!320 fix failure of net/http unit test and fix CVE-2024-24784

From: @hcnbxx Reviewed-by: @jing-rui Signed-off-by: @jing-rui
2024-03-28 08:37:06 +00:00 · 2024-03-28 08:37:06 +00:00 · 9d09ecc926
commit 9d09ecc926
parent 7619d4c97d f4c9675d23
5 changed files with 415 additions and 35 deletions
--- a/0114-release-branch.go1.21-html-template-escape-additiona.patch
+++ b/0114-release-branch.go1.21-html-template-escape-additiona.patch
@ -1,13 +1,22 @@
-From 6bf8cd883445c302836728eac62926bf14aa6c2b Mon Sep 17 00:00:00 2001
+From e7b9308c2106900310bbaeef1ddd948e845054e1 Mon Sep 17 00:00:00 2001
 From: Roland Shoemaker <roland@golang.org>
-Date: Wed, 14 Feb 2024 17:18:36 -0800
+Date: Thu, 15 Feb 2024 09:18:36 +0800
-Subject: [PATCH 2/4] [release-branch.go1.21] html/template: escape additional
+Subject: [PATCH 4/4] [Backport] html/template: escape additional tokens in
- tokens in MarshalJSON errors
+ MarshalJSON errors
 Offering: Cloud Core Network
 CVE: CVE-2024-24785
 Reference: https://go-review.googlesource.com/c/go/+/567515
 Escape "</script" and "<!--" in errors returned from MarshalJSON errors
 when attempting to marshal types in script blocks. This prevents any
 user controlled content from prematurely terminating the script block.
 Note: The upstream does not submit this change to go1.16 according to the rules of MinorReleases.
 Corego2.x are based on go1.16.5. Therefore, it need to submit the change to corego2.x.
 Edited-by: machangwang m00509938
 Updates #65697
 Fixes #65968
@ -18,13 +27,14 @@ Reviewed-by: Damien Neil <dneil@google.com>
 (cherry picked from commit ccbc725f2d678255df1bd326fa511a492aa3a0aa)
 Reviewed-on: https://go-review.googlesource.com/c/go/+/567515
 Reviewed-by: Carlos Amedee <carlos@golang.org>
 Signed-off-by: Ma Chang Wang machangwang@huawei.com
 ---
 src/html/template/js.go      | 22 ++++++++-
 src/html/template/js_test.go | 96 ++++++++++++++++++++----------------
 2 files changed, 74 insertions(+), 44 deletions(-)
 diff --git a/src/html/template/js.go b/src/html/template/js.go
-index 35994f076eb..4d3b25d088c 100644
+index 35994f076e..4d3b25d088 100644
 --- a/src/html/template/js.go
 +++ b/src/html/template/js.go
@@ -171,13 +171,31 @@ func jsValEscaper(args ...interface{}) string {
@ -62,7 +72,7 @@ index 35994f076eb..4d3b25d088c 100644
 	// TODO: maybe post-process output to prevent it from containing
 diff --git a/src/html/template/js_test.go b/src/html/template/js_test.go
-index de9ef284106..0ad7b49d646 100644
+index de9ef28410..26d6dcd92c 100644
 --- a/src/html/template/js_test.go
 +++ b/src/html/template/js_test.go
@@ -6,6 +6,7 @@ package template
@ -87,7 +97,7 @@ index de9ef284106..0ad7b49d646 100644
 	tests := []struct {
 -		x  interface{}
 -		js string
-+		x        any
+		x        interface{}
 +		js       string
 +		skipNest bool
 	}{
@ -165,8 +175,8 @@ index de9ef284106..0ad7b49d646 100644
 -		{nil, " null "},
 +		{"\t\x0b", `"\t\u000b"`, false},
 +		{struct{ X, Y int }{1, 2}, `{"X":1,"Y":2}`, false},
-+		{[]any{}, "[]", false},
+		{[]interface{}{}, "[]", false},
-+		{[]any{42, "foo", nil}, `[42,"foo",null]`, false},
+		{[]interface{}{42, "foo", nil}, `[42,"foo",null]`, false},
 +		{[]string{"<!--", "</script>", "-->"}, `["\u003c!--","\u003c/script\u003e","--\u003e"]`, false},
 +		{"<!--", `"\u003c!--"`, false},
 +		{"-->", `"--\u003e"`, false},
--- a/0115-net-textproto-mime-multipart-avoid-unbounded-read-in.patch
+++ b/0115-net-textproto-mime-multipart-avoid-unbounded-read-in.patch
@ -1,8 +1,12 @@
-From 7d40949db8a4b2d5cd294dc76b80f2a0c1c47db0 Mon Sep 17 00:00:00 2001
+From ad350209f937e05451e46bf55ca8a13f4b24e58e Mon Sep 17 00:00:00 2001
 From: Damien Neil <dneil@google.com>
 Date: Tue, 16 Jan 2024 15:37:52 -0800
-Subject: [PATCH 3/4] net/textproto, mime/multipart: avoid unbounded read in
+Subject: [PATCH 1/4] [Backport] net/textproto, mime/multipart: avoid unbounded
- MIME header
+ read in MIME header
 Offering: Cloud Core Network
 CVE: CVE-2023-45290
 Reference: https://go-review.googlesource.com/c/go/+/569341
 mime/multipart.Reader.ReadForm allows specifying the maximum amount
 of memory that will be consumed by the form. While this limit is
@ -15,6 +19,11 @@ runs out of memory.
