From 8067dc18977865750f85a114220ca4fa09581a0c Mon Sep 17 00:00:00 2001
From: jichao wu
Date: Wed, 25 Jun 2025 16:55:34 +0800
Subject: [PATCH] fix CVE-2025-22874,CVE-2025-4673

---
 ...rypto-x509-decouple-key-usage-and-po.patch | 140 ++++++++++++++++++
 ...t-http-strip-sensitive-proxy-headers.patch | 67 +++++++++
 golang.spec | 10 +-
 3 files changed, 216 insertions(+), 1 deletion(-)
 create mode 100644 1003-CVE-2025-22874-crypto-x509-decouple-key-usage-and-po.patch
 create mode 100644 1004-CVE-2025-4673-net-http-strip-sensitive-proxy-headers.patch

diff --git a/1003-CVE-2025-22874-crypto-x509-decouple-key-usage-and-po.patch b/1003-CVE-2025-22874-crypto-x509-decouple-key-usage-and-po.patch
new file mode 100644
index 0000000..9c01f02
--- /dev/null
+++ b/1003-CVE-2025-22874-crypto-x509-decouple-key-usage-and-po.patch
@@ -0,0 +1,140 @@
+From 8cc22cc92b6941aaefe9c18b88662f5088228e92 Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker
+Date: Tue, 6 May 2025 09:27:10 -0700
+Subject: [PATCH] crypto/x509: decouple key usage and policy validation
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Disabling key usage validation (by passing ExtKeyUsageAny)
+unintentionally disabled policy validation. This change decouples these
+two checks, preventing the user from unintentionally disabling policy
+validation.
+
+Thanks to Krzysztof Skrzętnicki (@Tener) of Teleport for reporting this
+issue.
+
+Fixes #73612
+Fixes CVE-2025-22874
+
+Confict: no
+Reference:https://go-review.googlesource.com/c/go/+/670375
+
+Change-Id: Iec8f080a8879a3dd44cb3da30352fa3e7f539d40
+Reviewed-on: https://go-review.googlesource.com/c/go/+/670375
+Reviewed-by: Daniel McCarney
+Reviewed-by: Cherry Mui
+Reviewed-by: Ian Stapleton Cordasco
+LUCI-TryBot-Result: Go LUCI
+Signed-off-by: jichao wu
+---
+ src/crypto/x509/verify.go | 32 +++++++++++++++++++++---------
+ src/crypto/x509/verify_test.go | 36 ++++++++++++++++++++++++++++++++++
+ 2 files changed, 59 insertions(+), 9 deletions(-)
+
+diff --git a/src/crypto/x509/verify.go b/src/crypto/x509/verify.go
+index 5fe93c6..7cc0fb2 100644
+--- a/src/crypto/x509/verify.go
++++ b/src/crypto/x509/verify.go
+@@ -841,31 +841,45 @@ func (c *Certificate) Verify(opts VerifyOptions) (chains [][]*Certificate, err e
+ }
+ }
+ 
+- if len(opts.KeyUsages) == 0 {
+- opts.KeyUsages = []ExtKeyUsage{ExtKeyUsageServerAuth}
++ chains = make([][]*Certificate, 0, len(candidateChains))
++
++ var invalidPoliciesChains int
++ for _, candidate := range candidateChains {
++ if !policiesValid(candidate, opts) {
++ invalidPoliciesChains++
++ continue
++ }
++ chains = append(chains, candidate)
++ }
++
++ if len(chains) == 0 {
++ return nil, CertificateInvalidError{c, NoValidChains, "all candidate chains have invalid policies"}
+ }
+ }
+ 
+ for _, eku := range opts.KeyUsages {
+ if eku == ExtKeyUsageAny {
+ // If any key usage is acceptable, no need to check the chain for
+ // key usages.
+- return candidateChains, nil
++ return chains, nil
+ }
+ }
+ 
+- chains = make([][]*Certificate, 0, len(candidateChains))
+- var incompatibleKeyUsageChains, invalidPoliciesChains int
++ if len(opts.KeyUsages) == 0 {
++ opts.KeyUsages = []ExtKeyUsage{ExtKeyUsageServerAuth}
++ }
++
++ candidateChains = chains
++ chains = chains[:0]
++
++ var incompatibleKeyUsageChains int
+ for _, candidate := range candidateChains {
+ if !checkChainForKeyUsage(candidate, opts.KeyUsages) {
+ incompatibleKeyUsageChains++
+ continue
+ }
+- if !policiesValid(candidate, opts) {
+- invalidPoliciesChains++
+- continue
+- }
+ chains = append(chains, candidate)
+ }
++
+ if len(chains) == 0 {
+ var details []string
+ if incompatibleKeyUsageChains > 0 {
+diff --git a/src/crypto/x509/verify_test.go b/src/crypto/x509/verify_test.go
+index 1175e7d..7991f49 100644
+--- a/src/crypto/x509/verify_test.go
++++ b/src/crypto/x509/verify_test.go
+@@ -3012,3 +3012,39 @@ func TestPoliciesValid(t *testing.T) {
+ })
+ }
+ }
++
++func TestInvalidPolicyWithAnyKeyUsage(t *testing.T) {
++ loadTestCert := func(t *testing.T, path string) *Certificate {
++ b, err := os.ReadFile(path)
++ if err != nil {
++ t.Fatal(err)
++ }
++ p, _ := pem.Decode(b)
++ c, err := ParseCertificate(p.Bytes)
++ if err != nil {
++ t.Fatal(err)
++ }
++ return c
++ }
++
++ testOID3 := mustNewOIDFromInts([]uint64{1, 2, 840, 113554, 4, 1, 72585, 2, 3})
++ root, intermediate, leaf := loadTestCert(t, "testdata/policy_root.pem"), loadTestCert(t, "testdata/policy_intermediate_require.pem"), loadTestCert(t, "testdata/policy_leaf.pem")
++
++ expectedErr := "x509: no valid chains built: all candidate chains have invalid policies"
++
++ roots, intermediates := NewCertPool(), NewCertPool()
++ roots.AddCert(root)
++ intermediates.AddCert(intermediate)
++
++ _, err := leaf.Verify(VerifyOptions{
++ Roots: roots,
++ Intermediates: intermediates,
++ KeyUsages: []ExtKeyUsage{ExtKeyUsageAny},
++ CertificatePolicies: []OID{testOID3},
++ })
++ if err == nil {
++ t.Fatal("unexpected success, invalid policy shouldn't be bypassed by passing VerifyOptions.KeyUsages with ExtKeyUsageAny")
++ } else if err.Error() != expectedErr {
++ t.Fatalf("unexpected error, got %q, want %q", err, expectedErr)
++ }
++}
+--
+2.33.0
+
diff --git a/1004-CVE-2025-4673-net-http-strip-sensitive-proxy-headers.patch b/1004-CVE-2025-4673-net-http-strip-sensitive-proxy-headers.patch
new file mode 100644
index 0000000..44a575b
--- /dev/null
+++ b/1004-CVE-2025-4673-net-http-strip-sensitive-proxy-headers.patch
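Review bot: The in-place filter at `candidateChains = chains` / `chains = chains[:0]` in the verify.go hunk makes both slices share one backing array, and the key-usage loop that follows is only safe because the append index never overtakes the read index; nothing in the new code says so. A one-line comment above `candidateChains = chains`, such as `// Filter in place: chains aliases candidateChains; appends never overtake the read index.`, would keep a later edit that appends more than one chain per candidate from silently corrupting the iteration. In the added test, `p, _ := pem.Decode(b)` dereferences `p.Bytes` without a nil check, so a missing or non-PEM testdata file fails with a panic instead of a readable `t.Fatalf`. The backport header's `Confict: no` (also present in the 1004 patch) should read `Conflict: no`. Verify begins and ends outside the hunk.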
@@ -0,0 +1,67 @@
+From 709fda0a42b8ffde78136af52e02f260622926fa Mon Sep 17 00:00:00 2001
+From: Neal Patel
+Date: Wed, 21 May 2025 14:11:44 -0400
+Subject: [PATCH] net/http: strip sensitive proxy headers from redirect
+ requests
+
+Similarly to Authentication entries, Proxy-Authentication entries should be stripped to ensure sensitive information is not leaked on redirects outside of the original domain.
+
+https://fetch.spec.whatwg.org/#authentication-entries
+
+Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for reporting this issue.
+
+Updates golang/go#73816
+Fixes golang/go#73905
+Fixes CVE-2025-4673
+
+Confict: no
+Reference:https://go-review.googlesource.com/c/go/+/679255
+
+Change-Id: I1615f31977a2fd014fbc12aae43f82692315a6d0
+Reviewed-on: https://go-review.googlesource.com/c/go/+/679255
+LUCI-TryBot-Result: Go LUCI
+Reviewed-by: Michael Knyszek
+Signed-off-by: jichao wu
+---
+ src/net/http/client.go | 3 ++-
+ src/net/http/client_test.go | 3 +++
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/net/http/client.go b/src/net/http/client.go
+index 9231f63..a814cf3 100644
+--- a/src/net/http/client.go
++++ b/src/net/http/client.go
+@@ -805,7 +805,8 @@ func (c *Client) makeHeadersCopier(ireq *Request) func(req *Request, stripSensit
+ for k, vv := range ireqhdr {
+ sensitive := false
+ switch CanonicalHeaderKey(k) {
+- case "Authorization", "Www-Authenticate", "Cookie", "Cookie2":
++ case "Authorization", "Www-Authenticate", "Cookie", "Cookie2",
++ "Proxy-Authorization", "Proxy-Authenticate":
+ sensitive = true
+ }
+ if !(sensitive && stripSensitiveHeaders) {
+diff --git a/src/net/http/client_test.go b/src/net/http/client_test.go
+index 1ce9539..8ab4f58 100644
+--- a/src/net/http/client_test.go
++++ b/src/net/http/client_test.go
+@@ -1547,6 +1547,8 @@ func testClientStripHeadersOnRepeatedRedirect(t *testing.T, mode testMode) {
+ if r.Host+r.URL.Path != "a.example.com/" {
+ if h := r.Header.Get("Authorization"); h != "" {
+ t.Errorf("on request to %v%v, Authorization=%q, want no header", r.Host, r.URL.Path, h)
++ } else if h := r.Header.Get("Proxy-Authorization"); h != "" {
++ t.Errorf("on request to %v%v, Proxy-Authorization=%q, want no header", r.Host, r.URL.Path, h)
+ }
+ }
+ // Follow a chain of redirects from a to b and back to a.
+@@ -1575,6 +1577,7 @@ func testClientStripHeadersOnRepeatedRedirect(t *testing.T, mode testMode) {
+ req, _ := NewRequest("GET", proto+"://a.example.com/", nil)
+ req.Header.Add("Cookie", "foo=bar")
+ req.Header.Add("Authorization", "secretpassword")
++ req.Header.Add("Proxy-Authorization", "secretpassword")
+ res, err := c.Do(req)
+ if err != nil {
+ t.Fatal(err)
+--
+2.33.0
+
diff --git a/golang.spec b/golang.spec
index f376991..529141f 100644
--- a/golang.spec
+++ b/golang.spec
@@ -68,7 +68,7 @@ Name: golang
 Version: 1.24.2
-Release: 33
+Release: 34
 Summary: The Go Programming Language
 License: BSD and Public Domain
 URL: https://golang.org/
@@ -128,6 +128,8 @@ Requires: %{vendor}-rpm-config
 Patch1000: 1000-all-implement-plugin-build-mode-for-riscv64.patch
 Patch1001: 1001-cmd-link-cmd-internal-add-R_GOT_PCREL_ITYPE_RELOC-fo.patch
 Patch1002: 1002-cmd-compile-don-t-merge-symbols-on-riscv64-when-dyna.patch
+Patch1003: 1003-CVE-2025-22874-crypto-x509-decouple-key-usage-and-po.patch
+Patch1004: 1004-CVE-2025-4673-net-http-strip-sensitive-proxy-headers.patch
 Patch9001: 0001-fix-asan_test-test-case-failure.patch
@@ -368,6 +370,12 @@ fi
 %files devel -f go-tests.list -f go-misc.list -f go-src.list
 %changelog
+* Fri Jun 20 2025 wujichao - 1.24.2-34
+- Type:CVE
+- CVE:CVE-2025-22874,CVE-2025-4673
+- SUG:NA
+- DESC:fix CVE-2025-22874,CVE-2025-4673
+
 * Thu Apr 17 2025 Suyun - 1.24.2-33
 - Update to 1.24.2
-- 
Gitee
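Review bot: The new check in the client_test.go hunk is chained with `else if`, so a leaked Proxy-Authorization is only reported when Authorization was already stripped, and a regression that leaks both headers surfaces as a single failure; making it an independent `if h := r.Header.Get("Proxy-Authorization"); h != "" {` block (closing the Authorization `if` with its own `}` first) reports each header on its own. The test only exercises Proxy-Authorization, while the client.go `case` also strips Proxy-Authenticate; that looks intentional given Www-Authenticate is likewise untested, but a short comment on the `case` line, such as `// Mirrors the Fetch spec's authentication entries, including the proxy variants.`, would explain why response-side headers sit in a request-header filter. makeHeadersCopier and testClientStripHeadersOnRepeatedRedirect both begin and end outside their hunks.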