10 files changed, 260 insertions, 4 deletions
diff --git a/meta/recipes-devtools/go/go-1.22.6.inc b/meta/recipes-devtools/go/go-1.22.12.inc
index 834debaf9b..b154aa3984 100644
--- a/meta/recipes-devtools/go/go-1.22.6.inc
+++ b/meta/recipes-devtools/go/go-1.22.12.inc
@@ -14,5 +14,7 @@ SRC_URI += "\
    file://0007-exec.go-filter-out-build-specific-paths-from-linker-.patch \
    file://0008-src-cmd-dist-buildgo.go-do-not-hardcode-host-compile.patch \
    file://0009-go-Filter-build-paths-on-staticly-linked-arches.patch \
+    file://CVE-2025-22870.patch \
+    file://CVE-2025-22871.patch \
 "
-SRC_URI[main.sha256sum] = "9e48d99d519882579917d8189c17e98c373ce25abaebb98772e2927088992a51"
+SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71"
diff --git a/meta/recipes-devtools/go/go-binary-native_1.22.6.bb b/meta/recipes-devtools/go/go-binary-native_1.22.12.bb
index ea4577f20a..b15b60a691 100644
--- a/meta/recipes-devtools/go/go-binary-native_1.22.6.bb
+++ b/meta/recipes-devtools/go/go-binary-native_1.22.12.bb
@@ -9,14 +9,15 @@ PROVIDES = "go-native"
 # Checksums available at https://go.dev/dl/
 SRC_URI = "https://dl.google.com/go/go${PV}.${BUILD_GOOS}-${BUILD_GOARCH}.tar.gz;name=go_${BUILD_GOTUPLE}"
-SRC_URI[go_linux_amd64.sha256sum] = "999805bed7d9039ec3da1a53bfbcafc13e367da52aa823cb60b68ba22d44c616"
+SRC_URI[go_linux_amd64.sha256sum] = "4fa4f869b0f7fc6bb1eb2660e74657fbf04cdd290b5aef905585c86051b34d43"
-SRC_URI[go_linux_arm64.sha256sum] = "c15fa895341b8eaf7f219fada25c36a610eb042985dc1a912410c1c90098eaf2"
+SRC_URI[go_linux_arm64.sha256sum] = "fd017e647ec28525e86ae8203236e0653242722a7436929b1f775744e26278e7"
-SRC_URI[go_linux_ppc64le.sha256sum] = "9d99fce3f6f72a76630fe91ec0884dfe3db828def4713368424900fa98bb2bd6"
+SRC_URI[go_linux_ppc64le.sha256sum] = "9573d30003b0796717a99d9e2e96c48fddd4fc0f29d840f212c503b03d7de112"
 UPSTREAM_CHECK_URI = "https://golang.org/dl/"
 UPSTREAM_CHECK_REGEX = "go(?P<pver>\d+(\.\d+)+)\.linux"
 CVE_PRODUCT = "golang:go"
+CVE_STATUS[CVE-2024-3566] = "not-applicable-platform: Issue only applies on Windows"
 S = "${WORKDIR}/go"
diff --git a/meta/recipes-devtools/go/go-common.inc b/meta/recipes-devtools/go/go-common.inc
index db165792dc..a39dea6c1c 100644
--- a/meta/recipes-devtools/go/go-common.inc
+++ b/meta/recipes-devtools/go/go-common.inc
@@ -21,6 +21,7 @@ UPSTREAM_CHECK_REGEX = "(?P<pver>\d+(\.\d+)+)\.src\.tar"
 # all recipe variants are created from the same product
 CVE_PRODUCT = "golang:go"
+CVE_STATUS[CVE-2024-3566] = "not-applicable-platform: Issue only applies on Windows"
 INHIBIT_PACKAGE_DEBUG_SPLIT = "1"
 SSTATE_SCAN_CMD = "true"
diff --git a/meta/recipes-devtools/go/go-cross-canadian_1.22.6.bb b/meta/recipes-devtools/go/go-cross-canadian_1.22.12.bb
index 7ac9449e47..7ac9449e47 100644
--- a/meta/recipes-devtools/go/go-cross-canadian_1.22.6.bb
+++ b/meta/recipes-devtools/go/go-cross-canadian_1.22.12.bb
diff --git a/meta/recipes-devtools/go/go-cross_1.22.6.bb b/meta/recipes-devtools/go/go-cross_1.22.12.bb
index 80b5a03f6c..80b5a03f6c 100644
--- a/meta/recipes-devtools/go/go-cross_1.22.6.bb
+++ b/meta/recipes-devtools/go/go-cross_1.22.12.bb
diff --git a/meta/recipes-devtools/go/go-crosssdk_1.22.6.bb b/meta/recipes-devtools/go/go-crosssdk_1.22.12.bb
index 1857c8a577..1857c8a577 100644
--- a/meta/recipes-devtools/go/go-crosssdk_1.22.6.bb
+++ b/meta/recipes-devtools/go/go-crosssdk_1.22.12.bb
diff --git a/meta/recipes-devtools/go/go-runtime_1.22.6.bb b/meta/recipes-devtools/go/go-runtime_1.22.12.bb
index 63464a1501..63464a1501 100644
--- a/meta/recipes-devtools/go/go-runtime_1.22.6.bb
+++ b/meta/recipes-devtools/go/go-runtime_1.22.12.bb
diff --git a/meta/recipes-devtools/go/go/CVE-2025-22870.patch b/meta/recipes-devtools/go/go/CVE-2025-22870.patch
new file mode 100644
index 0000000000..6ed394c8e5
--- /dev/null
