From e600efca32215d872cb1b0c5e78ba089930d1ecb Mon Sep 17 00:00:00 2001
From: sa-buc
Date: Thu, 20 Nov 2025 10:18:50 +0800
Subject: [PATCH] update to fix cves

---
 0045-Fix-CVE-2025-22871.patch | 168 ------------------
 0046-Fix-CVE-2025-22874.patch | 138 --------------
 0047-Fix-CVE-2025-47906.patch | 166 -----------------
 0048-Fix-CVE-2025-22870.patch | 74 --------
 0049-Fix-CVE-2025-58189.patch | 43 -----
 ...ix-CVE-2025-58185-and-CVE-2025-61723.patch | 115 ------------
 download | 2 +-
 golang.spec | 22 +--
 8 files changed, 8 insertions(+), 720 deletions(-)
 delete mode 100644 0045-Fix-CVE-2025-22871.patch
 delete mode 100644 0046-Fix-CVE-2025-22874.patch
 delete mode 100644 0047-Fix-CVE-2025-47906.patch
 delete mode 100644 0048-Fix-CVE-2025-22870.patch
 delete mode 100644 0049-Fix-CVE-2025-58189.patch
 delete mode 100644 1001-add-patch-to-fix-CVE-2025-58185-and-CVE-2025-61723.patch

diff --git a/0045-Fix-CVE-2025-22871.patch b/0045-Fix-CVE-2025-22871.patch
deleted file mode 100644
index fc0017f..0000000
--- a/0045-Fix-CVE-2025-22871.patch
+++ /dev/null
@@ -1,168 +0,0 @@ -From ac1f5aa3d62efe21e65ce4dc30e6996d59acfbd0 Mon Sep 17 00:00:00 2001 -From: Damien Neil -Date: Wed, 26 Feb 2025 13:40:00 -0800 -Subject: [PATCH] [release-branch.go1.24] net/http: reject newlines in - chunk-size lines - -Unlike request headers, where we are allowed to leniently accept -a bare LF in place of a CRLF, chunked bodies must always use CRLF -line terminators. We were already enforcing this for chunk-data lines; -do so for chunk-size lines as well. Also reject bare CRs anywhere -other than as part of the CRLF terminator. - -Fixes CVE-2025-22871 -Fixes #72011 -For #71988 - -Change-Id: Ib0e21af5a8ba28c2a1ca52b72af8e2265ec79e4a -Reviewed-on: https://go-review.googlesource.com/c/go/+/652998 -Reviewed-by: Jonathan Amsterdam -LUCI-TryBot-Result: Go LUCI -(cherry picked from commit d31c805535f3fde95646ee4d87636aaaea66847b) -Reviewed-on: https://go-review.googlesource.com/c/go/+/657056 ---- - src/net/http/internal/chunked.go | 19 +++++++++-- - src/net/http/internal/chunked_test.go | 27 +++++++++++++++ - src/net/http/serve_test.go | 49 +++++++++++++++++++++++++++ - 3 files changed, 92 insertions(+), 3 deletions(-) - -diff --git a/src/net/http/internal/chunked.go b/src/net/http/internal/chunked.go -index 196b5d8..0b08a97 100644 ---- a/src/net/http/internal/chunked.go -+++ b/src/net/http/internal/chunked.go -@@ -164,6 +164,19 @@ func readChunkLine(b *bufio.Reader) ([]byte, error) { - } - return nil, err - } -+ -+ // RFC 9112 permits parsers to accept a bare \n as a line ending in headers, -+ // but not in chunked encoding lines. See https://www.rfc-editor.org/errata/eid7633, -+ // which explicitly rejects a clarification permitting \n as a chunk terminator. -+ // -+ // Verify that the line ends in a CRLF, and that no CRs appear before the end. 
-+ if idx := bytes.IndexByte(p, '\r'); idx == -1 { -+ return nil, errors.New("chunked line ends with bare LF") -+ } else if idx != len(p)-2 { -+ return nil, errors.New("invalid CR in chunked line") -+ } -+ p = p[:len(p)-2] // trim CRLF -+ - if len(p) >= maxLineLength { - return nil, ErrLineTooLong - } -@@ -171,14 +184,14 @@ func readChunkLine(b *bufio.Reader) ([]byte, error) { - } - - func trimTrailingWhitespace(b []byte) []byte { -- for len(b) > 0 && isASCIISpace(b[len(b)-1]) { -+ for len(b) > 0 && isOWS(b[len(b)-1]) { - b = b[:len(b)-1] - } - return b - } - --func isASCIISpace(b byte) bool { -- return b == ' ' || b == '\t' || b == '\n' || b == '\r' -+func isOWS(b byte) bool { -+ return b == ' ' || b == '\t' - } - - var semi = []byte(";") -diff --git a/src/net/http/internal/chunked_test.go b/src/net/http/internal/chunked_test.go -index af79711..25f5555 100644 ---- a/src/net/http/internal/chunked_test.go -+++ b/src/net/http/internal/chunked_test.go -@@ -280,6 +280,33 @@ func TestChunkReaderByteAtATime(t *testing.T) { - } - } - -+func TestChunkInvalidInputs(t *testing.T) { -+ for _, test := range []struct { -+ name string -+ b string -+ }{{ -+ name: "bare LF in chunk size", -+ b: "1\na\r\n0\r\n", -+ }, { -+ name: "extra LF in chunk size", -+ b: "1\r\r\na\r\n0\r\n", -+ }, { -+ name: "bare LF in chunk data", -+ b: "1\r\na\n0\r\n", -+ }, { -+ name: "bare LF in chunk extension", -+ b: "1;\na\r\n0\r\n", -+ }} { -+ t.Run(test.name, func(t *testing.T) { -+ r := NewChunkedReader(strings.NewReader(test.b)) -+ got, err := io.ReadAll(r) -+ if err == nil { -+ t.Fatalf("unexpectedly parsed invalid chunked data:\n%q", got) -+ } -+ }) -+ } -+} -+ - type funcReader struct { - f func(iteration int) ([]byte, error) - i int -diff --git a/src/net/http/serve_test.go b/src/net/http/serve_test.go -index 0c46b1e..21c456a 100644 ---- a/src/net/http/serve_test.go -+++ b/src/net/http/serve_test.go -@@ -7303,3 +7303,52 @@ func testServerReadAfterHandlerAbort100Continue(t *testing.T, mode 
testMode) { - readyc <- struct{}{} // server starts reading from the request body - readyc <- struct{}{} // server finishes reading from the request body - } -+ -+func TestInvalidChunkedBodies(t *testing.T) { -+ for _, test := range []struct { -+ name string -+ b string -+ }{{ -+ name: "bare LF in chunk size", -+ b: "1\na\r\n0\r\n\r\n", -+ }, { -+ name: "bare LF at body end", -+ b: "1\r\na\r\n0\r\n\n", -+ }} { -+ t.Run(test.name, func(t *testing.T) { -+ reqc := make(chan error) -+ ts := newClientServerTest(t, http1Mode, HandlerFunc(func(w ResponseWriter, r *Request) { -+ got, err := io.ReadAll(r.Body) -+ if err == nil { -+ t.Logf("read body: %q", got) -+ } -+ reqc <- err -+ })).ts -+ -+ serverURL, err := url.Parse(ts.URL) -+ if err != nil { -+ t.Fatal(err) -+ } -+ -+ conn, err := net.Dial("tcp", serverURL.Host) -+ if err != nil { -+ t.Fatal(err) -+ } -+ -+ if _, err := conn.Write([]byte( -+ "POST / HTTP/1.1\r\n" + -+ "Host: localhost\r\n" + -+ "Transfer-Encoding: chunked\r\n" + -+ "Connection: close\r\n" + -+ "\r\n" + -+ test.b)); err != nil { -+ t.Fatal(err) -+ } -+ conn.(*net.TCPConn).CloseWrite() -+ -+ if err := <-reqc; err == nil { -+ t.Errorf("server handler: io.ReadAll(r.Body) succeeded, want error") -+ } -+ }) -+ } -+} --- -2.43.5 - diff --git a/0046-Fix-CVE-2025-22874.patch b/0046-Fix-CVE-2025-22874.patch deleted file mode 100644 index 6853004..0000000 --- a/0046-Fix-CVE-2025-22874.patch +++ /dev/null 
@@ -1,138 +0,0 @@ -From 03811ab1b31525e8d779997db169c6fedab7c505 Mon Sep 17 00:00:00 2001 -From: Roland Shoemaker -Date: Tue, 6 May 2025 09:27:10 -0700 -Subject: [PATCH] [release-branch.go1.24] crypto/x509: decouple key usage and - policy validation -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Disabling key usage validation (by passing ExtKeyUsageAny) -unintentionally disabled policy validation. This change decouples these -two checks, preventing the user from unintentionally disabling policy -validation. - -Thanks to Krzysztof Skrzętnicki (@Tener) of Teleport for reporting this -issue. - -Updates #73612 -Fixes #73700 -Fixes CVE-2025-22874 - -Change-Id: Iec8f080a8879a3dd44cb3da30352fa3e7f539d40 -Reviewed-on: https://go-review.googlesource.com/c/go/+/670375 -Reviewed-by: Daniel McCarney -Reviewed-by: Cherry Mui -Reviewed-by: Ian Stapleton Cordasco -LUCI-TryBot-Result: Go LUCI -(cherry picked from commit 9bba799955e68972041c4f340ee4ea2d267e5c0e) -Reviewed-on: https://go-review.googlesource.com/c/go/+/672316 -Reviewed-by: Michael Knyszek ---- - src/crypto/x509/verify.go | 32 +++++++++++++++++++++--------- - src/crypto/x509/verify_test.go | 36 ++++++++++++++++++++++++++++++++++ - 2 files changed, 59 insertions(+), 9 deletions(-) - -diff --git a/src/crypto/x509/verify.go b/src/crypto/x509/verify.go -index 5fe93c6124a989..7cc0fb2e3e0385 100644 ---- a/src/crypto/x509/verify.go -+++ b/src/crypto/x509/verify.go -@@ -841,31 +841,45 @@ func (c *Certificate) Verify(opts VerifyOptions) (chains [][]*Certificate, err e - } - } - -- if len(opts.KeyUsages) == 0 { -- opts.KeyUsages = []ExtKeyUsage{ExtKeyUsageServerAuth} -+ chains = make([][]*Certificate, 0, len(candidateChains)) -+ -+ var invalidPoliciesChains int -+ for _, candidate := range candidateChains { -+ if !policiesValid(candidate, opts) { -+ invalidPoliciesChains++ -+ continue -+ } -+ chains = append(chains, candidate) -+ } -+ -+ if len(chains) == 0 { -+ return nil, 
CertificateInvalidError{c, NoValidChains, "all candidate chains have invalid policies"} - } - - for _, eku := range opts.KeyUsages { - if eku == ExtKeyUsageAny { - // If any key usage is acceptable, no need to check the chain for - // key usages. -- return candidateChains, nil -+ return chains, nil - } - } - -- chains = make([][]*Certificate, 0, len(candidateChains)) -- var incompatibleKeyUsageChains, invalidPoliciesChains int -+ if len(opts.KeyUsages) == 0 { -+ opts.KeyUsages = []ExtKeyUsage{ExtKeyUsageServerAuth} -+ } -+ -+ candidateChains = chains -+ chains = chains[:0] -+ -+ var incompatibleKeyUsageChains int - for _, candidate := range candidateChains { - if !checkChainForKeyUsage(candidate, opts.KeyUsages) { - incompatibleKeyUsageChains++ - continue - } -- if !policiesValid(candidate, opts) { -- invalidPoliciesChains++ -- continue -- } - chains = append(chains, candidate) - } -+ - if len(chains) == 0 { - var details []string - if incompatibleKeyUsageChains > 0 { -diff --git a/src/crypto/x509/verify_test.go b/src/crypto/x509/verify_test.go -index 1175e7d80850d2..7991f49946d587 100644 ---- a/src/crypto/x509/verify_test.go -+++ b/src/crypto/x509/verify_test.go -@@ -3012,3 +3012,39 @@ func TestPoliciesValid(t *testing.T) { - }) - } - } -+ -+func TestInvalidPolicyWithAnyKeyUsage(t *testing.T) { -+ loadTestCert := func(t *testing.T, path string) *Certificate { -+ b, err := os.ReadFile(path) -+ if err != nil { -+ t.Fatal(err) -+ } -+ p, _ := pem.Decode(b) -+ c, err := ParseCertificate(p.Bytes) -+ if err != nil { -+ t.Fatal(err) -+ } -+ return c -+ } -+ -+ testOID3 := mustNewOIDFromInts([]uint64{1, 2, 840, 113554, 4, 1, 72585, 2, 3}) -+ root, intermediate, leaf := loadTestCert(t, "testdata/policy_root.pem"), loadTestCert(t, "testdata/policy_intermediate_require.pem"), loadTestCert(t, "testdata/policy_leaf.pem") -+ -+ expectedErr := "x509: no valid chains built: all candidate chains have invalid policies" -+ -+ roots, intermediates := NewCertPool(), NewCertPool() -+ 
roots.AddCert(root) -+ intermediates.AddCert(intermediate) -+ -+ _, err := leaf.Verify(VerifyOptions{ -+ Roots: roots, -+ Intermediates: intermediates, -+ KeyUsages: []ExtKeyUsage{ExtKeyUsageAny}, -+ CertificatePolicies: []OID{testOID3}, -+ }) -+ if err == nil { -+ t.Fatal("unexpected success, invalid policy shouldn't be bypassed by passing VerifyOptions.KeyUsages with ExtKeyUsageAny") -+ } else if err.Error() != expectedErr { -+ t.Fatalf("unexpected error, got %q, want %q", err, expectedErr) -+ } -+} diff --git a/0047-Fix-CVE-2025-47906.patch b/0047-Fix-CVE-2025-47906.patch deleted file mode 100644 index 3f0d715..0000000 --- a/0047-Fix-CVE-2025-47906.patch +++ /dev/null 
@@ -1,166 +0,0 @@ -From 0f5133b742bf61cda6c98b4cd1d313a330f13f32 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Olivier=20Mengu=C3=A9?= -Date: Mon, 30 Jun 2025 16:58:59 +0200 -Subject: [PATCH] [release-branch.go1.24] os/exec: fix incorrect expansion of - "", "." and ".." in LookPath - -Fix incorrect expansion of "" and "." when $PATH contains an executable -file or, on Windows, a parent directory of a %PATH% element contains an -file with the same name as the %PATH% element but with one of the -%PATHEXT% extension (ex: C:\utils\bin is in PATH, and C:\utils\bin.exe -exists). - -Fix incorrect expansion of ".." when $PATH contains an element which is -an the concatenation of the path to an executable file (or on Windows -a path that can be expanded to an executable by appending a %PATHEXT% -extension), a path separator and a name. - -"", "." and ".." are now rejected early with ErrNotFound. - -Fixes CVE-2025-47906 -Fixes #74804 - -Change-Id: Ie50cc0a660fce8fbdc952a7f2e05c36062dcb50e -Reviewed-on: https://go-review.googlesource.com/c/go/+/685755 -LUCI-TryBot-Result: Go LUCI -Auto-Submit: Damien Neil -Reviewed-by: Roland Shoemaker -Reviewed-by: Damien Neil -(cherry picked from commit e0b07dc22eaab1b003d98ad6d63cdfacc76c5c70) -Reviewed-on: https://go-review.googlesource.com/c/go/+/691875 -Reviewed-by: Michael Knyszek ---- - src/os/exec/dot_test.go | 44 +++++++++++++++++++++++++++++++++++++++ - src/os/exec/exec.go | 10 +++++++++ - src/os/exec/lp_plan9.go | 4 ++++ - src/os/exec/lp_unix.go | 4 ++++ - src/os/exec/lp_windows.go | 8 +++++++ - 5 files changed, 70 insertions(+) - -diff --git a/src/os/exec/dot_test.go b/src/os/exec/dot_test.go -index 1bf0d9c760bfd0..b95639e6c82068 100644 ---- a/src/os/exec/dot_test.go -+++ b/src/os/exec/dot_test.go -@@ -177,4 +177,48 @@ func TestLookPath(t *testing.T) { - } - } - }) -+ -+ checker := func(test string) func(t *testing.T) { -+ return func(t *testing.T) { -+ t.Helper() -+ t.Logf("PATH=%s", os.Getenv("PATH")) -+ p, err := LookPath(test) -+ 
if err == nil { -+ t.Errorf("%q: error expected, got nil", test) -+ } -+ if p != "" { -+ t.Errorf("%q: path returned should be \"\". Got %q", test, p) -+ } -+ } -+ } -+ -+ // Reference behavior for the next test -+ t.Run(pathVar+"=$OTHER2", func(t *testing.T) { -+ t.Run("empty", checker("")) -+ t.Run("dot", checker(".")) -+ t.Run("dotdot1", checker("abc/..")) -+ t.Run("dotdot2", checker("..")) -+ }) -+ -+ // Test the behavior when PATH contains an executable file which is not a directory -+ t.Run(pathVar+"=exe", func(t *testing.T) { -+ // Inject an executable file (not a directory) in PATH. -+ // Use our own binary os.Args[0]. -+ t.Setenv(pathVar, testenv.Executable(t)) -+ t.Run("empty", checker("")) -+ t.Run("dot", checker(".")) -+ t.Run("dotdot1", checker("abc/..")) -+ t.Run("dotdot2", checker("..")) -+ }) -+ -+ // Test the behavior when PATH contains an executable file which is not a directory -+ t.Run(pathVar+"=exe/xx", func(t *testing.T) { -+ // Inject an executable file (not a directory) in PATH. -+ // Use our own binary os.Args[0]. -+ t.Setenv(pathVar, filepath.Join(testenv.Executable(t), "xx")) -+ t.Run("empty", checker("")) -+ t.Run("dot", checker(".")) -+ t.Run("dotdot1", checker("abc/..")) -+ t.Run("dotdot2", checker("..")) -+ }) - } -diff --git a/src/os/exec/exec.go b/src/os/exec/exec.go -index fecfc97d13855a..3decdc75955610 100644 ---- a/src/os/exec/exec.go -+++ b/src/os/exec/exec.go -@@ -1328,3 +1328,13 @@ func addCriticalEnv(env []string) []string { - // Code should use errors.Is(err, ErrDot), not err == ErrDot, - // to test whether a returned error err is due to this condition. - var ErrDot = errors.New("cannot run executable found relative to current directory") -+ -+// validateLookPath excludes paths that can't be valid -+// executable names. See issue #74466 and CVE-2025-47906. 
-+func validateLookPath(s string) error { -+ switch s { -+ case "", ".", "..": -+ return ErrNotFound -+ } -+ return nil -+} -diff --git a/src/os/exec/lp_plan9.go b/src/os/exec/lp_plan9.go -index 87359b3551d32f..0430af9eefeb42 100644 ---- a/src/os/exec/lp_plan9.go -+++ b/src/os/exec/lp_plan9.go -@@ -36,6 +36,10 @@ func findExecutable(file string) error { - // As of Go 1.19, LookPath will instead return that path along with an error satisfying - // [errors.Is](err, [ErrDot]). See the package documentation for more details. - func LookPath(file string) (string, error) { -+ if err := validateLookPath(file); err != nil { -+ return "", &Error{file, err} -+ } -+ - // skip the path lookup for these prefixes - skip := []string{"/", "#", "./", "../"} - -diff --git a/src/os/exec/lp_unix.go b/src/os/exec/lp_unix.go -index 8617d45e983e6e..e5fddbafe21b94 100644 ---- a/src/os/exec/lp_unix.go -+++ b/src/os/exec/lp_unix.go -@@ -54,6 +54,10 @@ func LookPath(file string) (string, error) { - // (only bypass the path if file begins with / or ./ or ../) - // but that would not match all the Unix shells. - -+ if err := validateLookPath(file); err != nil { -+ return "", &Error{file, err} -+ } -+ - if strings.Contains(file, "/") { - err := findExecutable(file) - if err == nil { -diff --git a/src/os/exec/lp_windows.go b/src/os/exec/lp_windows.go -index 12256743064585..e01e7bbbbabde0 100644 ---- a/src/os/exec/lp_windows.go -+++ b/src/os/exec/lp_windows.go -@@ -67,6 +67,10 @@ func findExecutable(file string, exts []string) (string, error) { - // As of Go 1.19, LookPath will instead return that path along with an error satisfying - // [errors.Is](err, [ErrDot]). See the package documentation for more details. 
- func LookPath(file string) (string, error) { -+ if err := validateLookPath(file); err != nil { -+ return "", &Error{file, err} -+ } -+ - return lookPath(file, pathExt()) - } - -@@ -80,6 +84,10 @@ func LookPath(file string) (string, error) { - // "C:\foo\example.com" would be returned as-is even if the - // program is actually "C:\foo\example.com.exe". - func lookExtensions(path, dir string) (string, error) { -+ if err := validateLookPath(path); err != nil { -+ return "", &Error{path, err} -+ } -+ - if filepath.Base(path) == path { - path = "." + string(filepath.Separator) + path - } diff --git a/0048-Fix-CVE-2025-22870.patch b/0048-Fix-CVE-2025-22870.patch deleted file mode 100644 index faf65a7..0000000 --- a/0048-Fix-CVE-2025-22870.patch +++ /dev/null 
@@ -1,74 +0,0 @@ -From 334de7982f8ec959c74470dd709ceedfd6dbd50a Mon Sep 17 00:00:00 2001 -From: Damien Neil -Date: Wed, 26 Feb 2025 16:46:43 -0800 -Subject: [PATCH] [release-branch.go1.24] all: updated vendored x/net with - security fix - -6ed00d0 [internal-branch.go1.24-vendor] proxy, http/httpproxy: do not mismatch IPv6 zone ids against hosts - -Fixes CVE-2025-22870 -For #71986 - -Change-Id: I7bda0825f1a9470b0708714d9cc32b5eae212f8b -Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2121 -Reviewed-by: Neal Patel -Reviewed-by: Roland Shoemaker -Commit-Queue: Roland Shoemaker -Reviewed-on: https://go-review.googlesource.com/c/go/+/654715 -Reviewed-by: Michael Pratt -LUCI-TryBot-Result: Go LUCI -Auto-Submit: Junyang Shao -Reviewed-by: Damien Neil ---- - src/cmd/internal/moddeps/moddeps_test.go | 1 + - src/vendor/golang.org/x/net/http/httpproxy/proxy.go | 10 ++++++++-- - 2 files changed, 9 insertions(+), 2 deletions(-) - -diff --git a/src/cmd/internal/moddeps/moddeps_test.go b/src/cmd/internal/moddeps/moddeps_test.go -index 2def029325be55..0b43b20b3c19fa 100644 ---- a/src/cmd/internal/moddeps/moddeps_test.go -+++ b/src/cmd/internal/moddeps/moddeps_test.go -@@ -33,6 +33,7 @@ import ( - // See issues 36852, 41409, and 43687. - // (Also see golang.org/issue/27348.) 
- func TestAllDependencies(t *testing.T) { -+ t.Skip("TODO(#71986): 1.24.1 contains unreleased changes from vendored modules") - goBin := testenv.GoToolPath(t) - - // Ensure that all packages imported within GOROOT -diff --git a/src/vendor/golang.org/x/net/http/httpproxy/proxy.go b/src/vendor/golang.org/x/net/http/httpproxy/proxy.go -index 6404aaf157d6ad..d89c257ae72314 100644 ---- a/src/vendor/golang.org/x/net/http/httpproxy/proxy.go -+++ b/src/vendor/golang.org/x/net/http/httpproxy/proxy.go -@@ -14,6 +14,7 @@ import ( - "errors" - "fmt" - "net" -+ "net/netip" - "net/url" - "os" - "strings" -@@ -177,8 +178,10 @@ func (cfg *config) useProxy(addr string) bool { - if host == "localhost" { - return false - } -- ip := net.ParseIP(host) -- if ip != nil { -+ nip, err := netip.ParseAddr(host) -+ var ip net.IP -+ if err == nil { -+ ip = net.IP(nip.AsSlice()) - if ip.IsLoopback() { - return false - } -@@ -360,6 +363,9 @@ type domainMatch struct { - } - - func (m domainMatch) match(host, port string, ip net.IP) bool { -+ if ip != nil { -+ return false -+ } - if strings.HasSuffix(host, m.host) || (m.matchHost && host == m.host[1:]) { - return m.port == "" || m.port == port - } - diff --git a/0049-Fix-CVE-2025-58189.patch b/0049-Fix-CVE-2025-58189.patch deleted file mode 100644 index bf8e453..0000000 --- a/0049-Fix-CVE-2025-58189.patch +++ /dev/null 
@@ -1,43 +0,0 @@ -From 2e1e356e33b9c792a9643749a7626a1789197bb9 Mon Sep 17 00:00:00 2001 -From: Roland Shoemaker -Date: Mon, 29 Sep 2025 10:11:56 -0700 -Subject: [PATCH] [release-branch.go1.24] crypto/tls: quote protocols in ALPN - error message - -Quote the protocols sent by the client when returning the ALPN -negotiation error message. - -Fixes CVE-2025-58189 -Updates #75652 -Fixes #75660 - -Change-Id: Ie7b3a1ed0b6efcc1705b71f0f1e8417126661330 -Reviewed-on: https://go-review.googlesource.com/c/go/+/707776 -Auto-Submit: Roland Shoemaker -Reviewed-by: Neal Patel -Reviewed-by: Nicholas Husin -Auto-Submit: Nicholas Husin -Reviewed-by: Nicholas Husin -TryBot-Bypass: Roland Shoemaker -Reviewed-by: Daniel McCarney -(cherry picked from commit 4e9006a716533fe1c7ee08df02dfc73078f7dc19) -Reviewed-on: https://go-review.googlesource.com/c/go/+/708096 -LUCI-TryBot-Result: Go LUCI -Reviewed-by: Carlos Amedee ---- - src/crypto/tls/handshake_server.go | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/crypto/tls/handshake_server.go b/src/crypto/tls/handshake_server.go -index 7c75977ad3ffb2..6aebb742229a50 100644 ---- a/src/crypto/tls/handshake_server.go -+++ b/src/crypto/tls/handshake_server.go -@@ -338,7 +338,7 @@ func negotiateALPN(serverProtos, clientProtos []string, quic bool) (string, erro - if http11fallback { - return "", nil - } -- return "", fmt.Errorf("tls: client requested unsupported application protocols (%s)", clientProtos) -+ return "", fmt.Errorf("tls: client requested unsupported application protocols (%q)", clientProtos) - } - - // supportsECDHE returns whether ECDHE key exchanges can be used with this diff --git a/1001-add-patch-to-fix-CVE-2025-58185-and-CVE-2025-61723.patch b/1001-add-patch-to-fix-CVE-2025-58185-and-CVE-2025-61723.patch deleted file mode 100644 index 38399d7..0000000 --- a/1001-add-patch-to-fix-CVE-2025-58185-and-CVE-2025-61723.patch +++ /dev/null 
@@ -1,115 +0,0 @@ -From ea47462fc718a426b369e4c86c197e618f1ade86 Mon Sep 17 00:00:00 2001 -From: lzq11122 -Date: Fri, 14 Nov 2025 11:22:21 +0800 -Subject: [PATCH 1/1] add patch to fix CVE-2025-58185 and CVE-2025-61723 - ---- - src/encoding/asn1/asn1.go | 10 ++++++++- - src/encoding/asn1/asn1_test.go | 38 ++++++++++++++++++++++++++++++++++ - src/go/build/deps_test.go | 2 +- - 3 files changed, 48 insertions(+), 2 deletions(-) - -diff --git a/src/encoding/asn1/asn1.go b/src/encoding/asn1/asn1.go -index 488fb9b..e1f4cba 100644 ---- a/src/encoding/asn1/asn1.go -+++ b/src/encoding/asn1/asn1.go -@@ -22,6 +22,7 @@ package asn1 - import ( - "errors" - "fmt" -+ "internal/saferio" - "math" - "math/big" - "reflect" -@@ -635,10 +636,17 @@ func parseSequenceOf(bytes []byte, sliceType reflect.Type, elemType reflect.Type - offset += t.length - numElements++ - } -- ret = reflect.MakeSlice(sliceType, numElements, numElements) -+ elemSize := uint64(elemType.Size()) -+ safeCap := saferio.SliceCapWithSize(elemSize, uint64(numElements)) -+ if safeCap < 0 { -+ err = SyntaxError{fmt.Sprintf("%s slice too big: %d elements of %d bytes", elemType.Kind(), numElements, elemSize)} -+ return -+ } -+ ret = reflect.MakeSlice(sliceType, 0, safeCap) - params := fieldParameters{} - offset := 0 - for i := 0; i < numElements; i++ { -+ ret = reflect.Append(ret, reflect.Zero(elemType)) - offset, err = parseField(ret.Index(i), bytes, offset, params) - if err != nil { - return -diff --git a/src/encoding/asn1/asn1_test.go b/src/encoding/asn1/asn1_test.go -index 9a605e2..249d4e4 100644 ---- a/src/encoding/asn1/asn1_test.go -+++ b/src/encoding/asn1/asn1_test.go -@@ -7,10 +7,12 @@ package asn1 - import ( - "bytes" - "encoding/hex" -+ "errors" - "fmt" - "math" - "math/big" - "reflect" -+ "runtime" - "strings" - "testing" - "time" -@@ -1175,3 +1177,39 @@ func BenchmarkObjectIdentifierString(b *testing.B) { - _ = oidPublicKeyRSA.String() - } - } -+ -+func TestParsingMemoryConsumption(t *testing.T) { -+ // Craft a 
syntatically valid, but empty, ~10 MB DER bomb. A successful -+ // unmarshal of this bomb should yield ~280 MB. However, the parsing should -+ // fail due to the empty content; and, in such cases, we want to make sure -+ // that we do not unnecessarily allocate memories. -+ derBomb := make([]byte, 10_000_000) -+ for i := range derBomb { -+ derBomb[i] = 0x30 -+ } -+ derBomb = append([]byte{0x30, 0x83, 0x98, 0x96, 0x80}, derBomb...) -+ -+ var m runtime.MemStats -+ runtime.GC() -+ runtime.ReadMemStats(&m) -+ memBefore := m.TotalAlloc -+ -+ var out []struct { -+ Id []int -+ Critical bool `asn1:"optional"` -+ Value []byte -+ } -+ _, err := Unmarshal(derBomb, &out) -+ if !errors.As(err, &SyntaxError{}) { -+ t.Fatalf("Incorrect error result: want (%v), but got (%v) instead", &SyntaxError{}, err) -+ } -+ -+ runtime.ReadMemStats(&m) -+ memDiff := m.TotalAlloc - memBefore -+ -+ // Ensure that the memory allocated does not exceed 10<<21 (~20 MB) when -+ // the parsing fails. -+ if memDiff > 10<<21 { -+ t.Errorf("Too much memory allocated while parsing DER: %v MiB", memDiff/1024/1024) -+ } -+} -diff --git a/src/go/build/deps_test.go b/src/go/build/deps_test.go -index e3e0107..2a1606e 100644 ---- a/src/go/build/deps_test.go -+++ b/src/go/build/deps_test.go -@@ -533,7 +533,7 @@ var depsRules = ` - - # CRYPTO-MATH is crypto that exposes math/big APIs - no cgo, net; fmt now ok. - -- CRYPTO, FMT, math/big -+ CRYPTO, FMT, math/big, internal/saferio - < crypto/internal/boring/bbig - < crypto/rand - < crypto/ed25519 # depends on crypto/rand.Reader --- -2.43.5 - diff --git a/download b/download index 1a715ee..26ed1dc 100644 --- a/download +++ b/download @@ -1 +1 @@ -7d78eecc98f887d1ea9cb5ca30387cea go1.24.0.src.tar.gz +22c7cfa0b7160a0bb2283226b9964967 go1.24.8.src.tar.gz diff --git a/golang.spec b/golang.spec index 00a21b7..a52ecaf 100644 --- a/golang.spec +++ b/golang.spec 
@@ -1,4 +1,4 @@ -%define anolis_release 12 +%define anolis_release 1 # Disable debuginfo packages %global debug_package %{nil} @@ -68,7 +68,7 @@ # Comment out go_patch as needed %global go_api 1.24 -%global go_patch 0 +%global go_patch 8 Name: golang Version: %{go_api}%{?go_patch:.%{go_patch}} @@ -124,18 +124,6 @@ Patch41: 0041-cmd-internal-obj-loong64-add-F-MAXA-MINA-.-S-D-instr.patch Patch42: 0042-math-implement-func-archExp-and-archExp2-in-assembly.patch Patch43: 0043-math-implement-func-archLog-in-assembly-on-loong64.patch Patch44: 0044-cmd-go-internal-work-allow-a-bunch-of-loong64-specif.patch -# https://github.com/golang/go/commit/ac1f5aa3d62efe21e65ce4dc30e6996d59acfbd0 -Patch45: 0045-Fix-CVE-2025-22871.patch -# https://github.com/golang/go/commit/03811ab1b31525e8d779997db169c6fedab7c505 -Patch46: 0046-Fix-CVE-2025-22874.patch -# https://github.com/golang/go/commit/0f5133b742bf61cda6c98b4cd1d313a330f13f32 -Patch47: 0047-Fix-CVE-2025-47906.patch -# https://github.com/golang/go/commit/334de7982f8ec959c74470dd709ceedfd6dbd50a -Patch48: 0048-Fix-CVE-2025-22870.patch -# https://github.com/golang/go/commit/2e1e356e33b9c792a9643749a7626a1789197bb9 -Patch49: 0049-Fix-CVE-2025-58189.patch -# https://github.com/golang/go/commit/5c3d61c886f7ecfce9a6d6d3c97e6d5a8afb17d1 -Patch50: 1001-add-patch-to-fix-CVE-2025-58185-and-CVE-2025-61723.patch # The compiler is written in Go. Needs go(1.4+) compiler for build. %if %{with bootstrap} @@ -613,6 +601,10 @@ fi %files docs -f go-docs.list %changelog +* Thu Nov 27 2025 zhoujiajia111 - 1.24.8.1 +- update to 1.24.8 to fix CVE-2025-4673,CVE-2025-58183 +- remove patches new version included + * Mon Nov 17 2025 lzq11122 - 1.24.0-12 - Add patch to fix CVE-2025-58185 and CVE-2025-61723 
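Review bot: If %prep applies patches by number (`%patch45` / `%patch -P 45`) rather than via `%autosetup`/`%autopatch`, the `@@ -124,18 +124,6 @@` hunk leaves stale `%patch` lines for sources that no longer exist and the build fails at prep; %prep is outside this diff, so this is inferred from the hunk. The deleted block also carried the six upstream commit URLs that tied each patch to its fix, and nothing in the new spec records why they went away. A one-line comment in their place keeps that audit trail, e.g. `# Patches 0045-0049 and 1001 (CVE backports) dropped: carried by the go1.24.8 source tarball`.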
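Review bot: The new changelog header `* Thu Nov 27 2025 zhoujiajia111 - 1.24.8.1` does not use the `Version-Release` form the surrounding entries use (`1.24.0-12`); with `Version` 1.24.8 and `anolis_release` 1 it should read `* Thu Nov 27 2025 zhoujiajia111 - 1.24.8-1`, otherwise rpmlint reports incoherent-version-in-changelog. The line `- remove patches new version included` also loses the CVE identifiers that the deleted `Patch45`–`Patch50` comments carried, and vulnerability scanners that match CVE IDs in the RPM changelog will no longer see them; naming them, e.g. `- remove patches for CVE-2025-22871, CVE-2025-22874, CVE-2025-47906, CVE-2025-22870, CVE-2025-58189, CVE-2025-58185 and CVE-2025-61723 (included in 1.24.8)`, keeps that mapping intact. The accompanying `download` hunk records a 32-hex-digit digest for go1.24.8.src.tar.gz; if that is an MD5, recording a SHA-256 alongside it would let the tarball be verified with a collision-resistant hash.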
@@ -622,7 +614,7 @@ fi * Mon Oct 27 2025 mgb01105731 - 1.24.0-10 - Add patch to fix CVE-2025-22870 -* Sat Oct 10 2025 wh02252983 - 1.24.0-9 +* Fri Oct 10 2025 wh02252983 - 1.24.0-9 - Add patch to fix CVE-2025-47906 * Wed Jul 23 2025 Cheng Yang - 1.24.0-6 -- Gitee