@@ -15,5 +15,6 @@ SRC_URI += "\
file://0008-src-cmd-dist-buildgo.go-do-not-hardcode-host-compile.patch \
file://0009-go-Filter-build-paths-on-staticly-linked-arches.patch \
file://CVE-2025-22870.patch \
+ file://CVE-2025-22871.patch \
"
SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71"
new file mode 100644
@@ -0,0 +1,172 @@
+From 15e01a2e43ecb8c7e15ff7e9d62fe3f10dcac931 Mon Sep 17 00:00:00 2001
+From: Damien Neil <dneil@google.com>
+Date: Wed, 26 Feb 2025 13:40:00 -0800
+Subject: [PATCH] [release-branch.go1.23] net/http: reject newlines in
+ chunk-size lines
+
+Unlike request headers, where we are allowed to leniently accept
+a bare LF in place of a CRLF, chunked bodies must always use CRLF
+line terminators. We were already enforcing this for chunk-data lines;
+do so for chunk-size lines as well. Also reject bare CRs anywhere
+other than as part of the CRLF terminator.
+
+Fixes CVE-2025-22871
+Fixes #72010
+For #71988
+
+Change-Id: Ib0e21af5a8ba28c2a1ca52b72af8e2265ec79e4a
+Reviewed-on: https://go-review.googlesource.com/c/go/+/652998
+Reviewed-by: Jonathan Amsterdam <jba@google.com>
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+(cherry picked from commit d31c805535f3fde95646ee4d87636aaaea66847b)
+Reviewed-on: https://go-review.googlesource.com/c/go/+/657216
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/15e01a2e43ecb8c7e15ff7e9d62fe3f10dcac931]
+CVE: CVE-2025-22871
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/net/http/internal/chunked.go | 19 +++++++++--
+ src/net/http/internal/chunked_test.go | 27 +++++++++++++++
+ src/net/http/serve_test.go | 49 +++++++++++++++++++++++++++
+ 3 files changed, 92 insertions(+), 3 deletions(-)
+
+diff --git a/src/net/http/internal/chunked.go b/src/net/http/internal/chunked.go
+index 196b5d8..0b08a97 100644
+--- a/src/net/http/internal/chunked.go
++++ b/src/net/http/internal/chunked.go
+@@ -164,6 +164,19 @@ func readChunkLine(b *bufio.Reader) ([]byte, error) {
+ }
+ return nil, err
+ }
++
++ // RFC 9112 permits parsers to accept a bare \n as a line ending in headers,
++ // but not in chunked encoding lines. See https://www.rfc-editor.org/errata/eid7633,
++ // which explicitly rejects a clarification permitting \n as a chunk terminator.
++ //
++ // Verify that the line ends in a CRLF, and that no CRs appear before the end.
++ if idx := bytes.IndexByte(p, '\r'); idx == -1 {
++ return nil, errors.New("chunked line ends with bare LF")
++ } else if idx != len(p)-2 {
++ return nil, errors.New("invalid CR in chunked line")
++ }
++ p = p[:len(p)-2] // trim CRLF
++
+ if len(p) >= maxLineLength {
+ return nil, ErrLineTooLong
+ }
+@@ -171,14 +184,14 @@ func readChunkLine(b *bufio.Reader) ([]byte, error) {
+ }
+
+ func trimTrailingWhitespace(b []byte) []byte {
+- for len(b) > 0 && isASCIISpace(b[len(b)-1]) {
++ for len(b) > 0 && isOWS(b[len(b)-1]) {
+ b = b[:len(b)-1]
+ }
+ return b
+ }
+
+-func isASCIISpace(b byte) bool {
+- return b == ' ' || b == '\t' || b == '\n' || b == '\r'
++func isOWS(b byte) bool {
++ return b == ' ' || b == '\t'
+ }
+
+ var semi = []byte(";")
+diff --git a/src/net/http/internal/chunked_test.go b/src/net/http/internal/chunked_test.go
+index af79711..312f173 100644
+--- a/src/net/http/internal/chunked_test.go
++++ b/src/net/http/internal/chunked_test.go
+@@ -280,6 +280,33 @@ func TestChunkReaderByteAtATime(t *testing.T) {
+ }
+ }
+
++func TestChunkInvalidInputs(t *testing.T) {
++ for _, test := range []struct {
++ name string
++ b string
++ }{{
++ name: "bare LF in chunk size",
++ b: "1\na\r\n0\r\n",
++ }, {
++ name: "extra LF in chunk size",
++ b: "1\r\r\na\r\n0\r\n",
++ }, {
++ name: "bare LF in chunk data",
++ b: "1\r\na\n0\r\n",
++ }, {
++ name: "bare LF in chunk extension",
++ b: "1;\na\r\n0\r\n",
++ }} {
++ t.Run(test.name, func(t *testing.T) {
++ r := NewChunkedReader(strings.NewReader(test.b))
++ got, err := io.ReadAll(r)
++ if err == nil {
++ t.Fatalf("unexpectedly parsed invalid chunked data:\n%q", got)
++ }
++ })
++ }
++}
++
+ type funcReader struct {
+ f func(iteration int) ([]byte, error)
+ i int
+diff --git a/src/net/http/serve_test.go b/src/net/http/serve_test.go
+index 0c76f1b..0e8af02 100644
+--- a/src/net/http/serve_test.go
++++ b/src/net/http/serve_test.go
+@@ -6980,3 +6980,52 @@ func testDisableContentLength(t *testing.T, mode testMode) {
+ t.Fatal(err)
+ }
+ }
++
++func TestInvalidChunkedBodies(t *testing.T) {
++ for _, test := range []struct {
++ name string
++ b string
++ }{{
++ name: "bare LF in chunk size",
++ b: "1\na\r\n0\r\n\r\n",
++ }, {
++ name: "bare LF at body end",
++ b: "1\r\na\r\n0\r\n\n",
++ }} {
++ t.Run(test.name, func(t *testing.T) {
++ reqc := make(chan error)
++ ts := newClientServerTest(t, http1Mode, HandlerFunc(func(w ResponseWriter, r *Request) {
++ got, err := io.ReadAll(r.Body)
++ if err == nil {
++ t.Logf("read body: %q", got)
++ }
++ reqc <- err
++ })).ts
++
++ serverURL, err := url.Parse(ts.URL)
++ if err != nil {
++ t.Fatal(err)
++ }
++
++ conn, err := net.Dial("tcp", serverURL.Host)
++ if err != nil {
++ t.Fatal(err)
++ }
++
++ if _, err := conn.Write([]byte(
++ "POST / HTTP/1.1\r\n" +
++ "Host: localhost\r\n" +
++ "Transfer-Encoding: chunked\r\n" +
++ "Connection: close\r\n" +
++ "\r\n" +
++ test.b)); err != nil {
++ t.Fatal(err)
++ }
++ conn.(*net.TCPConn).CloseWrite()
++
++ if err := <-reqc; err == nil {
++ t.Errorf("server handler: io.ReadAll(r.Body) succeeded, want error")
++ }
++ })
++ }
++}
+--
+2.25.1
+
Upstream-Status: Backport from https://github.com/golang/go/commit/15e01a2e43ecb8c7e15ff7e9d62fe3f10dcac931 Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> --- meta/recipes-devtools/go/go-1.22.12.inc | 1 + .../go/go/CVE-2025-22871.patch | 172 ++++++++++++++++++ 2 files changed, 173 insertions(+) create mode 100644 meta/recipes-devtools/go/go/CVE-2025-22871.patch