+++ b/meta/recipes-devtools/go/go/CVE-2025-22870.patch
@@ -0,0 +1,80 @@
+From 25177ecde0922c50753c043579d17828b7ee88e7 Mon Sep 17 00:00:00 2001
+From: Damien Neil <dneil@google.com>
+Date: Wed, 26 Feb 2025 16:08:57 -0800
+Subject: [PATCH] all: updated vendored x/net with security fix
+0b6d719 [internal-branch.go1.23-vendor] proxy, http/httpproxy: do not mismatch IPv6 zone ids against hosts
+Fixes CVE-2025-22870
+For #71985
+Change-Id: Ib72c96bd0ab44d9ed2ac1428e0a9fc245464b3fc
+Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2141
+Commit-Queue: Damien Neil <dneil@google.com>
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+Reviewed-by: Neal Patel <nealpatel@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/654695
+Reviewed-by: Damien Neil <dneil@google.com>
+Reviewed-by: Michael Pratt <mpratt@google.com>
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+Auto-Submit: Junyang Shao <shaojunyang@google.com>
+CVE: CVE-2025-22870
+Upstream-Status: Backport [https://github.com/golang/go/commit/25177ecde0922c50753c043579d17828b7ee88e7]
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ src/cmd/internal/moddeps/moddeps_test.go            |  1 +
+ src/vendor/golang.org/x/net/http/httpproxy/proxy.go | 10 ++++++++--
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+diff --git a/src/cmd/internal/moddeps/moddeps_test.go b/src/cmd/internal/moddeps/moddeps_test.go
+index 3d4c99e..ffaa16c 100644
+--- a/src/cmd/internal/moddeps/moddeps_test.go
+++ b/src/cmd/internal/moddeps/moddeps_test.go
+@@ -33,6 +33,7 @@ import (
+ // See issues 36852, 41409, and 43687.
+ // (Also see golang.org/issue/27348.)
+ func TestAllDependencies(t *testing.T) {
+       t.Skip("TODO(#71985) 1.23.7 contains unreleased changes from vendored modules")
+        goBin := testenv.GoToolPath(t)
+        // Ensure that all packages imported within GOROOT
+diff --git a/src/vendor/golang.org/x/net/http/httpproxy/proxy.go b/src/vendor/golang.org/x/net/http/httpproxy/proxy.go
+index c3bd9a1..864961c 100644
+--- a/src/vendor/golang.org/x/net/http/httpproxy/proxy.go
+++ b/src/vendor/golang.org/x/net/http/httpproxy/proxy.go
+@@ -14,6 +14,7 @@ import (
+        "errors"
+        "fmt"
+        "net"
+       "net/netip"
+        "net/url"
+        "os"
+        "strings"
+@@ -180,8 +181,10 @@ func (cfg *config) useProxy(addr string) bool {
+        if host == "localhost" {
+                return false
+        }
+-       ip := net.ParseIP(host)
+-       if ip != nil {
+       nip, err := netip.ParseAddr(host)
+       var ip net.IP
+       if err == nil {
+               ip = net.IP(nip.AsSlice())
+                if ip.IsLoopback() {
+                        return false
+                }
+@@ -363,6 +366,9 @@ type domainMatch struct {
+ }
+ func (m domainMatch) match(host, port string, ip net.IP) bool {
+       if ip != nil {
+               return false
+       }
+        if strings.HasSuffix(host, m.host) || (m.matchHost && host == m.host[1:]) {
+                return m.port == "" || m.port == port
+        }
+--
+2.40.0
diff --git a/meta/recipes-devtools/go/go/CVE-2025-22871.patch b/meta/recipes-devtools/go/go/CVE-2025-22871.patch
new file mode 100644
index 0000000000..2750178a42
--- /dev/null
+++ b/meta/recipes-devtools/go/go/CVE-2025-22871.patch
@@ -0,0 +1,172 @@
+From 15e01a2e43ecb8c7e15ff7e9d62fe3f10dcac931 Mon Sep 17 00:00:00 2001
+From: Damien Neil <dneil@google.com>
+Date: Wed, 26 Feb 2025 13:40:00 -0800
+Subject: [PATCH] [release-branch.go1.23] net/http: reject newlines in
+ chunk-size lines
+Unlike request headers, where we are allowed to leniently accept
+a bare LF in place of a CRLF, chunked bodies must always use CRLF
+line terminators. We were already enforcing this for chunk-data lines;
+do so for chunk-size lines as well. Also reject bare CRs anywhere
+other than as part of the CRLF terminator.
