[MEDIUM] Patch golang for CVE-2024-24789, CVE-2024-34155 & CVE-2025-22870 (#13586)

archana25-ms · web-flow · commit b863739dfcc7 · 2025-06-10T13:58:51.000+05:30
diff --git a/SPECS/golang/CVE-2024-24789.patch b/SPECS/golang/CVE-2024-24789.patch
@@ -0,0 +1,33 @@
+From 56d779bbf568122f560b51450e6ddc09a4fbf90b Mon Sep 17 00:00:00 2001
+From: archana25-ms <v-shettigara@microsoft.com>
+Date: Thu, 24 Apr 2025 22:36:50 +0000
+Subject: [PATCH] Address CVE-2024-24789
+Upstream Patch Reference: https://go-review.googlesource.com/c/go/+/585397/3/src/archive/zip/reader.go
+
+---
+ src/archive/zip/reader.go | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/src/archive/zip/reader.go b/src/archive/zip/reader.go
+index 92fd6f6..3da6440 100644
+--- a/src/archive/zip/reader.go
++++ b/src/archive/zip/reader.go
+@@ -604,9 +604,13 @@ func findSignatureInBlock(b []byte) int {
+ 		if b[i] == 'P' && b[i+1] == 'K' && b[i+2] == 0x05 && b[i+3] == 0x06 {
+ 			// n is length of comment
+ 			n := int(b[i+directoryEndLen-2]) | int(b[i+directoryEndLen-1])<<8
+-			if n+directoryEndLen+i <= len(b) {
+-				return i
++			if n+directoryEndLen+i > len(b) {
++				// Truncated comment.
++				// Some parsers (such as Info-ZIP) ignore the truncated comment
++				// rather than treating it as a hard error.
++				return -1
+ 			}
++			return i
+ 		}
+ 	}
+ 	return -1
+-- 
+2.45.3
+
diff --git a/SPECS/golang/CVE-2024-34155.patch b/SPECS/golang/CVE-2024-34155.patch
@@ -0,0 +1,47 @@
+From 5d26749e30c14254dabd04cb2b408d1484de2c14 Mon Sep 17 00:00:00 2001
+From: archana25-ms <v-shettigara@microsoft.com>
+Date: Wed, 7 May 2025 07:27:13 +0000
+Subject: [PATCH] Address CVE-2024-34155
+Upstream Patch Reference: https://github.com/golang/go/commit/b232596139dbe96a62edbe3a2a203e856bf556eb
+
+---
+ src/go/parser/parser.go      | 2 ++
+ src/go/parser/parser_test.go | 9 +++++----
+ 2 files changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/src/go/parser/parser.go b/src/go/parser/parser.go
+index c34ccea..ea81cfc 100644
+--- a/src/go/parser/parser.go
++++ b/src/go/parser/parser.go
+@@ -1685,6 +1685,8 @@ func (p *parser) checkExprOrType(x ast.Expr) ast.Expr {
+ }
+ 
+ func (p *parser) parsePrimaryExpr(x ast.Expr) ast.Expr {
++	defer decNestLev(incNestLev(p))
++
+ 	if p.trace {
+ 		defer un(trace(p, "PrimaryExpr"))
+ 	}
+diff --git a/src/go/parser/parser_test.go b/src/go/parser/parser_test.go
+index 1a46c87..9e4ce35 100644
+--- a/src/go/parser/parser_test.go
++++ b/src/go/parser/parser_test.go
+@@ -607,10 +607,11 @@ var parseDepthTests = []struct {
+ 	{name: "chan2", format: "package main; var x «<-chan »int"},
+ 	{name: "interface", format: "package main; var x «interface { M() «int» }»", scope: true, scopeMultiplier: 2}, // Scopes: InterfaceType, FuncType
+ 	{name: "map", format: "package main; var x «map[int]»int"},
+-	{name: "slicelit", format: "package main; var x = «[]any{«»}»", parseMultiplier: 2},             // Parser nodes: UnaryExpr, CompositeLit
+-	{name: "arraylit", format: "package main; var x = «[1]any{«nil»}»", parseMultiplier: 2},         // Parser nodes: UnaryExpr, CompositeLit
+-	{name: "structlit", format: "package main; var x = «struct{x any}{«nil»}»", parseMultiplier: 2}, // Parser nodes: UnaryExpr, CompositeLit
+-	{name: "maplit", format: "package main; var x = «map[int]any{1:«nil»}»", parseMultiplier: 2},    // Parser nodes: CompositeLit, KeyValueExpr
++	{name: "slicelit", format: "package main; var x = []any{«[]any{«»}»}", parseMultiplier: 3},      // Parser nodes: UnaryExpr, CompositeLit
++	{name: "arraylit", format: "package main; var x = «[1]any{«nil»}»", parseMultiplier: 3},         // Parser nodes: UnaryExpr, CompositeLit
++	{name: "structlit", format: "package main; var x = «struct{x any}{«nil»}»", parseMultiplier: 3}, // Parser nodes: UnaryExpr, CompositeLit
++	{name: "maplit", format: "package main; var x = «map[int]any{1:«nil»}»", parseMultiplier: 3},    // Parser nodes: CompositeLit, KeyValueExpr
++	{name: "element", format: "package main; var x = struct{x any}{x: «{«»}»}"},
+ 	{name: "dot", format: "package main; var x = «x.»x"},
+ 	{name: "index", format: "package main; var x = x«[1]»"},
+ 	{name: "slice", format: "package main; var x = x«[1:2]»"},
+-- 
+2.45.3
+
diff --git a/SPECS/golang/CVE-2025-22870-1.18.patch b/SPECS/golang/CVE-2025-22870-1.18.patch
@@ -0,0 +1,48 @@
+From 83bf64f9e9f54aad64e00d6aa3a28caeb61eba1b Mon Sep 17 00:00:00 2001
+From: archana25-ms <v-shettigara@microsoft.com>
+Date: Wed, 23 Apr 2025 20:53:30 +0000
+Subject: [PATCH] Address CVE-2025-22870
