]> git.ipfire.org Git - thirdparty/openembedded/openembedded-core-contrib.git/commitdiff
projects / thirdparty / openembedded / openembedded-core-contrib.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 54ce53f)
go: fix CVE-2025-22870
authorArchana Polampalli <archana.polampalli@windriver.com>
Wed, 2 Apr 2025 11:45:32 +0000 (11:45 +0000)
committerSteve Sakoman <steve@sakoman.com>
Tue, 8 Apr 2025 15:38:30 +0000 (08:38 -0700)
Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID
as a hostname component. For example, when the NO_PROXY environment variable
is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly
match and not be proxied.

Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
meta/recipes-devtools/go/go-1.22.12.inc patch | blob | blame | history
meta/recipes-devtools/go/go/CVE-2025-22870.patch [new file with mode: 0644] patch | blob

diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc
index 05aa3a95b62cce42827df7eb9b89fbed92b7a13f..df77794506832026012a2d61d1ae85d1201b9a2d 100644 (file)
--- a/meta/recipes-devtools/go/go-1.22.12.inc
+++ b/meta/recipes-devtools/go/go-1.22.12.inc
@@ -14,5 +14,6 @@ SRC_URI += "\
     file://0007-exec.go-filter-out-build-specific-paths-from-linker-.patch \
     file://0008-src-cmd-dist-buildgo.go-do-not-hardcode-host-compile.patch \
     file://0009-go-Filter-build-paths-on-staticly-linked-arches.patch \
+    file://CVE-2025-22870.patch \
 "
 SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71"
diff --git a/meta/recipes-devtools/go/go/CVE-2025-22870.patch b/meta/recipes-devtools/go/go/CVE-2025-22870.patch
new file mode 100644 (file)
index 0000000..6ed394c
--- /dev/null
+++ b/meta/recipes-devtools/go/go/CVE-2025-22870.patch
@@ -0,0 +1,80 @@
+From 25177ecde0922c50753c043579d17828b7ee88e7 Mon Sep 17 00:00:00 2001
+From: Damien Neil <dneil@google.com>
+Date: Wed, 26 Feb 2025 16:08:57 -0800
+Subject: [PATCH] all: updated vendored x/net with security fix
+
+0b6d719 [internal-branch.go1.23-vendor] proxy, http/httpproxy: do not mismatch IPv6 zone ids against hosts
+
+Fixes CVE-2025-22870
+For #71985
+
+Change-Id: Ib72c96bd0ab44d9ed2ac1428e0a9fc245464b3fc
+Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2141
+Commit-Queue: Damien Neil <dneil@google.com>
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+Reviewed-by: Neal Patel <nealpatel@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/654695
+Reviewed-by: Damien Neil <dneil@google.com>
+Reviewed-by: Michael Pratt <mpratt@google.com>
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+Auto-Submit: Junyang Shao <shaojunyang@google.com>
+
+CVE: CVE-2025-22870
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/25177ecde0922c50753c043579d17828b7ee88e7]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ src/cmd/internal/moddeps/moddeps_test.go            |  1 +
+ src/vendor/golang.org/x/net/http/httpproxy/proxy.go | 10 ++++++++--
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/src/cmd/internal/moddeps/moddeps_test.go b/src/cmd/internal/moddeps/moddeps_test.go
+index 3d4c99e..ffaa16c 100644
+--- a/src/cmd/internal/moddeps/moddeps_test.go
++++ b/src/cmd/internal/moddeps/moddeps_test.go
+@@ -33,6 +33,7 @@ import (
+ // See issues 36852, 41409, and 43687.
+ // (Also see golang.org/issue/27348.)
+ func TestAllDependencies(t *testing.T) {
++      t.Skip("TODO(#71985) 1.23.7 contains unreleased changes from vendored modules")
+       goBin := testenv.GoToolPath(t)
+
+       // Ensure that all packages imported within GOROOT
+diff --git a/src/vendor/golang.org/x/net/http/httpproxy/proxy.go b/src/vendor/golang.org/x/net/http/httpproxy/proxy.go
+index c3bd9a1..864961c 100644
+--- a/src/vendor/golang.org/x/net/http/httpproxy/proxy.go
++++ b/src/vendor/golang.org/x/net/http/httpproxy/proxy.go
+@@ -14,6 +14,7 @@ import (
+       "errors"
+       "fmt"
+       "net"
++      "net/netip"
+       "net/url"
+       "os"
+       "strings"
+@@ -180,8 +181,10 @@ func (cfg *config) useProxy(addr string) bool {
+       if host == "localhost" {
+               return false
+       }
+-      ip := net.ParseIP(host)
+-      if ip != nil {
++      nip, err := netip.ParseAddr(host)
++      var ip net.IP
++      if err == nil {
++              ip = net.IP(nip.AsSlice())
+               if ip.IsLoopback() {
+                       return false
+               }
+@@ -363,6 +366,9 @@ type domainMatch struct {
+ }
+
+ func (m domainMatch) match(host, port string, ip net.IP) bool {
++      if ip != nil {
++              return false
++      }
+       if strings.HasSuffix(host, m.host) || (m.matchHost && host == m.host[1:]) {
+               return m.port == "" || m.port == port
+       }
+--
+2.40.0
Mirror of git://git.openembedded.org/openembedded-core-contrib