+Fixes CVE-2025-22871
+Fixes #72010
+For #71988
+Change-Id: Ib0e21af5a8ba28c2a1ca52b72af8e2265ec79e4a
+Reviewed-on: https://go-review.googlesource.com/c/go/+/652998
+Reviewed-by: Jonathan Amsterdam <jba@google.com>
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+(cherry picked from commit d31c805535f3fde95646ee4d87636aaaea66847b)
+Reviewed-on: https://go-review.googlesource.com/c/go/+/657216
+Upstream-Status: Backport [https://github.com/golang/go/commit/15e01a2e43ecb8c7e15ff7e9d62fe3f10dcac931]
+CVE: CVE-2025-22871
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/net/http/internal/chunked.go      | 19 +++++++++--
+ src/net/http/internal/chunked_test.go | 27 +++++++++++++++
+ src/net/http/serve_test.go            | 49 +++++++++++++++++++++++++++
+ 3 files changed, 92 insertions(+), 3 deletions(-)
+diff --git a/src/net/http/internal/chunked.go b/src/net/http/internal/chunked.go
+index 196b5d8..0b08a97 100644
+--- a/src/net/http/internal/chunked.go
+++ b/src/net/http/internal/chunked.go
+@@ -164,6 +164,19 @@ func readChunkLine(b *bufio.Reader) ([]byte, error) {
+                }
+                return nil, err
+        }
+
+       // RFC 9112 permits parsers to accept a bare \n as a line ending in headers,
+       // but not in chunked encoding lines. See https://www.rfc-editor.org/errata/eid7633,
+       // which explicitly rejects a clarification permitting \n as a chunk terminator.
+       //
+       // Verify that the line ends in a CRLF, and that no CRs appear before the end.
+       if idx := bytes.IndexByte(p, '\r'); idx == -1 {
+               return nil, errors.New("chunked line ends with bare LF")
+       } else if idx != len(p)-2 {
+               return nil, errors.New("invalid CR in chunked line")
+       }
+       p = p[:len(p)-2] // trim CRLF
+
+        if len(p) >= maxLineLength {
+                return nil, ErrLineTooLong
+        }
+@@ -171,14 +184,14 @@ func readChunkLine(b *bufio.Reader) ([]byte, error) {
+ }
+ 
+ func trimTrailingWhitespace(b []byte) []byte {
+-       for len(b) > 0 && isASCIISpace(b[len(b)-1]) {
+       for len(b) > 0 && isOWS(b[len(b)-1]) {
+                b = b[:len(b)-1]
+        }
+        return b
+ }
+ 
+-func isASCIISpace(b byte) bool {
+-       return b == ' ' || b == '\t' || b == '\n' || b == '\r'
+func isOWS(b byte) bool {
+       return b == ' ' || b == '\t'
+ }
+ 
+ var semi = []byte(";")
+diff --git a/src/net/http/internal/chunked_test.go b/src/net/http/internal/chunked_test.go
+index af79711..312f173 100644
+--- a/src/net/http/internal/chunked_test.go
+++ b/src/net/http/internal/chunked_test.go
+@@ -280,6 +280,33 @@ func TestChunkReaderByteAtATime(t *testing.T) {
+        }
+ }
+ 
+func TestChunkInvalidInputs(t *testing.T) {
+       for _, test := range []struct {
+               name string
+               b    string
+       }{{
+               name: "bare LF in chunk size",
+               b:    "1\na\r\n0\r\n",
+       }, {
+               name: "extra LF in chunk size",
+               b:    "1\r\r\na\r\n0\r\n",
+       }, {
+               name: "bare LF in chunk data",
+               b:    "1\r\na\n0\r\n",
+       }, {
