<feed xmlns='http://www.w3.org/2005/Atom'>
<title>go, branch go1.24.10</title>
<subtitle>Fork of Go programming language with my patches.</subtitle>
<id>http://git.kilabit.info/go/atom?h=go1.24.10</id>
<link rel='self' href='http://git.kilabit.info/go/atom?h=go1.24.10'/>
<link rel='alternate' type='text/html' href='http://git.kilabit.info/go/'/>
<updated>2025-11-05T19:01:51Z</updated>
<entry>
<title>[release-branch.go1.24] go1.24.10</title>
<updated>2025-11-05T19:01:51Z</updated>
<author>
<name>Gopher Robot</name>
<email>gobot@golang.org</email>
</author>
<published>2025-11-05T18:58:48Z</published>
<link rel='alternate' type='text/html' href='http://git.kilabit.info/go/commit/?id=0259df17feb288f1e24517516939b67876c2627b'/>
<id>urn:sha1:0259df17feb288f1e24517516939b67876c2627b</id>
<content type='text'>
Change-Id: I74370108e95298bec0fe0f7738867072ece0d0ff
Reviewed-on: https://go-review.googlesource.com/c/go/+/718063
TryBot-Bypass: Gopher Robot &lt;gobot@golang.org&gt;
Auto-Submit: Gopher Robot &lt;gobot@golang.org&gt;
Reviewed-by: Michael Knyszek &lt;mknyszek@google.com&gt;
Reviewed-by: Michael Pratt &lt;mpratt@google.com&gt;
</content>
</entry>
<entry>
<title>[release-branch.go1.24] encoding/pem: properly calculate end indexes</title>
<updated>2025-10-29T16:22:33Z</updated>
<author>
<name>Roland Shoemaker</name>
<email>roland@golang.org</email>
</author>
<published>2025-10-23T15:16:39Z</published>
<link rel='alternate' type='text/html' href='http://git.kilabit.info/go/commit/?id=562709bcf5b8f480d722d2f369d7757cb135e9ab'/>
<id>urn:sha1:562709bcf5b8f480d722d2f369d7757cb135e9ab</id>
<content type='text'>
When a block is missing the END line trailer, calculate the indexes of
the end and end trailer _before_ continuing the loop, making the
reslicing at the start of the loop work as expected.

Fixes #76028

Change-Id: If45c8cb473315623618f02cc7609f517a72d232d
Reviewed-on: https://go-review.googlesource.com/c/go/+/714200
Auto-Submit: Roland Shoemaker &lt;roland@golang.org&gt;
Reviewed-by: Damien Neil &lt;dneil@google.com&gt;
LUCI-TryBot-Result: Go LUCI &lt;golang-scoped@luci-project-accounts.iam.gserviceaccount.com&gt;
(cherry picked from commit 839da71f8907ac4434299db4353db31835c916df)
Reviewed-on: https://go-review.googlesource.com/c/go/+/714680
Reviewed-by: David Chase &lt;drchase@google.com&gt;
</content>
</entry>
<entry>
<title>[release-branch.go1.24] encoding/pem: properly decode strange PEM data</title>
<updated>2025-10-24T18:03:15Z</updated>
<author>
<name>Roland Shoemaker</name>
<email>roland@golang.org</email>
</author>
<published>2025-10-15T17:45:04Z</published>
<link rel='alternate' type='text/html' href='http://git.kilabit.info/go/commit/?id=bbf8f423abc9f92f4c1c5d98281ed0b21107b00d'/>
<id>urn:sha1:bbf8f423abc9f92f4c1c5d98281ed0b21107b00d</id>
<content type='text'>
When the passed byte slice has leading garbage, properly handle ignoring
it and continuing to parse the slice until we find a valid block (or
nothing).