+Upstream Patch Reference : https://github.com/golang/go/commit/334de7982f8ec959c74470dd709ceedfd6dbd50a#diff-535738d3f027e78324e07f2c97d9e1cd704253a1691bb1de8868565d56b4affe
+
+---
+ src/vendor/golang.org/x/net/http/httpproxy/proxy.go | 10 ++++++++--
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/src/vendor/golang.org/x/net/http/httpproxy/proxy.go b/src/vendor/golang.org/x/net/http/httpproxy/proxy.go
+index 6404aaf157d6ad..d89c257ae72314 100644
+--- a/src/vendor/golang.org/x/net/http/httpproxy/proxy.go
++++ b/src/vendor/golang.org/x/net/http/httpproxy/proxy.go
+@@ -14,6 +14,7 @@ import (
+ 	"errors"
+ 	"fmt"
+ 	"net"
++	"net/netip"
+ 	"net/url"
+ 	"os"
+ 	"strings"
+@@ -177,8 +178,10 @@ func (cfg *config) useProxy(addr string) bool {
+ 	if host == "localhost" {
+ 		return false
+ 	}
+-	ip := net.ParseIP(host)
+-	if ip != nil {
++	nip, err := netip.ParseAddr(host)
++	var ip net.IP
++	if err == nil {
++		ip = net.IP(nip.AsSlice())
+ 		if ip.IsLoopback() {
+ 			return false
+ 		}
+@@ -360,6 +363,9 @@ type domainMatch struct {
+ }
+ 
+ func (m domainMatch) match(host, port string, ip net.IP) bool {
++	if ip != nil {
++		return false
++	}
+ 	if strings.HasSuffix(host, m.host) || (m.matchHost && host == m.host[1:]) {
+ 		return m.port == "" || m.port == port
+ 	}
+-- 
+2.45.3
+
diff --git a/SPECS/golang/CVE-2025-22870.patch b/SPECS/golang/CVE-2025-22870.patch
@@ -0,0 +1,61 @@
+From 83bf64f9e9f54aad64e00d6aa3a28caeb61eba1b Mon Sep 17 00:00:00 2001
+From: archana25-ms <v-shettigara@microsoft.com>
+Date: Wed, 23 Apr 2025 20:53:30 +0000
+Subject: [PATCH] Address CVE-2025-22870
+Upstream Patch Reference : https://github.com/golang/go/commit/334de7982f8ec959c74470dd709ceedfd6dbd50a#diff-535738d3f027e78324e07f2c97d9e1cd704253a1691bb1de8868565d56b4affe
+
+---
+ src/cmd/internal/moddeps/moddeps_test.go            |  1 +
+ src/vendor/golang.org/x/net/http/httpproxy/proxy.go | 10 ++++++++--
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/src/cmd/internal/moddeps/moddeps_test.go b/src/cmd/internal/moddeps/moddeps_test.go
+index 2def029325be55..0b43b20b3c19fa 100644
+--- a/src/cmd/internal/moddeps/moddeps_test.go
++++ b/src/cmd/internal/moddeps/moddeps_test.go
+@@ -33,6 +33,7 @@ import (
+ // See issues 36852, 41409, and 43687.
+ // (Also see golang.org/issue/27348.)
+ func TestAllDependencies(t *testing.T) {
++	t.Skip("TODO(#71986): 1.24.1 contains unreleased changes from vendored modules")
+ 	goBin := testenv.GoToolPath(t)
+ 
+ 	// Ensure that all packages imported within GOROOT
+diff --git a/src/vendor/golang.org/x/net/http/httpproxy/proxy.go b/src/vendor/golang.org/x/net/http/httpproxy/proxy.go
+index 6404aaf157d6ad..d89c257ae72314 100644
+--- a/src/vendor/golang.org/x/net/http/httpproxy/proxy.go
++++ b/src/vendor/golang.org/x/net/http/httpproxy/proxy.go
+@@ -14,6 +14,7 @@ import (
+ 	"errors"
+ 	"fmt"
+ 	"net"
++	"net/netip"
+ 	"net/url"
+ 	"os"
+ 	"strings"
+@@ -177,8 +178,10 @@ func (cfg *config) useProxy(addr string) bool {
+ 	if host == "localhost" {
+ 		return false
+ 	}
+-	ip := net.ParseIP(host)
+-	if ip != nil {
++	nip, err := netip.ParseAddr(host)
++	var ip net.IP
++	if err == nil {
++		ip = net.IP(nip.AsSlice())
+ 		if ip.IsLoopback() {
+ 			return false
+ 		}
+@@ -360,6 +363,9 @@ type domainMatch struct {
+ }
+ 
+ func (m domainMatch) match(host, port string, ip net.IP) bool {
++	if ip != nil {
++		return false
++	}
+ 	if strings.HasSuffix(host, m.host) || (m.matchHost && host == m.host[1:]) {
+ 		return m.port == "" || m.port == port
+ 	}
+-- 
+2.45.3
+
diff --git a/SPECS/golang/golang-1.18.spec b/SPECS/golang/golang-1.18.spec
@@ -13,7 +13,7 @@
 Summary:        Go
 Name:           golang
 Version:        1.18.8
-Release:        7%{?dist}
+Release:        8%{?dist}
 License:        BSD-3-Clause
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -29,6 +29,9 @@ Patch2:         CVE-2024-24790.patch
 Patch3:         CVE-2024-45341.patch
 Patch4:         CVE-2024-34158.patch
 Patch5:         CVE-2025-22871.patch
+Patch6:         CVE-2024-24789.patch
+Patch7:         CVE-2025-22870-1.18.patch
+Patch8:         CVE-2024-34155.patch
 Obsoletes:      %{name} < %{version}
 Provides:       %{name} = %{version}
 Provides:       go = %{version}-%{release}
@@ -50,6 +53,9 @@ patch -Np1 --ignore-whitespace < %{PATCH2}
 patch -Np1 --ignore-whitespace < %{PATCH3}
 patch -Np1 --ignore-whitespace < %{PATCH4}
 patch -Np1 --ignore-whitespace < %{PATCH5}
+patch -Np1 --ignore-whitespace < %{PATCH6}
+patch -Np1 --ignore-whitespace < %{PATCH7}
+patch -Np1 --ignore-whitespace < %{PATCH8}
 
