From fbe7c2f4b33f3f901098ae3b41ae7ba1c929fffa Mon Sep 17 00:00:00 2001 From: huzhangying Date: Thu, 20 Nov 2025 19:27:55 +0800 Subject: [PATCH] [backport]fix CVE-2025-47912,CVE-2025-58186 --- ...-net-url-enforce-stricter-parsing-of.patch | 930 ++++++++++++++++++ ...net-http-add-httpcookiemaxnum-option.patch | 130 +++ golang.spec | 16 +- 3 files changed, 1069 insertions(+), 7 deletions(-) create mode 100644 0086-CVE-2025-47912-net-url-enforce-stricter-parsing-of.patch create mode 100644 0087-CVE-2025-58186-net-http-add-httpcookiemaxnum-option.patch diff --git a/0086-CVE-2025-47912-net-url-enforce-stricter-parsing-of.patch b/0086-CVE-2025-47912-net-url-enforce-stricter-parsing-of.patch new file mode 100644 index 0000000..80b37be --- /dev/null +++ b/0086-CVE-2025-47912-net-url-enforce-stricter-parsing-of.patch @@ -0,0 +1,930 @@ +From f6f4e8b3ef21299db1ea3a343c3e55e91365a7fd Mon Sep 17 00:00:00 2001 +From: Ethan Lee +Date: Fri, 29 Aug 2025 17:35:55 +0000 +Subject: [PATCH] net/url: enforce stricter parsing of + bracketed IPv6 hostnames + +- Previously, url.Parse did not enforce validation of hostnames within + square brackets. +- RFC 3986 stipulates that only IPv6 hostnames can be embedded within + square brackets in a URL. +- Now, the parsing logic should strictly enforce that only IPv6 + hostnames can be resolved when in square brackets. IPv4, IPv4-mapped + addresses and other input will be rejected. +- Update url_test to add test cases that cover the above scenarios. + +Reference: https://go-review.googlesource.com/c/go/+/709857 +Conflict: add src/net/netip + +Thanks to Enze Wang, Jingcheng Yang and Zehui Miao of Tsinghua +University for reporting this issue. + +Fixes CVE-2025-47912 +Fixes #75678 + +Change-Id: Iaa41432bf0ee86de95a39a03adae5729e4deb46c +Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2680 +Reviewed-by: Damien Neil +Reviewed-by: Roland Shoemaker +Reviewed-on: https://go-review.googlesource.com/c/go/+/709857 +TryBot-Bypass: Michael Pratt +Reviewed-by: Carlos Amedee +Auto-Submit: Michael Pratt +--- + src/net/netip/netip.go | 545 ++++++++++++++++++++++++++++++++++ + src/net/netip/uint128.go | 81 +++++ + src/net/netip/uint128_test.go | 89 ++++++ + src/net/url/url.go | 44 ++- + src/net/url/url_test.go | 40 +++ + 5 files changed, 788 insertions(+), 11 deletions(-) + create mode 100644 src/net/netip/netip.go + create mode 100644 src/net/netip/uint128.go + create mode 100644 src/net/netip/uint128_test.go + +diff --git a/src/net/netip/netip.go b/src/net/netip/netip.go +new file mode 100644 +index 0000000..51e2bd6 +--- /dev/null ++++ b/src/net/netip/netip.go +@@ -0,0 +1,545 @@ ++package netip ++ ++import ( ++ "math" ++ "strconv" ++ ++ "internal/bytealg" ++) ++ ++// Sizes: (64-bit) ++// net.IP: 24 byte slice header + {4, 16} = 28 to 40 bytes ++// net.IPAddr: 40 byte slice header + {4, 16} = 44 to 56 bytes + zone length ++// netip.Addr: 24 bytes (zone is per-name singleton, shared across all users) ++ ++// Addr represents an IPv4 or IPv6 address (with or without a scoped ++// addressing zone), similar to [net.IP] or [net.IPAddr]. ++// ++// Unlike [net.IP] or [net.IPAddr], Addr is a comparable value ++// type (it supports == and can be a map key) and is immutable. ++// ++// The zero Addr is not a valid IP address. ++// Addr{} is distinct from both 0.0.0.0 and ::. ++type Addr struct { ++ // addr is the hi and lo bits of an IPv6 address. If z==z4, ++ // hi and lo contain the IPv4-mapped IPv6 address. ++ // ++ // hi and lo are constructed by interpreting a 16-byte IPv6 ++ // address as a big-endian 128-bit number. The most significant ++ // bits of that number go into hi, the rest into lo. ++ // ++ // For example, 0011:2233:4455:6677:8899:aabb:ccdd:eeff is stored as: ++ // addr.hi = 0x0011223344556677 ++ // addr.lo = 0x8899aabbccddeeff ++ // ++ // We store IPs like this, rather than as [16]byte, because it ++ // turns most operations on IPs into arithmetic and bit-twiddling ++ // operations on 64-bit registers, which is much faster than ++ // bytewise processing. ++ addr uint128 ++ ++ // z is a combination of the address family and the IPv6 zone. ++ // ++ // nil means invalid IP address (for a zero Addr). ++ // z4 means an IPv4 address. ++ // z6noz means an IPv6 address without a zone. ++ // ++ // Otherwise it's the interned zone name string. ++ z string ++} ++ ++// z0, z4, and z6noz are sentinel Addr.z values. ++// See the Addr type's field