patch Patch45: 0045-Fix-CVE-2025-22871.patch # https://github.com/golang/go/commit/03811ab1b31525e8d779997db169c6fedab7c505 Patch46: 0046-Fix-CVE-2025-22874.patch +# https://github.com/golang/go/commit/0f5133b742bf61cda6c98b4cd1d313a330f13f32 +Patch47: 0047-Fix-CVE-2025-47906.patch # Part 1001-1999 for sw_64 Patch1001: 0001-cmd-comile-Add-sw64-port.patch @@ -624,6 +626,9 @@ fi %files docs -f go-docs.list %changelog +* Sat Oct 10 2025 wh02252983 - 1.24.0-9 +- Add patch to fix CVE-2025-47906 + * Thu Aug 15 2025 Yang Cheng - 1.24.0-8 - fix sw_64 build error -- Gitee