 Limit the amount of data consumed when reading a header.
 Note: The upstream does not submit this change to go1.16 according to the rules of MinorReleases.
 Corego2.x are based on go1.16.5. Therefore, it need to submit the change to corego2.x.
 Edited-by: zhaoshengwei z00581105
 Fixes CVE-2023-45290
 Fixes #65383
@ -27,6 +36,7 @@ Reviewed-by: Carlos Amedee <carlos@golang.org>
 Reviewed-by: Damien Neil <dneil@google.com>
 Auto-Submit: Michael Knyszek <mknyszek@google.com>
 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
 Signed-off-by: Zhao Sheng Wei zhaoshengwei@huawei.com
 ---
 src/mime/multipart/formdata_test.go | 42 +++++++++++++++++++++++++
 src/net/textproto/reader.go         | 48 ++++++++++++++++++++---------
@ -34,7 +44,7 @@ LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceacc
 3 files changed, 87 insertions(+), 15 deletions(-)
 diff --git a/src/mime/multipart/formdata_test.go b/src/mime/multipart/formdata_test.go
-index 24de7b89563..1eb301be641 100644
+index 24de7b8956..1eb301be64 100644
 --- a/src/mime/multipart/formdata_test.go
 +++ b/src/mime/multipart/formdata_test.go
@@ -407,6 +407,48 @@ func TestReadFormLimits(t *testing.T) {
@ -87,7 +97,7 @@ index 24de7b89563..1eb301be641 100644
 	for _, test := range []struct {
 		name string
 diff --git a/src/net/textproto/reader.go b/src/net/textproto/reader.go
-index d80f378801d..b377a7ce5d9 100644
+index d80f378801..b377a7ce5d 100644
 --- a/src/net/textproto/reader.go
 +++ b/src/net/textproto/reader.go
@@ -17,6 +17,10 @@ import (
@ -238,7 +248,7 @@ index d80f378801d..b377a7ce5d9 100644
 		if vv == nil && len(strs) > 0 {
 			// More than likely this will be a single-element key.
 diff --git a/src/net/textproto/reader_test.go b/src/net/textproto/reader_test.go
-index 3ae0de13530..db1ed91bd51 100644
+index 3ae0de1353..db1ed91bd5 100644
 --- a/src/net/textproto/reader_test.go
 +++ b/src/net/textproto/reader_test.go
@@ -34,6 +34,18 @@ func TestReadLine(t *testing.T) {
--- a/0116-release-branch.go1.21-net-http-net-http-cookiejar-av.patch
+++ b/0116-release-branch.go1.21-net-http-net-http-cookiejar-av.patch
@ -1,8 +1,12 @@
-From 80b1721f76672451256fd5e1ad508d185cfd74ef Mon Sep 17 00:00:00 2001
+From eccb945d92ba5e7f88c6f4f0e810862588ebd688 Mon Sep 17 00:00:00 2001
-From: Damien Neil <dneil@google.com>
+From: Gustavo Falco <comfortablynumb84@gmail.com>
-Date: Thu, 11 Jan 2024 11:31:57 -0800
+Date: Sun, 11 Dec 2022 02:39:20 +0000
-Subject: [PATCH 4/4] [release-branch.go1.21] net/http, net/http/cookiejar:
+Subject: [PATCH 2/4] [Backport] net/http, net/http/cookiejar: avoid subdomain
- avoid subdomain matches on IPv6 zones
+ matches on IPv6 zones
 Offering: Cloud Core Network
 CVE: CVE-2023-45289
 Reference: https://go-review.googlesource.com/c/go/+/569340
 When deciding whether to forward cookies or sensitive headers
 across a redirect, do not attempt to interpret an IPv6 address
@ -16,31 +20,71 @@ of "www.example.com".