+               name: "bare LF in chunk extension",
+               b:    "1;\na\r\n0\r\n",
+       }} {
+               t.Run(test.name, func(t *testing.T) {
+                       r := NewChunkedReader(strings.NewReader(test.b))
+                       got, err := io.ReadAll(r)
+                       if err == nil {
+                               t.Fatalf("unexpectedly parsed invalid chunked data:\n%q", got)
+                       }
+               })
+       }
+}
+
+ type funcReader struct {
+        f   func(iteration int) ([]byte, error)
+        i   int
+diff --git a/src/net/http/serve_test.go b/src/net/http/serve_test.go
+index 0c76f1b..0e8af02 100644
+--- a/src/net/http/serve_test.go
+++ b/src/net/http/serve_test.go
+@@ -6980,3 +6980,52 @@ func testDisableContentLength(t *testing.T, mode testMode) {
+                t.Fatal(err)
+        }
+ }
+
+func TestInvalidChunkedBodies(t *testing.T) {
+       for _, test := range []struct {
+               name string
+               b    string
+       }{{
+               name: "bare LF in chunk size",
+               b:    "1\na\r\n0\r\n\r\n",
+       }, {
+               name: "bare LF at body end",
+               b:    "1\r\na\r\n0\r\n\n",
+       }} {
+               t.Run(test.name, func(t *testing.T) {
+                       reqc := make(chan error)
+                       ts := newClientServerTest(t, http1Mode, HandlerFunc(func(w ResponseWriter, r *Request) {
+                               got, err := io.ReadAll(r.Body)
+                               if err == nil {
+                                       t.Logf("read body: %q", got)
+                               }
+                               reqc <- err
+                       })).ts
+
+                       serverURL, err := url.Parse(ts.URL)
+                       if err != nil {
+                               t.Fatal(err)
+                       }
+
+                       conn, err := net.Dial("tcp", serverURL.Host)
+                       if err != nil {
+                               t.Fatal(err)
+                       }
+
+                       if _, err := conn.Write([]byte(
+                               "POST / HTTP/1.1\r\n" +
+                                       "Host: localhost\r\n" +
+                                       "Transfer-Encoding: chunked\r\n" +
+                                       "Connection: close\r\n" +
+                                       "\r\n" +
+                                       test.b)); err != nil {
+                               t.Fatal(err)
+                       }
+                       conn.(*net.TCPConn).CloseWrite()
+
+                       if err := <-reqc; err == nil {
+                               t.Errorf("server handler: io.ReadAll(r.Body) succeeded, want error")
+                       }
+               })
+       }
+}
+-- 
+2.25.1
diff --git a/meta/recipes-devtools/go/go_1.22.6.bb b/meta/recipes-devtools/go/go_1.22.12.bb
index 46f5fbc6be..46f5fbc6be 100644
--- a/meta/recipes-devtools/go/go_1.22.6.bb
+++ b/meta/recipes-devtools/go/go_1.22.12.bb

