From d387a24327bc97bb7301b6d08d586e9bbc1a035d Mon Sep 17 00:00:00 2001
From: wujichao
Date: Tue, 8 Apr 2025 15:14:39 +0800
Subject: [PATCH] [backport]fix CVE-2025-22870
Note:In the modification of the original CVE, the net/netip package was used. However, this package is not available in current version.Therefore, the parseIPZone function in the net package is used instead for the fix.
(cherry picked from commit bc6a64df2b449c94b4d88e4e09761f05fefc3e99)
---
 ...870-do-not-mismatch-IPv6-zone-ids-ag.patch | 80 +++++++++++++++++++
 golang.spec | 9 ++-
 2 files changed, 88 insertions(+), 1 deletion(-)
 create mode 100644 0074-CVE-2025-22870-do-not-mismatch-IPv6-zone-ids-ag.patch
diff --git a/0074-CVE-2025-22870-do-not-mismatch-IPv6-zone-ids-ag.patch b/0074-CVE-2025-22870-do-not-mismatch-IPv6-zone-ids-ag.patch
new file mode 100644
index 0000000..0dbaafd
--- /dev/null
+++ b/0074-CVE-2025-22870-do-not-mismatch-IPv6-zone-ids-ag.patch
@@ -0,0 +1,80 @@
+From 334de7982f8ec959c74470dd709ceedfd6dbd50a Mon Sep 17 00:00:00 2001
+From: Damien Neil
+Date: Wed, 26 Feb 2025 16:46:43 -0800
+Subject: [PATCH] [release-branch.go1.24] all: updated vendored x/net with security fix
+
+6ed00d0 [internal-branch.go1.24-vendor] proxy, http/httpproxy: do not mismatch IPv6 zone ids against hosts
+
+Fixes CVE-2025-22870
+For #71986
+
+Change-Id: I7bda0825f1a9470b0708714d9cc32b5eae212f8b
+Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2121
+Reviewed-by: Neal Patel
+Reviewed-by: Roland Shoemaker
+Commit-Queue: Roland Shoemaker
+Reviewed-on: https://go-review.googlesource.com/c/go/+/654715
+Reviewed-by: Michael Pratt
+LUCI-TryBot-Result: Go LUCI
+Auto-Submit: Junyang Shao
+Reviewed-by: Damien Neil
+
+Conflict:NA
+Reference:https://go-review.googlesource.com/c/go/+/654715
+
+Note:In the modification of the original CVE, the net/netip package was used. However, this package is not available in current version.Therefore, the parseIPZone function in the net package is used instead for the fix.
+Edited-by: wujichao wujichao1@hauwei.com
+---
+ .../golang.org/x/net/http/httpproxy/proxy.go | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/src/vendor/golang.org/x/net/http/httpproxy/proxy.go b/src/vendor/golang.org/x/net/http/httpproxy/proxy.go
+index 1415b07..148c62f 100644
+--- a/src/vendor/golang.org/x/net/http/httpproxy/proxy.go
++++ b/src/vendor/golang.org/x/net/http/httpproxy/proxy.go
+@@ -18,6 +18,7 @@ import (
+ "os"
+ "strings"
+ "unicode/utf8"
++ _ "unsafe"
+
+ "golang.org/x/net/idna"
+ )
+@@ -181,11 +182,9 @@ func (cfg *config) useProxy(addr string) bool {
+ if host == "localhost" {
+ return false
+ }
+- ip := net.ParseIP(host)
+- if ip != nil {
+- if ip.IsLoopback() {
+- return false
+- }
++ ip, _ := parseIPZone(host)
++ if ip != nil && ip.IsLoopback() {
++ return false
+ }
+
+ addr = strings.ToLower(strings.TrimSpace(host))
+@@ -205,6 +204,9 @@ func (cfg *config) useProxy(addr string) bool {
+ return true
+ }
+
++//go:linkname parseIPZone net.parseIPZone
++func parseIPZone(s string) (net.IP, string)
++
+ func (c *config) init() {
+ if parsed, err := parseProxy(c.HTTPProxy); err == nil {
+ c.httpProxy = parsed
+@@ -361,6 +363,9 @@ type domainMatch struct {
+ }
+
+ func (m domainMatch) match(host, port string, ip net.IP) bool {
++ if ip != nil {
++ return false
++ }
+ if strings.HasSuffix(host, m.host) || (m.matchHost && host == m.host[1:]) {
+ return m.port == "" || m.port == port
+ }
+--
+2.33.0
+
diff --git a/golang.spec b/golang.spec
index bcddb79..aa1163b 100644
--- a/golang.spec
+++ b/golang.spec
@@ -63,7 +63,7 @@ Name: golang
 Version: 1.17.3
-Release: 38
+Release: 39
 Summary: The Go Programming Language
 License: BSD and Public Domain
 URL: https://golang.org/
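Review bot: The bodyless `func parseIPZone(s string) (net.IP, string)` pulled in through `//go:linkname parseIPZone net.parseIPZone` has no comment, so the vendored httpproxy package now depends on an unexported symbol of package net with nothing at the declaration saying why, and the deviation from the upstream fix is recorded only in the patch header. Suggest a comment above the directive along the lines of `// parseIPZone is net's unexported zone-aware parser, reached via linkname because net/netip is not available in this Go version; unlike net.ParseIP it accepts an IPv6 zone suffix, which the CVE-2025-22870 fix relies on. Keep the signature in step with net/ip.go: a mismatch is not caught by the compiler.` The new `if ip != nil { return false }` guard in domainMatch.match is the actual bypass fix yet reads as redundant, so it deserves a why-comment such as `// An IP literal never satisfies a domain pattern, even when its zone id looks like a domain suffix.` In useProxy the zone returned by parseIPZone is discarded, which is consistent with only the address being used for loopback and matcher checks; a short note there would stop a later reader from reintroducing the zone into matching. useProxy, config.init and domainMatch.match all continue outside the hunks shown.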
@@ -223,6 +223,7 @@ Patch6070: 0070-Backport-go-build-constraint-add-parsing-limits.patch
 Patch6071: 0071-CVE-2024-45341-crypto-x509-properly-check-for-IPv6-h.patch
 Patch6072: 0072-CVE-2024-45336-net-http-persist-header-stripping-acr.patch
 Patch6073: 0073-crypto-tls-fix-Config.Time-in-tests-using-expir.patch
+Patch6074: 0074-CVE-2025-22870-do-not-mismatch-IPv6-zone-ids-ag.patch
 ExclusiveArch: %{golang_arches}
@@ -461,6 +462,12 @@ fi
 %files devel -f go-tests.list -f go-misc.list -f go-src.list
 %changelog
+* Tue Apr 08 2025 wujichao - 1.17.3-39
+- Type:CVE
+- CVE:CVE-2025-22870
+- SUG:NA
+- DESC:fix CVE-2025-22870
+
 * Fri Feb 21 2025 wujichao - 1.17.3-38
 - Type:CVE
 - CVE:CVE-2024-45341 CVE-2024-45336
-- Gitee