diff --git a/.golang.spec.un~ b/.golang.spec.un~
new file mode 100644
index 0000000000000000000000000000000000000000..9971c299d3e6b74744a67bda9dcd87d08090678c
Binary files /dev/null and b/.golang.spec.un~ differ
diff --git a/0123-add-patch-to-fix-CVE-2025-61727.patch b/0123-add-patch-to-fix-CVE-2025-61727.patch
new file mode 100644
index 0000000000000000000000000000000000000000..14b27fdb18646fa8d21edfc4c7f28c8c3ab35b98
--- /dev/null
+++ b/0123-add-patch-to-fix-CVE-2025-61727.patch
@@ -0,0 +1,210 @@
+From d1920dc4f483cebcfee5d50e8e8f5255b5a18031 Mon Sep 17 00:00:00 2001
+From: WB02254423
+Date: Fri, 12 Dec 2025 01:40:27 -0500
+Subject: [PATCH 1/1] add patch to fix CVE-2025-61727
+
+---
+ src/crypto/x509/name_constraints_test.go | 34 ++++++++++++++++++++
+ src/crypto/x509/verify.go | 40 +++++++++++++++---------
+ src/crypto/x509/verify_test.go | 2 +-
+ 3 files changed, 60 insertions(+), 16 deletions(-)
+
+diff --git a/src/crypto/x509/name_constraints_test.go b/src/crypto/x509/name_constraints_test.go
+index 831fcbc..1b4a37a 100644
+--- a/src/crypto/x509/name_constraints_test.go
++++ b/src/crypto/x509/name_constraints_test.go
+@@ -1561,6 +1561,40 @@ var nameConstraintsTests = []nameConstraintsTest{
+ },
+ expectedError: "URI with IP",
+ },
++ // #87: subdomain excluded constraints preclude wildcard names
++ {
++ roots: []constraintsSpec{
++ {
++ bad: []string{"dns:foo.example.com"},
++ },
++ },
++ intermediates: [][]constraintsSpec{
++ {
++ {},
++ },
++ },
++ leaf: leafSpec{
++ sans: []string{"dns:*.example.com"},
++ },
++ expectedError: "\"*.example.com\" is excluded by constraint \"foo.example.com\"",
++ },
++ // #88: wildcard names are not matched by subdomain permitted constraints
++ {
++ roots: []constraintsSpec{
++ {
++ ok: []string{"dns:foo.example.com"},
++ },
++ },
++ intermediates: [][]constraintsSpec{
++ {
++ {},
++ },
++ },
++ leaf: leafSpec{
++ sans: []string{"dns:*.example.com"},
++ },
++ expectedError: "\"*.example.com\" is not permitted",
++ },
+ }
+ 
+ func makeConstraintsCACert(constraints constraintsSpec, name string, key *ecdsa.PrivateKey, parent *Certificate, parentKey *ecdsa.PrivateKey) (*Certificate, error) {
+diff --git a/src/crypto/x509/verify.go b/src/crypto/x509/verify.go
+index 058153f..06f1d3c 100644
+--- a/src/crypto/x509/verify.go
++++ b/src/crypto/x509/verify.go
+@@ -429,7 +429,7 @@ func domainToReverseLabels(domain string) (reverseLabels []string, ok bool) {
+ return reverseLabels, true
+ }
+ 
+-func 
matchEmailConstraint(mailbox rfc2821Mailbox, constraint string) (bool, error) {
++func matchEmailConstraint(mailbox rfc2821Mailbox, constraint string, excluded bool, reversedDomainsCache map[string][]string, reversedConstraintsCache map[string][]string) (bool, error) {
+ // If the constraint contains an @, then it specifies an exact mailbox
+ // name.
+ if strings.Contains(constraint, "@") {
+@@ -442,10 +442,10 @@ func matchEmailConstraint(mailbox rfc2821Mailbox, constraint string) (bool, erro
+ 
+ // Otherwise the constraint is like a DNS constraint of the domain part
+ // of the mailbox.
+- return matchDomainConstraint(mailbox.domain, constraint)
++ return matchDomainConstraint(mailbox.domain, constraint, excluded, reversedDomainsCache, reversedConstraintsCache)
+ }
+ 
+-func matchURIConstraint(uri *url.URL, constraint string) (bool, error) {
++func matchURIConstraint(uri *url.URL, constraint string, excluded bool, reversedDomainsCache map[string][]string, reversedConstraintsCache map[string][]string) (bool, error) {
+ // From RFC 5280, Section 4.2.1.10:
+ // “a uniformResourceIdentifier that does not include an authority
+ // component with a host name specified as a fully qualified domain
+@@ -474,7 +474,7 @@ func matchURIConstraint(uri *url.URL, constraint string) (bool, error) {
+ return false, fmt.Errorf("URI with IP (%q) cannot be matched against constraints", uri.String())
+ }
+ 
+- return matchDomainConstraint(host, constraint)
++ return matchDomainConstraint(host, constraint, excluded, reversedDomainsCache, reversedConstraintsCache)
+ }
+ 
+ func matchIPConstraint(ip net.IP, constraint *net.IPNet) (bool, error) {
+@@ -491,7 +491,7 @@ func matchIPConstraint(ip net.IP, constraint *net.IPNet) (bool, error) {
+ return true, nil
+ }
+ 
+-func matchDomainConstraint(domain, constraint string) (bool, error) {
++func matchDomainConstraint(domain, constraint string, excluded bool, reversedDomainsCache map[string][]string, reversedConstraintsCache map[string][]string) 
(bool, error) {
+ // The meaning of zero length constraints is not specified, but this
+ // code follows NSS and accepts them as matching everything.
+ if len(constraint) == 0 {
+@@ -502,6 +502,11 @@ func matchDomainConstraint(domain, constraint string) (bool, error) {
+ if !ok {
+ return false, fmt.Errorf("x509: internal error: cannot parse domain %q", domain)
+ }
++
++ wildcardDomain := false
++ if len(domain) > 0 && domain[0] == '*' {
++ wildcardDomain = true
++ }
+ 
+ // RFC 5280 says that a leading period in a domain name means that at
+ // least one label must be prepended, but only for URI and email
+@@ -523,6 +528,11 @@ func matchDomainConstraint(domain, constraint string) (bool, error) {
+ (mustHaveSubdomains && len(domainLabels) == len(constraintLabels)) {
+ return false, nil
+ }
++
++ if excluded && wildcardDomain && len(domainLabels) > 1 && len(constraintLabels) > 0 {
++ domainLabels = domainLabels[:len(domainLabels)-1]
++ constraintLabels = constraintLabels[:len(constraintLabels)-1]
++ }
+ 
+ for i, constraintLabel := range constraintLabels {
+ if !strings.EqualFold(constraintLabel, domainLabels[i]) {
+@@ -543,7 +553,7 @@ func (c *Certificate) checkNameConstraints(count *int,
+ nameType string,
+ name string,
+ parsedName any,
+- match func(parsedName, constraint any) (match bool, err error),
++ match func(parsedName, constraint any, excluded bool) (match bool, err error),
+ permitted, excluded any) error {
+ 
+ excludedValue := reflect.ValueOf(excluded)
+@@ -555,7 +565,7 @@ func (c *Certificate) checkNameConstraints(count *int,
+ 
+ for i := 0; i < excludedValue.Len(); i++ {
+ constraint := excludedValue.Index(i).Interface()
+- match, err := match(parsedName, constraint)
++ match, err := match(parsedName, constraint, true)
+ if err != nil {
+ return CertificateInvalidError{c, CANotAuthorizedForThisName, err.Error()}
+ }
+@@ -577,7 +587,7 @@ func (c *Certificate) checkNameConstraints(count *int,
+ constraint := permittedValue.Index(i).Interface()
+ 
+ var 
err error
+- if ok, err = match(parsedName, constraint); err != nil {
++ if ok, err = match(parsedName, constraint, false); err != nil {
+ return CertificateInvalidError{c, CANotAuthorizedForThisName, err.Error()}
+ }
+ 
+@@ -656,8 +666,8 @@ func (c *Certificate) isValid(certType int, currentChain []*Certificate, opts *V
+ }
+ 
+ if err := c.checkNameConstraints(&comparisonCount, maxConstraintComparisons, "email address", name, mailbox,
+- func(parsedName, constraint any) (bool, error) {
+- return matchEmailConstraint(parsedName.(rfc2821Mailbox), constraint.(string))
++ func(parsedName, constraint any, excluded bool) (bool, error) {
++ return matchEmailConstraint(parsedName.(rfc2821Mailbox), constraint.(string), excluded, reversedDomainsCache, reversedConstraintsCache)
+ }, c.PermittedEmailAddresses, c.ExcludedEmailAddresses); err != nil {
+ return err
+ }
+@@ -669,8 +679,8 @@ func (c *Certificate) isValid(certType int, currentChain []*Certificate, opts *V
+ }
+ 
+ if err := c.checkNameConstraints(&comparisonCount, maxConstraintComparisons, "DNS name", name, name,
+- func(parsedName, constraint any) (bool, error) {
+- return matchDomainConstraint(parsedName.(string), constraint.(string))
++ func(parsedName, constraint any, excluded bool) (bool, error) {
++ return matchDomainConstraint(parsedName.(string), constraint.(string), excluded, reversedDomainsCache, reversedConstraintsCache)
+ }, c.PermittedDNSDomains, c.ExcludedDNSDomains); err != nil {
+ return err
+ }
+@@ -683,8 +693,8 @@ func (c *Certificate) isValid(certType int, currentChain []*Certificate, opts *V
+ }
+ 
+ if err := c.checkNameConstraints(&comparisonCount, maxConstraintComparisons, "URI", name, uri,
+- func(parsedName, constraint any) (bool, error) {
+- return matchURIConstraint(parsedName.(*url.URL), constraint.(string))
++ func(parsedName, constraint any, excluded bool) (bool, error) {
++ return matchURIConstraint(parsedName.(*url.URL), constraint.(string), excluded, reversedDomainsCache, 
reversedConstraintsCache)
+ }, c.PermittedURIDomains, c.ExcludedURIDomains); err != nil {
+ return err
+ }
+@@ -696,7 +706,7 @@ func (c *Certificate) isValid(certType int, currentChain []*Certificate, opts *V
+ }
+ 
+ if err := c.checkNameConstraints(&comparisonCount, maxConstraintComparisons, "IP address", ip.String(), ip,
+- func(parsedName, constraint any) (bool, error) {
++ func(parsedName, constraint any, _ bool) (bool, error) {
+ return matchIPConstraint(parsedName.(net.IP), constraint.(*net.IPNet))
+ }, c.PermittedIPRanges, c.ExcludedIPRanges); err != nil {
+ return err
+diff --git a/src/crypto/x509/verify_test.go b/src/crypto/x509/verify_test.go
+index 5595f99..0faa496 100644
+--- a/src/crypto/x509/verify_test.go
++++ b/src/crypto/x509/verify_test.go
+@@ -1352,8 +1352,8 @@ var nameConstraintTests = []struct {
+ 
+ func TestNameConstraints(t *testing.T) {
+ for i, test := range nameConstraintTests {
+- result, err := matchDomainConstraint(test.domain, test.constraint)
+ 
++ result, err := matchDomainConstraint(test.domain, test.constraint, false, map[string][]string{}, map[string][]string{})
+ if err != nil && !test.expectError {
+ t.Errorf("unexpected error for test #%d: domain=%s, constraint=%s, err=%s", i, test.domain, test.constraint, err)
+ continue
+-- 
+2.47.3
+
diff --git a/golang.spec b/golang.spec
index fd1d467e9140092fb20bfb2d5c7d655e73d1e624..ea463b2b9e3ff849f8c8a618ee5fca954e01f227 100644
--- a/golang.spec
+++ b/golang.spec
@@ -1,4 +1,4 @@ -%define anolis_release 2 +%define anolis_release 3 # Disable debuginfo packages %global debug_package %{nil} 
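Review bot: The `isValid` hunks now pass `reversedDomainsCache` and `reversedConstraintsCache` into the matcher closures, but no hunk in this patch declares those maps in `isValid`, and the removed line `-func matchDomainConstraint(domain, constraint string) (bool, error)` together with the old two-argument call in `TestNameConstraints` shows the 1.24.8 base never passed them, so unless the base tree already defines them somewhere this will not build; and even where it does, the visible `matchDomainConstraint` hunks never read or write the two new map parameters, so they are dead plumbing copied from the upstream signature. I would either carry the upstream cache lookup over as well or trim the backport to `func matchDomainConstraint(domain, constraint string, excluded bool) (bool, error)` (with the matching callers and the `TestNameConstraints` call), and confirm with a build of the patched tree. Separately, the excluded-name trimming in the `@@ -523` hunk strips one label from both sides, so a leaf `*.sub.example.com` checked against excluded `foo.example.com` is compared as `sub.example.com` vs `example.com` and rejected, although that wildcard only covers one label under `sub.example.com`; that is the conservative direction, but neither #87 nor #88 pins it down, so add a table entry of that shape documenting whichever outcome is intended. `matchDomainConstraint`'s body is only partly visible across these hunks.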
@@ -205,6 +205,8 @@ Patch119: 0119-cmd-internal-obj-loong64-add-aliases-to-32-bit-arith.patc
 Patch120: 0120-cmd-internal-obj-loong64-remove-the-incorrect-unsign.patch
 Patch121: 0121-cmd-internal-obj-cmd-asm-reclassify-the-offset-of-me.patch
 Patch122: 0122-cmd-internal-obj-loong64-use-the-MOVVP-instruction-t.patch
+# https://github.com/golang/go/commit/04db77a423cac75bb82cc9a6859991ae9c016344
+Patch123: 0123-add-patch-to-fix-CVE-2025-61727.patch
 
 # Part 1001-1999 for sw_64
 Patch1001: 0001-cmd-comile-Add-sw64-port.patch
@@ -700,6 +702,9 @@ fi
 %files docs -f go-docs.list
 
 %changelog
+* Fri Dec 12 2025 lzq11122 -1.24.8.3
+- Add patch to fix CVE-2025-61727
+
 * Mon Dec 8 2025 limeidan - 1.24.8.2
 - add new instructions of loong64.
 - optimize the crypto package on loong64.
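Review bot: The comment above `Patch123:` records the upstream fix as golang/go commit 04db77a4, but the patch file this hunk registers carries only a local header (`From d1920dc4…`, `From: WB02254423`, `Subject: [PATCH 1/1] add patch to fix CVE-2025-61727`), so the provenance lives in the spec alone; put the upstream commit id and the fact that it is a hand-adapted backport into the patch's Subject or body too, e.g. `Subject: [PATCH] crypto/x509: fix CVE-2025-61727 (backport of upstream 04db77a4)`, so the file can be audited against upstream on its own. The same commit also adds `.golang.spec.un~`, which by its name looks like a Vim undo file; it is a binary editor artifact with no place in the package source and should be dropped (and `*.un~` ignored) before this lands.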