[AUTO-CHERRYPICK] Patch msft-golang for CVE-2025-22871 [High] - branch main (#13462)

CBL-Mariner-Bot · bhagyapathak · web-flow · commit 57d8eaaa5a77 · 2025-04-21T15:25:59.000-04:00
Co-authored-by: bhagyapathak &lt;bhagyapathak@users.noreply.github.com&gt;
diff --git a/SPECS/msft-golang/CVE-2025-22871.patch b/SPECS/msft-golang/CVE-2025-22871.patch
@@ -0,0 +1,55 @@
+From 7caf9f7ef10cb314f6af9939b8a0cda080e8989d Mon Sep 17 00:00:00 2001
+From: Bhagyashri Pathak <bhapathak@microsoft.com>
+Date: Tue, 15 Apr 2025 19:08:45 +0530
+Subject: [PATCH] Patch for CVE-2025-22871
+
+Upstream patch reference: https://github.com/golang/go/commit/ac1f5aa3d62efe21e65ce4dc30e6996d59acfbd0
+---
+ src/net/http/internal/chunked.go | 19 ++++++++++++++++---
+ 1 file changed, 16 insertions(+), 3 deletions(-)
+
+diff --git a/src/net/http/internal/chunked.go b/src/net/http/internal/chunked.go
+index 37a72e9..436c3db 100644
+--- a/src/net/http/internal/chunked.go
++++ b/src/net/http/internal/chunked.go
+@@ -137,6 +137,19 @@ func readChunkLine(b *bufio.Reader) ([]byte, error) {
+ 		}
+ 		return nil, err
+ 	}
++
++	// RFC 9112 permits parsers to accept a bare \n as a line ending in headers,
++	// but not in chunked encoding lines. See https://www.rfc-editor.org/errata/eid7633,
++	// which explicitly rejects a clarification permitting \n as a chunk terminator.
++	//
++	// Verify that the line ends in a CRLF, and that no CRs appear before the end.
++	if idx := bytes.IndexByte(p, '\r'); idx == -1 {
++		return nil, errors.New("chunked line ends with bare LF")
++	} else if idx != len(p)-2 {
++		return nil, errors.New("invalid CR in chunked line")
++	}
++	p = p[:len(p)-2] // trim CRLF
++
+ 	if len(p) >= maxLineLength {
+ 		return nil, ErrLineTooLong
+ 	}
+@@ -149,14 +162,14 @@ func readChunkLine(b *bufio.Reader) ([]byte, error) {
+ }
+ 
+ func trimTrailingWhitespace(b []byte) []byte {
+-	for len(b) > 0 && isASCIISpace(b[len(b)-1]) {
++	for len(b) > 0 && isOWS(b[len(b)-1]) {
+ 		b = b[:len(b)-1]
+ 	}
+ 	return b
+ }
+ 
+-func isASCIISpace(b byte) bool {
+-	return b == ' ' || b == '\t' || b == '\n' || b == '\r'
++func isOWS(b byte) bool {
++	return b == ' ' || b == '\t'
+ }
+ 
+ var semi = []byte(";")
+-- 
+2.34.1
+
diff --git a/SPECS/msft-golang/msft-golang.spec b/SPECS/msft-golang/msft-golang.spec
@@ -15,7 +15,7 @@
 Summary:        Go
 Name:           msft-golang
 Version:        1.24.1
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        BSD
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -31,6 +31,7 @@ Source3:        https://github.com/microsoft/go/releases/download/v1.20.14-1/go.
 # bootstrap 03
 Source4:        https://github.com/microsoft/go/releases/download/v1.22.12-2/go1.22.12-20250211.4.src.tar.gz
 Patch0:         go14_bootstrap_aarch64.patch
+Patch1:         CVE-2025-22871.patch
 Conflicts:      go
 Conflicts:      golang
 
@@ -53,7 +54,7 @@ tar xf %{SOURCE4} --no-same-owner
 mv -v go go-bootstrap-03
 
 %setup -q -n go
-
+patch -Np1 --ignore-whitespace < %{PATCH1}
 %build
 # go 1.4 bootstraps with C.
 # go 1.20 bootstraps with go >= 1.17.13
@@ -159,6 +160,9 @@ fi
 %{_bindir}/*
 
 %changelog
+Mon Apr 14 2025 Bhagyashri Pathak <bhapathak@microsoft.com> - 1.24.1-2
+- Patch to address CVE-2025-22871
+
 * Mon Mar 31 2025 Andrew Phelps <anphel@microsoft.com> - 1.24.1-1
 - Bump version to 1.24.1 to address CVE-2025-22870, CVE-2024-45341, CVE-2024-45336, CVE-2024-34158
 