Fixes #75951

Change-Id: I07e937d9c754fd71b028b99450b48f57b4464457
Reviewed-on: https://go-review.googlesource.com/c/go/+/712140
Reviewed-by: Damien Neil &lt;dneil@google.com&gt;
LUCI-TryBot-Result: Go LUCI &lt;golang-scoped@luci-project-accounts.iam.gserviceaccount.com&gt;
(cherry picked from commit 09830901714d8b3a2cc5fb33e87a81886b21ea24)
Reviewed-on: https://go-review.googlesource.com/c/go/+/712641
Reviewed-by: Dmitri Shuralyov &lt;dmitshur@google.com&gt;
</content>
</entry>
<entry>
<title>[release-branch.go1.24] net/url: allow IP-literals with IPv4-mapped IPv6 addresses</title>
<updated>2025-10-17T22:02:30Z</updated>
<author>
<name>Roland Shoemaker</name>
<email>roland@golang.org</email>
</author>
<published>2025-10-09T00:13:12Z</published>
<link rel='alternate' type='text/html' href='http://git.kilabit.info/go/commit/?id=a216ddc295c3e983f78a7ff911ae20ca147b09b7'/>
<id>urn:sha1:a216ddc295c3e983f78a7ff911ae20ca147b09b7</id>
<content type='text'>
The security fix we applied in CL709857 was overly broad. It applied
rules from RFC 2732, which disallowed IPv4-mapped IPv6 addresses, but
these were later allowed in RFC 3986, which is the canonical URI syntax
RFC.

Revert the portion of CL709857 which restricted IPv4-mapped addresses,
and update the related tests.

Updates #75815
Fixes #75831

Change-Id: I3192f2275ad5c386f5c15006a6716bdb5282919d
Reviewed-on: https://go-review.googlesource.com/c/go/+/710375
LUCI-TryBot-Result: Go LUCI &lt;golang-scoped@luci-project-accounts.iam.gserviceaccount.com&gt;
Reviewed-by: Ethan Lee &lt;ethanalee@google.com&gt;
Auto-Submit: Roland Shoemaker &lt;roland@golang.org&gt;
(cherry picked from commit 9db7e30bb42eed9912f5e7e9e3959f3b38879d5b)
Reviewed-on: https://go-review.googlesource.com/c/go/+/712142
Reviewed-by: Dmitri Shuralyov &lt;dmitshur@google.com&gt;
Auto-Submit: Dmitri Shuralyov &lt;dmitshur@google.com&gt;
</content>
</entry>
<entry>
<title>[release-branch.go1.24] go1.24.9</title>
<updated>2025-10-13T21:14:38Z</updated>
<author>
<name>Gopher Robot</name>
<email>gobot@golang.org</email>
</author>
<published>2025-10-13T21:05:31Z</published>
<link rel='alternate' type='text/html' href='http://git.kilabit.info/go/commit/?id=8e10ef451a1b6a1e8861ced1154e1c3265bfa01b'/>
<id>urn:sha1:8e10ef451a1b6a1e8861ced1154e1c3265bfa01b</id>
<content type='text'>
Change-Id: I6deccf317a5f19ca9ee2a2eaddf65203ecfeb665
Reviewed-on: https://go-review.googlesource.com/c/go/+/711461
Auto-Submit: Gopher Robot &lt;gobot@golang.org&gt;
Reviewed-by: Michael Pratt &lt;mpratt@google.com&gt;
TryBot-Bypass: Gopher Robot &lt;gobot@golang.org&gt;
Reviewed-by: Carlos Amedee &lt;carlos@golang.org&gt;
</content>
</entry>
<entry>
<title>[release-branch.go1.24] crypto/x509: rework fix for CVE-2025-58187</title>
<updated>2025-10-13T15:39:27Z</updated>
<author>
<name>Roland Shoemaker</name>
<email>roland@golang.org</email>
</author>
<published>2025-10-09T20:35:24Z</published>
<link rel='alternate' type='text/html' href='http://git.kilabit.info/go/commit/?id=ca6a5545ba18844a97c88a90a385eb6335bb7526'/>
<id>urn:sha1:ca6a5545ba18844a97c88a90a385eb6335bb7526</id>
<content type='text'>
In CL 709854 we enabled strict validation for a number of properties of
domain names (and their constraints). This caused significant breakage,
since we didn't previously disallow the creation of certificates which
contained these malformed domains.

