From b3cafcba1549672ac3942ca4b4854e7cd8e4b0e4 Mon Sep 17 00:00:00 2001
From: changtao
Date: Wed, 19 Feb 2025 10:54:34 +0800
Subject: [PATCH] fix-CVE-2025-22870
---
 0071-Backport-CVE-2025-22870.patch | 76 ++++++++++++++++++++++++++++++
 golang.spec | 9 +++-
 2 files changed, 84 insertions(+), 1 deletion(-)
 create mode 100644 0071-Backport-CVE-2025-22870.patch
diff --git a/0071-Backport-CVE-2025-22870.patch b/0071-Backport-CVE-2025-22870.patch
new file mode 100644
index 0000000..57ef737
--- /dev/null
+++ b/0071-Backport-CVE-2025-22870.patch
@@ -0,0 +1,76 @@
+From 334de7982f8ec959c74470dd709ceedfd6dbd50a Mon Sep 17 00:00:00 2001
+From: Damien Neil
+Date: Wed, 26 Feb 2025 16:46:43 -0800
+Subject: [PATCH] [release-branch.go1.24] all: updated vendored x/net with
+ security fix
+
+6ed00d0 [internal-branch.go1.24-vendor] proxy, http/httpproxy: do not mismatch IPv6 zone ids against hosts
+
+Fixes CVE-2025-22870
+For #71986
+
+Change-Id: I7bda0825f1a9470b0708714d9cc32b5eae212f8b
+Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2121
+Reviewed-by: Neal Patel
+Reviewed-by: Roland Shoemaker
+Commit-Queue: Roland Shoemaker
+Reviewed-on: https://go-review.googlesource.com/c/go/+/654715
+Reviewed-by: Michael Pratt
+LUCI-TryBot-Result: Go LUCI
+Auto-Submit: Junyang Shao
+Reviewed-by: Damien Neil
+---
+ src/cmd/internal/moddeps/moddeps_test.go | 1 +
+ src/vendor/golang.org/x/net/http/httpproxy/proxy.go | 10 ++++++++--
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/src/cmd/internal/moddeps/moddeps_test.go b/src/cmd/internal/moddeps/moddeps_test.go
+index 3306e29..57e4f1d 100644
+--- a/src/cmd/internal/moddeps/moddeps_test.go
++++ b/src/cmd/internal/moddeps/moddeps_test.go
+@@ -34,6 +34,7 @@ import (
+ // See issues 36852, 41409, and 43687.
+ // (Also see golang.org/issue/27348.)
+ func TestAllDependencies(t *testing.T) {
++ t.Skip("TODO(#71985) 1.23.7 contains unreleased changes from vendored modules")
+ t.Skip("TODO(#53977): 1.18.5 contains unreleased changes from vendored modules")
+
+ goBin := testenv.GoToolPath(t)
+diff --git a/src/vendor/golang.org/x/net/http/httpproxy/proxy.go b/src/vendor/golang.org/x/net/http/httpproxy/proxy.go
+index 1415b07..76dd997 100644
+--- a/src/vendor/golang.org/x/net/http/httpproxy/proxy.go
++++ b/src/vendor/golang.org/x/net/http/httpproxy/proxy.go
+@@ -14,6 +14,7 @@ import (
+ "errors"
+ "fmt"
+ "net"
++ "net/netip"
+ "net/url"
+ "os"
+ "strings"
+@@ -181,8 +182,10 @@ func (cfg *config) useProxy(addr string) bool {
+ if host == "localhost" {
+ return false
+ }
+- ip := net.ParseIP(host)
+- if ip != nil {
++ nip, err := netip.ParseAddr(host)
++ var ip net.IP
++ if err == nil {
++ ip = net.IP(nip.AsSlice())
+ if ip.IsLoopback() {
+ return false
+ }
+@@ -361,6 +364,9 @@ type domainMatch struct {
+ }
+
+ func (m domainMatch) match(host, port string, ip net.IP) bool {
++ if ip != nil {
++ return false
++ }
+ if strings.HasSuffix(host, m.host) || (m.matchHost && host == m.host[1:]) {
+ return m.port == "" || m.port == port
+ }
+--
+2.46.0
+
diff --git a/golang.spec b/golang.spec
index 6701802..8654e07 100644
--- a/golang.spec
+++ b/golang.spec
@@ -63,7 +63,7 @@
 Name: golang
 Version: 1.17.3
-Release: 37
+Release: 38
 Summary: The Go Programming Language
 License: BSD and Public Domain
 URL: https://golang.org/
@@ -220,6 +220,7 @@ Patch6067: 0067-Backport-net-http-send-body-or-close-connection-on-e.patch
 Patch6068: 0068-Backport-go-parser-track-depth-in-nested-element-lis.patch
 Patch6069: 0069-Backport-encoding-gob-cover-missed-cases-when-checki.patch
 Patch6070: 0070-Backport-go-build-constraint-add-parsing-limits.patch
+Patch6071: 0071-Backport-CVE-2025-22870.patch
 ExclusiveArch: %{golang_arches}
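Review bot: The `"net/netip"` import and the `netip.ParseAddr(host)` call that the embedded patch adds at `@@ -181,8 +182,10 @@` of `src/vendor/golang.org/x/net/http/httpproxy/proxy.go` cannot build on the toolchain this spec packages: golang.spec says `Version: 1.17.3`, and `net/netip` only entered the standard library in Go 1.18, so unless an earlier patch in the series (not visible here) supplies that package, the vendored file fails to compile and the CVE-2025-22870 fix is not actually shipped. The upstream commit targets release-branch.go1.24 and needs adapting to this tree rather than copying verbatim. One possible adaptation, to be reviewed on its own, keeps `net.ParseIP` but feeds it the host without its zone, for example `ipHost := host`, `if i := strings.IndexByte(host, '%'); i > 0 && strings.Contains(host[:i], ":") { ipHost = host[:i] }`, `ip := net.ParseIP(ipHost)`, so that a zoned IPv6 literal still yields a non-nil `ip` for the new `if ip != nil { return false }` guard in `domainMatch.match`. Whichever form is used, the release should be gated on a successful build plus a regression test that passes a zoned IPv6 literal through `useProxy`. The body of `useProxy` continues outside the hunk.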
@@ -458,6 +459,12 @@ fi
 %files devel -f go-tests.list -f go-misc.list -f go-src.list
 %changelog
+* Fri Mar 14 2025 changtao - 1.17.3-38
+- Type:CVE
+- CVE:CVE-2025-22870
+- SUG:NA
+- DESC:fix CVE-2025-22870
+
 * Tue Oct 22 2024 hanchao - 1.17.3-37
 - Type:CVE
 - CVE:CVE-2024-34156,CVE-2024-34158
--
Gitee