Fix dependency cves (#6353)

* Upgraded golang.org/x/crypto v0.28.0 => v0.31.0.

Signed-off-by: peng wu <2030047311@qq.com>

* Upgraded golang.org/x/net v0.30.0 => v0.33.0.

Signed-off-by: peng wu <2030047311@qq.com>

* Upgraded github.com/golang/glog v1.2.2 => v1.2.4. Fix CVE-2024-45339.

Signed-off-by: peng wu <2030047311@qq.com>

* Upgrade go stdlib from 1.22.8 to 1.22.11. Fix CVE-2024-45336.

Signed-off-by: peng wu <2030047311@qq.com>

* Upgraded github.com/go-git/go-git/v5 v5.11.0 => v5.13.0. Fix CVE-2025-21613、CVE-2025-21614.

Signed-off-by: peng wu <2030047311@qq.com>

* Upgraded telemetry v1.0.1 => v1.0.2. Fix CVE-2024-45338、CVE-2024-34156、CVE-2024-34155、CVE-2024-34158、CVE-2024-4536、CVE-2024-45341.

Signed-off-by: peng wu <2030047311@qq.com>

---------

Signed-off-by: peng wu <2030047311@qq.com>
(cherry picked from commit d38db0054c)

vendor/github.com/ProtonMail/go-crypto/openpgp/internal/ecc/curve_info.go

@@ -4,11 +4,14 @@ package ecc
 import (
 	"bytes"
 	"crypto/elliptic"
+
 	"github.com/ProtonMail/go-crypto/bitcurves"
 	"github.com/ProtonMail/go-crypto/brainpool"
 	"github.com/ProtonMail/go-crypto/openpgp/internal/encoding"
 )
 
+const Curve25519GenName = "Curve25519"
+
 type CurveInfo struct {
 	GenName string
 	Oid     *encoding.OID
@@ -42,19 +45,19 @@ var Curves = []CurveInfo{
 	},
 	{
 		// Curve25519
-		GenName: "Curve25519",
+		GenName: Curve25519GenName,
 		Oid:     encoding.NewOID([]byte{0x2B, 0x06, 0x01, 0x04, 0x01, 0x97, 0x55, 0x01, 0x05, 0x01}),
 		Curve:   NewCurve25519(),
 	},
 	{
-		// X448
+		// x448
 		GenName: "Curve448",
 		Oid:     encoding.NewOID([]byte{0x2B, 0x65, 0x6F}),
 		Curve:   NewX448(),
 	},
 	{
 		// Ed25519
-		GenName: "Curve25519",
+		GenName: Curve25519GenName,
 		Oid:     encoding.NewOID([]byte{0x2B, 0x06, 0x01, 0x04, 0x01, 0xDA, 0x47, 0x0F, 0x01}),
 		Curve:   NewEd25519(),
 	},

vendor/github.com/ProtonMail/go-crypto/openpgp/internal/ecc/ed25519.go

@@ -2,6 +2,7 @@
 package ecc
 
 import (
+	"bytes"
 	"crypto/subtle"
 	"io"
 
@@ -90,7 +91,14 @@ func (c *ed25519) GenerateEdDSA(rand io.Reader) (pub, priv []byte, err error) {
 }
 
 func getEd25519Sk(publicKey, privateKey []byte) ed25519lib.PrivateKey {
-	return append(privateKey, publicKey...)
+	privateKeyCap, privateKeyLen, publicKeyLen := cap(privateKey), len(privateKey), len(publicKey)
+
+	if privateKeyCap >= privateKeyLen+publicKeyLen &&
+		bytes.Equal(privateKey[privateKeyLen:privateKeyLen+publicKeyLen], publicKey) {
+		return privateKey[:privateKeyLen+publicKeyLen]
+	}
+
+	return append(privateKey[:privateKeyLen:privateKeyLen], publicKey...)
 }
 
 func (c *ed25519) Sign(publicKey, privateKey, message []byte) (sig []byte, err error) {

vendor/github.com/ProtonMail/go-crypto/openpgp/internal/ecc/ed448.go

@@ -2,6 +2,7 @@
 package ecc
 
 import (
+	"bytes"
 	"crypto/subtle"
 	"io"
 
@@ -84,7 +85,14 @@ func (c *ed448) GenerateEdDSA(rand io.Reader) (pub, priv []byte, err error) {
 }
 
 func getEd448Sk(publicKey, privateKey []byte) ed448lib.PrivateKey {
-	return append(privateKey, publicKey...)
+	privateKeyCap, privateKeyLen, publicKeyLen := cap(privateKey), len(privateKey), len(publicKey)
+
+	if privateKeyCap >= privateKeyLen+publicKeyLen &&
+		bytes.Equal(privateKey[privateKeyLen:privateKeyLen+publicKeyLen], publicKey) {
+		return privateKey[:privateKeyLen+publicKeyLen]
+	}
+
+	return append(privateKey[:privateKeyLen:privateKeyLen], publicKey...)
 }
 
 func (c *ed448) Sign(publicKey, privateKey, message []byte) (sig []byte, err error) {

vendor/github.com/ProtonMail/go-crypto/openpgp/internal/ecc/x448.go

@@ -73,7 +73,9 @@ func (c *x448) GenerateECDH(rand io.Reader) (point []byte, secret []byte, err er
 func (c *x448) Encaps(rand io.Reader, point []byte) (ephemeral, sharedSecret []byte, err error) {
 	var pk, ss x448lib.Key
 	seed, e, err := c.generateKeyPairBytes(rand)
-
+	if err != nil {
+		return nil, nil, err
+	}
 	copy(pk[:], point)
 	x448lib.Shared(&ss, &seed, &pk)