diff --git a/0045-Fix-CVE-2025-22871.patch b/0045-Fix-CVE-2025-22871.patch new file mode 100644 index 0000000000000000000000000000000000000000..fc0017f31800a5600848f62d076a65a7cb1300e0 --- /dev/null +++ b/0045-Fix-CVE-2025-22871.patch @@ -0,0 +1,168 @@ +From ac1f5aa3d62efe21e65ce4dc30e6996d59acfbd0 Mon Sep 17 00:00:00 2001 +From: Damien Neil +Date: Wed, 26 Feb 2025 13:40:00 -0800 +Subject: [PATCH] [release-branch.go1.24] net/http: reject newlines in + chunk-size lines + +Unlike request headers, where we are allowed to leniently accept +a bare LF in place of a CRLF, chunked bodies must always use CRLF +line terminators. We were already enforcing this for chunk-data lines; +do so for chunk-size lines as well. Also reject bare CRs anywhere +other than as part of the CRLF terminator. + +Fixes CVE-2025-22871 +Fixes #72011 +For #71988 + +Change-Id: Ib0e21af5a8ba28c2a1ca52b72af8e2265ec79e4a +Reviewed-on: https://go-review.googlesource.com/c/go/+/652998 +Reviewed-by: Jonathan Amsterdam +LUCI-TryBot-Result: Go LUCI +(cherry picked from commit d31c805535f3fde95646ee4d87636aaaea66847b) +Reviewed-on: https://go-review.googlesource.com/c/go/+/657056 +--- + src/net/http/internal/chunked.go | 19 +++++++++-- + src/net/http/internal/chunked_test.go | 27 +++++++++++++++ + src/net/http/serve_test.go | 49 +++++++++++++++++++++++++++ + 3 files changed, 92 insertions(+), 3 deletions(-) + +diff --git a/src/net/http/internal/chunked.go b/src/net/http/internal/chunked.go +index 196b5d8..0b08a97 100644 +--- a/src/net/http/internal/chunked.go ++++ b/src/net/http/internal/chunked.go +@@ -164,6 +164,19 @@ func readChunkLine(b *bufio.Reader) ([]byte, error) { + } + return nil, err + } ++ ++ // RFC 9112 permits parsers to accept a bare \n as a line ending in headers, ++ // but not in chunked encoding lines. See https://www.rfc-editor.org/errata/eid7633, ++ // which explicitly rejects a clarification permitting \n as a chunk terminator. ++ // ++ // Verify that the line ends in a CRLF, and that no CRs appear before the end. ++ if idx := bytes.IndexByte(p, '\r'); idx == -1 { ++ return nil, errors.New("chunked line ends with bare LF") ++ } else if idx != len(p)-2 { ++ return nil, errors.New("invalid CR in chunked line") ++ } ++ p = p[:len(p)-2] // trim CRLF ++ + if len(p) >= maxLineLength { + return nil, ErrLineTooLong + } +@@ -171,14 +184,14 @@ func readChunkLine(b *bufio.Reader) ([]byte, error) { + } + + func trimTrailingWhitespace(b []byte) []byte { +- for len(b) > 0 && isASCIISpace(b[len(b)-1]) { ++ for len(b) > 0 && isOWS(b[len(b)-1]) { + b = b[:len(b)-1] + } + return b + } + +-func isASCIISpace(b byte) bool { +- return b == ' ' || b == '\t' || b == '\n' || b == '\r' ++func isOWS(b byte) bool { ++ return b == ' ' || b == '\t' + } + + var semi = []byte(";") +diff --git a/src/net/http/internal/chunked_test.go b/src/net/http/internal/chunked_test.go +index af79711..25f5555 100644 +--- a/src/net/http/internal/chunked_test.go ++++ b/src/net/http/internal/chunked_test.go +@@ -280,6 +280,33 @@ func TestChunkReaderByteAtATime(t *testing.T) { + } + } + ++func TestChunkInvalidInputs(t *testing.T) { ++ for _, test := range []struct { ++ name string ++ b string ++ }{{ ++ name: "bare LF in chunk size", ++ b: "1\na\r\n0\r\n", ++ }, { ++ name: "extra LF in chunk size", ++ b: "1\r\r\na\r\n0\r\n", ++ }, { ++ name: "bare LF in chunk data", ++ b: "1\r\na\n0\r\n", ++ }, { ++ name: "bare LF in chunk extension", ++ b: "1;\na\r\n0\r\n", ++ }} { ++ t.Run(test.name, func(t *testing.T) { ++ r := NewChunkedReader(strings.NewReader(test.b)) ++ got, err := io.ReadAll(r) ++ if err == nil { ++ t.Fatalf("unexpectedly parsed invalid chunked data:\n%q", got) ++ } ++ }) ++ } ++} ++ + type funcReader struct { + f