 Thanks to Juho Nurminen of Mattermost for reporting this issue.
 Note: The upstream does not submit this change to go1.16 according to the rules of MinorReleases.
 Corego2.x are based on go1.16.5. Therefore, it need to submit the change to corego2.x.
 Edited-by: zhaoshengwei z00581105
 Fixes CVE-2023-45289
-Fixes #65385
+Fixes #65065
 For #65065
 Change-Id: I8f463f59f0e700c8a18733d2b264a8bcb3a19599
 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2131938
 Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
 Reviewed-by: Roland Shoemaker <bracewell@google.com>
-Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2173775
+Reviewed-on: https://go-review.googlesource.com/c/go/+/569340
-Reviewed-by: Carlos Amedee <amedee@google.com>
+Reviewed-by: Damien Neil <dneil@google.com>
-Reviewed-on: https://go-review.googlesource.com/c/go/+/569239
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
 Reviewed-by: Carlos Amedee <carlos@golang.org>
 Auto-Submit: Michael Knyszek <mknyszek@google.com>
-TryBot-Bypass: Michael Knyszek <mknyszek@google.com>
+Signed-off-by: Zhao Sheng Wei zhaoshengwei@huawei.com
 [Backport] net/http: keep sensitive headers on redirects to the same host
 Offering: Cloud Core Network
 Reference: https://go-review.googlesource.com/c/go/+/424935
 Preserve sensitive headers on a redirect to a different port of the same host.
 Note: The upstream does not submit this change to go1.16 according to the rules of MinorReleases.
 Corego2.x are based on go1.16.5. Therefore, it need to submit the change to corego2.x.
 Edited-by: zhaoshengwei z00581105
 Fixes #35104
 Change-Id: I5ab57c414ce92a70e688ee684b9ff02fb062b3c6
 GitHub-Last-Rev: 8d53e71e2243c141d70d27a503d0f7e6dee64c3c
 GitHub-Pull-Request: golang/go#54539
 Reviewed-on: https://go-review.googlesource.com/c/go/+/424935
 TryBot-Result: Gopher Robot <gobot@golang.org>
 Reviewed-by: Cherry Mui <cherryyz@google.com>
 Reviewed-by: Damien Neil <dneil@google.com>
 Run-TryBot: Damien Neil <dneil@google.com>
 Signed-off-by: Zhao Sheng Wei zhaoshengwei@huawei.com
 ---
- src/net/http/client.go             |  6 ++++++
+ src/net/http/client.go             | 10 ++++++++--
- src/net/http/client_test.go        |  1 +
+ src/net/http/client_test.go        | 30 +++++++++++++++++++++++++-----
 src/net/http/cookiejar/jar.go      |  7 +++++++
 src/net/http/cookiejar/jar_test.go | 10 ++++++++++
- 4 files changed, 24 insertions(+)
+ src/net/http/transport.go          | 10 +++++++---
 5 files changed, 57 insertions(+), 10 deletions(-)
 diff --git a/src/net/http/client.go b/src/net/http/client.go
-index 3860d97d8f4..54866fe5d6c 100644
+index 3860d97d8f..5f24bfce7a 100644
 --- a/src/net/http/client.go
 +++ b/src/net/http/client.go
@@ -976,8 +976,8 @@ func shouldCopyHeaderOnRedirect(headerKey string, initial, dest *url.URL) bool {
 		// directly, we don't know their scope, so we assume
 		// it's for *.domain.com.
 -		ihost := canonicalAddr(initial)
 -		dhost := canonicalAddr(dest)
 +		ihost := idnaASCIIFromURL(initial)
 +		dhost := idnaASCIIFromURL(dest)
 		return isDomainOrSubdomain(dhost, ihost)
 	}
 	// All other headers are copied:
@@ -992,6 +992,12 @@ func isDomainOrSubdomain(sub, parent string) bool {
 	if sub == parent {
 		return true
@ -55,19 +99,79 @@ index 3860d97d8f4..54866fe5d6c 100644
 	// that means sub must end in "."+parent.