docs. ++var ( ++ z0 = "" ++ z4 = "ipv4" ++ z6noz = "ipv6" ++) ++ ++// IPv6Unspecified returns the IPv6 unspecified address "::". ++func IPv6Unspecified() Addr { return Addr{z: z6noz} } ++ ++// AddrFrom4 returns the address of the IPv4 address given by the bytes in addr. ++func AddrFrom4(addr [4]byte) Addr { ++ return Addr{ ++ addr: uint128{0, 0xffff00000000 | uint64(addr[0])<<24 | uint64(addr[1])<<16 | uint64(addr[2])<<8 | uint64(addr[3])}, ++ z: z4, ++ } ++} ++ ++// AddrFrom16 returns the IPv6 address given by the bytes in addr. ++// An IPv4-mapped IPv6 address is left as an IPv6 address. ++// (Use Unmap to convert them if needed.) ++func AddrFrom16(addr [16]byte) Addr { ++ return Addr{ ++ addr: uint128{ ++ beUint64(addr[:8]), ++ beUint64(addr[8:]), ++ }, ++ z: z6noz, ++ } ++} ++ ++func beUint64(b []byte) uint64 { ++ _ = b[7] // bounds check hint to compiler; see golang.org/issue/14808 ++ return uint64(b[7]) | uint64(b[6])<<8 | uint64(b[5])<<16 | uint64(b[4])<<24 | ++ uint64(b[3])<<32 | uint64(b[2])<<40 | uint64(b[1])<<48 | uint64(b[0])<<56 ++} ++ ++// ParseAddr parses s as an IP address, returning the result. The string ++// s can be in dotted decimal ("192.0.2.1"), IPv6 ("2001:db8::68"), ++// or IPv6 with a scoped addressing zone ("fe80::1cc0:3e8c:119f:c2e1%ens18"). ++func ParseAddr(s string) (Addr, error) { ++ for i := 0; i < len(s); i++ { ++ switch s[i] { ++ case '.': ++ return parseIPv4(s) ++ case ':': ++ return parseIPv6(s) ++ case '%': ++ // Assume that this was trying to be an IPv6 address with ++ // a zone specifier, but the address is missing. ++ return Addr{}, parseAddrError{in: s, msg: "missing IPv6 address"} ++ } ++ } ++ return Addr{}, parseAddrError{in: s, msg: "unable to parse IP"} ++} ++ ++type parseAddrError struct { ++ in string // the string given to ParseAddr ++ msg string // an explanation of the parse failure ++ at string // optionally, the unparsed portion of in at which the error occurred. ++} ++ ++// MustParseAddr calls ParseAddr(s) and panics on error. ++// It is intended for use in tests with hard-coded strings. ++func MustParseAddr(s string) Addr { ++ ip, err := ParseAddr(s) ++ if err != nil { ++ panic(err) ++ } ++ return ip ++} ++ ++func (err parseAddrError) Error() string { ++ q := strconv.Quote ++ if err.at != "" { ++ return "ParseAddr(" + q(err.in) + "): " + err.msg + " (at " + q(err.at) + ")" ++ } ++ return "ParseAddr(" + q(err.in) + "): " + err.msg ++} ++ ++// parseIPv4 parses s as an IPv4 address (in form "192.168.0.1"). ++func parseIPv4(s string) (ip Addr, err error) { ++ var fields [4]uint8 ++ var val, pos int ++ var digLen int // number of digits in current octet ++ for i := 0; i < len(s); i++ { ++ if s[i] >= '0' && s[i] <= '9' { ++ if digLen == 1 && val == 0 { ++ return Addr{}, parseAddrError{in: s, msg: "IPv4 field has octet with leading zero"} ++ } ++ val = val*10 + int(s[i]) - '0' ++ digLen++ ++ if val > 255 { ++ return Addr{}, parseAddrError{in: s, msg: "IPv4 field has value >255"} ++ } ++ } else if s[i] == '.' { ++ // .1.2.3 ++ // 1.2.3. ++ // 1..2.3 ++ if i == 0 || i == len(s)-1 || s[i-1] == '.' { ++ return Addr{}, parseAddrError{in: s, msg: "IPv4 field must have at least one digit", at: s[i:]} ++ } ++ // 1.2.3.4.5 ++ if pos == 3 { ++ return Addr{}, parseAddrError{in: s, msg: "IPv4 address too long"} ++ } ++ fields[pos] = uint8(val) ++ pos++ ++ val = 0 ++ digLen = 0 ++ } else { ++ return Addr{}, parseAddrError{in: s, msg: "unexpected character", at: s[i:]} ++ } ++ } ++ if pos < 3 { ++ return Addr{}, parseAddrError{in: s, msg: "IPv4 address too short"} ++ } ++ fields[3] = uint8(val) ++ return AddrFrom4(fields), nil ++} ++ ++// parseIPv6 parses s as an IPv6 address (in form "2001:db8::68"). ++func parseIPv6(in string) (Addr, error) { ++ s := in ++ ++ // Split off the zone right from the start. Yes it's a second scan ++ // of the string, but trying to handle it inline makes a bunch of ++ // other inner loop conditionals more expensive, and it ends up ++ // being slower. ++ zone := "" ++ i := bytealg.IndexByteString(s, '%') ++ if i != -1 { ++ s, zone = s[:i], s[i+1:] ++ if zone == "" { ++ // Not allowed to have an empty zone if explicitly specified. ++ return Addr{}, parseAddrError{in: in, msg: "zone must be a non-empty string"} ++ } ++ } ++ ++ var ip [16]byte ++ ellipsis := -1 // position of ellipsis in ip ++ ++ // Might have leading ellipsis ++ if len(s) >= 2 && s[0] == ':' && s[1] == ':' { ++ ellipsis = 0 ++ s = s[2:] ++ // Might be only ellipsis ++ if len(s) == 0 { ++ return IPv6Unspecified().WithZone(zone), nil ++ } ++ } ++ ++ // Loop, parsing hex numbers followed by colon. ++ i = 0 ++ for i < 16 { ++ // Hex number. Similar to parseIPv4, inlining the hex number ++ // parsing yields a significant performance increase. ++ off := 0 ++ acc := uint32(0) ++ for ; off < len(s); off++ { ++ c := s[off] ++ if c >= '0' && c <= '9' { ++ acc = (acc << 4) + uint32(c-'0') ++ } else if c >= 'a' && c <= 'f' { ++ acc = (acc << 4) + uint32(c-'a'+10) ++ } else if c >= 'A' && c <= 'F' { ++ acc = (acc << 4) + uint32(c-'A'+10) ++ } else { ++ break ++ } ++ if acc > math.MaxUint16 { ++ // Overflow, fail. ++ return Addr{}, parseAddrError{in: in, msg: "IPv6 field has value >=2^16", at: s} ++ } ++ } ++ if off == 0 { ++ // No digits found, fail. ++ return Addr{}, parseAddrError{in: in, msg: "each colon-separated field must have at least one digit", at: s} ++ } ++ ++ // If followed by dot, might be in trailing IPv4. ++ if off < len(s) && s[off] == '.' { ++ if ellipsis < 0 && i != 12 { ++ // Not the right place. ++ return Addr{}, parseAddrError{in: in, msg: "embedded IPv4 address must replace the final 2 fields of the address", at: s} ++ } ++ if i+4 > 16 { ++ // Not enough room. ++ return Addr{}, parseAddrError{in: in, msg: "too many hex fields to fit an embedded IPv4 at the end of the address", at: s} ++ } ++ // TODO: could make this a bit faster by having a helper ++ // that parses to a [4]byte, and have both parseIPv4 and ++ // parseIPv6 use it. ++ ip4, err := parseIPv4(s) ++ if err != nil { ++ return Addr{}, parseAddrError{in: in, msg: err.Error(), at: s} ++ } ++ ip[i] = ip4.v4(0) ++ ip[i+1] = ip4.v4(1) ++ ip[i+2] = ip4.v4(2) ++ ip[i+3] = ip4.v4(3) ++ s = "" ++ i += 4 ++ break ++ } ++ ++ // Save this 16-bit chunk. ++ ip[i] = byte(acc >> 8) ++ ip[i+1] = byte(acc) ++ i += 2 ++ ++ // Stop at end of string. ++ s = s[off:] ++ if len(s) == 0 { ++ break ++ } ++ ++ // Otherwise must be followed by colon and more. ++ if s[0] != ':' { ++ return Addr{}, parseAddrError{in: in, msg: "unexpected character, want colon", at: s} ++ } else if len(s) == 1 { ++ return Addr{}, parseAddrError{in: in, msg: "colon must be followed by more characters", at: s} ++ } ++ s = s[1:] ++ ++ // Look for ellipsis. ++ if s[0] == ':' { ++ if ellipsis >= 0 { // already have one ++ return Addr{}, parseAddrError{in: in, msg: "multiple :: in address", at: s} ++ } ++ ellipsis = i ++ s = s[1:] ++ if len(s) == 0 { // can be at end ++ break ++ } ++ } ++ } ++ ++ // Must have used entire string. ++ if len(s) != 0 { ++ return Addr{}, parseAddrError{in: in, msg: "trailing garbage after address", at: s} ++ } ++ ++ // If didn't parse enough, expand ellipsis. ++ if i < 16 { ++ if ellipsis < 0 { ++ return Addr{}, parseAddrError{in: in, msg: "address string too short"} ++ } ++ n := 16 - i ++ for j := i - 1; j >= ellipsis; j-- { ++ ip[j+n] = ip[j] ++ } ++ for j := ellipsis + n - 1; j >= ellipsis; j-- { ++ ip[j] = 0 ++ } ++ } else if ellipsis >= 0 { ++ // Ellipsis must represent at least one 0 group. ++ return Addr{}, parseAddrError{in: in, msg: "the :: must expand to at least one field of zeros"} ++ } ++ return AddrFrom16(ip).WithZone(zone), nil ++} ++ ++// Zone returns ip's IPv6 scoped addressing zone, if any. ++func (ip Addr) Zone() string { ++ if ip.z == z0 || ip.z == z4 || ip.z == z6noz { ++ return "" ++ } ++ return ip.z ++} ++ ++// v4 returns the i'th byte of ip. If ip is not an IPv4, v4 returns ++// unspecified garbage. ++func (ip Addr) v4(i uint8) uint8 { ++ return uint8(ip.addr.lo >> ((3 - i) * 8)) ++} ++ ++// v6u16 returns the i'th 16-bit word of ip. If ip is an IPv4 address, ++// this accesses the IPv4-mapped IPv6 address form of the IP. ++func (ip Addr) v6u16(i uint8) uint16 { ++ return uint16(*(ip.addr.halves()[(i/4)%2]) >> ((3 - i%4) * 16)) ++} ++ ++// Is4 reports whether ip is an IPv4 address. ++// ++// It returns false for IPv4-mapped IPv6 addresses. See Addr.Unmap. ++func (ip Addr) Is4() bool { ++ return ip.z == z4 ++} ++ ++// Is4In6 reports whether ip is an IPv4-mapped IPv6 address. ++func (ip Addr) Is4In6() bool { ++ return ip.Is6() && ip.addr.hi == 0 && ip.addr.lo>>32 == 0xffff ++} ++ ++// Is6 reports whether ip is an IPv6 address, including IPv4-mapped ++// IPv6 addresses. ++func (ip Addr) Is6() bool { ++ return ip.z != z0 && ip.z != z4 ++} ++ ++// Unmap returns ip with any IPv4-mapped IPv6 address