crypto/x509: excessive resource consumption in printing error string for host certificate validation (CVE-2025-61729)

[nicholashusin]

Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out.
Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime.

Therefore, a certificate provided by a malicious actor can result in excessive resource consumption.
HostnameError.Error() now limits the number of hosts and utilizes strings.Builder when constructing an error string.

Thanks to Philippe Antoine (Catena cyber) for reporting this issue.

This is CVE-2025-61729 and Go issue #76445 (this one).

---

This is a PRIVATE issue for CVE-2025-61729, tracked in http://b/450936127 and fixed by https://go-internal-review.git.corp.google.com/c/go/+/3000.

/cc @golang/security and @golang/release

[nicholashusin]

@gopherbot please open backport issues for this security fix

[gopherbot]

Backport issue(s) opened: #76460 (for 1.24), #76461 (for 1.25).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.

[gopherbot]

Change https://go.dev/cl/725820 mentions this issue: [release-branch.go1.24] crypto/x509: prevent HostnameError.Error() from consuming excessive resource

[gopherbot]

Change https://go.dev/cl/725800 mentions this issue: [release-branch.go1.25] crypto/x509: prevent HostnameError.Error() from consuming excessive resource

[gopherbot]

Change https://go.dev/cl/725920 mentions this issue: crypto/x509: prevent HostnameError.Error() from consuming excessive resource