net/textproto: excessive CPU consumption in Reader.ReadResponse (CVE-2025-61724)

[neild]

The Reader.ReadResponse function constructed a response string through
repeated string concatenation of lines. When the number of lines in a response is large,
this could cause excessive CPU consumption.

Thanks to Jakub Ciolek for reporting this issue.

This is CVE-2025-61724 and Go issue https://go.dev/issue/75716.

---

This is a PRIVATE issue for CVE-2025-61724, tracked in http://b/445534197 and fixed by https://go-internal-review.git.corp.google.com/c/go/+/2940.

/cc @golang/security and @golang/release

[neild]

@gopherbot please open backport issues for this security fix

[gopherbot]

Backport issue(s) opened: #75717 (for 1.24), #75718 (for 1.25).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.

[gopherbot]

Change https://go.dev/cl/709837 mentions this issue: [release-branch.go1.24] net/textproto: avoid quadratic complexity in Reader.ReadResponse

[gopherbot]

Change https://go.dev/cl/709859 mentions this issue: net/textproto: avoid quadratic complexity in Reader.ReadResponse

[gopherbot]

Change https://go.dev/cl/709846 mentions this issue: [release-branch.go1.25] net/textproto: avoid quadratic complexity in Reader.ReadResponse