 	// Do it without allocating.
 diff --git a/src/net/http/client_test.go b/src/net/http/client_test.go
-index 80807fae7a4..b4698eee082 100644
+index 80807fae7a..ce476d1a34 100644
 --- a/src/net/http/client_test.go
 +++ b/src/net/http/client_test.go
-@@ -1703,6 +1703,7 @@ func TestShouldCopyHeaderOnRedirect(t *testing.T) {
+@@ -1466,6 +1466,9 @@ func TestClientRedirectResponseWithoutRequest(t *testing.T) {
 }
 // Issue 4800: copy (some) headers when Client follows a redirect.
 +// Issue 35104: Since both URLs have the same host (localhost)
 +// but different ports, sensitive headers like Cookie and Authorization
 +// are preserved.
 func TestClientCopyHeadersOnRedirect(t *testing.T) {
 	const (
 		ua   = "some-agent/1.2"
@@ -1478,6 +1481,8 @@ func TestClientCopyHeadersOnRedirect(t *testing.T) {
 			"X-Foo":           []string{xfoo},
 			"Referer":         []string{ts2URL},
 			"Accept-Encoding": []string{"gzip"},
 +			"Cookie":          []string{"foo=bar"},
 +			"Authorization":   []string{"secretpassword"},
 		}
 		if !reflect.DeepEqual(r.Header, want) {
 			t.Errorf("Request.Header = %#v; want %#v", r.Header, want)
@@ -1498,9 +1503,11 @@ func TestClientCopyHeadersOnRedirect(t *testing.T) {
 	c := ts1.Client()
 	c.CheckRedirect = func(r *Request, via []*Request) error {
 		want := Header{
 -			"User-Agent": []string{ua},
 -			"X-Foo":      []string{xfoo},
 -			"Referer":    []string{ts2URL},
 +			"User-Agent":    []string{ua},
 +			"X-Foo":         []string{xfoo},
 +			"Referer":       []string{ts2URL},
 +			"Cookie":        []string{"foo=bar"},
 +			"Authorization": []string{"secretpassword"},
 		}
 		if !reflect.DeepEqual(r.Header, want) {
 			t.Errorf("CheckRedirect Request.Header = %#v; want %#v", r.Header, want)
@@ -1702,18 +1709,31 @@ func TestShouldCopyHeaderOnRedirect(t *testing.T) {
 		{"cookie", "http://foo.com/", "http://bar.com/", false},
 		{"cookie2", "http://foo.com/", "http://bar.com/", false},
 		{"authorization", "http://foo.com/", "http://bar.com/", false},
 +		{"authorization", "http://foo.com/", "https://foo.com/", true},
 +		{"authorization", "http://foo.com:1234/", "http://foo.com:4321/", true},
 		{"www-authenticate", "http://foo.com/", "http://bar.com/", false},
 +		{"authorization", "http://foo.com/", "http://[::1%25.foo.com]/", false},
 		// But subdomains should work:
 		{"www-authenticate", "http://foo.com/", "http://foo.com/", true},
 		{"www-authenticate", "http://foo.com/", "http://sub.foo.com/", true},
 		{"www-authenticate", "http://foo.com/", "http://notfoo.com/", false},
 -		{"www-authenticate", "http://foo.com/", "https://foo.com/", false},
 +		{"www-authenticate", "http://foo.com/", "https://foo.com/", true},
 		{"www-authenticate", "http://foo.com:80/", "http://foo.com/", true},
 		{"www-authenticate", "http://foo.com:80/", "http://sub.foo.com/", true},
 		{"www-authenticate", "http://foo.com:443/", "https://foo.com/", true},
 		{"www-authenticate", "http://foo.com:443/", "https://sub.foo.com/", true},
 -		{"www-authenticate", "http://foo.com:1234/", "http://foo.com/", false},
 +		{"www-authenticate", "http://foo.com:1234/", "http://foo.com/", true},
 +
 +		{"authorization", "http://foo.com/", "http://foo.com/", true},
 +		{"authorization", "http://foo.com/", "http://sub.foo.com/", true},
 +		{"authorization", "http://foo.com/", "http://notfoo.com/", false},
