From be346906fca5fa6d62e78acf181b1275dd3f3648 Mon Sep 17 00:00:00 2001 From: huzhangying Date: Thu, 20 Nov 2025 18:47:20 +0800 Subject: [PATCH] [backport]fix CVE-2025-47912,CVE-2025-58186 --- ...912-net-url-enforce-stricter-parsing.patch | 224 ++++++++++++++++++ ...-58186-net-http-add-httpcookiemaxnum.patch | 194 +++++++++++++++ golang.spec | 10 +- 3 files changed, 427 insertions(+), 1 deletion(-) create mode 100644 backport-0045-CVE-2025-47912-net-url-enforce-stricter-parsing.patch create mode 100644 backport-0046-CVE-2025-58186-net-http-add-httpcookiemaxnum.patch diff --git a/backport-0045-CVE-2025-47912-net-url-enforce-stricter-parsing.patch b/backport-0045-CVE-2025-47912-net-url-enforce-stricter-parsing.patch new file mode 100644 index 0000000..ab7b76d --- /dev/null +++ b/backport-0045-CVE-2025-47912-net-url-enforce-stricter-parsing.patch @@ -0,0 +1,224 @@ +From f6f4e8b3ef21299db1ea3a343c3e55e91365a7fd Mon Sep 17 00:00:00 2001 +From: Ethan Lee +Date: Fri, 29 Aug 2025 17:35:55 +0000 +Subject: [PATCH] net/url: enforce stricter parsing of + bracketed IPv6 hostnames + +- Previously, url.Parse did not enforce validation of hostnames within + square brackets. +- RFC 3986 stipulates that only IPv6 hostnames can be embedded within + square brackets in a URL. +- Now, the parsing logic should strictly enforce that only IPv6 + hostnames can be resolved when in square brackets. IPv4, IPv4-mapped + addresses and other input will be rejected. +- Update url_test to add test cases that cover the above scenarios. + +Reference: https://go-review.googlesource.com/c/go/+/709857 +Conflict: src/go/build/deps_test.go + +Thanks to Enze Wang, Jingcheng Yang and Zehui Miao of Tsinghua +University for reporting this issue. + +Fixes CVE-2025-47912 +Fixes #75678 + +Change-Id: Iaa41432bf0ee86de95a39a03adae5729e4deb46c +Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2680 +Reviewed-by: Damien Neil +Reviewed-by: Roland Shoemaker +Reviewed-on: https://go-review.googlesource.com/c/go/+/709857 +TryBot-Bypass: Michael Pratt +Reviewed-by: Carlos Amedee +Auto-Submit: Michael Pratt +--- + src/go/build/deps_test.go | 10 ++++++---- + src/net/url/url.go | 42 +++++++++++++++++++++++++++++---------- + src/net/url/url_test.go | 39 ++++++++++++++++++++++++++++++++++++ + 3 files changed, 77 insertions(+), 14 deletions(-) + +diff --git a/src/go/build/deps_test.go b/src/go/build/deps_test.go +index 36b3a38..8f9c304 100644 +--- a/src/go/build/deps_test.go ++++ b/src/go/build/deps_test.go +@@ -193,7 +193,6 @@ var depsRules = ` + internal/types/errors, + mime/quotedprintable, + net/internal/socktest, +- net/url, + runtime/trace, + text/scanner, + text/tabwriter; +@@ -241,6 +240,12 @@ var depsRules = ` + FMT + < text/template/parse; + ++ internal/bytealg, internal/intern, internal/itoa, math/bits, sort, strconv ++ < net/netip; ++ ++ FMT, net/netip ++ < net/url; ++ + net/url, text/template/parse + < text/template + < internal/lazytemplate; +@@ -354,9 +359,6 @@ var depsRules = ` + internal/godebug + < internal/intern; + +- internal/bytealg, internal/intern, internal/itoa, math/bits, sort, strconv +- < net/netip; +- + # net is unavoidable when doing any networking, + # so large dependencies must be kept out. + # This is a long-looking list but most of these +diff --git a/src/net/url/url.go b/src/net/url/url.go +index 501b263..302b5ed 100644 +--- a/src/net/url/url.go ++++ b/src/net/url/url.go +@@ -14,6 +14,7 @@ import ( + "errors" + "fmt" + "path" ++ "net/netip" + "sort" + "strconv" + "strings" +@@ -614,40 +615,61 @@ func parseAuthority(authority string) (user *Userinfo, host string, err error) { + // parseHost parses host as an authority without user + // information. That is, as host[:port]. + func parseHost(host string) (string, error) { +- if strings.HasPrefix(host, "[") { ++ if openBracketIdx := strings.LastIndex(host, "["); openBracketIdx != -1 { + // Parse an IP-Literal in RFC 3986 and RFC 6874. + // E.g., "[fe80::1]", "[fe80::1%25en0]", "[fe80::1]:80". +- i := strings.LastIndex(host, "]") +- if i < 0 { ++ closeBracketIdx := strings.LastIndex(host, "]") ++ if closeBracketIdx < 0 { + return "", errors.New("missing ']' in host") + } +- colonPort := host[i+1:] ++ ++ colonPort := host[closeBracketIdx+1:] + if !validOptionalPort(colonPort) { + return "", fmt.Errorf("invalid port %q after host", colonPort) + } ++ unescapedColonPort, err := unescape(colonPort, encodeHost) ++ if err != nil { ++ return "", err ++ } + ++ hostname := host[openBracketIdx+1 : closeBracketIdx] ++ var unescapedHostname string + // RFC 6874 defines that %25 (%-encoded percent) introduces + // the zone identifier, and the zone identifier can use basically + // any %-encoding it likes. That's different from the host, which + // can only %-encode non-ASCII bytes. + // We do impose some restrictions on the zone, to avoid stupidity + // like newlines. +- zone := strings.Index(host[:i], "%25") +- if zone >= 0 { +- host1, err := unescape(host[:zone], encodeHost) ++ zoneIdx := strings.Index(hostname, "%25") ++ if zoneIdx >= 0 { ++ hostPart, err := unescape(hostname[:zoneIdx], encodeHost) + if err != nil { + return "", err + } +- host2, err := unescape(host[zone:i], encodeZone) ++ zonePart, err := unescape(hostname[zoneIdx:], encodeZone) + if err != nil { + return "", err + } +- host3, err := unescape(host[i:], encodeHost) ++ unescapedHostname = hostPart + zonePart ++ } else { ++ var err error ++ unescapedHostname, err = unescape(hostname, encodeHost) + if err != nil { + return "", err + } +- return host1 + host2 + host3, nil + } ++ ++ // Per RFC 3986, only a host identified by a valid ++ // IPv6 address can be enclosed by square brackets. ++ // This excludes any IPv4 or IPv4-mapped addresses. ++ addr, err := netip.ParseAddr(unescapedHostname) ++ if err != nil { ++ return "", fmt.Errorf("invalid host: %w", err) ++ } ++ if addr.Is4() || addr.Is4In6() { ++ return "", errors.New("invalid IPv6 host") ++ } ++ return "[" + unescapedHostname + "]" + unescapedColonPort, nil + } else if i := strings.LastIndex(host, ":"); i != -1 { + colonPort := host[i:] + if !validOptionalPort(colonPort) { +diff --git a/src/net/url/url_test.go b/src/net/url/url_test.go +index 23c5c58..d0042c9 100644 +--- a/src/net/url/url_test.go ++++ b/src/net/url/url_test.go +@@ -383,6 +383,16 @@ var urltests = []URLTest{ + }, + "", + }, ++ // valid IPv6 host with port and path ++ { ++ "https://[2001:db8::1]:8443/test/path", ++ &URL{ ++ Scheme: "https", ++ Host: "[2001:db8::1]:8443", ++ Path: "/test/path", ++ }, ++ "", ++ }, + // host subcomponent; IPv6 address with zone identifier in RFC 6874 + { + "http://[fe80::1%25en0]/", // alphanum zone identifier +@@ -707,6 +717,24 @@ var parseRequestURLTests = []struct { + // RFC 6874. + {"http://[fe80::1%en0]/", false}, + {"http://[fe80::1%en0]:8080/", false}, ++ ++ // Tests exercising RFC 3986 compliance ++ {"https://[1:2:3:4:5:6:7:8]", true}, // full IPv6 address ++ {"https://[2001:db8::a:b:c:d]", true}, // compressed IPv6 address ++ {"https://[fe80::1%25eth0]", true}, // link-local address with zone ID (interface name) ++ {"https://[fe80::abc:def%254]", true}, // link-local address with zone ID (interface index) ++ {"https://[2001:db8::1]/path", true}, // compressed IPv6 address with path ++ {"https://[fe80::1%25eth0]/path?query=1", true}, // link-local with zone, path, and query ++ ++ {"https://[::ffff:192.0.2.1]", false}, ++ {"https://[:1] ", false}, ++ {"https://[1:2:3:4:5:6:7:8:9]", false}, ++ {"https://[1::1::1]", false}, ++ {"https://[1:2:3:]", false}, ++ {"https://[ffff::127.0.0.4000]", false}, ++ {"https://[0:0::test.com]:80", false}, ++ {"https://[2001:db8::test.com]", false}, ++ {"https://[test.com]", false}, + } + + func TestParseRequestURI(t *testing.T) { +@@ -1634,6 +1662,17 @@ func TestParseErrors(t *testing.T) { + {"cache_object:foo", true}, + {"cache_object:foo/bar", true}, + {"cache_object/:foo/bar", false}, ++ ++ {"http://[192.168.0.1]/", true}, // IPv4 in brackets ++ {"http://[192.168.0.1]:8080/", true}, // IPv4 in brackets with port ++ {"http://[::ffff:192.168.0.1]/", true}, // IPv4-mapped IPv6 in brackets ++ {"http://[::ffff:192.168.0.1]:8080/", true}, // IPv4-mapped IPv6 in brackets with port ++ {"http://[::ffff:c0a8:1]/", true}, // IPv4-mapped IPv6 in brackets (hex) ++ {"http://[not-an-ip]/", true}, // invalid IP string in brackets ++ {"http://[fe80::1%foo]/", true}, // invalid zone format in brackets ++ {"http://[fe80::1", true}, // missing closing bracket ++ {"http://fe80::1]/", true}, // missing opening bracket ++ {"http://[test.com]/", true}, // domain name in brackets + } + for _, tt := range tests { + u, err := Parse(tt.in) +-- +2.43.0 + diff --git a/backport-0046-CVE-2025-58186-net-http-add-httpcookiemaxnum.patch b/backport-0046-CVE-2025-58186-net-http-add-httpcookiemaxnum.patch new file mode 100644 index 0000000..3d2e45b --- /dev/null +++ b/backport-0046-CVE-2025-58186-net-http-add-httpcookiemaxnum.patch @@ -0,0 +1,194 @@ +From 9b9d02c5a015910ce57024788de2ff254c6cfca6 Mon Sep 17 00:00:00 2001 +From: Nicholas Husin +Date: Tue, 30 Sep 2025 14:02:38 -0400 +Subject: [PATCH] net/http: add httpcookiemaxnum GODEBUG option + to limit number of cookies parsed + +Reference: https://go-review.googlesource.com/c/go/+/709855 +Conflict: no + +When handling HTTP headers, net/http does not currently limit the number +of cookies that can be parsed. The only limitation that exists is for +the size of the entire HTTP header, which is controlled by +MaxHeaderBytes (defaults to 1 MB). + +Unfortunately, this allows a malicious actor to send HTTP headers which +contain a massive amount of small cookies, such that as much cookies as +possible can be fitted within the MaxHeaderBytes limitation. Internally, +this causes us to allocate a massive number of Cookie struct. + +For example, a 1 MB HTTP header with cookies that repeats "a=;" will +cause an allocation of ~66 MB in the heap. This can serve as a way for +malicious actors to induce memory exhaustion. + +To fix this, we will now limit the number of cookies we are willing to +parse to 3000 by default. This behavior can be changed by setting a new +GODEBUG option: GODEBUG=httpcookiemaxnum. httpcookiemaxnum can be set to +allow a higher or lower cookie limit. Setting it to 0 will also allow an +infinite number of cookies to be parsed. + +Thanks to jub0bs for reporting this issue. + +For #75672 +Fixes CVE-2025-58186 + +Change-Id: Ied58b3bc8acf5d11c880f881f36ecbf1d5d52622 +Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2720 +Reviewed-by: Roland Shoemaker +Reviewed-by: Damien Neil +Reviewed-on: https://go-review.googlesource.com/c/go/+/709855 +Reviewed-by: Carlos Amedee +LUCI-TryBot-Result: Go LUCI +Auto-Submit: Michael Pratt +--- + doc/godebug.md | 11 ++++++++ + src/internal/godebugs/table.go | 1 + + src/net/http/cookie.go | 47 +++++++++++++++++++++++++++++++++- + src/runtime/metrics/doc.go | 5 ++++ + 4 files changed, 63 insertions(+), 1 deletion(-) + +diff --git a/doc/godebug.md b/doc/godebug.md +index d7fbb27..10556f3 100644 +--- a/doc/godebug.md ++++ b/doc/godebug.md +@@ -126,6 +126,17 @@ for example, + see the [runtime documentation](/pkg/runtime#hdr-Environment_Variables) + and the [go command documentation](/cmd/go#hdr-Build_and_test_caching). + ++ ++### Go 1.26 ++ ++Go 1.26 added a new `httpcookiemaxnum` setting that controls the maximum number ++of cookies that net/http will accept when parsing HTTP headers. If the number of ++cookie in a header exceeds the number set in `httpcookiemaxnum`, cookie parsing ++will fail early. The default value is `httpcookiemaxnum=3000`. Setting ++`httpcookiemaxnum=0` will allow the cookie parsing to accept an indefinite ++number of cookies. To avoid denial of service attacks, this setting and default ++was backported to Go 1.25.2 and Go 1.24.8. ++ + ### Go 1.23 + + Go 1.23.11 disabled build information stamping when multiple VCS are detected due +diff --git a/src/internal/godebugs/table.go b/src/internal/godebugs/table.go +index 16b6fb3..ecb38ff 100644 +--- a/src/internal/godebugs/table.go ++++ b/src/internal/godebugs/table.go +@@ -33,6 +33,7 @@ var All = []Info{ + {Name: "http2client", Package: "net/http"}, + {Name: "http2debug", Package: "net/http", Opaque: true}, + {Name: "http2server", Package: "net/http"}, ++ {Name: "httpcookiemaxnum", Package: "net/http", Changed: 24, Old: "0"}, + {Name: "installgoroot", Package: "go/build"}, + {Name: "jstmpllitinterp", Package: "html/template"}, + //{Name: "multipartfiles", Package: "mime/multipart"}, +diff --git a/src/net/http/cookie.go b/src/net/http/cookie.go +index 912fde6..9416c0d 100644 +--- a/src/net/http/cookie.go ++++ b/src/net/http/cookie.go +@@ -7,6 +7,7 @@ package http + import ( + "errors" + "fmt" ++ "internal/godebug" + "log" + "net" + "net/http/internal/ascii" +@@ -16,6 +17,8 @@ import ( + "time" + ) + ++var httpcookiemaxnum = godebug.New("httpcookiemaxnum") ++ + // A Cookie represents an HTTP cookie as sent in the Set-Cookie header of an + // HTTP response or the Cookie header of an HTTP request. + // +@@ -55,13 +58,40 @@ const ( + SameSiteNoneMode + ) + ++const defaultCookieMaxNum = 3000 ++ ++func cookieNumWithinMax(cookieNum int) bool { ++ withinDefaultMax := cookieNum <= defaultCookieMaxNum ++ if httpcookiemaxnum.Value() == "" { ++ return withinDefaultMax ++ } ++ if customMax, err := strconv.Atoi(httpcookiemaxnum.Value()); err == nil { ++ withinCustomMax := customMax == 0 || cookieNum <= customMax ++ if withinDefaultMax != withinCustomMax { ++ httpcookiemaxnum.IncNonDefault() ++ } ++ return withinCustomMax ++ } ++ return withinDefaultMax ++} ++ + // readSetCookies parses all "Set-Cookie" values from + // the header h and returns the successfully parsed Cookies. ++// ++// If the amount of cookies exceeds CookieNumLimit, and httpcookielimitnum ++// GODEBUG option is not explicitly turned off, this function will silently ++// fail and return an empty slice. + func readSetCookies(h Header) []*Cookie { + cookieCount := len(h["Set-Cookie"]) + if cookieCount == 0 { + return []*Cookie{} + } ++ // Cookie limit was unfortunately introduced at a later point in time. ++ // As such, we can only fail by returning an empty slice rather than ++ // explicit error. ++ if !cookieNumWithinMax(cookieCount) { ++ return []*Cookie{} ++ } + cookies := make([]*Cookie, 0, cookieCount) + for _, line := range h["Set-Cookie"] { + parts := strings.Split(textproto.TrimString(line), ";") +@@ -273,13 +303,28 @@ func (c *Cookie) Valid() error { + // readCookies parses all "Cookie" values from the header h and + // returns the successfully parsed Cookies. + // +-// if filter isn't empty, only cookies of that name are returned. ++// If filter isn't empty, only cookies of that name are returned. ++// ++// If the amount of cookies exceeds CookieNumLimit, and httpcookielimitnum ++// GODEBUG option is not explicitly turned off, this function will silently ++// fail and return an empty slice. + func readCookies(h Header, filter string) []*Cookie { + lines := h["Cookie"] + if len(lines) == 0 { + return []*Cookie{} + } + ++ // Cookie limit was unfortunately introduced at a later point in time. ++ // As such, we can only fail by returning an empty slice rather than ++ // explicit error. ++ cookieCount := 0 ++ for _, line := range lines { ++ cookieCount += strings.Count(line, ";") + 1 ++ } ++ if !cookieNumWithinMax(cookieCount) { ++ return []*Cookie{} ++ } ++ + cookies := make([]*Cookie, 0, len(lines)+strings.Count(lines[0], ";")) + for _, line := range lines { + line = textproto.TrimString(line) +diff --git a/src/runtime/metrics/doc.go b/src/runtime/metrics/doc.go +index b144a70..87f5ca9 100644 +--- a/src/runtime/metrics/doc.go ++++ b/src/runtime/metrics/doc.go +@@ -259,6 +259,11 @@ Below is the full list of supported metrics, ordered lexicographically. + The number of non-default behaviors executed by the net/http + package due to a non-default GODEBUG=http2server=... setting. + ++ /godebug/non-default-behavior/httpcookiemaxnum:events ++ The number of non-default behaviors executed by the net/http ++ package due to a non-default GODEBUG=httpcookiemaxnum=... ++ setting. ++ + /godebug/non-default-behavior/installgoroot:events + The number of non-default behaviors executed by the go/build + package due to a non-default GODEBUG=installgoroot=... setting. +-- +2.43.0 + diff --git a/golang.spec b/golang.spec index 95de71f..f8e879d 100644 --- a/golang.spec +++ b/golang.spec @@ -66,7 +66,7 @@ Name: golang Version: 1.21.4 -Release: 39 +Release: 40 Summary: The Go Programming Language License: BSD and Public Domain URL: https://golang.org/ @@ -165,6 +165,8 @@ Patch6041: backport-0041-CVE-2025-58185-encoding-asn1-prevent-memory-exhaustion Patch6042: backport-0042-CVE-2025-58187-crypto-x509-improve-domain-name-verification.patch Patch6043: backport-0043-CVE-2025-58187-crypto-x509-rework-fix-for-CVE-2025-58187.patch Patch6044: backport-0044-CVE-2025-61723-encoding-pem-make-Decode-complexity-linear.patch +Patch6045: backport-0045-CVE-2025-47912-net-url-enforce-stricter-parsing.patch +Patch6046: backport-0046-CVE-2025-58186-net-http-add-httpcookiemaxnum.patch # Part 8001 ~ 8999 # Developed optimization features @@ -410,6 +412,12 @@ fi %files devel -f go-tests.list -f go-misc.list -f go-src.list %changelog +* Thu Nov 20 2025 huzhangying - 1.21.4-40 +- Type:CVE +- CVE:CVE-2025-47912,CVE-2025-58186 +- SUG:NA +- DESC:fix CVE-2025-47912,CVE-2025-58186 + * Fri Nov 14 2025 zhaoyifan - 1.21.4-39 - Type:CVE - CVE:CVE-2025-58187,CVE-2025-61723 -- Gitee