diff options
| author | Archana Polampalli <archana.polampalli@windriver.com> | 2025-04-02 11:45:32 +0000 |
|---|---|---|
| committer | Steve Sakoman <steve@sakoman.com> | 2025-04-16 06:41:24 -0700 |
| commit | 60feedab223cc7adee7eb56d13ae4e7f301ae9f1 (patch) | |
| tree | f0d3d704fb88a5ae1856d00efe11a4861b5e65b4 /meta/recipes-devtools/go | |
| parent | 92c44bc7888a1606434fceb7576b4dd05e8569a9 (diff) | |
| download | poky-60feedab223cc7adee7eb56d13ae4e7f301ae9f1.tar.gz | |
go: fix CVE-2025-22870
Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID
as a hostname component. For example, when the NO_PROXY environment variable
is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly
match and not be proxied.
(From OE-Core rev: 88e79f915137edc5a37a110abdc79f5800404e45)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'meta/recipes-devtools/go')
| -rw-r--r-- | meta/recipes-devtools/go/go-1.22.12.inc | 1 | ||||
| -rw-r--r-- | meta/recipes-devtools/go/go/CVE-2025-22870.patch | 80 |
2 files changed, 81 insertions, 0 deletions
diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc index 05aa3a95b6..df77794506 100644 --- a/meta/recipes-devtools/go/go-1.22.12.inc +++ b/meta/recipes-devtools/go/go-1.22.12.inc | |||
| @@ -14,5 +14,6 @@ SRC_URI += "\ | |||
| 14 | file://0007-exec.go-filter-out-build-specific-paths-from-linker-.patch \ | 14 | file://0007-exec.go-filter-out-build-specific-paths-from-linker-.patch \ |
| 15 | file://0008-src-cmd-dist-buildgo.go-do-not-hardcode-host-compile.patch \ | 15 | file://0008-src-cmd-dist-buildgo.go-do-not-hardcode-host-compile.patch \ |
| 16 | file://0009-go-Filter-build-paths-on-staticly-linked-arches.patch \ | 16 | file://0009-go-Filter-build-paths-on-staticly-linked-arches.patch \ |
| 17 | file://CVE-2025-22870.patch \ | ||
| 17 | " | 18 | " |
| 18 | SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71" | 19 | SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71" |
diff --git a/meta/recipes-devtools/go/go/CVE-2025-22870.patch b/meta/recipes-devtools/go/go/CVE-2025-22870.patch new file mode 100644 index 0000000000..6ed394c8e5 --- /dev/null +++ b/meta/recipes-devtools/go/go/CVE-2025-22870.patch | |||
| @@ -0,0 +1,80 @@ | |||
| 1 | From 25177ecde0922c50753c043579d17828b7ee88e7 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Damien Neil <dneil@google.com> | ||
| 3 | Date: Wed, 26 Feb 2025 16:08:57 -0800 | ||
| 4 | Subject: [PATCH] all: updated vendored x/net with security fix | ||
| 5 | |||
| 6 | 0b6d719 [internal-branch.go1.23-vendor] proxy, http/httpproxy: do not mismatch IPv6 zone ids against hosts | ||
| 7 | |||
| 8 | Fixes CVE-2025-22870 | ||
| 9 | For #71985 | ||
| 10 | |||
| 11 | Change-Id: Ib72c96bd0ab44d9ed2ac1428e0a9fc245464b3fc | ||
| 12 | Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2141 | ||
| 13 | Commit-Queue: Damien Neil <dneil@google.com> | ||
| 14 | Reviewed-by: Roland Shoemaker <bracewell@google.com> | ||
| 15 | Reviewed-by: Neal Patel <nealpatel@google.com> | ||
| 16 | Reviewed-on: https://go-review.googlesource.com/c/go/+/654695 | ||
| 17 | Reviewed-by: Damien Neil <dneil@google.com> | ||
| 18 | Reviewed-by: Michael Pratt <mpratt@google.com> | ||
| 19 | LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> | ||
| 20 | Auto-Submit: Junyang Shao <shaojunyang@google.com> | ||
| 21 | |||
| 22 | CVE: CVE-2025-22870 | ||
| 23 | |||
| 24 | Upstream-Status: Backport [https://github.com/golang/go/commit/25177ecde0922c50753c043579d17828b7ee88e7] | ||
| 25 | |||
| 26 | Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> | ||
| 27 | --- | ||
| 28 | src/cmd/internal/moddeps/moddeps_test.go | 1 + | ||
| 29 | src/vendor/golang.org/x/net/http/httpproxy/proxy.go | 10 ++++++++-- | ||
| 30 | 2 files changed, 9 insertions(+), 2 deletions(-) | ||
| 31 | |||
| 32 | diff --git a/src/cmd/internal/moddeps/moddeps_test.go b/src/cmd/internal/moddeps/moddeps_test.go | ||
| 33 | index 3d4c99e..ffaa16c 100644 | ||
| 34 | --- a/src/cmd/internal/moddeps/moddeps_test.go | ||
| 35 | +++ b/src/cmd/internal/moddeps/moddeps_test.go | ||
| 36 | @@ -33,6 +33,7 @@ import ( | ||
| 37 | // See issues 36852, 41409, and 43687. | ||
| 38 | // (Also see golang.org/issue/27348.) | ||
| 39 | func TestAllDependencies(t *testing.T) { | ||
| 40 | + t.Skip("TODO(#71985) 1.23.7 contains unreleased changes from vendored modules") | ||
| 41 | goBin := testenv.GoToolPath(t) | ||
| 42 | |||
| 43 | // Ensure that all packages imported within GOROOT | ||
| 44 | diff --git a/src/vendor/golang.org/x/net/http/httpproxy/proxy.go b/src/vendor/golang.org/x/net/http/httpproxy/proxy.go | ||
| 45 | index c3bd9a1..864961c 100644 | ||
| 46 | --- a/src/vendor/golang.org/x/net/http/httpproxy/proxy.go | ||
| 47 | +++ b/src/vendor/golang.org/x/net/http/httpproxy/proxy.go | ||
| 48 | @@ -14,6 +14,7 @@ import ( | ||
| 49 | "errors" | ||
| 50 | "fmt" | ||
| 51 | "net" | ||
| 52 | + "net/netip" | ||
| 53 | "net/url" | ||
| 54 | "os" | ||
| 55 | "strings" | ||
| 56 | @@ -180,8 +181,10 @@ func (cfg *config) useProxy(addr string) bool { | ||
| 57 | if host == "localhost" { | ||
| 58 | return false | ||
| 59 | } | ||
| 60 | - ip := net.ParseIP(host) | ||
| 61 | - if ip != nil { | ||
| 62 | + nip, err := netip.ParseAddr(host) | ||
| 63 | + var ip net.IP | ||
| 64 | + if err == nil { | ||
| 65 | + ip = net.IP(nip.AsSlice()) | ||
| 66 | if ip.IsLoopback() { | ||
| 67 | return false | ||
| 68 | } | ||
| 69 | @@ -363,6 +366,9 @@ type domainMatch struct { | ||
| 70 | } | ||
| 71 | |||
| 72 | func (m domainMatch) match(host, port string, ip net.IP) bool { | ||
| 73 | + if ip != nil { | ||
| 74 | + return false | ||
| 75 | + } | ||
| 76 | if strings.HasSuffix(host, m.host) || (m.matchHost && host == m.host[1:]) { | ||
| 77 | return m.port == "" || m.port == port | ||
| 78 | } | ||
| 79 | -- | ||
| 80 | 2.40.0 | ||