Bug#989380: unblock: golang-1.15/1.15.9-4

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#989380: unblock: golang-1.15/1.15.9-4
From: Shengjing Zhu <zhsj@debian.org>
Date: Wed, 02 Jun 2021 16:52:56 +0800
Message-id: <[🔎] 162262397643.638958.991551690780770258.reportbug@localhost>
Reply-to: Shengjing Zhu <zhsj@debian.org>, 989380@bugs.debian.org

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: zhsj@debian.org

Please unblock package golang-1.15

[ Reason ]
Backport patch for CVE-2021-33196

[ Impact ]
Security issue

[ Tests ]
Upstream has its own unit tests, and a new test is added in patch as
well.

[ Risks ]
+ Key package
+ Diff is small

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]

unblock golang-1.15/1.15.9-4

diff -Nru golang-1.15-1.15.9/debian/changelog golang-1.15-1.15.9/debian/changelog
--- golang-1.15-1.15.9/debian/changelog	2021-05-08 14:22:26.000000000 +0800
+++ golang-1.15-1.15.9/debian/changelog	2021-06-02 10:56:03.000000000 +0800
@@ -1,3 +1,12 @@
+golang-1.15 (1.15.9-4) unstable; urgency=medium
+
+  * Team upload.
+  * Backport patch for CVE-2021-33196
+    archive/zip: malformed archive may cause panic or memory exhaustion
+    https://github.com/golang/go/issues/46396
+
+ -- Shengjing Zhu <zhsj@debian.org>  Wed, 02 Jun 2021 10:56:03 +0800
+
 golang-1.15 (1.15.9-3) unstable; urgency=medium
 
