Control: tags -1 moreinfo confirmed

On 2021-05-08 03:15:49 +0800, Shengjing Zhu wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> X-Debbugs-Cc: zhsj@debian.org
>
> Please unblock package golang-1.15
>
> [ Reason ]
> Backport patch for CVE-2021-31525
> net/http: ReadRequest can stack overflow due to recursion with very
> large headers. https://github.com/golang/go/issues/45711

Please go ahead and remove the moreinfo tag once the package is
available in unstable.

Cheers

>
> [ Impact ]
> Though a CVE is assigned, the issue doesn't look like a serious one.
> So if it's not approved, I think we can address it with other future
> security fixes through DSA after release.
>
> [ Tests ]
> I did a manual test for the affected function, to see if it
> stack-overflows with and without the patch.
>
> [ Risks ]
> The diff is small.
> The package is a key package.
> Due to the static link of Go packages, and the out of date built-using
> thing, it needs another round of rebuild of all Go packages before
> bullseye release.
>
> [ Checklist ]
> [x] all changes are documented in the d/changelog
> [x] I reviewed all changes and I approve them
> [x] attach debdiff against the package in testing
>
> [ Other info ]
> golang-golang-x-net needs the same fix for CVE-2021-31525
>
>
> unblock golang-1.15/1.15.9-2
>
>
> diff -Nru golang-1.15-1.15.9/debian/changelog golang-1.15-1.15.9/debian/changelog
> --- golang-1.15-1.15.9/debian/changelog 2021-03-11 23:43:18.000000000 +0800
> +++ golang-1.15-1.15.9/debian/changelog 2021-05-08 02:45:35.000000000 +0800
> @@ -1,3 +1,12 @@ > +golang-1.15 (1.15.9-2) unstable; urgency=medium > + > + * Team upload. > + * Backport patch for CVE-2021-31525 > + net/http: ReadRequest can stack overflow due to recursion with very > + large headers. https://github.com/golang/go/issues/45711 > + > + -- Shengjing Zhu <zhsj@debian.org> Sat, 08 May 2021 02:45:35 +0800 > + > golang-1.15 (1.15.9-1) unstable; urgency=medium > > * Team upload. > diff -Nru golang-1.15-1.15.9/debian/patches/0007-CVE-2021-31525.patch golang-1.15-1.15.9/debian/patches/0007-CVE-2021-31525.patch > --- golang-1.15-1.15.9/debian/patches/0007-CVE-2021-31525.patch 1970-01-01 08:00:00.000000000 +0800 > +++ golang-1.15-1.15.9/debian/patches/0007-CVE-2021-31525.patch 2021-05-08 02:45:35.000000000 +0800 
> @@ -0,0 +1,90 @@ > +From 5aed4ce3c854bdbbb6dd5c1ccfa15c23d4b6c989 Mon Sep 17 00:00:00 2001 > +From: Katie Hockman <katie@golang.org> > +Date: Wed, 28 Apr 2021 14:47:48 -0400 > +Subject: [PATCH] [release-branch.go1.15] std: update golang.org/x/net to > + 20210428183841-261fb518b1ed > + > +Steps: > + go get -d golang.org/x/net@release-branch.go1.15 > + go mod tidy > + go mod vendor > + > +This http2 bundle does not need to be updated. > + > +Fixes #45711 > + > +Change-Id: I085ca592dfc8d5d9c328a7979142e88e7130a813 > +Reviewed-on: https://go-review.googlesource.com/c/go/+/314790 > +Trust: Katie Hockman <katie@golang.org> > +Run-TryBot: Katie Hockman <katie@golang.org> > +Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org> > +--- > + src/go.mod | 2 +- > + src/go.sum | 4 ++-- > + src/vendor/golang.org/x/net/http/httpguts/httplex.go | 10 ++++++---- > + src/vendor/modules.txt | 2 +- > + 4 files changed, 10 insertions(+), 8 deletions(-) > + > +diff --git a/src/go.mod b/src/go.mod > +index 6b97366bbe6c..dfcba7a1c8ac 100644 > +--- a/src/go.mod > ++++ b/src/go.mod > +@@ -4,7 +4,7 @@ go 1.15 > + > + require ( > + golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9 > +- golang.org/x/net v0.0.0-20201008223702-a5fa9d4b7c91 > ++ golang.org/x/net v0.0.0-20210428183841-261fb518b1ed > + golang.org/x/sys v0.0.0-20200501145240-bc7a7d42d5c3 // indirect > + golang.org/x/text v0.3.3-0.20200430171850-afb9336c4530 // indirect > + ) > +diff --git a/src/go.sum b/src/go.sum > +index fbd3279aade6..47e918848c3e 100644 > +--- a/src/go.sum > ++++ b/src/go.sum > +@@ -2,8 +2,8 @@ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACk > + golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9 h1:psW17arqaxU48Z5kZ0CQnkZWQJsqcURM6tKiBApRjXI= > + golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= > + golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= > 
+-golang.org/x/net v0.0.0-20201008223702-a5fa9d4b7c91 h1:zd7kl5i5PDM0OnFbRWVM6B8mXojzv8LOkHN9LsOrRf4= > +-golang.org/x/net v0.0.0-20201008223702-a5fa9d4b7c91/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= > ++golang.org/x/net v0.0.0-20210428183841-261fb518b1ed h1:aunM0N/jnRHvQgZo3kYkfaAGet2kIMFOPIbopG5BhYw= > ++golang.org/x/net v0.0.0-20210428183841-261fb518b1ed/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= > + golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= > + golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= > + golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= > +diff --git a/src/vendor/golang.org/x/net/http/httpguts/httplex.go b/src/vendor/golang.org/x/net/http/httpguts/httplex.go > +index e7de24ee64ef..c79aa73f28bb 100644 > +--- a/src/vendor/golang.org/x/net/http/httpguts/httplex.go > ++++ b/src/vendor/golang.org/x/net/http/httpguts/httplex.go > +@@ -137,11 +137,13 @@ func trimOWS(x string) string { > + // contains token amongst its comma-separated tokens, ASCII > + // case-insensitively. > + func headerValueContainsToken(v string, token string) bool { > +- v = trimOWS(v) > +- if comma := strings.IndexByte(v, ','); comma != -1 { > +- return tokenEqual(trimOWS(v[:comma]), token) || headerValueContainsToken(v[comma+1:], token) > ++ for comma := strings.IndexByte(v, ','); comma != -1; comma = strings.IndexByte(v, ',') { > ++ if tokenEqual(trimOWS(v[:comma]), token) { > ++ return true > ++ } > ++ v = v[comma+1:] > + } > +- return tokenEqual(v, token) > ++ return tokenEqual(trimOWS(v), token) > + } > + > + // lowerASCII returns the ASCII lowercase version of b. 
> +diff --git a/src/vendor/modules.txt b/src/vendor/modules.txt > +index 03ca3c3ae4c1..dd2296b6944d 100644 > +--- a/src/vendor/modules.txt > ++++ b/src/vendor/modules.txt > +@@ -8,7 +8,7 @@ golang.org/x/crypto/curve25519 > + golang.org/x/crypto/hkdf > + golang.org/x/crypto/internal/subtle > + golang.org/x/crypto/poly1305 > +-# golang.org/x/net v0.0.0-20201008223702-a5fa9d4b7c91 > ++# golang.org/x/net v0.0.0-20210428183841-261fb518b1ed > + ## explicit > + golang.org/x/net/dns/dnsmessage > + golang.org/x/net/http/httpguts > diff -Nru golang-1.15-1.15.9/debian/patches/series golang-1.15-1.15.9/debian/patches/series > --- golang-1.15-1.15.9/debian/patches/series 2021-03-11 23:43:18.000000000 +0800 > +++ golang-1.15-1.15.9/debian/patches/series 2021-05-08 02:45:35.000000000 +0800 > @@ -4,3 +4,4 @@ > 0004-cmd-dist-fix-build-failure-of-misc-cgo-test-on-arm64.patch > 0005-cmd-dist-increase-default-timeout-scale-for-arm.patch > 0006-skip-userns-test-in-schroot-as-well.patch > +0007-CVE-2021-31525.patch > -- Sebastian Ramacher
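Review bot: the httplex.go hunk carries no regression test, and [ Tests ] above describes only a manual check, so nothing in the package build would catch the recursion coming back. The loop form is correct as written: it drops the up-front `v = trimOWS(v)` but trims every segment at the point of comparison (`tokenEqual(trimOWS(v[:comma]), token)` inside the loop and `tokenEqual(trimOWS(v), token)` for the tail), so empty tokens such as those in `a,,b` still fall through to `tokenEqual` with an empty string exactly as before, and stack usage no longer depends on the number of commas. Suggest adding a test that feeds a header value made of a few hundred thousand empty comma-separated tokens through the public path named in the changelog (net/http ReadRequest), so the rebuild of all Go packages noted under [ Risks ] is not the only thing standing between a regression and bullseye.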
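The following Go program is an added illustration of the bug report's point and is not code from the bug report, from Debian, or from the Go source tree: it places a recursive `headerValueContainsToken` shaped like the removed lines of the hunk next to the iterative shape of the added lines, and runs both over the same inputs, including a constructed Connection header made of a million empty comma-separated tokens. The helpers `trimOWS`, `tokenEqual` and `lowerASCII` are re-implementations written for this example after the unexported httpguts helpers, and the function names `containsTokenRecursive`, `containsTokenIterative` and `hostileConnectionHeader` are this example's own.

```go
package main

import (
	"fmt"
	"strings"
	"unicode/utf8"
)

// trimOWS strips leading and trailing HTTP optional whitespace (SP or HTAB).
// Re-implemented for this example after the unexported httpguts helper.
func trimOWS(x string) string {
	for len(x) > 0 && (x[0] == ' ' || x[0] == '\t') {
		x = x[1:]
	}
	for len(x) > 0 && (x[len(x)-1] == ' ' || x[len(x)-1] == '\t') {
		x = x[:len(x)-1]
	}
	return x
}

// lowerASCII maps an ASCII upper-case letter to lower case and leaves other bytes alone.
func lowerASCII(b byte) byte {
	if 'A' <= b && b <= 'Z' {
		return b + ('a' - 'A')
	}
	return b
}

// tokenEqual compares two HTTP tokens ASCII case-insensitively; non-ASCII never matches.
func tokenEqual(t1, t2 string) bool {
	if len(t1) != len(t2) {
		return false
	}
	for i, b := range t1 {
		if b >= utf8.RuneSelf {
			return false
		}
		if lowerASCII(byte(b)) != lowerASCII(t2[i]) {
			return false
		}
	}
	return true
}

// containsTokenRecursive has the shape of the removed lines: every comma in v costs
// one more stack frame, so an attacker-controlled header value sets the recursion depth.
func containsTokenRecursive(v, token string) bool {
	v = trimOWS(v)
	if comma := strings.IndexByte(v, ','); comma != -1 {
		return tokenEqual(trimOWS(v[:comma]), token) || containsTokenRecursive(v[comma+1:], token)
	}
	return tokenEqual(v, token)
}

// containsTokenIterative has the shape of the added lines: the same per-segment trim
// and comparison, but a loop with constant stack usage whatever the comma count.
func containsTokenIterative(v, token string) bool {
	for comma := strings.IndexByte(v, ','); comma != -1; comma = strings.IndexByte(v, ',') {
		if tokenEqual(trimOWS(v[:comma]), token) {
			return true
		}
		v = v[comma+1:]
	}
	return tokenEqual(trimOWS(v), token)
}

// hostileConnectionHeader builds a constructed header value of n empty comma-separated
// tokens followed by "close"; it is the input shape the recursion is sensitive to.
func hostileConnectionHeader(n int) string {
	return strings.Repeat(",", n) + "close"
}

func main() {
	cases := []struct{ v, token string }{
		{"keep-alive, Upgrade", "upgrade"},
		{"closed", "close"},
		{" a ,b,, c ", "C"},
	}
	for _, c := range cases {
		fmt.Printf("%q contains %q: recursive=%v iterative=%v\n", c.v, c.token,
			containsTokenRecursive(c.v, c.token), containsTokenIterative(c.v, c.token))
	}
	// The loop form walks a million-comma value on a fixed stack; the recursive form
	// would need a million frames for the same value, so it is only given a modest one.
	fmt.Println("iterative, 1e6 commas:", containsTokenIterative(hostileConnectionHeader(1_000_000), "close"))
	fmt.Println("recursive, 1e4 commas:", containsTokenRecursive(hostileConnectionHeader(10_000), "close"))
}
```

Both functions return the same verdict on ordinary values, which is what makes the hunk safe to backport without behavioural change; the difference only shows on the hostile value, where the recursive shape's stack depth is whatever the client chose to send. Run it with `go run` and raise the recursive comma count to see the goroutine stack grow until the runtime aborts the process.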