Bug#988210: [pre-approval] unblock: golang-1.15/1.15.9-2

[Sebastian Ramacher <sramacher@debian.org>]

Control: tags -1 moreinfo confirmed

On 2021-05-08 03:15:49 +0800, Shengjing Zhu wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> X-Debbugs-Cc: zhsj@debian.org
> 
> Please unblock package golang-1.15
> 
> [ Reason ]
> Backport patch for CVE-2021-31525
> net/http: ReadRequest can stack overflow due to recursion with very
> large headers. https://github.com/golang/go/issues/45711

Please go ahead und remove the moreinfo tag once the package is
available in unstable.

Cheers

> 
> [ Impact ]
> Though CVE is assigned, the issue doesn't look like a serious one.
> So if it's not approved, I think we can address it with other future
> security fixes through DSA after release.
> 
> [ Tests ]
> I have did a manual test for the affected function, to see if it's
> stackoverflow with and without patch.
> 
> [ Risks ]
> The diff is small.
> The package is key package.
> Due to the static link of Go packages, and the out of date built-using
> thing, it needs another round of rebuild of all Go packages before
> bullseye release.
> 
> [ Checklist ]
>   [x] all changes are documented in the d/changelog
>   [x] I reviewed all changes and I approve them
>   [x] attach debdiff against the package in testing
> 
> [ Other info ]
> golang-golang-x-net needs same fix for CVE-2021-31525
> 
> 
> unblock golang-1.15/1.15.9-2
> 
> 
> diff -Nru golang-1.15-1.15.9/debian/changelog golang-1.15-1.15.9/debian/changelog
> --- golang-1.15-1.15.9/debian/changelog	2021-03-11 23:43:18.000000000 +0800
> +++ golang-1.15-1.15.9/debian/changelog	2021-05-08 02:45:35.000000000 +0800
> @@ -1,3 +1,12 @@
> +golang-1.15 (1.15.9-2) unstable; urgency=medium
> +
> +  * Team upload.
> +  * Backport patch for CVE-2021-31525
> +    net/http: ReadRequest can stack overflow due to recursion with very
> +    large headers. https://github.com/golang/go/issues/45711
> +
> + -- Shengjing Zhu <zhsj@debian.org>  Sat, 08 May 2021 02:45:35 +0800
> +
>  golang-1.15 (1.15.9-1) unstable; urgency=medium
>  
>    * Team upload.
> diff -Nru golang-1.15-1.15.9/debian/patches/0007-CVE-2021-31525.patch golang-1.15-1.15.9/debian/patches/0007-CVE-2021-31525.patch
> --- golang-1.15-1.15.9/debian/patches/0007-CVE-2021-31525.patch	1970-01-01 08:00:00.000000000 +0800
> +++ golang-1.15-1.15.9/debian/patches/0007-CVE-2021-31525.patch	2021-05-08 02:45:35.000000000 +0800
> @@ -0,0 +1,90 @@
> +From 5aed4ce3c854bdbbb6dd5c1ccfa15c23d4b6c989 Mon Sep 17 00:00:00 2001
> +From: Katie Hockman <katie@golang.org>
> +Date: Wed, 28 Apr 2021 14:47:48 -0400
> +Subject: [PATCH] [release-branch.go1.15] std: update golang.org/x/net to
> + 20210428183841-261fb518b1ed
> +
> +Steps:
> +  go get -d golang.org/x/net@release-branch.go1.15
> +  go mod tidy
> +  go mod vendor
> +
> +This http2 bundle does not need to be updated.
> +
> +Fixes #45711
> +
> +Change-Id: I085ca592dfc8d5d9c328a7979142e88e7130a813
> +Reviewed-on: https://go-review.googlesource.com/c/go/+/314790
> +Trust: Katie Hockman <katie@golang.org>
> +Run-TryBot: Katie Hockman <katie@golang.org>
> +Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
> +---
> + src/go.mod                                           |  2 +-
> + src/go.sum                                           |  4 ++--
> + src/vendor/golang.org/x/net/http/httpguts/httplex.go | 10 ++++++----
> + src/vendor/modules.txt                               |  2 +-
> + 4 files changed, 10 insertions(+), 8 deletions(-)
> +
> +diff --git a/src/go.mod b/src/go.mod
> +index 6b97366bbe6c..dfcba7a1c8ac 100644
