go: add patch for CVE-2025-22870 to Go 1.22

bcressey · bcressey · commit 9b5cfd735e1a · 2025-03-04T21:31:47.000Z
Signed-off-by: Ben Cressey &lt;bcressey@amazon.com&gt;
diff --git a/patches/go-1.22/0001-all-updated-vendored-x-net-with-security-fix.patch b/patches/go-1.22/0001-all-updated-vendored-x-net-with-security-fix.patch
@@ -0,0 +1,66 @@
+From 157d68b686ec5a5b4bfa8c871128f3e8406932f8 Mon Sep 17 00:00:00 2001
+From: Damien Neil <dneil@google.com>
+Date: Wed, 26 Feb 2025 16:08:57 -0800
+Subject: [PATCH] all: updated vendored x/net with security fix
+
+Fixes CVE-2025-22870
+
+(cherry picked from commit 25177ecde0922c50753c043579d17828b7ee88e7)
+
+[bcressey: backport to Go 1.22]
+Signed-off-by: Ben Cressey <bcressey@amazon.com>
+---
+ src/cmd/internal/moddeps/moddeps_test.go            |  1 +
+ src/vendor/golang.org/x/net/http/httpproxy/proxy.go | 10 ++++++++--
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/src/cmd/internal/moddeps/moddeps_test.go b/src/cmd/internal/moddeps/moddeps_test.go
+index 3d4c99eecb..ffaa16ce9c 100644
+--- a/src/cmd/internal/moddeps/moddeps_test.go
++++ b/src/cmd/internal/moddeps/moddeps_test.go
+@@ -33,6 +33,7 @@ import (
+ // See issues 36852, 41409, and 43687.
+ // (Also see golang.org/issue/27348.)
+ func TestAllDependencies(t *testing.T) {
++	t.Skip("TODO(#71985) 1.23.7 contains unreleased changes from vendored modules")
+ 	goBin := testenv.GoToolPath(t)
+ 
+ 	// Ensure that all packages imported within GOROOT
+diff --git a/src/vendor/golang.org/x/net/http/httpproxy/proxy.go b/src/vendor/golang.org/x/net/http/httpproxy/proxy.go
+index c3bd9a1eeb..864961c75b 100644
+--- a/src/vendor/golang.org/x/net/http/httpproxy/proxy.go
++++ b/src/vendor/golang.org/x/net/http/httpproxy/proxy.go
+@@ -14,6 +14,7 @@ import (
+ 	"errors"
+ 	"fmt"
+ 	"net"
++	"net/netip"
+ 	"net/url"
+ 	"os"
+ 	"strings"
+@@ -180,8 +181,10 @@ func (cfg *config) useProxy(addr string) bool {
+ 	if host == "localhost" {
+ 		return false
+ 	}
+-	ip := net.ParseIP(host)
+-	if ip != nil {
++	nip, err := netip.ParseAddr(host)
++	var ip net.IP
++	if err == nil {
++		ip = net.IP(nip.AsSlice())
+ 		if ip.IsLoopback() {
+ 			return false
+ 		}
+@@ -363,6 +366,9 @@ type domainMatch struct {
+ }
+ 
+ func (m domainMatch) match(host, port string, ip net.IP) bool {
++	if ip != nil {
++		return false
++	}
+ 	if strings.HasSuffix(host, m.host) || (m.matchHost && host == m.host[1:]) {
+ 		return m.port == "" || m.port == port
+ 	}
+-- 
+2.48.1
+
