[Medium] Patch vitess for CVE-2025-22872 (#13614)

Author: kevin-b-lockwood

SPECS/vitess/CVE-2025-22872.patch

@@ -0,0 +1,42 @@
+From 8a2ee9d764b649c4ab4917daac4a9696e85414bb Mon Sep 17 00:00:00 2001
+From: Kevin Lockwood <[email protected]>
+Date: Thu, 8 May 2025 13:35:38 -0700
+Subject: [PATCH] Patch CVE-2025-22872
+
+Upstream Patch Reference: https://github.com/golang/net/commit/e1fcd82abba34df74614020343be8eb1fe85f0d9.patch
+---
+ vendor/golang.org/x/net/html/token.go | 18 ++++++++++++++++--
+ 1 file changed, 16 insertions(+), 2 deletions(-)
+
+diff --git a/vendor/golang.org/x/net/html/token.go b/vendor/golang.org/x/net/html/token.go
+index 3c57880..6598c1f 100644
+--- a/vendor/golang.org/x/net/html/token.go
++++ b/vendor/golang.org/x/net/html/token.go
+@@ -839,8 +839,22 @@ func (z *Tokenizer) readStartTag() TokenType {
+ 	if raw {
+ 		z.rawTag = strings.ToLower(string(z.buf[z.data.start:z.data.end]))
+ 	}
+-	// Look for a self-closing token like "<br/>".
+-	if z.err == nil && z.buf[z.raw.end-2] == '/' {
++	// Look for a self-closing token (e.g. <br/>).
++	//
++	// Originally, we did this by just checking that the last character of the
++	// tag (ignoring the closing bracket) was a solidus (/) character, but this
++	// is not always accurate.
++	//
++	// We need to be careful that we don't misinterpret a non-self-closing tag
++	// as self-closing, as can happen if the tag contains unquoted attribute
++	// values (i.e. <p a=/>).
++	//
++	// To avoid this, we check that the last non-bracket character of the tag
++	// (z.raw.end-2) isn't the same character as the last non-quote character of
++	// the last attribute of the tag (z.pendingAttr[1].end-1), if the tag has
++	// attributes.
++	nAttrs := len(z.attr)
++	if z.err == nil && z.buf[z.raw.end-2] == '/' && (nAttrs == 0 || z.raw.end-2 != z.attr[nAttrs-1][1].end-1) {
+ 		return SelfClosingTagToken
+ 	}
+ 	return StartTagToken
+-- 
+2.34.1
+

SPECS/vitess/vitess.spec

@@ -3,7 +3,7 @@
 
 Name:           vitess
 Version:        17.0.7
-Release:        7%{?dist}
+Release:        8%{?dist}
 Summary:        Database clustering system for horizontal scaling of MySQL
 # Upstream license specification: MIT and Apache-2.0
 License:        MIT and ASL 2.0
@@ -31,6 +31,8 @@ Patch1:         CVE-2024-45339.patch
 Patch2:         CVE-2025-22868.patch
 Patch3:         CVE-2024-53257.patch
 Patch4:         CVE-2025-22870.patch
+# CVE-2025-22872 is fixed in go net v0.38 by https://github.com/golang/net/commit/e1fcd82abba34df74614020343be8eb1fe85f0d9
+Patch5:         CVE-2025-22872.patch
 BuildRequires: golang
 
 %description
@@ -44,10 +46,7 @@ with an atomic cutover step that takes only a few seconds.
 
 
 %prep
-%autosetup -N
-# Apply vendor before patching
-tar --no-same-owner -xf %{SOURCE1}
-%autopatch -p1
+%autosetup -p1 -a1
 
 # sed in Mariner does not work on a group of files; use for-loop to apply
 # to apply to individual file
@@ -103,6 +102,9 @@ go test -v ./go/cmd/... \
 %{_bindir}/*
 
 %changelog
+* Fri Apr 25 2025 Kevin Lockwood <[email protected]> - 17.0.7-8
+- Add patch for CVE-2025-22872
+
 * Thu Mar 20 2025 Sreeniavsulu Malavathula <[email protected]> - 17.0.7-7
 - Fix CVE-2024-51744 with an upstream patch