From c0c1f78e4786077715304b20457e6db6b3796bb6 Mon Sep 17 00:00:00 2001
From: changtao
Date: Wed, 19 Feb 2025 10:43:10 +0800
Subject: [PATCH] fix CVE-2025-22870
---
 0074-backport-CVE-2025-22870.patch | 76 ++++++++++++++++++++++++++++++
 golang.spec | 9 +++-
 2 files changed, 84 insertions(+), 1 deletion(-)
 create mode 100644 0074-backport-CVE-2025-22870.patch
diff --git a/0074-backport-CVE-2025-22870.patch b/0074-backport-CVE-2025-22870.patch
new file mode 100644
index 0000000..7595da6
--- /dev/null
+++ b/0074-backport-CVE-2025-22870.patch
@@ -0,0 +1,76 @@
+From 334de7982f8ec959c74470dd709ceedfd6dbd50a Mon Sep 17 00:00:00 2001
+From: Damien Neil
+Date: Wed, 26 Feb 2025 16:46:43 -0800
+Subject: [PATCH] [release-branch.go1.24] all: updated vendored x/net with
+ security fix
+
+6ed00d0 [internal-branch.go1.24-vendor] proxy, http/httpproxy: do not mismatch IPv6 zone ids against hosts
+
+Fixes CVE-2025-22870
+For #71986
+
+Change-Id: I7bda0825f1a9470b0708714d9cc32b5eae212f8b
+Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2121
+Reviewed-by: Neal Patel
+Reviewed-by: Roland Shoemaker
+Commit-Queue: Roland Shoemaker
+Reviewed-on: https://go-review.googlesource.com/c/go/+/654715
+Reviewed-by: Michael Pratt
+LUCI-TryBot-Result: Go LUCI
+Auto-Submit: Junyang Shao
+Reviewed-by: Damien Neil
+---
+ src/cmd/internal/moddeps/moddeps_test.go | 1 +
+ src/vendor/golang.org/x/net/http/httpproxy/proxy.go | 10 ++++++++--
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/src/cmd/internal/moddeps/moddeps_test.go b/src/cmd/internal/moddeps/moddeps_test.go
+index 3306e29..57e4f1d 100644
+--- a/src/cmd/internal/moddeps/moddeps_test.go
++++ b/src/cmd/internal/moddeps/moddeps_test.go
+@@ -34,6 +34,7 @@ import (
+ // See issues 36852, 41409, and 43687.
+ // (Also see golang.org/issue/27348.)
+ func TestAllDependencies(t *testing.T) {
++ t.Skip("TODO(#71985) 1.23.7 contains unreleased changes from vendored modules")
+ t.Skip("TODO(#53977): 1.18.5 contains unreleased changes from vendored modules")
+
+ goBin := testenv.GoToolPath(t)
+diff --git a/src/vendor/golang.org/x/net/http/httpproxy/proxy.go b/src/vendor/golang.org/x/net/http/httpproxy/proxy.go
+index 1415b07..76dd997 100644
+--- a/src/vendor/golang.org/x/net/http/httpproxy/proxy.go
++++ b/src/vendor/golang.org/x/net/http/httpproxy/proxy.go
+@@ -14,6 +14,7 @@ import (
+ "errors"
+ "fmt"
+ "net"
++ "inet.af/netip"
+ "net/url"
+ "os"
+ "strings"
+@@ -181,8 +182,10 @@ func (cfg *config) useProxy(addr string) bool {
+ if host == "localhost" {
+ return false
+ }
+- ip := net.ParseIP(host)
+- if ip != nil {
++ nip, err := netip.ParseAddr(host)
++ var ip net.IP
++ if err == nil {
++ ip = net.IP(nip.AsSlice())
+ if ip.IsLoopback() {
+ return false
+ }
+@@ -361,6 +364,9 @@ type domainMatch struct {
+ }
+
+ func (m domainMatch) match(host, port string, ip net.IP) bool {
++ if ip != nil {
++ return false
++ }
+ if strings.HasSuffix(host, m.host) || (m.matchHost && host == m.host[1:]) {
+ return m.port == "" || m.port == port
+ }
+--
+2.46.0
+
diff --git a/golang.spec b/golang.spec
index bcddb79..f9928f0 100644
--- a/golang.spec
+++ b/golang.spec
@@ -63,7 +63,7 @@
 Name: golang
 Version: 1.17.3
-Release: 38
+Release: 39
 Summary: The Go Programming Language
 License: BSD and Public Domain
 URL: https://golang.org/
@@ -223,6 +223,7 @@
 Patch6070: 0070-Backport-go-build-constraint-add-parsing-limits.patch
 Patch6071: 0071-CVE-2024-45341-crypto-x509-properly-check-for-IPv6-h.patch
 Patch6072: 0072-CVE-2024-45336-net-http-persist-header-stripping-acr.patch
 Patch6073: 0073-crypto-tls-fix-Config.Time-in-tests-using-expir.patch
+Patch6074: 0074-backport-CVE-2025-22870.patch
 ExclusiveArch: %{golang_arches}
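Review bot: The proxy.go import hunk pulls in `"inet.af/netip"`, a third-party module, yet the diffstat touches only two files — no vendored copy of that module and no `src/vendor/modules.txt` entry — so as far as I can tell this backport will not build on Go 1.17, which predates the `net/netip` package the upstream fix relies on. Unless that module is vendored as well, a stdlib-only backport is the safer route: strip an IPv6 zone id before the existing `net.ParseIP` (the file already imports `strings`), so a `::1%.example.com`-style literal is still classified as an IP and never reaches the domain-suffix matchers, while the added `if ip != nil { return false }` guard in `domainMatch.match` stays as it is. The second `t.Skip` added to `TestAllDependencies` is unreachable after the one already there and could simply replace it. `useProxy` and `TestAllDependencies` both start before and continue past their hunks.
```go
	// … unchanged: "localhost" check …
	// Go 1.17 has no net/netip; strip an IPv6 zone id so literals such as
	// "fe80::1%eth0" or "::1%.example.com" still parse as IPs here and
	// therefore never fall through to the domain-suffix matchers.
	ipStr := host
	if i := strings.IndexByte(host, '%'); i >= 0 {
		ipStr = host[:i]
	}
	ip := net.ParseIP(ipStr)
	if ip != nil {
		// … unchanged: loopback check …
```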
@@ -461,6 +462,12 @@ fi
 %files devel -f go-tests.list -f go-misc.list -f go-src.list
 %changelog
+* Fri Mar 14 2025 changtao - 1.17.3-39
+- Type:CVE
+- CVE:CVE-2025-22870
+- SUG:NA
+- DESC:fix CVE-2025-22870
+
 * Fri Feb 21 2025 wujichao - 1.17.3-38
 - Type:CVE
 - CVE:CVE-2024-45341 CVE-2024-45336
--
Gitee