diff --git a/meta/recipes-devtools/go/go-1.22.6.inc b/meta/recipes-devtools/go/go-1.22.12.inc index 834debaf9b..b154aa3984 100644 --- a/meta/recipes-devtools/go/go-1.22.6.inc +++ b/meta/recipes-devtools/go/go-1.22.12.inc
@@ -14,5 +14,7 @@ SRC_URI += "\
14	file://0007-exec.go-filter-out-build-specific-paths-from-linker-.patch \	14	file://0007-exec.go-filter-out-build-specific-paths-from-linker-.patch \
15	file://0008-src-cmd-dist-buildgo.go-do-not-hardcode-host-compile.patch \	15	file://0008-src-cmd-dist-buildgo.go-do-not-hardcode-host-compile.patch \
16	file://0009-go-Filter-build-paths-on-staticly-linked-arches.patch \	16	file://0009-go-Filter-build-paths-on-staticly-linked-arches.patch \
		17	file://CVE-2025-22870.patch \
		18	file://CVE-2025-22871.patch \
17	"	19	"
18	SRC_URI[main.sha256sum] = "9e48d99d519882579917d8189c17e98c373ce25abaebb98772e2927088992a51"	20	SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71"


diff --git a/meta/recipes-devtools/go/go-binary-native_1.22.6.bb b/meta/recipes-devtools/go/go-binary-native_1.22.12.bb index ea4577f20a..b15b60a691 100644 --- a/meta/recipes-devtools/go/go-binary-native_1.22.6.bb +++ b/meta/recipes-devtools/go/go-binary-native_1.22.12.bb
@@ -9,14 +9,15 @@ PROVIDES = "go-native"
9		9
10	# Checksums available at https://go.dev/dl/	10	# Checksums available at https://go.dev/dl/
11	SRC_URI = "https://dl.google.com/go/go${PV}.${BUILD_GOOS}-${BUILD_GOARCH}.tar.gz;name=go_${BUILD_GOTUPLE}"	11	SRC_URI = "https://dl.google.com/go/go${PV}.${BUILD_GOOS}-${BUILD_GOARCH}.tar.gz;name=go_${BUILD_GOTUPLE}"
12	SRC_URI[go_linux_amd64.sha256sum] = "999805bed7d9039ec3da1a53bfbcafc13e367da52aa823cb60b68ba22d44c616"	12	SRC_URI[go_linux_amd64.sha256sum] = "4fa4f869b0f7fc6bb1eb2660e74657fbf04cdd290b5aef905585c86051b34d43"
13	SRC_URI[go_linux_arm64.sha256sum] = "c15fa895341b8eaf7f219fada25c36a610eb042985dc1a912410c1c90098eaf2"	13	SRC_URI[go_linux_arm64.sha256sum] = "fd017e647ec28525e86ae8203236e0653242722a7436929b1f775744e26278e7"
14	SRC_URI[go_linux_ppc64le.sha256sum] = "9d99fce3f6f72a76630fe91ec0884dfe3db828def4713368424900fa98bb2bd6"	14	SRC_URI[go_linux_ppc64le.sha256sum] = "9573d30003b0796717a99d9e2e96c48fddd4fc0f29d840f212c503b03d7de112"
15		15
16	UPSTREAM_CHECK_URI = "https://golang.org/dl/"	16	UPSTREAM_CHECK_URI = "https://golang.org/dl/"
17	UPSTREAM_CHECK_REGEX = "go(?P<pver>\d+(\.\d+)+)\.linux"	17	UPSTREAM_CHECK_REGEX = "go(?P<pver>\d+(\.\d+)+)\.linux"
18		18
19	CVE_PRODUCT = "golang:go"	19	CVE_PRODUCT = "golang:go"
		20	CVE_STATUS[CVE-2024-3566] = "not-applicable-platform: Issue only applies on Windows"
20		21
21	S = "${WORKDIR}/go"	22	S = "${WORKDIR}/go"
22		23


diff --git a/meta/recipes-devtools/go/go-common.inc b/meta/recipes-devtools/go/go-common.inc index db165792dc..a39dea6c1c 100644 --- a/meta/recipes-devtools/go/go-common.inc +++ b/meta/recipes-devtools/go/go-common.inc
@@ -21,6 +21,7 @@ UPSTREAM_CHECK_REGEX = "(?P<pver>\d+(\.\d+)+)\.src\.tar"
21		21
22	# all recipe variants are created from the same product	22	# all recipe variants are created from the same product
23	CVE_PRODUCT = "golang:go"	23	CVE_PRODUCT = "golang:go"
		24	CVE_STATUS[CVE-2024-3566] = "not-applicable-platform: Issue only applies on Windows"
