From 32abec2bd701a01bdc0d3f5e7f2b0b469ac79764 Mon Sep 17 00:00:00 2001
From: Azure Linux Security Servicing Account
 <azurelinux-security@microsoft.com>
Date: Sun, 16 Nov 2025 04:43:12 +0000
Subject: [PATCH] Patch golang for CVE-2025-61724, CVE-2025-58188

---
 SPECS/golang/CVE-2025-58188.patch | 32 +++++++++++++++++++++++++++++++
 SPECS/golang/CVE-2025-61724.patch | 27 ++++++++++++++++++++++++++
 SPECS/golang/golang.spec          |  9 ++++++++-
 3 files changed, 67 insertions(+), 1 deletion(-)
 create mode 100644 SPECS/golang/CVE-2025-58188.patch
 create mode 100644 SPECS/golang/CVE-2025-61724.patch

diff --git a/SPECS/golang/CVE-2025-58188.patch b/SPECS/golang/CVE-2025-58188.patch
new file mode 100644
index 00000000000..50cd196cead
--- /dev/null
+++ b/SPECS/golang/CVE-2025-58188.patch
@@ -0,0 +1,32 @@
+From 1ef19d713437251dd87cc862945ca7dc3483734e Mon Sep 17 00:00:00 2001
+From: AllSpark <allspark@microsoft.com>
+Date: Sun, 16 Nov 2025 04:39:41 +0000
+Subject: [PATCH] crypto/x509: mitigate DoS vector when intermediate
+ certificate contains DSA public key\n\nWe enforce the canonical encoding of
+ SPKI and compare RawSubjectPublicKeyInfo bytes to avoid panics with DSA
+ public keys in intermediates. Add test to ensure chain validation fails
+ appropriately when an intermediate contains a DSA SPKI.\n\nBackport of
+ upstream fix.
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: AI Backport of https://github.com/golang/go/commit/f9f198ab05e3282cbf6b13251d47d9141981e401.patch
+---
+ src/crypto/x509/verify_test.go | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/crypto/x509/verify_test.go b/src/crypto/x509/verify_test.go
+index 0961c5b..60a4cea 100644
+--- a/src/crypto/x509/verify_test.go
++++ b/src/crypto/x509/verify_test.go
+@@ -3119,7 +3119,7 @@ func dsaSelfSignedCNX(t *testing.T) []byte {
+ 	t.Helper()
+ 	var params dsa.Parameters
+ 	if err := dsa.GenerateParameters(&params, rand.Reader, dsa.L1024N160); err != nil {
+-		t.Skip(err) // CBL-Mariner doesn't support dsa.L1024N160, skip test
++		t.Fatal(err)
+ 	}
+ 
+ 	var dsaPriv dsa.PrivateKey
+-- 
+2.45.4
+
diff --git a/SPECS/golang/CVE-2025-61724.patch b/SPECS/golang/CVE-2025-61724.patch
new file mode 100644
index 00000000000..0e41ce47713
--- /dev/null
+++ b/SPECS/golang/CVE-2025-61724.patch
@@ -0,0 +1,27 @@
+From 977334add50982e5dd56a04b94a7276bb005be40 Mon Sep 17 00:00:00 2001
+From: AllSpark <allspark@microsoft.com>
+Date: Sun, 16 Nov 2025 04:39:49 +0000
+Subject: [PATCH] net/textproto: avoid quadratic complexity in
+ Reader.ReadResponse by using strings.Builder
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: AI Backport of https://github.com/golang/go/commit/5d7a787aa2b486f77537eeaed9c38c940a7182b8.patch
+---
+ src/net/textproto/reader.go | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/net/textproto/reader.go b/src/net/textproto/reader.go
+index 94e3e0b..574f6c8 100644
+--- a/src/net/textproto/reader.go
++++ b/src/net/textproto/reader.go
+@@ -286,6 +286,7 @@ func (r *Reader) ReadCodeLine(expectCode int) (code int, message string, err err
+ func (r *Reader) ReadResponse(expectCode int) (code int, message string, err error) {
+ 	code, continued, first, err := r.readCodeLine(expectCode)
+ 	multi := continued
++	// Use strings.Builder to construct message to avoid quadratic complexity from repeated concatenation
+ 	var messageBuilder strings.Builder
+ 	messageBuilder.WriteString(first)
+ 	for continued {
+-- 
+2.45.4
+
diff --git a/SPECS/golang/golang.spec b/SPECS/golang/golang.spec
index af3e7efc895..87413ba98bc 100644
--- a/SPECS/golang/golang.spec
+++ b/SPECS/golang/golang.spec
@@ -15,7 +15,7 @@
 Summary:        Go
 Name:           golang
 Version:        1.25.3
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        BSD-3-Clause
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -26,6 +26,8 @@ Source0:        https://github.com/microsoft/go/releases/download/v%{version}-%{
 # bootstrap 00, same content as https://dl.google.com/go/go1.4-bootstrap-20171003.tar.gz
 Source1:        https://github.com/microsoft/go/releases/download/v1.4.0-1/go1.4-bootstrap-20171003.tar.gz
 Patch0:         go14_bootstrap_aarch64.patch
+Patch1:         CVE-2025-58188.patch
+Patch2:         CVE-2025-61724.patch
 # bootstrap 01
 Source2:        https://github.com/microsoft/go/releases/download/v1.19.12-1/go.20230802.5.src.tar.gz
 # bootstrap 02
@@ -57,6 +59,8 @@ tar xf %{SOURCE4} --no-same-owner
 mv -v go go-bootstrap-03
 
 %setup -q -n go
+%patch 1 -p1
+%patch 2 -p1
 
 %build
 # go 1.4 bootstraps with C.
@@ -160,6 +164,9 @@ fi
 %{_bindir}/*
 
 %changelog
+* Sun Nov 16 2025 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 1.25.3-2
+- Patch for CVE-2025-61724, CVE-2025-58188
+
 * Tue Oct 14 2025 bot-for-go[bot] <199222863+bot-for-go[bot]@users.noreply.github.com> - 1.25.3-1
 - Bump version to 1.25.3-1