[AUTO-CHERRYPICK] Patch golang for CVE-2025-22871[High] - branch main (#13512)

CBL-Mariner-Bot · bhagyapathak · jslobodzian · web-flow · commit 3f88cc7b5f85 · 2025-04-24T18:20:49.000-04:00
Co-authored-by: bhagyapathak &lt;bhagyapathak@users.noreply.github.com&gt;
Co-authored-by: jslobodzian &lt;joslobo@microsoft.com&gt;
diff --git a/SPECS/golang/CVE-2025-22871.patch b/SPECS/golang/CVE-2025-22871.patch
@@ -0,0 +1,55 @@
+From 7caf9f7ef10cb314f6af9939b8a0cda080e8989d Mon Sep 17 00:00:00 2001
+From: Bhagyashri Pathak <bhapathak@microsoft.com>
+Date: Tue, 15 Apr 2025 19:08:45 +0530
+Subject: [PATCH] Patch for CVE-2025-22871
+
+Upstream patch reference: https://github.com/golang/go/commit/ac1f5aa3d62efe21e65ce4dc30e6996d59acfbd0
+---
+ src/net/http/internal/chunked.go | 19 ++++++++++++++++---
+ 1 file changed, 16 insertions(+), 3 deletions(-)
+
+diff --git a/src/net/http/internal/chunked.go b/src/net/http/internal/chunked.go
+index 37a72e9..436c3db 100644
+--- a/src/net/http/internal/chunked.go
++++ b/src/net/http/internal/chunked.go
+@@ -137,6 +137,19 @@ func readChunkLine(b *bufio.Reader) ([]byte, error) {
+ 		}
+ 		return nil, err
+ 	}
++
++	// RFC 9112 permits parsers to accept a bare \n as a line ending in headers,
++	// but not in chunked encoding lines. See https://www.rfc-editor.org/errata/eid7633,
++	// which explicitly rejects a clarification permitting \n as a chunk terminator.
++	//
++	// Verify that the line ends in a CRLF, and that no CRs appear before the end.
++	if idx := bytes.IndexByte(p, '\r'); idx == -1 {
++		return nil, errors.New("chunked line ends with bare LF")
++	} else if idx != len(p)-2 {
++		return nil, errors.New("invalid CR in chunked line")
++	}
++	p = p[:len(p)-2] // trim CRLF
++
+ 	if len(p) >= maxLineLength {
+ 		return nil, ErrLineTooLong
+ 	}
+@@ -149,14 +162,14 @@ func readChunkLine(b *bufio.Reader) ([]byte, error) {
+ }
+ 
+ func trimTrailingWhitespace(b []byte) []byte {
+-	for len(b) > 0 && isASCIISpace(b[len(b)-1]) {
++	for len(b) > 0 && isOWS(b[len(b)-1]) {
+ 		b = b[:len(b)-1]
+ 	}
+ 	return b
+ }
+ 
+-func isASCIISpace(b byte) bool {
+-	return b == ' ' || b == '\t' || b == '\n' || b == '\r'
++func isOWS(b byte) bool {
++	return b == ' ' || b == '\t'
+ }
+ 
+ var semi = []byte(";")
+-- 
+2.34.1
+
diff --git a/SPECS/golang/golang-1.18.spec b/SPECS/golang/golang-1.18.spec
@@ -13,7 +13,7 @@
 Summary:        Go
 Name:           golang
 Version:        1.18.8
-Release:        6%{?dist}
+Release:        7%{?dist}
 License:        BSD-3-Clause
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -28,6 +28,7 @@ Patch1:         CVE-2022-41717.patch
 Patch2:         CVE-2024-24790.patch
 Patch3:         CVE-2024-45341.patch
 Patch4:         CVE-2024-34158.patch
+Patch5:         CVE-2025-22871.patch
 Obsoletes:      %{name} < %{version}
 Provides:       %{name} = %{version}
 Provides:       go = %{version}-%{release}
@@ -48,6 +49,7 @@ patch -Np1 --ignore-whitespace < %{PATCH1}
 patch -Np1 --ignore-whitespace < %{PATCH2}
 patch -Np1 --ignore-whitespace < %{PATCH3}
 patch -Np1 --ignore-whitespace < %{PATCH4}
+patch -Np1 --ignore-whitespace < %{PATCH5}
 
 %build
 # Build go 1.4 bootstrap
@@ -128,6 +130,9 @@ fi
 %{_bindir}/*
 
 %changelog
+* Mon Apr 21 2025 Bhagyashri Pathak <bhapathak@microsoft.com> - 1.18.8-7
+- Address CVE-2025-22871 using an upstream patch.
+
 * Fri Apr 18 2025 Kshitiz Godara <kgodara@microsoft.com> - 1.18.8-6
 - Address CVE-2024-34158 using an upstream patch.
 
diff --git a/SPECS/golang/golang.spec b/SPECS/golang/golang.spec
@@ -15,7 +15,7 @@
 Summary:        Go
 Name:           golang
 Version:        1.22.7
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        BSD-3-Clause
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -28,6 +28,7 @@ Source3:        https://dl.google.com/go/go%{bootstrap_compiler_version_1}.src.t
 Patch0:         go14_bootstrap_aarch64.patch
 Patch1:         CVE-2024-45336.patch
 Patch2:         CVE-2024-45341.patch
+Patch3:         CVE-2025-22871.patch
 Obsoletes:      %{name} < %{version}
 Provides:       %{name} = %{version}
 Provides:       go = %{version}-%{release}
@@ -45,6 +46,7 @@ mv -v go go-bootstrap
 %setup -q -n go
 %patch 1 -p1
 %patch 2 -p1
+%patch 3 -p1
 
 %build
 # Go 1.22 requires the final point release of Go 1.20 or later for bootstrap.
@@ -160,6 +162,9 @@ fi
 %{_bindir}/*
 
 %changelog
+* Thu Apr 10 2025 Bhagyashri Pathak <bhapathak@microsoft.com> - 1.22.7-3
+- Address CVE-2025-22871 using an upstream patch.
+
 * Tue Feb 04 2025 Kanishk bansal <kanbansal@microsoft.com> - 1.22.7-2
 - Address CVE-2024-45336, CVE-2024-45341 using an upstream patch.
 