24		25
25	INHIBIT_PACKAGE_DEBUG_SPLIT = "1"	26	INHIBIT_PACKAGE_DEBUG_SPLIT = "1"
26	SSTATE_SCAN_CMD = "true"	27	SSTATE_SCAN_CMD = "true"


diff --git a/meta/recipes-devtools/go/go-cross-canadian_1.22.6.bb b/meta/recipes-devtools/go/go-cross-canadian_1.22.12.bb index 7ac9449e47..7ac9449e47 100644 --- a/meta/recipes-devtools/go/go-cross-canadian_1.22.6.bb +++ b/meta/recipes-devtools/go/go-cross-canadian_1.22.12.bb


diff --git a/meta/recipes-devtools/go/go-cross_1.22.6.bb b/meta/recipes-devtools/go/go-cross_1.22.12.bb index 80b5a03f6c..80b5a03f6c 100644 --- a/meta/recipes-devtools/go/go-cross_1.22.6.bb +++ b/meta/recipes-devtools/go/go-cross_1.22.12.bb


diff --git a/meta/recipes-devtools/go/go-crosssdk_1.22.6.bb b/meta/recipes-devtools/go/go-crosssdk_1.22.12.bb index 1857c8a577..1857c8a577 100644 --- a/meta/recipes-devtools/go/go-crosssdk_1.22.6.bb +++ b/meta/recipes-devtools/go/go-crosssdk_1.22.12.bb


diff --git a/meta/recipes-devtools/go/go-runtime_1.22.6.bb b/meta/recipes-devtools/go/go-runtime_1.22.12.bb index 63464a1501..63464a1501 100644 --- a/meta/recipes-devtools/go/go-runtime_1.22.6.bb +++ b/meta/recipes-devtools/go/go-runtime_1.22.12.bb


diff --git a/meta/recipes-devtools/go/go/CVE-2025-22870.patch b/meta/recipes-devtools/go/go/CVE-2025-22870.patch new file mode 100644 index 0000000000..6ed394c8e5 --- /dev/null +++ b/meta/recipes-devtools/go/go/CVE-2025-22870.patch
@@ -0,0 +1,80 @@
		1	From 25177ecde0922c50753c043579d17828b7ee88e7 Mon Sep 17 00:00:00 2001
		2	From: Damien Neil <dneil@google.com>
		3	Date: Wed, 26 Feb 2025 16:08:57 -0800
		4	Subject: [PATCH] all: updated vendored x/net with security fix
		5
		6	0b6d719 [internal-branch.go1.23-vendor] proxy, http/httpproxy: do not mismatch IPv6 zone ids against hosts
		7
		8	Fixes CVE-2025-22870
		9	For #71985
		10
		11	Change-Id: Ib72c96bd0ab44d9ed2ac1428e0a9fc245464b3fc
		12	Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2141
		13	Commit-Queue: Damien Neil <dneil@google.com>
		14	Reviewed-by: Roland Shoemaker <bracewell@google.com>
		15	Reviewed-by: Neal Patel <nealpatel@google.com>
		16	Reviewed-on: https://go-review.googlesource.com/c/go/+/654695
		17	Reviewed-by: Damien Neil <dneil@google.com>
		18	Reviewed-by: Michael Pratt <mpratt@google.com>
		19	LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
		20	Auto-Submit: Junyang Shao <shaojunyang@google.com>
		21
		22	CVE: CVE-2025-22870
		23
		24	Upstream-Status: Backport [https://github.com/golang/go/commit/25177ecde0922c50753c043579d17828b7ee88e7]
		25
		26	Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
		27	---
		28	src/cmd/internal/moddeps/moddeps_test.go \| 1 +
		29	src/vendor/golang.org/x/net/http/httpproxy/proxy.go \| 10 ++++++++--
		30	2 files changed, 9 insertions(+), 2 deletions(-)
		31
		32	diff --git a/src/cmd/internal/moddeps/moddeps_test.go b/src/cmd/internal/moddeps/moddeps_test.go
		33	index 3d4c99e..ffaa16c 100644
		34	--- a/src/cmd/internal/moddeps/moddeps_test.go
		35	+++ b/src/cmd/internal/moddeps/moddeps_test.go
		36	@@ -33,6 +33,7 @@ import (
		37	// See issues 36852, 41409, and 43687.
		38	// (Also see golang.org/issue/27348.)