 %build
 # Build go 1.4 bootstrap
@@ -130,6 +136,9 @@ fi
 %{_bindir}/*
 
 %changelog
+* Fri Apr 25 2025 Archana Shettigar <v-shettigara@microsoft.com> - 1.18.8-8
+- Patch CVE-2024-24789, CVE-2024-34155 & CVE-2025-22870
+
 * Mon Apr 21 2025 Bhagyashri Pathak <bhapathak@microsoft.com> - 1.18.8-7
 - Address CVE-2025-22871 using an upstream patch.
 
@@ -139,7 +148,7 @@ fi
 * Tue Feb 04 2025 Kanishk bansal <kanbansal@microsoft.com> - 1.18.8-5
 - Address CVE-2024-45341 using an upstream patch.
 
-* Mon July 29 2024 Bhagyashri Pathak bhapathak@microsoft.com - 1.18.8-4
+* Mon Jul 29 2024 Bhagyashri Pathak bhapathak@microsoft.com - 1.18.8-4
 - Patch CVE-2024-24790
 
 * Mon Jan 23 2022 Nicolas Guibourge <nicolasg@microsoft.com> - 1.18.8-3
diff --git a/SPECS/golang/golang.spec b/SPECS/golang/golang.spec
@@ -15,7 +15,7 @@
 Summary:        Go
 Name:           golang
 Version:        1.22.7
-Release:        3%{?dist}
+Release:        4%{?dist}
 License:        BSD-3-Clause
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -29,6 +29,7 @@ Patch0:         go14_bootstrap_aarch64.patch
 Patch1:         CVE-2024-45336.patch
 Patch2:         CVE-2024-45341.patch
 Patch3:         CVE-2025-22871.patch
+Patch4:         CVE-2025-22870.patch
 Obsoletes:      %{name} < %{version}
 Provides:       %{name} = %{version}
 Provides:       go = %{version}-%{release}
@@ -47,6 +48,7 @@ mv -v go go-bootstrap
 %patch 1 -p1
 %patch 2 -p1
 %patch 3 -p1
+%patch 4 -p1
 
 %build
 # Go 1.22 requires the final point release of Go 1.20 or later for bootstrap.
@@ -162,6 +164,9 @@ fi
 %{_bindir}/*
 
 %changelog
+* Thu May 08 2025 Archana Shettigar <v-shettigara@microsoft.com> - 1.22.7-4
+- Address CVE-2025-22870 using an upstream patch.
+
 * Thu Apr 10 2025 Bhagyashri Pathak <bhapathak@microsoft.com> - 1.22.7-3
 - Address CVE-2025-22871 using an upstream patch.
 
