From bc6a64df2b449c94b4d88e4e09761f05fefc3e99 Mon Sep 17 00:00:00 2001
From: wujichao <wujichao1@huawei.com>
Date: Tue, 8 Apr 2025 15:14:39 +0800
Subject: [PATCH] [backport]fix CVE-2025-22870

Note:In the modification of the original CVE, the net/netip package was used. However, this package is not available in current version.Therefore, the parseIPZone function in the net package is used instead for the fix.
---
 ...870-do-not-mismatch-IPv6-zone-ids-ag.patch | 80 +++++++++++++++++++
 golang.spec                                   |  9 ++-
 2 files changed, 88 insertions(+), 1 deletion(-)
 create mode 100644 0074-CVE-2025-22870-do-not-mismatch-IPv6-zone-ids-ag.patch

diff --git a/0074-CVE-2025-22870-do-not-mismatch-IPv6-zone-ids-ag.patch b/0074-CVE-2025-22870-do-not-mismatch-IPv6-zone-ids-ag.patch
new file mode 100644
index 0000000..0dbaafd
--- /dev/null
+++ b/0074-CVE-2025-22870-do-not-mismatch-IPv6-zone-ids-ag.patch
@@ -0,0 +1,80 @@
+From 334de7982f8ec959c74470dd709ceedfd6dbd50a Mon Sep 17 00:00:00 2001
+From: Damien Neil <dneil@google.com>
+Date: Wed, 26 Feb 2025 16:46:43 -0800
+Subject: [PATCH] [release-branch.go1.24] all: updated vendored x/net with security fix
+
+6ed00d0 [internal-branch.go1.24-vendor] proxy, http/httpproxy: do not mismatch IPv6 zone ids against hosts
+
+Fixes CVE-2025-22870
+For #71986
+
+Change-Id: I7bda0825f1a9470b0708714d9cc32b5eae212f8b
+Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2121
+Reviewed-by: Neal Patel <nealpatel@google.com>
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+Commit-Queue: Roland Shoemaker <bracewell@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/654715
+Reviewed-by: Michael Pratt <mpratt@google.com>
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+Auto-Submit: Junyang Shao <shaojunyang@google.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+
+Conflict:NA
+Reference:https://go-review.googlesource.com/c/go/+/654715
+
+Note:In the modification of the original CVE, the net/netip package was used. However, this package is not available in current version.Therefore, the parseIPZone function in the net package is used instead for the fix.
+Edited-by: wujichao wujichao1@hauwei.com
+---
+ .../golang.org/x/net/http/httpproxy/proxy.go      | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/src/vendor/golang.org/x/net/http/httpproxy/proxy.go b/src/vendor/golang.org/x/net/http/httpproxy/proxy.go
+index 1415b07..148c62f 100644
+--- a/src/vendor/golang.org/x/net/http/httpproxy/proxy.go
++++ b/src/vendor/golang.org/x/net/http/httpproxy/proxy.go
+@@ -18,6 +18,7 @@ import (
+ 	"os"
+ 	"strings"
+ 	"unicode/utf8"
++	_ "unsafe"
+ 
+ 	"golang.org/x/net/idna"
+ )
+@@ -181,11 +182,9 @@ func (cfg *config) useProxy(addr string) bool {
+ 	if host == "localhost" {
+ 		return false
+ 	}
+-	ip := net.ParseIP(host)
+-	if ip != nil {
+-		if ip.IsLoopback() {
+-			return false
+-		}
++	ip, _ := parseIPZone(host)
++	if ip != nil && ip.IsLoopback() {
++		return false
+ 	}
+ 
+ 	addr = strings.ToLower(strings.TrimSpace(host))
+@@ -205,6 +204,9 @@ func (cfg *config) useProxy(addr string) bool {
+ 	return true
+ }
+ 
++//go:linkname parseIPZone net.parseIPZone
++func parseIPZone(s string) (net.IP, string)
++
+ func (c *config) init() {
+ 	if parsed, err := parseProxy(c.HTTPProxy); err == nil {
+ 		c.httpProxy = parsed
+@@ -361,6 +363,9 @@ type domainMatch struct {
+ }
+ 
+ func (m domainMatch) match(host, port string, ip net.IP) bool {
++	if ip != nil {
++		return false
++	}
+ 	if strings.HasSuffix(host, m.host) || (m.matchHost && host == m.host[1:]) {
+ 		return m.port == "" || m.port == port
+ 	}
+-- 
+2.33.0
+
diff --git a/golang.spec b/golang.spec
index bcddb79..aa1163b 100644
--- a/golang.spec
+++ b/golang.spec
@@ -63,7 +63,7 @@
 
 Name:           golang
 Version:        1.17.3
-Release:        38
+Release:        39
 Summary:        The Go Programming Language
 License:        BSD and Public Domain
 URL:            https://golang.org/
@@ -223,6 +223,7 @@ Patch6070:	0070-Backport-go-build-constraint-add-parsing-limits.patch
 Patch6071:	0071-CVE-2024-45341-crypto-x509-properly-check-for-IPv6-h.patch
 Patch6072:	0072-CVE-2024-45336-net-http-persist-header-stripping-acr.patch
 Patch6073:	0073-crypto-tls-fix-Config.Time-in-tests-using-expir.patch
+Patch6074: 	0074-CVE-2025-22870-do-not-mismatch-IPv6-zone-ids-ag.patch
 
 ExclusiveArch:  %{golang_arches}
 
@@ -461,6 +462,12 @@ fi
 %files devel -f go-tests.list -f go-misc.list -f go-src.list
 
 %changelog
+* Tue Apr 08 2025 wujichao <wujichao1@huawei.com> - 1.17.3-39
+- Type:CVE
+- CVE:CVE-2025-22870
+- SUG:NA
+- DESC:fix CVE-2025-22870
+
 * Fri Feb 21 2025 wujichao <wujichao1@huawei.com> - 1.17.3-38
 - Type:CVE
 - CVE:CVE-2024-45341 CVE-2024-45336
-- 
Gitee