 +		{"authorization", "http://foo.com/", "https://foo.com/", true},
 +		{"authorization", "http://foo.com:80/", "http://foo.com/", true},
 +		{"authorization", "http://foo.com:80/", "http://sub.foo.com/", true},
 +		{"authorization", "http://foo.com:443/", "https://foo.com/", true},
 +		{"authorization", "http://foo.com:443/", "https://sub.foo.com/", true},
 +		{"authorization", "http://foo.com:1234/", "http://foo.com/", true},
 	}
 	for i, tt := range tests {
 		u0, err := url.Parse(tt.initialURL)
 diff --git a/src/net/http/cookiejar/jar.go b/src/net/http/cookiejar/jar.go
-index 9f199170847..18cbfc272d7 100644
+index 9f19917084..18cbfc272d 100644
 --- a/src/net/http/cookiejar/jar.go
 +++ b/src/net/http/cookiejar/jar.go
@@ -356,6 +356,13 @@ func jarKey(host string, psl PublicSuffixList) string {
@ -85,7 +189,7 @@ index 9f199170847..18cbfc272d7 100644
 }
 diff --git a/src/net/http/cookiejar/jar_test.go b/src/net/http/cookiejar/jar_test.go
-index 47fb1abdaaf..fd8d40ed1b9 100644
+index 47fb1abdaa..fd8d40ed1b 100644
 --- a/src/net/http/cookiejar/jar_test.go
 +++ b/src/net/http/cookiejar/jar_test.go
@@ -251,6 +251,7 @@ var isIPTests = map[string]bool{
@ -112,6 +216,35 @@ index 47fb1abdaaf..fd8d40ed1b9 100644
 }
 func TestBasics(t *testing.T) {
 diff --git a/src/net/http/transport.go b/src/net/http/transport.go
 index 88d15a5919..e48026b7be 100644
 --- a/src/net/http/transport.go
 +++ b/src/net/http/transport.go
@@ -2678,17 +2678,21 @@ var portMap = map[string]string{
 	"socks5": "1080",
 }
 -// canonicalAddr returns url.Host but always with a ":port" suffix
 -func canonicalAddr(url *url.URL) string {
 +func idnaASCIIFromURL(url *url.URL) string {
 	addr := url.Hostname()
 	if v, err := idnaASCII(addr); err == nil {
 		addr = v
 	}
 +	return addr
 +}
 +
 +// canonicalAddr returns url.Host but always with a ":port" suffix.
 +func canonicalAddr(url *url.URL) string {
 	port := url.Port()
 	if port == "" {
 		port = portMap[url.Scheme]
 	}
 -	return net.JoinHostPort(addr, port)
 +	return net.JoinHostPort(idnaASCIIFromURL(url), port)
 }
 // bodyEOFSignal is used by the HTTP/1 transport when reading response
 -- 
 2.33.0
--- a/0117-Backport-net-mail-properly-handle-special-characters.patch
+++ b/0117-Backport-net-mail-properly-handle-special-characters.patch
@ -0,0 +1,214 @@
 From 7cb2b9f6cb44d5ce59c0c30138a20fc6c9c4eb0c Mon Sep 17 00:00:00 2001
 From: Roland Shoemaker <bracewell@google.com>
 Date: Wed, 10 Jan 2024 11:02:14 -0800
 Subject: [PATCH 3/4] [Backport] net/mail: properly handle special characters
 in phrase and obs-phrase
 Offering: Cloud Core Network
 CVE: CVE-2024-24784
 Reference: https://go-review.googlesource.com/c/go/+/566195
 Fixes a couple of misalignments with RFC 5322 which introduce
 significant diffs between (mostly) conformant parsers.
 This change reverts the changes made in CL50911, which allowed certain
 special RFC 5322 characters to appear unquoted in the "phrase" syntax.
 It is unclear why this change was made in the first place, and created
 a divergence from comformant parsers. In particular this resulted in
 treating comments in display names incorrectly.
 Additionally properly handle trailing malformed comments in the group
 syntax.
 Note: The upstream does not submit this change to go1.16 according to the rules of MinorReleases.
 Corego2.x are based on go1.16.5. Therefore, it need to submit the change to corego2.x.
