go 1.22.12: Fix CVE-2025-61726

Upstream Repository: https://github.com/golang/go.git

Bug details: https://nvd.nist.gov/vuln/detail/CVE-2025-61726
Type: Security Fix
CVE: CVE-2025-61726
Score: 7.5
Patch: https://github.com/golang/go/commit/85c794ddce26

(From OE-Core rev: 6a1ae4e79252f9a896faa702e4a8b3e27529a474)

Signed-off-by: Deepak Rathore <deeratho@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

meta/recipes-devtools/go/go-1.22.12.inc

@@ -32,6 +32,7 @@ SRC_URI += "\
     file://CVE-2025-61727.patch \
     file://CVE-2025-61729.patch \
     file://CVE-2025-61730.patch \
+    file://CVE-2025-61726.patch \
 "
 SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71"
 

meta/recipes-devtools/go/go/CVE-2025-61726.patch

@@ -0,0 +1,196 @@
+From 85050ca6146f3edb50ded0a352ab9edbd635effc Mon Sep 17 00:00:00 2001
+From: Damien Neil <dneil@google.com>
+Date: Mon, 3 Nov 2025 14:28:47 -0800
+Subject: [PATCH] [release-branch.go1.24] net/url: add urlmaxqueryparams
+ GODEBUG to limit the number of query parameters
+
+net/url does not currently limit the number of query parameters parsed by
+url.ParseQuery or URL.Query.
+
+When parsing a application/x-www-form-urlencoded form,
+net/http.Request.ParseForm will parse up to 10 MB of query parameters.
+An input consisting of a large number of small, unique parameters can
+cause excessive memory consumption.
+
+We now limit the number of query parameters parsed to 10000 by default.
+The limit can be adjusted by setting GODEBUG=urlmaxqueryparams=<n>.
+Setting urlmaxqueryparams to 0 disables the limit.
+
+Thanks to jub0bs for reporting this issue.
+
+Fixes #77101
+Fixes CVE-2025-61726
+
+CVE: CVE-2025-61726
+Upstream-Status: Backport [https://github.com/golang/go/commit/85c794ddce26]
+
+Change-Id: Iee3374c7ee2d8586dbf158536d3ade424203ff66
+Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3020
+Reviewed-by: Nicholas Husin <husin@google.com>
+Reviewed-by: Neal Patel <nealpatel@google.com>
+Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3326
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/736702
+Auto-Submit: Michael Pratt <mpratt@google.com>
+Reviewed-by: Junyang Shao <shaojunyang@google.com>
+TryBot-Bypass: Michael Pratt <mpratt@google.com>
+(cherry picked from commit 85c794ddce26a092b0ea68d0fca79028b5069d5a)
+Signed-off-by: Deepak Rathore <deeratho@cisco.com>
+---
+ doc/godebug.md                 |  7 +++++
+ src/internal/godebugs/table.go |  1 +
+ src/net/url/url.go             | 24 +++++++++++++++++
+ src/net/url/url_test.go        | 48 ++++++++++++++++++++++++++++++++++
+ src/runtime/metrics/doc.go     |  5 ++++
+ 5 files changed, 85 insertions(+)
+
+diff --git a/doc/godebug.md b/doc/godebug.md
+index ae4f0576b4..635597ea42 100644
+--- a/doc/godebug.md
++++ b/doc/godebug.md
+@@ -126,6 +126,13 @@ for example,
+ see the [runtime documentation](/pkg/runtime#hdr-Environment_Variables)
+ and the [go command documentation](/cmd/go#hdr-Build_and_test_caching).
+
++Go 1.26 added a new `urlmaxqueryparams` setting that controls the maximum number
++of query parameters that net/url will accept when parsing a URL-encoded query string.
++If the number of parameters exceeds the number set in `urlmaxqueryparams`,
++parsing will fail early. The default value is `urlmaxqueryparams=10000`.
++Setting `urlmaxqueryparams=0`bles the limit. To avoid denial of service attacks,
++this setting and default was backported to Go 1.25.4 and Go 1.24.10.
++
+ Go 1.23.11 disabled build information stamping when multiple VCS are detected due
+ to concerns around VCS injection attacks. This behavior can be renabled with the
+ setting `allowmultiplevcs=1`.
+diff --git a/src/internal/godebugs/table.go b/src/internal/godebugs/table.go
+index 33dcd81fc3..4ae043053c 100644
+--- a/src/internal/godebugs/table.go
++++ b/src/internal/godebugs/table.go
+@@ -52,6 +52,7 @@ var All = []Info{