		39	func TestAllDependencies(t *testing.T) {
		40	+ t.Skip("TODO(#71985) 1.23.7 contains unreleased changes from vendored modules")
		41	goBin := testenv.GoToolPath(t)
		42
		43	// Ensure that all packages imported within GOROOT
		44	diff --git a/src/vendor/golang.org/x/net/http/httpproxy/proxy.go b/src/vendor/golang.org/x/net/http/httpproxy/proxy.go
		45	index c3bd9a1..864961c 100644
		46	--- a/src/vendor/golang.org/x/net/http/httpproxy/proxy.go
		47	+++ b/src/vendor/golang.org/x/net/http/httpproxy/proxy.go
		48	@@ -14,6 +14,7 @@ import (
		49	"errors"
		50	"fmt"
		51	"net"
		52	+ "net/netip"
		53	"net/url"
		54	"os"
		55	"strings"
		56	@@ -180,8 +181,10 @@ func (cfg *config) useProxy(addr string) bool {
		57	if host == "localhost" {
		58	return false
		59	}
		60	- ip := net.ParseIP(host)
		61	- if ip != nil {
		62	+ nip, err := netip.ParseAddr(host)
		63	+ var ip net.IP
		64	+ if err == nil {
		65	+ ip = net.IP(nip.AsSlice())
		66	if ip.IsLoopback() {
		67	return false
		68	}
		69	@@ -363,6 +366,9 @@ type domainMatch struct {
		70	}
		71
		72	func (m domainMatch) match(host, port string, ip net.IP) bool {
		73	+ if ip != nil {
		74	+ return false
		75	+ }
		76	if strings.HasSuffix(host, m.host) \|\| (m.matchHost && host == m.host[1:]) {
		77	return m.port == "" \|\| m.port == port
		78	}
		79	--
		80	2.40.0


diff --git a/meta/recipes-devtools/go/go/CVE-2025-22871.patch b/meta/recipes-devtools/go/go/CVE-2025-22871.patch new file mode 100644 index 0000000000..2750178a42 --- /dev/null +++ b/meta/recipes-devtools/go/go/CVE-2025-22871.patch
@@ -0,0 +1,172 @@
		1	From 15e01a2e43ecb8c7e15ff7e9d62fe3f10dcac931 Mon Sep 17 00:00:00 2001
		2	From: Damien Neil <dneil@google.com>
		3	Date: Wed, 26 Feb 2025 13:40:00 -0800
		4	Subject: [PATCH] [release-branch.go1.23] net/http: reject newlines in
		5	chunk-size lines
		6
		7	Unlike request headers, where we are allowed to leniently accept
		8	a bare LF in place of a CRLF, chunked bodies must always use CRLF
		9	line terminators. We were already enforcing this for chunk-data lines;
		10	do so for chunk-size lines as well. Also reject bare CRs anywhere
		11	other than as part of the CRLF terminator.
		12
		13	Fixes CVE-2025-22871
		14	Fixes #72010
		15	For #71988
		16
		17	Change-Id: Ib0e21af5a8ba28c2a1ca52b72af8e2265ec79e4a
		18	Reviewed-on: https://go-review.googlesource.com/c/go/+/652998
		19	Reviewed-by: Jonathan Amsterdam <jba@google.com>
		20	LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
		21	(cherry picked from commit d31c805535f3fde95646ee4d87636aaaea66847b)
		22	Reviewed-on: https://go-review.googlesource.com/c/go/+/657216
		23
		24	Upstream-Status: Backport [https://github.com/golang/go/commit/15e01a2e43ecb8c7e15ff7e9d62fe3f10dcac931]
		25	CVE: CVE-2025-22871
		26	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		27	---
		28	src/net/http/internal/chunked.go \| 19 +++++++++--
		29	src/net/http/internal/chunked_test.go \| 27 +++++++++++++++
		30	src/net/http/serve_test.go \| 49 +++++++++++++++++++++++++++
		31	3 files changed, 92 insertions(+), 3 deletions(-)
		32
		33	diff --git a/src/net/http/internal/chunked.go b/src/net/http/internal/chunked.go
		34	index 196b5d8..0b08a97 100644
		35	--- a/src/net/http/internal/chunked.go
		36	+++ b/src/net/http/internal/chunked.go
		37	@@ -164,6 +164,19 @@ func readChunkLine(b *bufio.Reader) ([]byte, error) {
		38	}
		39	return nil, err
		40	}
		41	+
		42	+ // RFC 9112 permits parsers to accept a bare \n as a line ending in headers,
		43	+ // but not in chunked encoding lines. See https://www.rfc-editor.org/errata/eid7633,
		44	+ // which explicitly rejects a clarification permitting \n as a chunk terminator.
		45	+ //
		46	+ // Verify that the line ends in a CRLF, and that no CRs appear before the end.