Roll back a number of the properties we enforced, making domainNameValid
only enforce the same properties that domainToReverseLabels does. Since
this also undoes some of the DoS protections our initial fix enabled,
this change also adds caching of constraints in isValid (which perhaps
is the fix we should've initially chosen).

Updates #75835
Updates #75828
Fixes #75860

Change-Id: Ie6ca6b4f30e9b8a143692b64757f7bbf4671ed0e
Reviewed-on: https://go-review.googlesource.com/c/go/+/710735
LUCI-TryBot-Result: Go LUCI &lt;golang-scoped@luci-project-accounts.iam.gserviceaccount.com&gt;
Reviewed-by: Damien Neil &lt;dneil@google.com&gt;
(cherry picked from commit 1cd71689f2ed8f07031a0cc58fc3586ca501839f)
Reviewed-on: https://go-review.googlesource.com/c/go/+/710879
Reviewed-by: Michael Pratt &lt;mpratt@google.com&gt;
Auto-Submit: Michael Pratt &lt;mpratt@google.com&gt;
</content>
</entry>
<entry>
<title>[release-branch.go1.24] go1.24.8</title>
<updated>2025-10-07T18:17:23Z</updated>
<author>
<name>Gopher Robot</name>
<email>gobot@golang.org</email>
</author>
<published>2025-10-07T18:10:58Z</published>
<link rel='alternate' type='text/html' href='http://git.kilabit.info/go/commit/?id=3a666bca00d7fb30d55e252131ea2cf2006dc3a3'/>
<id>urn:sha1:3a666bca00d7fb30d55e252131ea2cf2006dc3a3</id>
<content type='text'>
Change-Id: Ib7865e22255a979da9552ffd35145bb9dd39b53f
Reviewed-on: https://go-review.googlesource.com/c/go/+/709896
TryBot-Bypass: Gopher Robot &lt;gobot@golang.org&gt;
Reviewed-by: Carlos Amedee &lt;carlos@golang.org&gt;
Auto-Submit: Gopher Robot &lt;gobot@golang.org&gt;
Reviewed-by: Michael Pratt &lt;mpratt@google.com&gt;
</content>
</entry>
<entry>
<title>[release-branch.go1.24] archive/tar: set a limit on the size of GNU sparse file 1.0 regions</title>
<updated>2025-10-07T18:01:00Z</updated>
<author>
<name>Damien Neil</name>
<email>dneil@google.com</email>
</author>
<published>2025-09-11T20:32:10Z</published>
<link rel='alternate' type='text/html' href='http://git.kilabit.info/go/commit/?id=613e746327381d820759ebea6ce722720b343556'/>
<id>urn:sha1:613e746327381d820759ebea6ce722720b343556</id>
<content type='text'>
Sparse files in tar archives contain only the non-zero components
of the file. There are several different encodings for sparse
files. When reading GNU tar pax 1.0 sparse files, archive/tar did
not set a limit on the size of the sparse region data. A malicious
archive containing a large number of sparse blocks could cause
archive/tar to read an unbounded amount of data from the archive
into memory.

Since a malicious input can be highly compressible, a small
compressed input could cause very large allocations.

Cap the size of the sparse block data to the same limit used
for PAX headers (1 MiB).

Thanks to Harshit Gupta (Mr HAX) (https://www.linkedin.com/in/iam-harshit-gupta/)
for reporting this issue.

