diff --git a/backport-0037-CVE-2025-58183-archive-tar-set-a-limit-on-the.patch b/backport-0037-CVE-2025-58183-archive-tar-set-a-limit-on-the.patch
new file mode 100644
index 0000000000000000000000000000000000000000..c9a1285adaaa196d25c9db6e7bb8a84a5ae38b56
--- /dev/null
+++ b/backport-0037-CVE-2025-58183-archive-tar-set-a-limit-on-the.patch
@@ -0,0 +1,90 @@
+From f7a68d3804efabd271f0338391858bc1e7e57422 Mon Sep 17 00:00:00 2001
+From: Damien Neil
+Date: Thu, 11 Sep 2025 13:32:10 -0700
+Subject: [PATCH] archive/tar: set a limit on the size of GNU
+ sparse file 1.0 regions
+
+Sparse files in tar archives contain only the non-zero components
+of the file. There are several different encodings for sparse
+files. When reading GNU tar pax 1.0 sparse files, archive/tar did
+not set a limit on the size of the sparse region data. A malicious
+archive containing a large number of sparse blocks could cause
+archive/tar to read an unbounded amount of data from the archive
+into memory.
+
+Reference: https://go-review.googlesource.com/c/go/+/709861
+Conflict: no
+
+Since a malicious input can be highly compressable, a small
+compressed input could cause very large allocations.
+
+Cap the size of the sparse block data to the same limit used
+for PAX headers (1 MiB).
+
+Thanks to Harshit Gupta (Mr HAX) (https://www.linkedin.com/in/iam-harshit-gupta/)
+for reporting this issue.
+
+Fixes CVE-2025-58183
+Fixes #75677
+
+Change-Id: I70b907b584a7b8676df8a149a1db728ae681a770
+Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2800
+Reviewed-by: Roland Shoemaker
+Reviewed-by: Nicholas Husin
+Reviewed-on: https://go-review.googlesource.com/c/go/+/709861
+Auto-Submit: Michael Pratt
+TryBot-Bypass: Michael Pratt
+Reviewed-by: Carlos Amedee
+---
+ src/archive/tar/common.go | 1 +
+ src/archive/tar/reader.go | 9 +++++++--
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/src/archive/tar/common.go b/src/archive/tar/common.go
+index dc9d350..da1511b 100644
+--- a/src/archive/tar/common.go
++++ b/src/archive/tar/common.go
+@@ -38,6 +38,7 @@ var (
+ errMissData = errors.New("archive/tar: sparse file references non-existent data")
+ errUnrefData = errors.New("archive/tar: sparse file contains unreferenced data")
+ errWriteHole = errors.New("archive/tar: write non-NUL byte in sparse hole")
++ errSparseTooLong = errors.New("archive/tar: sparse map too long")
+ )
+ 
+ type headerError []string
+diff --git a/src/archive/tar/reader.go b/src/archive/tar/reader.go
+index cfa5044..7ab9c3a 100644
+--- a/src/archive/tar/reader.go
++++ b/src/archive/tar/reader.go
+@@ -531,12 +531,17 @@ func readGNUSparseMap1x0(r io.Reader) (sparseDatas, error) {
+ cntNewline int64
+ buf bytes.Buffer
+ blk block
++ totalSize int
+ )
+ 
+ // feedTokens copies data in blocks from r into buf until there are
+ // at least cnt newlines in buf. It will not read more blocks than needed.
+ feedTokens := func(n int64) error {
+ for cntNewline < n {
++ totalSize += len(blk)
++ if totalSize > maxSpecialFileSize {
++ return errSparseTooLong
++ }
+ if _, err := mustReadFull(r, blk[:]); err != nil {
+ return err
+ }
+@@ -569,8 +574,8 @@ func readGNUSparseMap1x0(r io.Reader) (sparseDatas, error) {
+ }
+ 
+ // Parse for all member entries.
+- // numEntries is trusted after this since a potential attacker must have
+- // committed resources proportional to what this library used.
++ // numEntries is trusted after this since feedTokens limits the number of
++ // tokens based on maxSpecialFileSize.
+ if err := feedTokens(2 * numEntries); err != nil {
+ return nil, err
+ }
+-- 
+2.43.0
+
diff --git a/backport-0038-CVE-2025-58189-crypto-tls-quote-protocols-in.patch b/backport-0038-CVE-2025-58189-crypto-tls-quote-protocols-in.patch
new file mode 100644
index 0000000000000000000000000000000000000000..28a88a03f5acd589046bf7428eb7f98ec5fc2c64
--- /dev/null
+++ b/backport-0038-CVE-2025-58189-crypto-tls-quote-protocols-in.patch
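Review bot: The readGNUSparseMap1x0 backport adds the maxSpecialFileSize cap but ships without a regression test, so nothing in this package build verifies that a sparse map longer than 1 MiB now yields errSparseTooLong instead of being read into buf without bound. If the upstream CL carried a reader_test.go change it is worth backporting alongside; otherwise a small test that calls readGNUSparseMap1x0 with a reader producing more than maxSpecialFileSize bytes of newline-separated tokens and asserts `errors.Is(err, errSparseTooLong)` would pin the fix. The charge `totalSize += len(blk)` happens before the read, so the limit counts the block about to be fetched; a comment such as `// Charge the block before reading it so a map that would exceed the cap is rejected without the extra read.` would make that ordering explicit. The enclosing readGNUSparseMap1x0 function starts and ends outside the hunk.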
@@ -0,0 +1,44 @@
+From 4e9006a716533fe1c7ee08df02dfc73078f7dc19 Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker
+Date: Mon, 29 Sep 2025 10:11:56 -0700
+Subject: [PATCH] crypto/tls: quote protocols in ALPN
+ error message
+
+Quote the protocols sent by the client when returning the ALPN
+negotiation error message.
+
+Reference: https://go-review.googlesource.com/c/go/+/707776
+Conclict: no
+
+Fixes CVE-2025-58189
+Fixes #75652
+
+Change-Id: Ie7b3a1ed0b6efcc1705b71f0f1e8417126661330
+Reviewed-on: https://go-review.googlesource.com/c/go/+/707776
+Auto-Submit: Roland Shoemaker
+Reviewed-by: Neal Patel
+Reviewed-by: Nicholas Husin
+Auto-Submit: Nicholas Husin
+Reviewed-by: Nicholas Husin
+TryBot-Bypass: Roland Shoemaker
+Reviewed-by: Daniel McCarney
+---
+ src/crypto/tls/handshake_server.go | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/crypto/tls/handshake_server.go b/src/crypto/tls/handshake_server.go
+index 7c75977..6aebb74 100644
+--- a/src/crypto/tls/handshake_server.go
++++ b/src/crypto/tls/handshake_server.go
+@@ -338,7 +338,7 @@ func negotiateALPN(serverProtos, clientProtos []string, quic bool) (string, erro
+ if http11fallback {
+ return "", nil
+ }
+- return "", fmt.Errorf("tls: client requested unsupported application protocols (%s)", clientProtos)
++ return "", fmt.Errorf("tls: client requested unsupported application protocols (%q)", clientProtos)
+ }
+ 
+ // supportsECDHE returns whether ECDHE key exchanges can be used with this
+-- 
+2.43.0
+
diff --git a/backport-0039-CVE-2025-61724-net-textproto-avoid-quadratic.patch b/backport-0039-CVE-2025-61724-net-textproto-avoid-quadratic.patch
new file mode 100644
index 0000000000000000000000000000000000000000..35021ccd55ee952e28deec7af5c884e8700da2df
--- /dev/null
+++ b/backport-0039-CVE-2025-61724-net-textproto-avoid-quadratic.patch
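Review bot: `Conclict: no` in this backport's header (and again in backport-0039) is a typo for `Conflict: no`, the spelling backport-0037 uses; the field is what people scan when triaging which backports needed manual rebasing, so keeping it consistent matters more than it looks. The code change itself is the one-line upstream fix: `%q` quotes each client-supplied protocol name, so control characters or newlines in an attacker-chosen ALPN list are escaped instead of being copied verbatim into the error string that ends up in logs. The diffstat shows only handshake_server.go is touched; if this tree formats clientProtos or serverProtos with `%s` elsewhere the same quoting would apply, though nothing in the hunk indicates that it does. negotiateALPN starts outside the hunk.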
@@ -0,0 +1,70 @@
+From 5ede095649db7783726c28390812bca9ce2c684a Mon Sep 17 00:00:00 2001
+From: Damien Neil
+Date: Tue, 30 Sep 2025 15:11:16 -0700
+Subject: [PATCH] net/textproto: avoid quadratic complexity in
+ Reader.ReadResponse
+
+Reader.ReadResponse constructed a response string from repeated
+string concatenation, permitting a malicious sender to cause excessive
+memory allocation and CPU consumption by sending a response consisting
+of many short lines.
+
+Reference: https://go-review.googlesource.com/c/go/+/709859
+Conclict: no
+
+Use a strings.Builder to construct the string instead.
+
+Thanks to Jakub Ciolek for reporting this issue.
+
+Fixes CVE-2025-61724
+Fixes #75716
+
+Change-Id: I1a98ce85a21b830cb25799f9ac9333a67400d736
+Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2940
+Reviewed-by: Roland Shoemaker
+Reviewed-by: Nicholas Husin
+Reviewed-on: https://go-review.googlesource.com/c/go/+/709859
+TryBot-Bypass: Michael Pratt
+Auto-Submit: Michael Pratt
+Reviewed-by: Carlos Amedee
+---
+ src/net/textproto/reader.go | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/src/net/textproto/reader.go b/src/net/textproto/reader.go
+index f98e05b..2c926ca 100644
+--- a/src/net/textproto/reader.go
++++ b/src/net/textproto/reader.go
+@@ -284,8 +284,10 @@ func (r *Reader) ReadCodeLine(expectCode int) (code int, message string, err err
+ //
+ // An expectCode <= 0 disables the check of the status code.
+ func (r *Reader) ReadResponse(expectCode int) (code int, message string, err error) {
+- code, continued, message, err := r.readCodeLine(expectCode)
++ code, continued, first, err := r.readCodeLine(expectCode)
+ multi := continued
++ var messageBuilder strings.Builder
++ messageBuilder.WriteString(first)
+ for continued {
+ line, err := r.ReadLine()
+ if err != nil {
+@@ -296,12 +298,15 @@ func (r *Reader) ReadResponse(expectCode int) (code int, message string, err err
+ var moreMessage string
+ code2, continued, moreMessage, err = parseCodeLine(line, 0)
+ if err != nil || code2 != code {
+- message += "\n" + strings.TrimRight(line, "\r\n")
++ messageBuilder.WriteByte('\n')
++ messageBuilder.WriteString(strings.TrimRight(line, "\r\n"))
+ continued = true
+ continue
+ }
+- message += "\n" + moreMessage
++ messageBuilder.WriteByte('\n')
++ messageBuilder.WriteString(moreMessage)
+ }
++ message = messageBuilder.String()
+ if err != nil && multi && message != "" {
+ // replace one line error message with all lines (full message)
+ err = &Error{code, message}
+-- 
+2.43.0
+
diff --git a/golang.spec b/golang.spec
index cc5072409955e7028ee340142d932de32d85120f..0ada76e5cb4cc1c6d75c5ad205ab3306a712bd62 100644
--- a/golang.spec
+++ b/golang.spec
@@ -66,7 +66,7 @@ Name: golang
 Version: 1.21.4
-Release: 37
+Release: 38
 Summary: The Go Programming Language
 License: BSD and Public Domain
 URL: https://golang.org/
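Review bot: `message` is now assigned exactly once, after the loop (`message = messageBuilder.String()`), whereas the old code grew it incrementally; the early `return` that follows `if err != nil {` inside `for continued` lies outside the hunk, so it should be confirmed that path returns explicit values rather than relying on the named result `message` holding the partial text, which with the new code would be empty at that point. Note also that `line, err := r.ReadLine()` shadows the named result `err` inside the loop, which is pre-existing but easy to misread next to the outer `err` that parseCodeLine assigns with `=` a few lines later. The builder removes the quadratic copying, but the assembled message is still bounded only by what the peer sends, so callers on untrusted connections should continue to cap response size themselves; a comment such as `// Accumulate in a Builder: repeated += was quadratic in the number of continuation lines (CVE-2025-61724).` would record why the shape changed. ReadResponse starts in the first hunk and its body continues past the second.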
@@ -157,6 +157,9 @@ Patch6033: backport-0033-CVE-2025-47907-database-sql-avoid-closing-Rows-while-sc
 Patch6034: backport-0034-CVE-2025-47906-os-exec-fix-incorrect-expansion-of-.-and-.-in-LookPa.patch
 Patch6035: backport-0035-CVE-2025-4674-disable-support-for-multiple-vcs-in-one-module.patch
 Patch6036: backport-0036-CVE-2025-22871-net-http-reject-newlines-in-.patch
+Patch6037: backport-0037-CVE-2025-58183-archive-tar-set-a-limit-on-the.patch
+Patch6038: backport-0038-CVE-2025-58189-crypto-tls-quote-protocols-in.patch
+Patch6039: backport-0039-CVE-2025-61724-net-textproto-avoid-quadratic.patch
 # Part 8001 ~ 8999
 # Developed optimization features
@@ -402,6 +405,12 @@ fi
 %files devel -f go-tests.list -f go-misc.list -f go-src.list
 %changelog
+* Sat Nov 8 2025 huzhangying - 1.21.4-38
+- Type:CVE
+- CVE:CVE-2025-58183,CVE-2025-58189, CVE-2025-61724
+- SUG:NA
+- DESC:fix CVE-2025-58183, CVE-2025-58189, CVE-2025-61724
+
 * Mon Sep 15 2025 songliyang - 1.21.4-37
 - Type:CVE
 - CVE:CVE-2025-22871