
upload golang



Hi.

I prepared an LTS security update for golang. The debdiff is attached along
with this mail.
Link:
https://mentors.debian.net/debian/pool/main/g/golang/golang_1.0.2-1.1+deb7u3.dsc
I did the following tests.

- Installed it on a wheezy machine.
- The patch is on src/cmd/go/vcs.go, so I ran a couple of go get <VCS> commands.
- Compiled a couple of Go programs.

I don't have any experience with Go, so it would be great if you could
give it some more testing and review, and then upload.

Thanks

 -abhijith
diff -Nru golang-1.0.2/debian/changelog golang-1.0.2/debian/changelog
--- golang-1.0.2/debian/changelog	2018-02-25 13:31:35.000000000 +0530
+++ golang-1.0.2/debian/changelog	2017-10-27 20:17:15.000000000 +0530
@@ -1,14 +1,3 @@
-golang (2:1.0.2-1.1+deb7u3) wheezy-security; urgency=high
-
-  * Non-maintainer upload by the Debian LTS team.
-  * CVE-2018-7187: "go get" implementation, doesnot validate the 
-    import path (get/vcs.go only checks for "://" anywhere in 
-    the string), which allows remote attackers to execute arbitrary 
-    OS commands via a crafted web site. Backported from 
-    upstream development branch.
-
- -- Abhijith PA <abhijith@disroot.org>  Sun, 25 Feb 2018 13:31:35 +0530
-
 golang (2:1.0.2-1.1+deb7u2) wheezy-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
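Review bot: this debdiff is reversed. The `---` side carries the 2018-02-25 timestamp and the new deb7u3 changelog entry appears as removed `-` lines, while the `+++` side is the 2017-10-27 deb7u2 changelog; the same inversion shows up in the other two files (the new patch file is listed as deleted with a 1970 epoch timestamp). It looks like debdiff was given the new .dsc first; please regenerate it as `debdiff golang_1.0.2-1.1+deb7u2.dsc golang_1.0.2-1.1+deb7u3.dsc` so the review shows additions as additions. In the entry text itself, "doesnot" should be "does not", and since the patch header already names the upstream commit (c941e27e...), naming it here too is more useful than "upstream development branch".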
diff -Nru golang-1.0.2/debian/patches/CVE-2018-7187.patch golang-1.0.2/debian/patches/CVE-2018-7187.patch
--- golang-1.0.2/debian/patches/CVE-2018-7187.patch	2018-02-25 13:31:35.000000000 +0530
+++ golang-1.0.2/debian/patches/CVE-2018-7187.patch	1970-01-01 05:30:00.000000000 +0530
@@ -1,60 +0,0 @@
-Description: Fix CVE-2018-7187
- The "go get" implementation, doesnot validate the import path (get/vcs.go only 
- checks for "://" anywhere in the string), which allows remote attackers to 
- execute arbitrary OS commands via a crafted web site. Backported from 
- upstream development branch. 
-Author: Abhijith PA <abhijith@disroot.org>
-Origin: https://github.com/golang/go/commit/c941e27e70c3e06e1011d2dd71d72a7a06a9bcbc
-Bug: https://github.com/golang/go/issues/23867
-Last-Update: 2018-02-22
-
---- golang-1.0.2.orig/src/cmd/go/vcs.go
-+++ golang-1.0.2/src/cmd/go/vcs.go
-@@ -524,8 +524,8 @@ func repoRootForImportDynamic(importPath
- 		}
- 	}
- 
--	if !strings.Contains(metaImport.RepoRoot, "://") {
--		return nil, fmt.Errorf("%s: invalid repo root %q; no scheme", urlStr, metaImport.RepoRoot)
-+	if err := validateRepoRootScheme(metaImport.RepoRoot); err != nil {
-+		return nil, fmt.Errorf("%s: invalid repo root %q: %v", urlStr, metaImport.RepoRoot, err)
- 	}
- 	rr := &repoRoot{
- 		vcs:  vcsByCmd(metaImport.VCS),
-@@ -538,6 +538,36 @@ func repoRootForImportDynamic(importPath
- 	return rr, nil
- }
- 
-+// validateRepoRootScheme returns an error if repoRoot does not seem
-+// to have a valid URL scheme. At this point we permit things that
-+// aren't valid URLs, although later, if not using -insecure, we will
-+// restrict repoRoots to be valid URLs. This is only because we've
-+// historically permitted them, and people may depend on that.
-+func validateRepoRootScheme(repoRoot string) error {
-+	end := strings.Index(repoRoot, "://")
-+	if end <= 0 {
-+		return errors.New("no scheme")
-+	}
-+
-+	// RFC 3986 section 3.1.
-+	for i := 0; i < end; i++ {
-+		c := repoRoot[i]
-+		switch {
-+		case 'a' <= c && c <= 'z' || 'A' <= c && c <= 'Z':
-+			// OK.
-+		case '0' <= c && c <= '9' || c == '+' || c == '-' || c == '.':
-+			// OK except at start.
-+			if i == 0 {
-+				return errors.New("invalid scheme")
-+			}
-+		default:
-+			return errors.New("invalid scheme")
-+		}
-+	}
-+
-+	return nil
-+}
-+
- // metaImport represents the parsed <meta name="go-import"
- // content="prefix vcs reporoot" /> tags from HTML files.
- type metaImport struct {
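Review bot: validateRepoRootScheme calls errors.New, but the hunk shows no change to the import block of src/cmd/go/vcs.go; confirm that the 1.0.2 vcs.go already imports "errors", otherwise the package fails to build with an undefined identifier, and add the import to the patch if it does not. The check itself looks right: `end <= 0` rejects both a missing "://" and an empty scheme, and the loop enforces RFC 3986 section 3.1 (a leading letter, then letters, digits, "+", "-" or "."), so a repo root whose prefix before "://" is not a syntactically valid scheme is now refused instead of being passed on to the VCS command, which is exactly what the old `strings.Contains(metaImport.RepoRoot, "://")` test failed to do. Two header nits: "doesnot" in the Description should be "does not", and because Author names the backporter while Origin points at the upstream commit, the DEP-3 form would be `Origin: backport, https://github.com/golang/go/commit/c941e27e70c3e06e1011d2dd71d72a7a06a9bcbc`.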
diff -Nru golang-1.0.2/debian/patches/series golang-1.0.2/debian/patches/series
--- golang-1.0.2/debian/patches/series	2018-02-25 13:31:35.000000000 +0530
+++ golang-1.0.2/debian/patches/series	2017-10-27 20:17:15.000000000 +0530
@@ -11,4 +11,3 @@
 godoc-symlinks.diff
 CVE-2017-1000098.patch
 CVE-2017-15041.patch
-CVE-2018-7187.patch
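Review bot: the new CVE-2018-7187.patch line shows as removed here because of the reversed debdiff; once regenerated with the old .dsc first it should read `+CVE-2018-7187.patch`. Appending it after CVE-2017-15041.patch at the end of series is the right placement, keeping the CVE patches in chronological order.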