Fixes CVE-2025-58183
For #75677
Fixes #75710

Change-Id: I70b907b584a7b8676df8a149a1db728ae681a770
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2800
Reviewed-by: Roland Shoemaker &lt;bracewell@google.com&gt;
Reviewed-by: Nicholas Husin &lt;husin@google.com&gt;
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2967
Reviewed-by: Damien Neil &lt;dneil@google.com&gt;
Reviewed-on: https://go-review.googlesource.com/c/go/+/709843
Reviewed-by: Carlos Amedee &lt;carlos@golang.org&gt;
TryBot-Bypass: Michael Pratt &lt;mpratt@google.com&gt;
Auto-Submit: Michael Pratt &lt;mpratt@google.com&gt;
</content>
</entry>
<entry>
<title>[release-branch.go1.24] encoding/pem: make Decode complexity linear</title>
<updated>2025-10-07T18:00:57Z</updated>
<author>
<name>Roland Shoemaker</name>
<email>bracewell@google.com</email>
</author>
<published>2025-09-30T18:16:56Z</published>
<link rel='alternate' type='text/html' href='http://git.kilabit.info/go/commit/?id=74d4d836b91318a8764b94bc2b4b66ff599eb5f2'/>
<id>urn:sha1:74d4d836b91318a8764b94bc2b4b66ff599eb5f2</id>
<content type='text'>
Because Decode scanned the input first for the first BEGIN line, and
then the first END line, the complexity of Decode is quadratic. If the
input contained a large number of BEGINs and then a single END right at
the end of the input, we would find the first BEGIN, and then scan the
entire input for the END, and fail to parse the block, so move on to the
next BEGIN, scan the entire input for the END, etc.

Instead, look for the first END in the input, and then the first BEGIN
that precedes the found END. We then process the bytes between the BEGIN
and END, and move on to the bytes after the END for further processing.
This gives us linear complexity.

Fixes CVE-2025-61723
For #75676
Fixes #75708

Change-Id: I813c4f63e78bca4054226c53e13865c781564ccf
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2921
Reviewed-by: Nicholas Husin &lt;husin@google.com&gt;
Reviewed-by: Damien Neil &lt;dneil@google.com&gt;
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2986
Reviewed-on: https://go-review.googlesource.com/c/go/+/709842
TryBot-Bypass: Michael Pratt &lt;mpratt@google.com&gt;
Auto-Submit: Michael Pratt &lt;mpratt@google.com&gt;
Reviewed-by: Carlos Amedee &lt;carlos@golang.org&gt;
</content>
</entry>
<entry>
<title>[release-branch.go1.24] encoding/asn1: prevent memory exhaustion when parsing using internal/saferio</title>
<updated>2025-10-07T18:00:54Z</updated>
<author>
<name>Nicholas Husin</name>
<email>husin@google.com</email>
</author>
<published>2025-09-03T13:30:56Z</published>
<link rel='alternate' type='text/html' href='http://git.kilabit.info/go/commit/?id=5c3d61c886f7ecfce9a6d6d3c97e6d5a8afb17d1'/>
<id>urn:sha1:5c3d61c886f7ecfce9a6d6d3c97e6d5a8afb17d1</id>
<content type='text'>
Within parseSequenceOf, reflect.MakeSlice is being used to pre-allocate
a slice that is needed in order to fully validate the given DER payload.
The size of the slice allocated is also multiple times larger than the
input DER:

- When using asn1.Unmarshal directly, the allocated slice is ~28x
  larger.
- When passing in DER using x509.ParseCertificateRequest, the allocated
  slice is ~48x larger.
- When passing in DER using ocsp.ParseResponse, the allocated slice is
  ~137x larger.

As a result, a malicious actor can craft a big empty DER payload,
resulting in an unnecessarily large allocation of memory. This can be a
way to cause memory exhaustion.

To prevent this, we now use SliceCapWithSize within internal/saferio to
enforce a memory allocation cap.

Thanks to Jakub Ciolek for reporting this issue.

For #75671
Fixes #75704
Fixes CVE-2025-58185

Change-Id: Id50e76187eda43f594be75e516b9ca1d2ae6f428
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2700
Reviewed-by: Roland Shoemaker &lt;bracewell@google.com&gt;
Reviewed-by: Damien Neil &lt;dneil@google.com&gt;
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2984
Reviewed-by: Nicholas Husin &lt;husin@google.com&gt;
Reviewed-on: https://go-review.googlesource.com/c/go/+/709841
Reviewed-by: Carlos Amedee &lt;carlos@golang.org&gt;
Auto-Submit: Michael Pratt &lt;mpratt@google.com&gt;
TryBot-Bypass: Michael Pratt &lt;mpratt@google.com&gt;
</content>
</entry>
</feed>