   * Fix failed TestDependencyVersionsConsistent test.
diff -Nru golang-1.15-1.15.9/debian/patches/0008-CVE-2021-33196.patch golang-1.15-1.15.9/debian/patches/0008-CVE-2021-33196.patch
--- golang-1.15-1.15.9/debian/patches/0008-CVE-2021-33196.patch	1970-01-01 08:00:00.000000000 +0800
+++ golang-1.15-1.15.9/debian/patches/0008-CVE-2021-33196.patch	2021-06-02 10:56:03.000000000 +0800
@@ -0,0 +1,124 @@
+From: Roland Shoemaker <roland@golang.org>
+Date: Tue, 11 May 2021 11:31:31 -0700
+Subject: archive/zip: only preallocate File slice if reasonably sized
+
+Since the number of files in the EOCD record isn't validated, it isn't
+safe to preallocate Reader.Files using that field. A malformed archive
+can indicate it contains up to 1 << 128 - 1 files. We can still safely
+preallocate the slice by checking if the specified number of files in
+the archive is reasonable, given the size of the archive.
+
+Thanks to the OSS-Fuzz project for discovering this issue and to
+Emmanuel Odeke for reporting it.
+
+Updates #46242
+Fixes #46396
+Fixes CVE-2021-33196
+
+Change-Id: I3c76d8eec178468b380d87fdb4a3f2cb06f0ee76
+Reviewed-on: https://go-review.googlesource.com/c/go/+/318909
+Trust: Roland Shoemaker <roland@golang.org>
+Trust: Katie Hockman <katie@golang.org>
+Trust: Joe Tsai <thebrokentoaster@gmail.com>
+Run-TryBot: Roland Shoemaker <roland@golang.org>
+TryBot-Result: Go Bot <gobot@golang.org>
+Reviewed-by: Katie Hockman <katie@golang.org>
+Reviewed-by: Joe Tsai <thebrokentoaster@gmail.com>
+(cherry picked from commit 74242baa4136c7a9132a8ccd9881354442788c8c)
+Reviewed-on: https://go-review.googlesource.com/c/go/+/322949
+Reviewed-by: Filippo Valsorda <filippo@golang.org>
+
+Origin: backport, https://github.com/golang/go/commit/c92adf420a3d9a5510f9aea382d826f0c9216a10
+---
+ src/archive/zip/reader.go      | 10 ++++++-
+ src/archive/zip/reader_test.go | 59 ++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 68 insertions(+), 1 deletion(-)
+
+diff --git a/src/archive/zip/reader.go b/src/archive/zip/reader.go
+index 13ff9dd..2d5151a 100644
+--- a/src/archive/zip/reader.go
++++ b/src/archive/zip/reader.go
+@@ -84,7 +84,15 @@ func (z *Reader) init(r io.ReaderAt, size int64) error {
+ 		return err
+ 	}
+ 	z.r = r
+-	z.File = make([]*File, 0, end.directoryRecords)
++	// Since the number of directory records is not validated, it is not
++	// safe to preallocate z.File without first checking that the specified
++	// number of files is reasonable, since a malformed archive may
++	// indicate it contains up to 1 << 128 - 1 files. Since each file has a
++	// header which will be _at least_ 30 bytes we can safely preallocate
++	// if (data size / 30) >= end.directoryRecords.
++	if (uint64(size)-end.directorySize)/30 >= end.directoryRecords {
++		z.File = make([]*File, 0, end.directoryRecords)
++	}
+ 	z.Comment = end.comment
+ 	rs := io.NewSectionReader(r, 0, size)
+ 	if _, err = rs.Seek(int64(end.directoryOffset), io.SeekStart); err != nil {
+diff --git a/src/archive/zip/reader_test.go b/src/archive/zip/reader_test.go
+index adca87a..6f67d2e 100644
+--- a/src/archive/zip/reader_test.go
++++ b/src/archive/zip/reader_test.go
+@@ -1070,3 +1070,62 @@ func TestIssue12449(t *testing.T) {
+ 		t.Errorf("Error reading the archive: %v", err)
+ 	}
+ }
++
++func TestCVE202133196(t *testing.T) {
++	// Archive that indicates it has 1 << 128 -1 files,
++	// this would previously cause a panic due to attempting
++	// to allocate a slice with 1 << 128 -1 elements.
++	data := []byte{
++		0x50, 0x4b, 0x03, 0x04, 0x14, 0x00, 0x08, 0x08,
++		0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++		0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x01, 0x02,
++		0x03, 0x62, 0x61, 0x65, 0x03, 0x04, 0x00, 0x00,
++		0xff, 0xff, 0x50, 0x4b, 0x07, 0x08, 0xbe, 0x20,
++		0x5c, 0x6c, 0x09, 0x00, 0x00, 0x00, 0x03, 0x00,
++		0x00, 0x00, 0x50, 0x4b, 0x01, 0x02, 0x14, 0x00,
++		0x14, 0x00, 0x08, 0x08, 0x08, 0x00, 0x00, 0x00,
++		0x00, 0x00, 0xbe, 0x20, 0x5c, 0x6c, 0x09, 0x00,
++		0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x03, 0x00,
++		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++		0x01, 0x02, 0x03, 0x50, 0x4b, 0x06, 0x06, 0x2c,
++		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d,
++		0x00, 0x2d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++		0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
++		0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 0xff,
++		0xff, 0xff, 0xff, 0x31, 0x00, 0x00, 0x00, 0x00,
++		0x00, 0x00, 0x00, 0x3a, 0x00, 0x00, 0x00, 0x00,
++		0x00, 0x00, 0x00, 0x50, 0x4b, 0x06, 0x07, 0x00,
++		0x00, 0x00, 0x00, 0x6b, 0x00, 0x00, 0x00, 0x00,
++		0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x50,
++		0x4b, 0x05, 0x06, 0x00, 0x00, 0x00, 0x00, 0xff,
++		0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
++		0xff, 0xff, 0xff, 0x00, 0x00,
++	}
++	_, err := NewReader(bytes.NewReader(data), int64(len(data)))
++	if err != ErrFormat {
++		t.Fatalf("unexpected error, got: %v, want: %v", err, ErrFormat)
++	}
++
++	// Also check that an archive containing a handful of empty
++	// files doesn't cause an issue
++	b := bytes.NewBuffer(nil)
++	w := NewWriter(b)
++	for i := 0; i < 5; i++ {
++		_, err := w.Create("")
++		if err != nil {
++			t.Fatalf("Writer.Create failed: %s", err)
++		}
++	}
++	if err := w.Close(); err != nil {
++		t.Fatalf("Writer.Close failed: %s", err)
++	}
++	r, err := NewReader(bytes.NewReader(b.Bytes()), int64(b.Len()))
++	if err != nil {
++		t.Fatalf("NewReader failed: %s", err)
++	}
++	if len(r.File) != 5 {
++		t.Errorf("Archive has unexpected number of files, got %d, want 5", len(r.File))
++	}
++}
diff -Nru golang-1.15-1.15.9/debian/patches/series golang-1.15-1.15.9/debian/patches/series
--- golang-1.15-1.15.9/debian/patches/series	2021-05-08 14:22:26.000000000 +0800
+++ golang-1.15-1.15.9/debian/patches/series	2021-06-02 10:56:03.000000000 +0800
@@ -5,3 +5,4 @@
 0005-cmd-dist-increase-default-timeout-scale-for-arm.patch
 0006-skip-userns-test-in-schroot-as-well.patch
 0007-CVE-2021-31525.patch
+0008-CVE-2021-33196.patch

Reply to:

Follow-Ups:
- Bug#989380: marked as done (unblock: golang-1.15/1.15.9-4)
  - From: "Debian Bug Tracking System" <owner@bugs.debian.org>

Prev by Date: Bug#989324: unblock: opendmarc/1.4.0~beta1+dfsg-4
Next by Date: Bug#988442: unblock: linux/5.10.40-1
Previous by thread: Bug#989379: marked as done (unblock: redis/5:6.0.14-1)
Next by thread: Bug#989380: marked as done (unblock: golang-1.15/1.15.9-4)
Index(es):
- Date
- Thread