func(iteration int) ([]byte, error) + i int +diff --git a/src/net/http/serve_test.go b/src/net/http/serve_test.go +index 0c46b1e..21c456a 100644 +--- a/src/net/http/serve_test.go ++++ b/src/net/http/serve_test.go +@@ -7303,3 +7303,52 @@ func testServerReadAfterHandlerAbort100Continue(t *testing.T, mode testMode) { + readyc <- struct{}{} // server starts reading from the request body + readyc <- struct{}{} // server finishes reading from the request body + } ++ ++func TestInvalidChunkedBodies(t *testing.T) { ++ for _, test := range []struct { ++ name string ++ b string ++ }{{ ++ name: "bare LF in chunk size", ++ b: "1\na\r\n0\r\n\r\n", ++ }, { ++ name: "bare LF at body end", ++ b: "1\r\na\r\n0\r\n\n", ++ }} { ++ t.Run(test.name, func(t *testing.T) { ++ reqc := make(chan error) ++ ts := newClientServerTest(t, http1Mode, HandlerFunc(func(w ResponseWriter, r *Request) { ++ got, err := io.ReadAll(r.Body) ++ if err == nil { ++ t.Logf("read body: %q", got) ++ } ++ reqc <- err ++ })).ts ++ ++ serverURL, err := url.Parse(ts.URL) ++ if err != nil { ++ t.Fatal(err) ++ } ++ ++ conn, err := net.Dial("tcp", serverURL.Host) ++ if err != nil { ++ t.Fatal(err) ++ } ++ ++ if _, err := conn.Write([]byte( ++ "POST / HTTP/1.1\r\n" + ++ "Host: localhost\r\n" + ++ "Transfer-Encoding: chunked\r\n" + ++ "Connection: close\r\n" + ++ "\r\n" + ++ test.b)); err != nil { ++ t.Fatal(err) ++ } ++ conn.(*net.TCPConn).CloseWrite() ++ ++ if err := <-reqc; err == nil { ++ t.Errorf("server handler: io.ReadAll(r.Body) succeeded, want error") ++ } ++ }) ++ } ++} +-- +2.43.5 + diff --git a/0046-Fix-CVE-2025-22874.patch b/0046-Fix-CVE-2025-22874.patch new file mode 100644 index 0000000000000000000000000000000000000000..68530042581b27e3dd4740190d4ee2bd0182e0e3 --- /dev/null +++ b/0046-Fix-CVE-2025-22874.patch @@ -0,0 +1,138 @@ +From 03811ab1b31525e8d779997db169c6fedab7c505 Mon Sep 17 00:00:00 2001 +From: Roland Shoemaker +Date: Tue, 6 May 2025 09:27:10 -0700 +Subject: [PATCH] [release-branch.go1.24] crypto/x509: decouple key usage and + policy validation +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Disabling key usage validation (by passing ExtKeyUsageAny) +unintentionally disabled policy validation. This change decouples these +two checks, preventing the user from unintentionally disabling policy +validation. + +Thanks to Krzysztof Skrzętnicki (@Tener) of Teleport for reporting this +issue. + +Updates #73612 +Fixes #73700 +Fixes CVE-2025-22874 + +Change-Id: Iec8f080a8879a3dd44cb3da30352fa3e7f539d40 +Reviewed-on: https://go-review.googlesource.com/c/go/+/670375 +Reviewed-by: Daniel McCarney +Reviewed-by: Cherry Mui +Reviewed-by: Ian Stapleton Cordasco +LUCI-TryBot-Result: Go LUCI +(cherry picked from commit 9bba799955e68972041c4f340ee4ea2d267e5c0e) +Reviewed-on: https://go-review.googlesource.com/c/go/+/672316 +Reviewed-by: Michael Knyszek +--- + src/crypto/x509/verify.go | 32 +++++++++++++++++++++--------- + src/crypto/x509/verify_test.go | 36 ++++++++++++++++++++++++++++++++++ + 2 files changed, 59 insertions(+), 9 deletions(-) + +diff --git a/src/crypto/x509/verify.go b/src/crypto/x509/verify.go +index 5fe93c6124a989..7cc0fb2e3e0385 100644 +--- a/src/crypto/x509/verify.go ++++ b/src/crypto/x509/verify.go +@@ -841,31 +841,45 @@ func (c *Certificate) Verify(opts VerifyOptions) (chains [][]*Certificate, err e + } + } + +- if len(opts.KeyUsages) == 0 { +- opts.KeyUsages = []ExtKeyUsage{ExtKeyUsageServerAuth} ++ chains = make([][]*Certificate, 0, len(candidateChains)) ++ ++ var invalidPoliciesChains int ++ for _, candidate := range candidateChains { ++ if !policiesValid(candidate, opts) { ++ invalidPoliciesChains++ ++ continue ++ } ++ chains = append(chains, candidate) ++ } ++ ++ if