prefix removed. ++// ++// That is, if ip is an IPv6 address wrapping an IPv4 address, it ++// returns the wrapped IPv4 address. Otherwise it returns ip unmodified. ++func (ip Addr) Unmap() Addr { ++ if ip.Is4In6() { ++ ip.z = z4 ++ } ++ return ip ++} ++ ++// WithZone returns an IP that's the same as ip but with the provided ++// zone. If zone is empty, the zone is removed. If ip is an IPv4 ++// address, WithZone is a no-op and returns ip unchanged. ++func (ip Addr) WithZone(zone string) Addr { ++ if !ip.Is6() { ++ return ip ++ } ++ if zone == "" { ++ ip.z = z6noz ++ return ip ++ } ++ ip.z = zone ++ return ip ++} ++ ++// withoutZone unconditionally strips the zone from ip. ++// It's similar to WithZone, but small enough to be inlinable. ++func (ip Addr) withoutZone() Addr { ++ if !ip.Is6() { ++ return ip ++ } ++ ip.z = z6noz ++ return ip ++} ++ ++// String returns the string form of the IP address ip. ++// It returns one of 5 forms: ++// ++// - "invalid IP", if ip is the zero Addr ++// - IPv4 dotted decimal ("192.0.2.1") ++// - IPv6 ("2001:db8::1") ++// - "::ffff:1.2.3.4" (if Is4In6) ++// - IPv6 with zone ("fe80:db8::1%eth0") ++// ++// Note that unlike package net's IP.String method, ++// IPv4-mapped IPv6 addresses format with a "::ffff:" ++// prefix before the dotted quad. ++func (ip Addr) String() string { ++ switch ip.z { ++ case z0: ++ return "invalid IP" ++ case z4: ++ return ip.string4() ++ default: ++ if ip.Is4In6() { ++ if z := ip.Zone(); z != "" { ++ return "::ffff:" + ip.Unmap().string4() + "%" + z ++ } else { ++ return "::ffff:" + ip.Unmap().string4() ++ } ++ } ++ return ip.string6() ++ } ++} ++ ++// AppendTo appends a text encoding of ip, ++// as generated by MarshalText, ++// to b and returns the extended buffer. ++func (ip Addr) AppendTo(b []byte) []byte { ++ switch ip.z { ++ case z0: ++ return b ++ case z4: ++ return ip.appendTo4(b) ++ default: ++ if ip.Is4In6() { ++ b = append(b, "::ffff:"...) ++ b = ip.Unmap().appendTo4(b) ++ if z := ip.Zone(); z != "" { ++ b = append(b, '%') ++ b = append(b, z...) ++ } ++ return b ++ } ++ return ip.appendTo6(b) ++ } ++} ++ ++// digits is a string of the hex digits from 0 to f. It's used in ++// appendDecimal and appendHex to format IP addresses. ++const digits = "0123456789abcdef" ++ ++// appendDecimal appends the decimal string representation of x to b. ++func appendDecimal(b []byte, x uint8) []byte { ++ // Using this function rather than strconv.AppendUint makes IPv4 ++ // string building 2x faster. ++ ++ if x >= 100 { ++ b = append(b, digits[x/100]) ++ } ++ if x >= 10 { ++ b = append(b, digits[x/10%10]) ++ } ++ return append(b, digits[x%10]) ++} ++ ++// appendHex appends the hex string representation of x to b. ++func appendHex(b []byte, x uint16) []byte { ++ // Using this function rather than strconv.AppendUint makes IPv6 ++ // string building 2x faster. ++ ++ if x >= 0x1000 { ++ b = append(b, digits[x>>12]) ++ } ++ if x >= 0x100 { ++ b = append(b, digits[x>>8&0xf]) ++ } ++ if x >= 0x10 { ++ b = append(b, digits[x>>4&0xf]) ++ } ++ return append(b, digits[x&0xf]) ++} ++ ++func (ip Addr) string4() string { ++ const max = len("255.255.255.255") ++ ret := make([]byte, 0, max) ++ ret = ip.appendTo4(ret) ++ return string(ret) ++} ++ ++func (ip Addr) appendTo4(ret []byte) []byte { ++ ret = appendDecimal(ret, ip.v4(0)) ++ ret = append(ret, '.') ++ ret = appendDecimal(ret, ip.v4(1)) ++ ret = append(ret, '.') ++ ret = appendDecimal(ret, ip.v4(2)) ++ ret = append(ret, '.') ++ ret = appendDecimal(ret, ip.v4(3)) ++ return ret ++} ++ ++// string6 formats ip in IPv6 textual representation. It follows the ++// guidelines in section 4 of RFC 5952 ++// (https://tools.ietf.org/html/rfc5952#section-4): no unnecessary ++// zeros, use :: to elide the longest run of zeros, and don't use :: ++// to compact a single zero field. ++func (ip Addr) string6() string { ++ // Use a zone with a "plausibly long" name, so that most zone-ful ++ // IP addresses won't require additional allocation. ++ // ++ // The compiler does a cool optimization here, where ret ends up ++ // stack-allocated and so the only allocation this function does ++ // is to construct the returned string. As such, it's okay to be a ++ // bit greedy here, size-wise. ++ const max = len("ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff%enp5s0") ++ ret := make([]byte, 0, max) ++ ret = ip.appendTo6(ret) ++ return string(ret) ++} ++ ++func (ip