		47	+ if idx := bytes.IndexByte(p, '\r'); idx == -1 {
		48	+ return nil, errors.New("chunked line ends with bare LF")
		49	+ } else if idx != len(p)-2 {
		50	+ return nil, errors.New("invalid CR in chunked line")
		51	+ }
		52	+ p = p[:len(p)-2] // trim CRLF
		53	+
		54	if len(p) >= maxLineLength {
		55	return nil, ErrLineTooLong
		56	}
		57	@@ -171,14 +184,14 @@ func readChunkLine(b *bufio.Reader) ([]byte, error) {
		58	}
		59
		60	func trimTrailingWhitespace(b []byte) []byte {
		61	- for len(b) > 0 && isASCIISpace(b[len(b)-1]) {
		62	+ for len(b) > 0 && isOWS(b[len(b)-1]) {
		63	b = b[:len(b)-1]
		64	}
		65	return b
		66	}
		67
		68	-func isASCIISpace(b byte) bool {
		69	- return b == ' ' \|\| b == '\t' \|\| b == '\n' \|\| b == '\r'
		70	+func isOWS(b byte) bool {
		71	+ return b == ' ' \|\| b == '\t'
		72	}
		73
		74	var semi = []byte(";")
		75	diff --git a/src/net/http/internal/chunked_test.go b/src/net/http/internal/chunked_test.go
		76	index af79711..312f173 100644
		77	--- a/src/net/http/internal/chunked_test.go
		78	+++ b/src/net/http/internal/chunked_test.go
		79	@@ -280,6 +280,33 @@ func TestChunkReaderByteAtATime(t *testing.T) {
		80	}
		81	}
		82
		83	+func TestChunkInvalidInputs(t *testing.T) {
		84	+ for _, test := range []struct {
		85	+ name string
		86	+ b string
		87	+ }{{
		88	+ name: "bare LF in chunk size",
		89	+ b: "1\na\r\n0\r\n",
		90	+ }, {
		91	+ name: "extra LF in chunk size",
		92	+ b: "1\r\r\na\r\n0\r\n",
		93	+ }, {
		94	+ name: "bare LF in chunk data",
		95	+ b: "1\r\na\n0\r\n",
		96	+ }, {
		97	+ name: "bare LF in chunk extension",
		98	+ b: "1;\na\r\n0\r\n",
		99	+ }} {
		100	+ t.Run(test.name, func(t *testing.T) {
		101	+ r := NewChunkedReader(strings.NewReader(test.b))
		102	+ got, err := io.ReadAll(r)
		103	+ if err == nil {
		104	+ t.Fatalf("unexpectedly parsed invalid chunked data:\n%q", got)
		105	+ }
		106	+ })
		107	+ }
		108	+}
		109	+
		110	type funcReader struct {
		111	f func(iteration int) ([]byte, error)
		112	i int
		113	diff --git a/src/net/http/serve_test.go b/src/net/http/serve_test.go
		114	index 0c76f1b..0e8af02 100644
		115	--- a/src/net/http/serve_test.go
		116	+++ b/src/net/http/serve_test.go
		117	@@ -6980,3 +6980,52 @@ func testDisableContentLength(t *testing.T, mode testMode) {
		118	t.Fatal(err)
		119	}
		120	}
		121	+
		122	+func TestInvalidChunkedBodies(t *testing.T) {
		123	+ for _, test := range []struct {
		124	+ name string
		125	+ b string
		126	+ }{{
		127	+ name: "bare LF in chunk size",
		128	+ b: "1\na\r\n0\r\n\r\n",
		129	+ }, {
		130	+ name: "bare LF at body end",
		131	+ b: "1\r\na\r\n0\r\n\n",
		132	+ }} {
		133	+ t.Run(test.name, func(t *testing.T) {
		134	+ reqc := make(chan error)
		135	+ ts := newClientServerTest(t, http1Mode, HandlerFunc(func(w ResponseWriter, r *Request) {
		136	+ got, err := io.ReadAll(r.Body)
		137	+ if err == nil {
		138	+ t.Logf("read body: %q", got)
		139	+ }
		140	+ reqc <- err
		141	+ })).ts
		142	+
		143	+ serverURL, err := url.Parse(ts.URL)
		144	+ if err != nil {
		145	+ t.Fatal(err)
		146	+ }
		147	+
		148	+ conn, err := net.Dial("tcp", serverURL.Host)
		149	+ if err != nil {
		150	+ t.Fatal(err)
		151	+ }
		152	+
		153	+ if _, err := conn.Write([]byte(
		154	+ "POST / HTTP/1.1\r\n" +
		155	+ "Host: localhost\r\n" +
		156	+ "Transfer-Encoding: chunked\r\n" +
		157	+ "Connection: close\r\n" +
		158	+ "\r\n" +
		159	+ test.b)); err != nil {
		160	+ t.Fatal(err)
		161	+ }
		162	+ conn.(*net.TCPConn).CloseWrite()
		163	+
		164	+ if err := <-reqc; err == nil {
		165	+ t.Errorf("server handler: io.ReadAll(r.Body) succeeded, want error")
		166	+ }
		167	+ })
		168	+ }
		169	+}
		170	--
		171	2.25.1
		172


diff --git a/meta/recipes-devtools/go/go_1.22.6.bb b/meta/recipes-devtools/go/go_1.22.12.bb index 46f5fbc6be..46f5fbc6be 100644 --- a/meta/recipes-devtools/go/go_1.22.6.bb +++ b/meta/recipes-devtools/go/go_1.22.12.bb