fix CVE-2025-22870

(cherry picked from commit 4a46991579827fc2758c72a618bd81b4661cf0aa)

backport-0031-CVE-2025-22870.patch

@@ -0,0 +1,76 @@
+From 334de7982f8ec959c74470dd709ceedfd6dbd50a Mon Sep 17 00:00:00 2001
+From: Damien Neil <dneil@google.com>
+Date: Wed, 26 Feb 2025 16:46:43 -0800
+Subject: [PATCH] [release-branch.go1.24] all: updated vendored x/net with
+ security fix
+
+6ed00d0 [internal-branch.go1.24-vendor] proxy, http/httpproxy: do not mismatch IPv6 zone ids against hosts
+
+Fixes CVE-2025-22870
+For #71986
+
+Change-Id: I7bda0825f1a9470b0708714d9cc32b5eae212f8b
+Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2121
+Reviewed-by: Neal Patel <nealpatel@google.com>
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+Commit-Queue: Roland Shoemaker <bracewell@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/654715
+Reviewed-by: Michael Pratt <mpratt@google.com>
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+Auto-Submit: Junyang Shao <shaojunyang@google.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+---
+ src/cmd/internal/moddeps/moddeps_test.go            |  1 +
+ src/vendor/golang.org/x/net/http/httpproxy/proxy.go | 10 ++++++++--
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/src/cmd/internal/moddeps/moddeps_test.go b/src/cmd/internal/moddeps/moddeps_test.go
+index ae890b6..9dc4741 100644
+--- a/src/cmd/internal/moddeps/moddeps_test.go
++++ b/src/cmd/internal/moddeps/moddeps_test.go
+@@ -33,6 +33,7 @@ import (
+ // See issues 36852, 41409, and 43687.
+ // (Also see golang.org/issue/27348.)
+ func TestAllDependencies(t *testing.T) {
++	t.Skip("TODO(#71986): 1.24.1 contains unreleased changes from vendored modules")
+ 	goBin := testenv.GoToolPath(t)
+ 
+ 	// Ensure that all packages imported within GOROOT
+diff --git a/src/vendor/golang.org/x/net/http/httpproxy/proxy.go b/src/vendor/golang.org/x/net/http/httpproxy/proxy.go
+index c3bd9a1..334add3 100644
+--- a/src/vendor/golang.org/x/net/http/httpproxy/proxy.go
++++ b/src/vendor/golang.org/x/net/http/httpproxy/proxy.go
+@@ -14,6 +14,7 @@ import (
+ 	"errors"
+ 	"fmt"
+ 	"net"
++	"net/netip"
+ 	"net/url"
+ 	"os"
+ 	"strings"
+@@ -180,8 +181,10 @@ func (cfg *config) useProxy(addr string) bool {
+ 	if host == "localhost" {
+ 		return false
+ 	}
+-	ip := net.ParseIP(host)
+-	if ip != nil {
++	nip, err := netip.ParseAddr(host)
++ 	var ip net.IP
++ 	if err == nil {
++ 		ip = net.IP(nip.AsSlice())
+ 		if ip.IsLoopback() {
+ 			return false
+ 		}
+@@ -363,6 +366,9 @@ type domainMatch struct {
+ }
+ 
+ func (m domainMatch) match(host, port string, ip net.IP) bool {
++	if ip != nil {
++ 		return false
++ 	}
+ 	if strings.HasSuffix(host, m.host) || (m.matchHost && host == m.host[1:]) {
+ 		return m.port == "" || m.port == port
+ 	}
+-- 
+2.46.0
+

golang.spec

@@ -66,7 +66,7 @@
 
 Name:           golang
 Version:        1.21.4
-Release:        31
+Release:        32
 Summary:        The Go Programming Language
 License:        BSD and Public Domain
 URL:            https://golang.org/
@@ -151,6 +151,7 @@ Patch6027:	backport-0027-crypto-tls-fix-Config.Time-in-tests-using-expired-ce.pa
 Patch6028:	backport-0028-release-branch.go1.21-runtime-allow-update-of-system.patch
 Patch6029:	backport-0029-CVE-2024-45341-crypto-x509-properly-check-for-IPv6-h.patch
 Patch6030:	backport-0030-CVE-2024-45336-net-http-persist-header-stripping-acr.patch
+Patch6031:	backport-0031-CVE-2025-22870.patch
 
 ExclusiveArch:  %{golang_arches}
 
@@ -389,6 +390,12 @@ fi
 %files devel -f go-tests.list -f go-misc.list -f go-src.list
 
 %changelog
+* Thu Mar 20 2025 changtao <changtao@kylinos.cn> - 1.21.4-32
+- Type:CVE
+- CVE:CVE-2025-22870
+- SUG:NA
+- DESC:fix CVE-2025-22870
+
 * Thu Feb 20 2025 wujichao <wujichao1@huawei.com> - 1.21.4-31
 - Type:CVE
 - CVE:CVE-2024-45341 CVE-2024-45336