 Edited-by: machangwang m00509938
 For #65083
 Fixes #65848
 Change-Id: I00dddc044c6ae3381154e43236632604c390f672
 Reviewed-on: https://go-review.googlesource.com/c/go/+/555596
 Reviewed-by: Damien Neil <dneil@google.com>
 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
 Reviewed-on: https://go-review.googlesource.com/c/go/+/566195
 Reviewed-by: Carlos Amedee <carlos@golang.org>
 Signed-off-by: Ma Chang Wang machangwang@huawei.com
 ---
 src/net/mail/message.go      | 30 +++++++++++++++------------
 src/net/mail/message_test.go | 40 ++++++++++++++++++++++++++----------
 2 files changed, 46 insertions(+), 24 deletions(-)
 diff --git a/src/net/mail/message.go b/src/net/mail/message.go
 index 09fb794005..f1d7e2f989 100644
 --- a/src/net/mail/message.go
 +++ b/src/net/mail/message.go
@@ -217,7 +217,7 @@ func (a *Address) String() string {
 	// Add quotes if needed
 	quoteLocal := false
 	for i, r := range local {
 -		if isAtext(r, false, false) {
 +		if isAtext(r, false) {
 			continue
 		}
 		if r == '.' {
@@ -381,7 +381,7 @@ func (p *addrParser) parseAddress(handleGroup bool) ([]*Address, error) {
 	if !p.consume('<') {
 		atext := true
 		for _, r := range displayName {
 -			if !isAtext(r, true, false) {
 +			if !isAtext(r, true) {
 				atext = false
 				break
 			}
@@ -416,7 +416,9 @@ func (p *addrParser) consumeGroupList() ([]*Address, error) {
 	// handle empty group.
 	p.skipSpace()
 	if p.consume(';') {
 -		p.skipCFWS()
 +		if !p.skipCFWS() {
 +			return nil, errors.New("mail: misformatted parenthetical comment")
 +		}
 		return group, nil
 	}
@@ -433,7 +435,9 @@ func (p *addrParser) consumeGroupList() ([]*Address, error) {
 			return nil, errors.New("mail: misformatted parenthetical comment")
 		}
 		if p.consume(';') {
 -			p.skipCFWS()
 +			if !p.skipCFWS() {
 +				return nil, errors.New("mail: misformatted parenthetical comment")
 +			}
 			break
 		}
 		if !p.consume(',') {
@@ -503,6 +507,12 @@ func (p *addrParser) consumePhrase() (phrase string, err error) {
 	var words []string
 	var isPrevEncoded bool
 	for {
 +		// obs-phrase allows CFWS after one word
 +		if len(words) > 0 {
 +			if !p.skipCFWS() {
 +				return "", errors.New("mail: misformatted parenthetical comment")
 +			}
 +		}
 		// word = atom / quoted-string
 		var word string
 		p.skipSpace()
@@ -598,7 +608,6 @@ Loop:
 // If dot is true, consumeAtom parses an RFC 5322 dot-atom instead.
 // If permissive is true, consumeAtom will not fail on:
 // - leading/trailing/double dots in the atom (see golang.org/issue/4938)
 -// - special characters (RFC 5322 3.2.3) except '<', '>', ':' and '"' (see golang.org/issue/21018)
 func (p *addrParser) consumeAtom(dot bool, permissive bool) (atom string, err error) {
 	i := 0
@@ -609,7 +618,7 @@ Loop:
 		case size == 1 && r == utf8.RuneError:
 			return "", fmt.Errorf("mail: invalid utf-8 in address: %q", p.s)
 -		case size == 0 || !isAtext(r, dot, permissive):
 +		case size == 0 || !isAtext(r, dot):
 			break Loop
 		default:
@@ -763,18 +772,13 @@ func (e charsetError) Error() string {
 // isAtext reports whether r is an RFC 5322 atext character.
 // If dot is true, period is included.
 -// If permissive is true, RFC 5322 3.2.3 specials is included,
 -// except '<', '>', ':' and '"'.