> +--- a/src/go.mod
> ++++ b/src/go.mod
> +@@ -4,7 +4,7 @@ go 1.15
> + 
> + require (
> + 	golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9
> +-	golang.org/x/net v0.0.0-20201008223702-a5fa9d4b7c91
> ++	golang.org/x/net v0.0.0-20210428183841-261fb518b1ed
> + 	golang.org/x/sys v0.0.0-20200501145240-bc7a7d42d5c3 // indirect
> + 	golang.org/x/text v0.3.3-0.20200430171850-afb9336c4530 // indirect
> + )
> +diff --git a/src/go.sum b/src/go.sum
> +index fbd3279aade6..47e918848c3e 100644
> +--- a/src/go.sum
> ++++ b/src/go.sum
> +@@ -2,8 +2,8 @@ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACk
> + golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9 h1:psW17arqaxU48Z5kZ0CQnkZWQJsqcURM6tKiBApRjXI=
> + golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
> + golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
> +-golang.org/x/net v0.0.0-20201008223702-a5fa9d4b7c91 h1:zd7kl5i5PDM0OnFbRWVM6B8mXojzv8LOkHN9LsOrRf4=
> +-golang.org/x/net v0.0.0-20201008223702-a5fa9d4b7c91/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
> ++golang.org/x/net v0.0.0-20210428183841-261fb518b1ed h1:aunM0N/jnRHvQgZo3kYkfaAGet2kIMFOPIbopG5BhYw=
> ++golang.org/x/net v0.0.0-20210428183841-261fb518b1ed/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
> + golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
> + golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
> + golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
> +diff --git a/src/vendor/golang.org/x/net/http/httpguts/httplex.go b/src/vendor/golang.org/x/net/http/httpguts/httplex.go
> +index e7de24ee64ef..c79aa73f28bb 100644
> +--- a/src/vendor/golang.org/x/net/http/httpguts/httplex.go
> ++++ b/src/vendor/golang.org/x/net/http/httpguts/httplex.go
> +@@ -137,11 +137,13 @@ func trimOWS(x string) string {
> + // contains token amongst its comma-separated tokens, ASCII
> + // case-insensitively.
> + func headerValueContainsToken(v string, token string) bool {
> +-	v = trimOWS(v)
> +-	if comma := strings.IndexByte(v, ','); comma != -1 {
> +-		return tokenEqual(trimOWS(v[:comma]), token) || headerValueContainsToken(v[comma+1:], token)
> ++	for comma := strings.IndexByte(v, ','); comma != -1; comma = strings.IndexByte(v, ',') {
> ++		if tokenEqual(trimOWS(v[:comma]), token) {
> ++			return true
> ++		}
> ++		v = v[comma+1:]
> + 	}
> +-	return tokenEqual(v, token)
> ++	return tokenEqual(trimOWS(v), token)
> + }
> + 
> + // lowerASCII returns the ASCII lowercase version of b.
> +diff --git a/src/vendor/modules.txt b/src/vendor/modules.txt
> +index 03ca3c3ae4c1..dd2296b6944d 100644
> +--- a/src/vendor/modules.txt
> ++++ b/src/vendor/modules.txt
> +@@ -8,7 +8,7 @@ golang.org/x/crypto/curve25519
> + golang.org/x/crypto/hkdf
> + golang.org/x/crypto/internal/subtle
> + golang.org/x/crypto/poly1305
> +-# golang.org/x/net v0.0.0-20201008223702-a5fa9d4b7c91
> ++# golang.org/x/net v0.0.0-20210428183841-261fb518b1ed
> + ## explicit
> + golang.org/x/net/dns/dnsmessage
> + golang.org/x/net/http/httpguts
> diff -Nru golang-1.15-1.15.9/debian/patches/series golang-1.15-1.15.9/debian/patches/series
> --- golang-1.15-1.15.9/debian/patches/series	2021-03-11 23:43:18.000000000 +0800
> +++ golang-1.15-1.15.9/debian/patches/series	2021-05-08 02:45:35.000000000 +0800
> @@ -4,3 +4,4 @@
>  0004-cmd-dist-fix-build-failure-of-misc-cgo-test-on-arm64.patch
>  0005-cmd-dist-increase-default-timeout-scale-for-arm.patch
>  0006-skip-userns-test-in-schroot-as-well.patch
> +0007-CVE-2021-31525.patch
> 

-- 
Sebastian Ramacher

Attachment: signature.asc
Description: PGP signature