diff --git a/0047-Fix-CVE-2025-22870.patch b/0047-Fix-CVE-2025-22870.patch
new file mode 100644
index 0000000000000000000000000000000000000000..f40aca187a954e622ffe01f6b8d87a54f4c53e07
--- /dev/null
+++ b/0047-Fix-CVE-2025-22870.patch
@@ -0,0 +1,73 @@
+From 334de7982f8ec959c74470dd709ceedfd6dbd50a Mon Sep 17 00:00:00 2001
+From: Damien Neil
+Date: Wed, 26 Feb 2025 16:46:43 -0800
+Subject: [PATCH] [release-branch.go1.24] all: updated vendored x/net with
+ security fix
+
+6ed00d0 [internal-branch.go1.24-vendor] proxy, http/httpproxy: do not mismatch IPv6 zone ids against hosts
+
+Fixes CVE-2025-22870
+For #71986
+
+Change-Id: I7bda0825f1a9470b0708714d9cc32b5eae212f8b
+Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2121
+Reviewed-by: Neal Patel
+Reviewed-by: Roland Shoemaker
+Commit-Queue: Roland Shoemaker
+Reviewed-on: https://go-review.googlesource.com/c/go/+/654715
+Reviewed-by: Michael Pratt
+LUCI-TryBot-Result: Go LUCI
+Auto-Submit: Junyang Shao
+Reviewed-by: Damien Neil
+---
+ src/cmd/internal/moddeps/moddeps_test.go | 1 +
+ src/vendor/golang.org/x/net/http/httpproxy/proxy.go | 10 ++++++++--
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/src/cmd/internal/moddeps/moddeps_test.go b/src/cmd/internal/moddeps/moddeps_test.go
+index 2def029325be55..0b43b20b3c19fa 100644
+--- a/src/cmd/internal/moddeps/moddeps_test.go
++++ b/src/cmd/internal/moddeps/moddeps_test.go
+@@ -33,6 +33,7 @@ import (
+ // See issues 36852, 41409, and 43687.
+ // (Also see golang.org/issue/27348.)
+ func TestAllDependencies(t *testing.T) {
++ t.Skip("TODO(#71986): 1.24.1 contains unreleased changes from vendored modules")
+ goBin := testenv.GoToolPath(t)
+ 
+ // Ensure that all packages imported within GOROOT
+diff --git a/src/vendor/golang.org/x/net/http/httpproxy/proxy.go b/src/vendor/golang.org/x/net/http/httpproxy/proxy.go
+index 6404aaf157d6ad..d89c257ae72314 100644
+--- a/src/vendor/golang.org/x/net/http/httpproxy/proxy.go
++++ b/src/vendor/golang.org/x/net/http/httpproxy/proxy.go
+@@ -14,6 +14,7 @@ import (
+ "errors"
+ "fmt"
+ "net"
++ "net/netip"
+ "net/url"
+ "os"
+ "strings"
+@@ -177,8 +178,10 @@ func (cfg *config) useProxy(addr string) bool {
+ if host == "localhost" {
+ return false
+ }
+- ip := net.ParseIP(host)
+- if ip != nil {
++ nip, err := netip.ParseAddr(host)
++ var ip net.IP
++ if err == nil {
++ ip = net.IP(nip.AsSlice())
+ if ip.IsLoopback() {
+ return false
+ }
+@@ -360,6 +363,9 @@ type domainMatch struct {
+ }
+ 
+ func (m domainMatch) match(host, port string, ip net.IP) bool {
++ if ip != nil {
++ return false
++ }
+ if strings.HasSuffix(host, m.host) || (m.matchHost && host == m.host[1:]) {
+ return m.port == "" || m.port == port
+ }
diff --git a/golang.spec b/golang.spec
index 1651a56cbf13a1f39583df16e97856233d8009b2..d07d4f390ed54c1a79d69ca85045818fd5f17bff 100644
--- a/golang.spec
+++ b/golang.spec
@@ -1,4 +1,4 @@
-%define anolis_release 6
+%define anolis_release 7
 # Disable debuginfo packages
 %global debug_package %{nil}
@@ -128,6 +128,8 @@ Patch44: 0044-cmd-go-internal-work-allow-a-bunch-of-loong64-specif.patch
 Patch45: 0045-Fix-CVE-2025-22871.patch
 # https://github.com/golang/go/commit/03811ab1b31525e8d779997db169c6fedab7c505
 Patch46: 0046-Fix-CVE-2025-22874.patch
+# https://github.com/golang/go/commit/334de7982f8ec959c74470dd709ceedfd6dbd50a
+Patch47: 0047-Fix-CVE-2025-22870.patch
 # The compiler is written in Go. Needs go(1.4+) compiler for build.
 %if %{with bootstrap}
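Review bot: The backported patch carries upstream's `t.Skip("TODO(#71986): 1.24.1 contains unreleased changes from vendored modules")` at the top of TestAllDependencies, which switches off the whole vendored-dependency consistency check rather than only the x/net mismatch that upstream's 1.24.1 pre-release state needed it for. Because this spec runs %check, a later drift between vendor/ and go.mod in this package would no longer be caught by the test suite, and nothing in the spec records that this skip is intended. If the skip is required here because the vendored x/net is now ahead of what go.mod records, say so next to the new Patch47 line, e.g. `# Note: also skips moddeps TestAllDependencies (vendored x/net is ahead of go.mod, see #71986)`; otherwise consider dropping the moddeps_test.go hunk from the backport and keeping only the proxy.go hunks. The proxy.go changes themselves are the upstream fix as referenced by the commit URL in the spec and are left as-is.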
@@ -506,6 +508,8 @@ cp -av %{SOURCE100} %{buildroot}%{_sysconfdir}/gdbinit.d/golang.gdb
 echo "== END OF INSTALL =="
 %check
+export GOMAXPROCS=2
+echo "GOMAXPROCS set to: $GOMAXPROCS"
 export GOROOT=$(pwd -P)
 export PATH="$GOROOT"/bin:"$PATH"
 cd src
@@ -603,6 +607,9 @@ fi
 %files docs -f go-docs.list
 %changelog
+* Fri Aug 29 2025 wenxin - 1.24.0-7
+- Add patch to fix CVE-2025-22870
+
 * Wed Jul 23 2025 Cheng Yang - 1.24.0-6
 - add patch to Fix CVE-2025-22871 and CVE-2025-22874
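Review bot: `export GOMAXPROCS=2` in %check is unrelated to the CVE-2025-22870 backport and is not mentioned in the 1.24.0-7 changelog entry, so a reader cannot tell why the test suite's parallelism is now pinned to 2 or whether the fix was validated under that setting. If it is there to keep the Go test suite stable on constrained builders, say so in place, e.g. `# Pin GOMAXPROCS so the test suite does not oversubscribe constrained build hosts`, and add a line for it to the changelog; if it was a local debugging aid, the `echo "GOMAXPROCS set to: $GOMAXPROCS"` line at least should not ship. Note that the unconditional export also overrides any GOMAXPROCS the build environment already provides, which seems to be the intent but is worth stating.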