len(chains) == 0 { ++ return nil, CertificateInvalidError{c, NoValidChains, "all candidate chains have invalid policies"} + } + + for _, eku := range opts.KeyUsages { + if eku == ExtKeyUsageAny { + // If any key usage is acceptable, no need to check the chain for + // key usages. +- return candidateChains, nil ++ return chains, nil + } + } + +- chains = make([][]*Certificate, 0, len(candidateChains)) +- var incompatibleKeyUsageChains, invalidPoliciesChains int ++ if len(opts.KeyUsages) == 0 { ++ opts.KeyUsages = []ExtKeyUsage{ExtKeyUsageServerAuth} ++ } ++ ++ candidateChains = chains ++ chains = chains[:0] ++ ++ var incompatibleKeyUsageChains int + for _, candidate := range candidateChains { + if !checkChainForKeyUsage(candidate, opts.KeyUsages) { + incompatibleKeyUsageChains++ + continue + } +- if !policiesValid(candidate, opts) { +- invalidPoliciesChains++ +- continue +- } + chains = append(chains, candidate) + } ++ + if len(chains) == 0 { + var details []string + if incompatibleKeyUsageChains > 0 { +diff --git a/src/crypto/x509/verify_test.go b/src/crypto/x509/verify_test.go +index 1175e7d80850d2..7991f49946d587 100644 +--- a/src/crypto/x509/verify_test.go ++++ b/src/crypto/x509/verify_test.go +@@ -3012,3 +3012,39 @@ func TestPoliciesValid(t *testing.T) { + }) + } + } ++ ++func TestInvalidPolicyWithAnyKeyUsage(t *testing.T) { ++ loadTestCert := func(t *testing.T, path string) *Certificate { ++ b, err := os.ReadFile(path) ++ if err != nil { ++ t.Fatal(err) ++ } ++ p, _ := pem.Decode(b) ++ c, err := ParseCertificate(p.Bytes) ++ if err != nil { ++ t.Fatal(err) ++ } ++ return c ++ } ++ ++ testOID3 := mustNewOIDFromInts([]uint64{1, 2, 840, 113554, 4, 1, 72585, 2, 3}) ++ root, intermediate, leaf := loadTestCert(t, "testdata/policy_root.pem"), loadTestCert(t, "testdata/policy_intermediate_require.pem"), loadTestCert(t, "testdata/policy_leaf.pem") ++ ++ expectedErr := "x509: no valid chains built: all candidate chains have invalid policies" ++ ++ roots, intermediates := NewCertPool(), NewCertPool() ++ roots.AddCert(root) ++ intermediates.AddCert(intermediate) ++ ++ _, err := leaf.Verify(VerifyOptions{ ++ Roots: roots, ++ Intermediates: intermediates, ++ KeyUsages: []ExtKeyUsage{ExtKeyUsageAny}, ++ CertificatePolicies: []OID{testOID3}, ++ }) ++ if err == nil { ++ t.Fatal("unexpected success, invalid policy shouldn't be bypassed by passing VerifyOptions.KeyUsages with ExtKeyUsageAny") ++ } else if err.Error() != expectedErr { ++ t.Fatalf("unexpected error, got %q, want %q", err, expectedErr) ++ } ++} diff --git a/golang.spec b/golang.spec index 5d06ed0bacb2424a80336ba147a1cf0baf584815..8e45db3aef84e79839994cde45c8162ed741d481 100644 --- a/golang.spec +++ b/golang.spec @@ -1,4 +1,4 @@ -%define anolis_release 4 +%define anolis_release 5 # Disable debuginfo packages %global debug_package %{nil} @@ -124,6 +124,10 @@ Patch41: 0041-cmd-internal-obj-loong64-add-F-MAXA-MINA-.-S-D-instr.patch Patch42: 0042-math-implement-func-archExp-and-archExp2-in-assembly.patch Patch43: 0043-math-implement-func-archLog-in-assembly-on-loong64.patch Patch44: 0044-cmd-go-internal-work-allow-a-bunch-of-loong64-specif.patch +# https://github.com/golang/go/commit/ac1f5aa3d62efe21e65ce4dc30e6996d59acfbd0 +Patch45: 0045-Fix-CVE-2025-22871.patch +# https://github.com/golang/go/commit/03811ab1b31525e8d779997db169c6fedab7c505 +Patch46: 0046-Fix-CVE-2025-22874.patch # The compiler is written in Go. Needs go(1.4+) compiler for build. %if %{with bootstrap} @@ -594,6 +598,9 @@ fi %files docs -f go-docs.list %changelog +* Thu Jun 19 2025 Cheng Yang - 1.24.0-5 +- add patch to Fix CVE-2025-22871 and CVE-2025-22874 + * Tue Jun 3 2025 zhoujiajia111 - 1.24.0-4 - Provide tar package using download file