+	{Name: "tlsrsakex", Package: "crypto/tls", Changed: 22, Old: "1"},
+	{Name: "tlsunsafeekm", Package: "crypto/tls", Changed: 22, Old: "1"},
+	{Name: "x509sha1", Package: "crypto/x509"},
++	{Name: "urlmaxqueryparams", Package: "net/url", Changed: 24, Old: "0"},
+	{Name: "x509usefallbackroots", Package: "crypto/x509"},
+	{Name: "x509usepolicies", Package: "crypto/x509"},
+	{Name: "zipinsecurepath", Package: "archive/zip"},
+diff --git a/src/net/url/url.go b/src/net/url/url.go
+index d2ae03232f..5219e3c130 100644
+--- a/src/net/url/url.go
++++ b/src/net/url/url.go
+@@ -13,6 +13,7 @@ package url
+ import (
+	"errors"
+	"fmt"
++	"internal/godebug"
+	"net/netip"
+	"path"
+	"sort"
+@@ -958,7 +959,30 @@ func ParseQuery(query string) (Values, error) {
+	return m, err
+ }
+
++var urlmaxqueryparams = godebug.New("urlmaxqueryparams")
++
++const defaultMaxParams = 10000
++
++func urlParamsWithinMax(params int) bool {
++	withinDefaultMax := params <= defaultMaxParams
++	if urlmaxqueryparams.Value() == "" {
++		return withinDefaultMax
++	}
++	customMax, err := strconv.Atoi(urlmaxqueryparams.Value())
++	if err != nil {
++		return withinDefaultMax
++	}
++	withinCustomMax := customMax == 0 || params < customMax
++	if withinDefaultMax != withinCustomMax {
++		urlmaxqueryparams.IncNonDefault()
++	}
++	return withinCustomMax
++}
++
+ func parseQuery(m Values, query string) (err error) {
++	if !urlParamsWithinMax(strings.Count(query, "&") + 1) {
++		return errors.New("number of URL query parameters exceeded limit")
++	}
+	for query != "" {
+		var key string
+		key, query, _ = strings.Cut(query, "&")
+diff --git a/src/net/url/url_test.go b/src/net/url/url_test.go
+index fef236e40a..b2f8bd95fc 100644
+--- a/src/net/url/url_test.go
++++ b/src/net/url/url_test.go
+@@ -1488,6 +1488,54 @@ func TestParseQuery(t *testing.T) {
+	}
+ }
+
++func TestParseQueryLimits(t *testing.T) {
++	for _, test := range []struct {
++		params  int
++		godebug string
++		wantErr bool
++	}{{
++		params:  10,
++		wantErr: false,
++	}, {
++		params:  defaultMaxParams,
++		wantErr: false,
++	}, {
++		params:  defaultMaxParams + 1,
++		wantErr: true,
++	}, {
++		params:  10,
++		godebug: "urlmaxqueryparams=9",
++		wantErr: true,
++	}, {
++		params:  defaultMaxParams + 1,
++		godebug: "urlmaxqueryparams=0",
++		wantErr: false,
++	}} {
++		t.Setenv("GODEBUG", test.godebug)
++		want := Values{}
++		var b strings.Builder
++		for i := range test.params {
++			if i > 0 {
++				b.WriteString("&")
++			}
++			p := fmt.Sprintf("p%v", i)
++			b.WriteString(p)
++			want[p] = []string{""}
++		}
++		query := b.String()
++		got, err := ParseQuery(query)
++		if gotErr, wantErr := err != nil, test.wantErr; gotErr != wantErr {
++			t.Errorf("GODEBUG=%v ParseQuery(%v params) = %v, want error: %v", test.godebug, test.params, err, wantErr)
++		}
++		if err != nil {
++			continue
++		}
++		if got, want := len(got), test.params; got != want {
++			t.Errorf("GODEBUG=%v ParseQuery(%v params): got %v params, want %v", test.godebug, test.params, got, want)
++		}
++	}
++}
++
+ type RequestURITest struct {
+	url *URL
+	out string
+diff --git a/src/runtime/metrics/doc.go b/src/runtime/metrics/doc.go
+index 517ec0e0a4..335f7873b3 100644
+--- a/src/runtime/metrics/doc.go
++++ b/src/runtime/metrics/doc.go
+@@ -328,6 +328,11 @@ Below is the full list of supported metrics, ordered lexicographically.
+		The number of non-default behaviors executed by the crypto/tls
+		package due to a non-default GODEBUG=tlsunsafeekm=... setting.
+
++	/godebug/non-default-behavior/urlmaxqueryparams:events
++		The number of non-default behaviors executed by the net/url
++		package due to a non-default GODEBUG=urlmaxqueryparams=...
++		setting.
++
+	/godebug/non-default-behavior/x509sha1:events
+		The number of non-default behaviors executed by the crypto/x509
+		package due to a non-default GODEBUG=x509sha1=... setting.
+--
+2.35.6