Addr) appendTo6(ret []byte) []byte { ++ zeroStart, zeroEnd := uint8(255), uint8(255) ++ for i := uint8(0); i < 8; i++ { ++ j := i ++ for j < 8 && ip.v6u16(j) == 0 { ++ j++ ++ } ++ if l := j - i; l >= 2 && l > zeroEnd-zeroStart { ++ zeroStart, zeroEnd = i, j ++ } ++ } ++ ++ for i := uint8(0); i < 8; i++ { ++ if i == zeroStart { ++ ret = append(ret, ':', ':') ++ i = zeroEnd ++ if i >= 8 { ++ break ++ } ++ } else if i > 0 { ++ ret = append(ret, ':') ++ } ++ ++ ret = appendHex(ret, ip.v6u16(i)) ++ } ++ ++ if ip.z != z6noz { ++ ret = append(ret, '%') ++ ret = append(ret, ip.Zone()...) ++ } ++ return ret ++} ++ +diff --git a/src/net/netip/uint128.go b/src/net/netip/uint128.go +new file mode 100644 +index 0000000..b1605af +--- /dev/null ++++ b/src/net/netip/uint128.go +@@ -0,0 +1,81 @@ ++// Copyright 2020 The Go Authors. All rights reserved. ++// Use of this source code is governed by a BSD-style ++// license that can be found in the LICENSE file. ++ ++package netip ++ ++import "math/bits" ++ ++// uint128 represents a uint128 using two uint64s. ++// ++// When the methods below mention a bit number, bit 0 is the most ++// significant bit (in hi) and bit 127 is the lowest (lo&1). ++type uint128 struct { ++ hi uint64 ++ lo uint64 ++} ++ ++// mask6 returns a uint128 bitmask with the topmost n bits of a ++// 128-bit number. ++func mask6(n int) uint128 { ++ return uint128{^(^uint64(0) >> n), ^uint64(0) << (128 - n)} ++} ++ ++// isZero reports whether u == 0. ++// ++// It's faster than u == (uint128{}) because the compiler (as of Go ++// 1.15/1.16b1) doesn't do this trick and instead inserts a branch in ++// its eq alg's generated code. ++func (u uint128) isZero() bool { return u.hi|u.lo == 0 } ++ ++// and returns the bitwise AND of u and m (u&m). ++func (u uint128) and(m uint128) uint128 { ++ return uint128{u.hi & m.hi, u.lo & m.lo} ++} ++ ++// xor returns the bitwise XOR of u and m (u^m). ++func (u uint128) xor(m uint128) uint128 { ++ return uint128{u.hi ^ m.hi, u.lo ^ m.lo} ++} ++ ++// or returns the bitwise OR of u and m (u|m). ++func (u uint128) or(m uint128) uint128 { ++ return uint128{u.hi | m.hi, u.lo | m.lo} ++} ++ ++// not returns the bitwise NOT of u. ++func (u uint128) not() uint128 { ++ return uint128{^u.hi, ^u.lo} ++} ++ ++// subOne returns u - 1. ++func (u uint128) subOne() uint128 { ++ lo, borrow := bits.Sub64(u.lo, 1, 0) ++ return uint128{u.hi - borrow, lo} ++} ++ ++// addOne returns u + 1. ++func (u uint128) addOne() uint128 { ++ lo, carry := bits.Add64(u.lo, 1, 0) ++ return uint128{u.hi + carry, lo} ++} ++ ++// halves returns the two uint64 halves of the uint128. ++// ++// Logically, think of it as returning two uint64s. ++// It only returns pointers for inlining reasons on 32-bit platforms. ++func (u *uint128) halves() [2]*uint64 { ++ return [2]*uint64{&u.hi, &u.lo} ++} ++ ++// bitsSetFrom returns a copy of u with the given bit ++// and all subsequent ones set. ++func (u uint128) bitsSetFrom(bit uint8) uint128 { ++ return u.or(mask6(int(bit)).not()) ++} ++ ++// bitsClearedFrom returns a copy of u with the given bit ++// and all subsequent ones cleared. ++func (u uint128) bitsClearedFrom(bit uint8) uint128 { ++ return u.and(mask6(int(bit))) ++} +diff --git a/src/net/netip/uint128_test.go b/src/net/netip/uint128_test.go +new file mode 100644 +index 0000000..dd1ae0e +--- /dev/null ++++ b/src/net/netip/uint128_test.go +@@ -0,0 +1,89 @@ ++// Copyright 2020 The Go Authors. All rights reserved. ++// Use of this source code is governed by a BSD-style ++// license that can be found in the LICENSE file. ++ ++package netip ++ ++import ( ++ "testing" ++) ++ ++func TestUint128AddSub(t *testing.T) { ++ const add1 = 1 ++ const sub1 = -1 ++ tests := []struct { ++ in uint128 ++ op int // +1 or -1 to add vs subtract ++ want uint128 ++ }{ ++ {uint128{0, 0}, add1, uint128{0, 1}}, ++ {uint128{0, 1}, add1, uint128{0, 2}}, ++ {uint128{1, 0}, add1, uint128{1, 1}}, ++ {uint128{0, ^uint64(0)}, add1, uint128{1, 0}}, ++ {uint128{^uint64(0), ^uint64(0)}, add1, uint128{0, 0}}, ++ ++ {uint128{0, 0}, sub1, uint128{^uint64(0), ^uint64(0)}}, ++ {uint128{0, 1}, sub1, uint128{0, 0}}, ++ {uint128{0, 2}, sub1, uint128{0, 1}}, ++ {uint128{1, 0}, sub1, uint128{0, ^uint64(0)}}, ++ {uint128{1, 1}, sub1, uint128{1, 0}}, ++ } ++ for _, tt := range tests { ++ var got uint128 ++ switch tt.op { ++ case add1: ++ got = tt.in.addOne() ++ case sub1: ++ got = tt.in.subOne() ++ default: ++ panic("bogus op") ++ } ++ if got != tt.want { ++ t.Errorf("%v add %d = %v; want %v", tt.in, tt.op, got, tt.want) ++ } ++ } ++} ++ ++func TestBitsSetFrom(t *testing.T) { ++ tests := []struct { ++ bit uint8 ++ want uint128 ++ }{ ++ {0, uint128{^uint64(0), ^uint64(0)}}, ++ {1, uint128{^uint64(0) >> 1, ^uint64(0)}}, ++ {63, uint128{1, ^uint64(0)}}, ++ {64, uint128{0, ^uint64(0)}}, ++ {65, uint128{0, ^uint64(0) >> 1}}, ++ {127, uint128{0, 1}}, ++ {128, uint128{0, 0}}, ++ } ++ for _, tt := range tests { ++ var zero uint128 ++ got := zero.bitsSetFrom(tt.bit) ++ if got != tt.want { ++ t.Errorf("0.bitsSetFrom(%d) = %064b want %064b", tt.bit, got, tt.want) ++ } ++ } ++} ++ ++func TestBitsClearedFrom(t *testing.T) { ++ tests := []struct { ++ bit uint8 ++ want uint128 ++ }{ ++ {0, uint128{0, 0}}, ++ {1, uint128{1 << 63, 0}}, ++ {63, uint128{^uint64(0) &^ 1, 0}}, ++ {64, uint128{^uint64(0), 0}}, ++ {65, uint128{^uint64(0), 1 << 63}}, ++ {127, uint128{^uint64(0), ^uint64(0) &^ 1}}, ++ {128, uint128{^uint64(0), ^uint64(0)}}, ++ } ++ for _, tt := range tests { ++ ones := uint128{^uint64(0), ^uint64(0)} ++ got := ones.bitsClearedFrom(tt.bit) ++ if got != tt.want { ++ t.Errorf("ones.bitsClearedFrom(%d) = %064b want %064b", tt.bit, got, tt.want) ++ } ++ } ++} +diff --git a/src/net/url/url.go b/src/net/url/url.go +index 20de0f6..4b3bacf 100644 +--- a/src/net/url/url.go ++++ b/src/net/url/url.go +@@ -14,6 +14,7 @@ import ( + "errors" + "fmt" + "sort" ++ "net/netip" + "strconv" + "strings" + ) +@@ -617,41 +618,62 @@ func parseAuthority(authority string) (user *Userinfo, host string, err error) { + // parseHost parses host as an authority without user + // information. That is, as host[:port]. + func parseHost(host string) (string, error) { +- if strings.HasPrefix(host, "[") { ++ if openBracketIdx := strings.LastIndex(host, "["); openBracketIdx != -1 { + // Parse an IP-Literal in RFC 3986 and RFC 6874. + // E.g., "[fe80::1]", "[fe80::1%25en0]", "[fe80::1]:80". +- i := strings.LastIndex(host, "]") +- if i < 0 { ++ closeBracketIdx := strings.LastIndex(host, "]") ++ if closeBracketIdx < 0 { + return "", errors.New("missing ']' in host") + } +- colonPort := host[i+1:] ++ ++ colonPort := host[closeBracketIdx+1:] + if !validOptionalPort(colonPort) { + return "", fmt.Errorf("invalid port %q after host", colonPort) + } ++ unescapedColonPort, err := unescape(colonPort, encodeHost) ++ if err != nil { ++ return "", err ++ } + ++ hostname := host[openBracketIdx+1 : closeBracketIdx] ++ var unescapedHostname string + // RFC 6874 defines that %25 (%-encoded percent) introduces + // the zone identifier, and the zone identifier can use basically + // any %-encoding it likes. That's different from the host, which + // can only %-encode non-ASCII bytes. + // We do impose some restrictions on the zone, to avoid stupidity + // like newlines. +- zone := strings.Index(host[:i], "%25") +- if zone >= 0 { +- host1, err := unescape(host[:zone], encodeHost) ++ zoneIdx := strings.Index(hostname, "%25") ++ if zoneIdx >= 0 { ++ hostPart, err := unescape(hostname[:zoneIdx], encodeHost) + if err != nil { + return "", err + } +- host2, err := unescape(host[zone:i], encodeZone) ++ zonePart, err := unescape(hostname[zoneIdx:], encodeZone) + if err != nil { + return "", err + } +- host3, err := unescape(host[i:], encodeHost) ++ unescapedHostname = hostPart + zonePart ++ } else { ++ var err error ++ unescapedHostname, err = unescape(hostname, encodeHost) + if err != nil { + return "", err + } +- return host1 + host2 + host3, nil + } +- } else if i := strings.LastIndex(host, ":"); i != -1 { ++ ++ // Per RFC 3986, only a host identified by a valid ++ // IPv6 address can be enclosed by square brackets. ++ // This excludes any IPv4 or IPv4-mapped addresses. ++ addr, err := netip.ParseAddr(unescapedHostname) ++ if err != nil { ++ return "", fmt.Errorf("invalid host: %w", err) ++ } ++ if addr.Is4() || addr.Is4In6() { ++ return "", errors.New("invalid IPv6 host") ++ } ++ return "[" + unescapedHostname + "]" + unescapedColonPort, nil ++ } else if i := strings.LastIndex(host, ":"); i != -1 { + colonPort := host[i:] + if !validOptionalPort(colonPort) { + return "", fmt.Errorf("invalid port %q after host", colonPort) +diff --git a/src/net/url/url_test.go b/src/net/url/url_test.go +index 63c8e69..d9de9fb 100644 +--- a/src/net/url/url_test.go ++++ b/src/net/url/url_test.go +@@ -382,6 +382,16 @@ var urltests = []URLTest{ + }, + "", + }, ++ // valid IPv6 host with port and path ++ { ++ "https://[2001:db8::1]:8443/test/path", ++ &URL{ ++ Scheme: "https", ++ Host: "[2001:db8::1]:8443", ++ Path: "/test/path", ++ }, ++ "", ++ }, + // host subcomponent; IPv6 address with zone identifier in RFC 6874 + { + "http://[fe80::1%25en0]/", // alphanum zone identifier +@@ -706,6 +716,24 @@ var parseRequestURLTests = []struct { + // RFC 6874. + {"http://[fe80::1%en0]/", false}, + {"http://[fe80::1%en0]:8080/", false}, ++ ++ // Tests exercising RFC 3986 compliance ++ {"https://[1:2:3:4:5:6:7:8]", true}, // full IPv6 address ++ {"https://[2001:db8::a:b:c:d]", true}, // compressed IPv6 address ++ {"https://[fe80::1%25eth0]", true}, // link-local address with zone ID (interface name) ++ {"https://[fe80::abc:def%254]", true}, // link-local address with zone ID (interface index) ++ {"https://[2001:db8::1]/path", true}, // compressed IPv6 address with path ++ {"https://[fe80::1%25eth0]/path?query=1", true}, // link-local with zone, path, and qu ery ++ ++ {"https://[::ffff:192.0.2.1]", false}, ++ {"https://[:1] ", false}, ++ {"https://[1:2:3:4:5:6:7:8:9]", false}, ++ {"https://[1::1::1]", false}, ++ {"https://[1:2:3:]", false}, ++ {"https://[ffff::127.0.0.4000]", false}, ++ {"https://[0:0::test.com]:80", false}, ++ {"https://[2001:db8::test.com]", false}, ++ {"https://[test.com]", false}, + } + + func TestParseRequestURI(t *testing.T) { +@@ -1631,6 +1659,18 @@ func TestParseErrors(t *testing.T) { + {"cache_object:foo", true}, + {"cache_object:foo/bar", true}, + {"cache_object/:foo/bar", false}, ++ ++ ++ {"http://[192.168.0.1]/", true}, // IPv4 in brackets ++ {"http://[192.168.0.1]:8080/", true}, // IPv4 in brackets with port ++ {"http://[::ffff:192.168.0.1]/", true}, // IPv4-mapped IPv6 in brackets ++ {"http://[::ffff:192.168.0.1]:8080/", true}, // IPv4-mapped IPv6 in brackets with port ++ {"http://[::ffff:c0a8:1]/", true}, // IPv4-mapped IPv6 in brackets (hex) ++ {"http://[not-an-ip]/", true}, // invalid IP string in brackets ++ {"http://[fe80::1%foo]/", true}, // invalid zone format in brackets ++ {"http://[fe80::1", true}, // missing closing bracket ++ {"http://fe80::1]/", true}, // missing opening bracket ++ {"http://[test.com]/", true}, // domain name in brackets + } + for _, tt := range tests { + u, err := Parse(tt.in) +-- +2.43.0 + diff --git a/0087-CVE-2025-58186-net-http-add-httpcookiemaxnum-option.patch b/0087-CVE-2025-58186-net-http-add-httpcookiemaxnum-option.patch new file mode 100644 index 0000000..9dcfefd --- /dev/null +++ b/0087-CVE-2025-58186-net-http-add-httpcookiemaxnum-option.patch @@ -0,0 +1,130 @@ + +m b2a2b78fc6e60170e30de0b282c176112b524cc6 Mon Sep 17 00:00:00 2001 +From: huzhangying <14160380+hu-zhangying@user.noreply.gitee.com> +Date: Thu, 20 Nov 2025 19:17:25 +0800 +Subject: [PATCH] net/http: add httpcookiemaxnum env option to limit number of cookies parsed (compatible with Go 1.15+) + +Reference: https://go-review.googlesource.com/c/go/+/709855 +Conflict: src/net/http/cookie.go + +When handling HTTP headers, net/http does not currently limit the number +of cookies that can be parsed. The only limitation that exists is for +the size of the entire HTTP header, which is controlled by +MaxHeaderBytes (defaults to 1 MB). + +Unfortunately, this allows a malicious actor to send HTTP headers which +contain a massive amount of small cookies, such that as much cookies as +possible can be fitted within the MaxHeaderBytes limitation. Internally, +this causes us to allocate a massive number of Cookie struct. + +For example, a 1 MB HTTP header with cookies that repeats "a=;" will +cause an allocation of ~66 MB in the heap. This can serve as a way for +malicious actors to induce memory exhaustion. + +To fix this, we will now limit the number of cookies we are willing to +parse to 3000 by default. This behavior can be changed by setting a new +environment variable: httpcookiemaxnum. httpcookiemaxnum can be set to +allow a higher or lower cookie limit. Setting it to 0 will also allow an +infinite number of cookies to be parsed. + +Thanks to jub0bs for reporting this issue. + +For #75672 +Fixes CVE-2025-58186 + +Change-Id: Ied58b3bc8acf5d11c880f881f36ecbf1d5d52622 +Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2720 +Reviewed-by: Roland Shoemaker +Reviewed-by: Damien Neil +Reviewed-on: https://go-review.googlesource.com/c/go/+/709855 +Reviewed-by: Carlos Amedee +LUCI-TryBot-Result: Go LUCI +Auto-Submit: Michael Pratt +--- + src/net/http/cookie.go | 44 +++++++++++++++++++++++++++++++++++++++++- + 1 file changed, 43 insertions(+), 1 deletion(-) + +diff --git a/src/net/http/cookie.go b/src/net/http/cookie.go +index ca2c1c2..af77606 100644 +--- a/src/net/http/cookie.go ++++ b/src/net/http/cookie.go +@@ -9,6 +9,7 @@ import ( + "net" + "net/http/internal/ascii" + "net/textproto" ++ "os" + "strconv" + "strings" + "time" +@@ -53,13 +54,39 @@ const ( + SameSiteNoneMode + ) + ++const defaultCookieMaxNum = 3000 ++ ++func cookieNumWithinMax(cookieNum int) bool { ++ withinDefaultMax := cookieNum <= defaultCookieMaxNum ++ envVal := os.Getenv("httpcookiemaxnum") ++ if envVal == "" { ++ return withinDefaultMax ++ } ++ ++ if customMax, err := strconv.Atoi(envVal); err == nil { ++ withinCustomMax := customMax == 0 || cookieNum <= customMax ++ return withinCustomMax ++ } ++ return withinDefaultMax ++} ++ + // readSetCookies parses all "Set-Cookie" values from + // the header h and returns the successfully parsed Cookies. ++// ++// If the amount of cookies exceeds CookieNumLimit, and httpcookielimitnum ++// GODEBUG option is not explicitly turned off, this function will silently ++// fail and return an empty slice. + func readSetCookies(h Header) []*Cookie { + cookieCount := len(h["Set-Cookie"]) + if cookieCount == 0 { + return []*Cookie{} + } ++ // Cookie limit was unfortunately introduced at a later point in time. ++ // As such, we can only fail by returning an empty slice rather than ++ // explicit error. ++ if !cookieNumWithinMax(cookieCount) { ++ return []*Cookie{} ++ } + cookies := make([]*Cookie, 0, cookieCount) + for _, line := range h["Set-Cookie"] { + parts := strings.Split(textproto.TrimString(line), ";") +@@ -243,13 +270,28 @@ func (c *Cookie) String() string { + // readCookies parses all "Cookie" values from the header h and + // returns the successfully parsed Cookies. + // +-// if filter isn't empty, only cookies of that name are returned ++// If filter isn't empty, only cookies of that name are returned. ++// ++// If the amount of cookies exceeds CookieNumLimit, and httpcookielimitnum ++// GODEBUG option is not explicitly turned off, this function will silently ++// fail and return an empty slice. + func readCookies(h Header, filter string) []*Cookie { + lines := h["Cookie"] + if len(lines) == 0 { + return []*Cookie{} + } + ++ // Cookie limit was unfortunately introduced at a later point in time. ++ // As such, we can only fail by returning an empty slice rather than ++ // explicit error. ++ cookieCount := 0 ++ for _, line := range lines { ++ cookieCount += strings.Count(line, ";") + 1 ++ } ++ if !cookieNumWithinMax(cookieCount) { ++ return []*Cookie{} ++ } ++ + cookies := make([]*Cookie, 0, len(lines)+strings.Count(lines[0], ";")) + for _, line := range lines { + line = textproto.TrimString(line) +-- +2.43.0 diff --git a/golang.spec b/golang.spec index 1465e23..0b43c81 100644 --- a/golang.spec +++ b/golang.spec @@ -63,7 +63,7 @@ Name: golang Version: 1.17.3 -Release: 44 +Release: 45 Summary: The Go Programming Language License: BSD and Public Domain URL: https://golang.org/ @@ -235,6 +235,8 @@ Patch6082: 0082-CVE-2025-58185-encoding-asn1-prevent-memory-exhaustion.patch Patch6083: 0083-CVE-2025-58187-crypto-x509-improve-domain-name-verification.patch Patch6084: 0084-CVE-2025-58187-crypto-x509-rework-fix-for-CVE-2025-58187.patch Patch6085: 0085-CVE-2025-61723-encoding-pem-make-Decode-complexity-linear.patch +Patch6086: 0086-CVE-2025-47912-net-url-enforce-stricter-parsing-of.patch +Patch6087: 0087-CVE-2025-58186-net-http-add-httpcookiemaxnum-option.patch ExclusiveArch: %{golang_arches} @@ -473,17 +475,17 @@ fi %files devel -f go-tests.list -f go-misc.list -f go-src.list %changelog -* Fri Nov 14 2025 zhaoyifan - 1.17.3-44 +* Thu Nov 20 2025 huzhangying - 1.17.3-45 - Type:CVE -- CVE:CVE-2025-58187,CVE-2025-61723 +- CVE:CVE-2025-47912,CVE-2025-58186 - SUG:NA -- DESC:fix CVE-2025-58187,CVE-2025-61723 +- DESC:fix CVE-2025-47912,CVE-2025-58186 -* Sat Nov 8 2025 huzhangying - 1.17.3-43 +* Fri Nov 14 2025 zhaoyifan - 1.17.3-44 - Type:CVE -- CVE:CVE-2025-58183,CVE-2025-58185,CVE-2025-58189,CVE-2025-61724 +- CVE:CVE-2025-58187,CVE-2025-61723 - SUG:NA -- DESC:fix CVE-2025-58183,CVE-2025-58185,CVE-2025-58189,CVE-2025-61724 +- DESC:fix CVE-2025-58187,CVE-2025-61723 * Sat Nov 8 2025 huzhangying - 1.17.3-43 - Type:CVE -- Gitee