From c265e4c36f0ad4ec4743df323d785a8279d14566 Mon Sep 17 00:00:00 2001
From: changtao
Date: Wed, 19 Feb 2025 10:19:23 +0800
Subject: [PATCH] fix CVE-2025-22870

(cherry picked from commit b3ff55b1ee582a0009119a22143fb64cd4058043)
---
backport-0031-CVE-2025-22870.patch | 76 ++++++++++++++++++++++++++++++
golang.spec | 9 +++-
2 files changed, 84 insertions(+), 1 deletion(-)
create mode 100644 backport-0031-CVE-2025-22870.patch

diff --git a/backport-0031-CVE-2025-22870.patch b/backport-0031-CVE-2025-22870.patch
new file mode 100644
index 0000000..bcfdc8c
--- /dev/null
+++ b/backport-0031-CVE-2025-22870.patch
@@ -0,0 +1,76 @@
+From 334de7982f8ec959c74470dd709ceedfd6dbd50a Mon Sep 17 00:00:00 2001
+From: Damien Neil
+Date: Wed, 26 Feb 2025 16:46:43 -0800
+Subject: [PATCH] [release-branch.go1.24] all: updated vendored x/net with
+ security fix
+
+6ed00d0 [internal-branch.go1.24-vendor] proxy, http/httpproxy: do not mismatch IPv6 zone ids against hosts
+
+Fixes CVE-2025-22870
+For #71986
+
+Change-Id: I7bda0825f1a9470b0708714d9cc32b5eae212f8b
+Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2121
+Reviewed-by: Neal Patel
+Reviewed-by: Roland Shoemaker
+Commit-Queue: Roland Shoemaker
+Reviewed-on: https://go-review.googlesource.com/c/go/+/654715
+Reviewed-by: Michael Pratt
+LUCI-TryBot-Result: Go LUCI
+Auto-Submit: Junyang Shao
+Reviewed-by: Damien Neil
+---
+ src/cmd/internal/moddeps/moddeps_test.go | 1 +
+ src/vendor/golang.org/x/net/http/httpproxy/proxy.go | 10 ++++++++--
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/src/cmd/internal/moddeps/moddeps_test.go b/src/cmd/internal/moddeps/moddeps_test.go
+index ae890b6..9dc4741 100644
+--- a/src/cmd/internal/moddeps/moddeps_test.go
++++ b/src/cmd/internal/moddeps/moddeps_test.go
+@@ -33,6 +33,7 @@ import (
+ // See issues 36852, 41409, and 43687.
+ // (Also see golang.org/issue/27348.)
+ func TestAllDependencies(t *testing.T) {
++ t.Skip("TODO(#71986): 1.24.1 contains unreleased changes from vendored modules")
+ goBin := testenv.GoToolPath(t)
+
+ // Ensure that all packages imported within GOROOT
+diff --git a/src/vendor/golang.org/x/net/http/httpproxy/proxy.go b/src/vendor/golang.org/x/net/http/httpproxy/proxy.go
+index c3bd9a1..334add3 100644
+--- a/src/vendor/golang.org/x/net/http/httpproxy/proxy.go
++++ b/src/vendor/golang.org/x/net/http/httpproxy/proxy.go
+@@ -14,6 +14,7 @@ import (
+ "errors"
+ "fmt"
+ "net"
++ "net/netip"
+ "net/url"
+ "os"
+ "strings"
+@@ -180,8 +181,10 @@ func (cfg *config) useProxy(addr string) bool {
+ if host == "localhost" {
+ return false
+ }
+- ip := net.ParseIP(host)
+- if ip != nil {
++ nip, err := netip.ParseAddr(host)
++ var ip net.IP
++ if err == nil {
++ ip = net.IP(nip.AsSlice())
+ if ip.IsLoopback() {
+ return false
+ }
+@@ -363,6 +366,9 @@ type domainMatch struct {
+ }
+
+ func (m domainMatch) match(host, port string, ip net.IP) bool {
++ if ip != nil {
++ return false
++ }
+ if strings.HasSuffix(host, m.host) || (m.matchHost && host == m.host[1:]) {
+ return m.port == "" || m.port == port
+ }
+--
+2.46.0
+
diff --git a/golang.spec b/golang.spec
index 5e216cb..0148137 100644
--- a/golang.spec
+++ b/golang.spec
@@ -66,7 +66,7 @@
Name: golang
Version: 1.21.4
-Release: 31
+Release: 32
Summary: The Go Programming Language
License: BSD and Public Domain
URL: https://golang.org/
@@ -150,6 +150,7 @@ Patch6027: backport-0027-crypto-tls-fix-Config.Time-in-tests-using-expired-ce.pa
Patch6028: backport-0028-release-branch.go1.21-runtime-allow-update-of-system.patch
Patch6029: backport-0029-Backport-net-http-persist-header-stripping-across-re.patch
Patch6030: backport-0030-Backport-crypto-x509-properly-check-for-IPv6-hosts-i.patch
+Patch6031: backport-0031-CVE-2025-22870.patch
Patch9001: 0001-fix-asan_test-test-case-failure.patch
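Review bot: The backported patch carries the go1.24-specific moddeps_test.go hunk verbatim, `t.Skip("TODO(#71986): 1.24.1 contains unreleased changes from vendored modules")`, whose reason text describes a 1.24.1 release state and not the 1.21.4 tree this spec builds; if it applies at all here it silently disables TestAllDependencies under a misleading message, so that hunk should be dropped from the backport or its skip reason rewritten for 1.21.4. The proxy.go hunks are taken from release-branch.go1.24 (vendored file at index c3bd9a1..334add3), so they presumably need their context refreshed against the x/net copy vendored in 1.21.4; the build log should confirm the patch applied without rejects rather than assuming it. The functional part — parsing the host with netip.ParseAddr and the early `if ip != nil { return false }` in domainMatch.match — matches the upstream CVE-2025-22870 fix as far as the visible lines show. Both useProxy and domainMatch.match continue outside the hunk.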
@@ -390,6 +391,12 @@ fi
%files devel -f go-tests.list -f go-misc.list -f go-src.list
%changelog
+* Fri Mar 14 2025 changtao - 1.21.4-32
+- Type:CVE
+- CVE:CVE-2025-22870
+- SUG:NA
+- DESC:fix CVE-2025-22870
+
* Wed Feb 19 2025 hanchao - 1.21.4-31
- Type:CVE
- CVE:CVE-2024-45336,CVE-2024-45341
--
Gitee