 -func isAtext(r rune, dot, permissive bool) bool {
 +func isAtext(r rune, dot bool) bool {
 	switch r {
 	case '.':
 		return dot
 	// RFC 5322 3.2.3. specials
 -	case '(', ')', '[', ']', ';', '@', '\\', ',':
 -		return permissive
 -
 -	case '<', '>', '"', ':':
 +	case '(', ')', '<', '>', '[', ']', ':', ';', '@', '\\', ',', '"': // RFC 5322 3.2.3. specials
 		return false
 	}
 	return isVchar(r)
 diff --git a/src/net/mail/message_test.go b/src/net/mail/message_test.go
 index 67e3643aeb..eeaa86e028 100644
 --- a/src/net/mail/message_test.go
 +++ b/src/net/mail/message_test.go
@@ -296,8 +296,11 @@ func TestAddressParsingError(t *testing.T) {
 		13: {"group not closed: null@example.com", "expected comma"},
 		14: {"group: first@example.com, second@example.com;", "group with multiple addresses"},
 		15: {"john.doe", "missing '@' or angle-addr"},
 -		16: {"john.doe@", "no angle-addr"},
 +		16: {"john.doe@", "missing '@' or angle-addr"},
 		17: {"John Doe@foo.bar", "no angle-addr"},
 +		18: {" group: null@example.com; (asd", "misformatted parenthetical comment"},
 +		19: {" group: ; (asd", "misformatted parenthetical comment"},
 +		20: {`(John) Doe <jdoe@machine.example>`, "missing word in phrase:"},
 	}
 	for i, tc := range mustErrTestCases {
@@ -336,24 +339,19 @@ func TestAddressParsing(t *testing.T) {
 				Address: "john.q.public@example.com",
 			}},
 		},
 -		{
 -			`"John (middle) Doe" <jdoe@machine.example>`,
 -			[]*Address{{
 -				Name:    "John (middle) Doe",
 -				Address: "jdoe@machine.example",
 -			}},
 -		},
 +		// Comment in display name
 		{
 			`John (middle) Doe <jdoe@machine.example>`,
 			[]*Address{{
 -				Name:    "John (middle) Doe",
 +				Name:    "John Doe",
 				Address: "jdoe@machine.example",
 			}},
 		},
 +		// Display name is quoted string, so comment is not a comment
 		{
 -			`John !@M@! Doe <jdoe@machine.example>`,
 +			`"John (middle) Doe" <jdoe@machine.example>`,
 			[]*Address{{
 -				Name:    "John !@M@! Doe",
 +				Name:    "John (middle) Doe",
 				Address: "jdoe@machine.example",
 			}},
 		},
@@ -688,6 +686,26 @@ func TestAddressParsing(t *testing.T) {
 				},
 			},
 		},
 +		// Comment in group display name
 +		{
 +			`group (comment:): a@example.com, b@example.com;`,
 +			[]*Address{
 +				{
 +					Address: "a@example.com",
 +				},
 +				{
 +					Address: "b@example.com",
 +				},
 +			},
 +		},
 +		{
 +			`x(:"):"@a.example;("@b.example;`,
 +			[]*Address{
 +				{
 +					Address: `@a.example;(@b.example`,
 +				},
 +			},
 +		},
 	}
 	for _, test := range tests {
 		if len(test.exp) == 1 {
 -- 
 2.33.0
--- a/golang.spec
+++ b/golang.spec
@ -58,7 +58,7 @@
 Name:           golang
 Version:        1.15.7
-Release:        39
+Release:        41
 Summary:        The Go Programming Language
 License:        BSD and Public Domain
 URL:            https://golang.org/
@ -258,6 +258,7 @@ Patch6113:	0113-release-branch.go1.21-crypto-x509-make-sure-pub-key-.patch
 Patch6114:	0114-release-branch.go1.21-html-template-escape-additiona.patch
 Patch6115:	0115-net-textproto-mime-multipart-avoid-unbounded-read-in.patch
 Patch6116:	0116-release-branch.go1.21-net-http-net-http-cookiejar-av.patch
 Patch6117:	0117-Backport-net-mail-properly-handle-special-characters.patch
 Patch9001:  0001-drop-hard-code-cert.patch
 Patch9002:  0002-fix-patch-cmd-go-internal-modfetch-do-not-sho.patch
@ -497,6 +498,18 @@ fi
 %files devel -f go-tests.list -f go-misc.list -f go-src.list
 %changelog
 * Thu Mar 28 2024 hanchao <hanchao63@huawei.com> - 1.15.7-41
 - Type:CVE
 - CVE:CVE-2024-24784
 - SUG:NA
 - DESC:fix CVE-2024-24784
 * Thu Mar 28 2024 hanchao <hanchao63@huawei.com> - 1.15.7-40
 - Type:bugfix
 - CVE:
 - SUG:NA
 - DESC:fix failure of net/http unit test
 * Fri Mar 15 2024 hanchao <hanchao63@huawei.com> - 1.15.7-39
 - Type:CVE
 - CVE:CVE-2024-24783,CVE-2024-24785,CVE-2023-45290,CVE-2023-45289