Bug#989498: unblock: golang-1.15/1.15.9-5
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: zhsj@debian.org
Please unblock package golang-1.15
[ Reason ]
Backport patches for CVE-2021-33195 CVE-2021-33197 CVE-2021-33198
[ Impact ]
Security issue.
[ Tests ]
Unit tests provided by upstream.
[ Risks ]
+ Key package
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
[ Other info ]
unblock golang-1.15/1.15.9-5
diff -Nru golang-1.15-1.15.9/debian/changelog golang-1.15-1.15.9/debian/changelog
--- golang-1.15-1.15.9/debian/changelog 2021-06-02 10:56:03.000000000 +0800
+++ golang-1.15-1.15.9/debian/changelog 2021-06-05 19:36:34.000000000 +0800
@@ -1,3 +1,15 @@
+golang-1.15 (1.15.9-5) unstable; urgency=medium
+
+ * Team upload.
+ * Backport patches for CVE-2021-33195 CVE-2021-33197 CVE-2021-33198
+ + CVE-2021-33195: net: Lookup functions may return invalid host names
+ + CVE-2021-33197: net/http/httputil: ReverseProxy forwards Connection
+ headers if first one is empty
+ + CVE-2021-33198: math/big: (*Rat).SetString with "1.770p02041010010011001001"
+ crashes with "makeslice: len out of range"
+
+ -- Shengjing Zhu <zhsj@debian.org> Sat, 05 Jun 2021 19:36:34 +0800
+
golang-1.15 (1.15.9-4) unstable; urgency=medium
* Team upload.
diff -Nru golang-1.15-1.15.9/debian/patches/0009-CVE-2021-33195-1.patch golang-1.15-1.15.9/debian/patches/0009-CVE-2021-33195-1.patch
--- golang-1.15-1.15.9/debian/patches/0009-CVE-2021-33195-1.patch 1970-01-01 08:00:00.000000000 +0800
+++ golang-1.15-1.15.9/debian/patches/0009-CVE-2021-33195-1.patch 2021-06-05 19:36:34.000000000 +0800
@@ -0,0 +1,369 @@
+From 31d60cda1f58b7558fc5725d2b9e4531655d980e Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <roland@golang.org>
+Date: Thu, 27 May 2021 10:40:06 -0700
+Subject: [PATCH] [release-branch.go1.15] net: verify results from Lookup* are
+ valid domain names
+
+For the methods LookupCNAME, LookupSRV, LookupMX, LookupNS, and
+LookupAddr check that the returned domain names are in fact valid DNS
+names using the existing isDomainName function.
+
+Thanks to Philipp Jeitner and Haya Shulman from Fraunhofer SIT for
+reporting this issue.
+
+Updates #46241
+Fixes #46356
+Fixes CVE-2021-33195
+
+Change-Id: I47a4f58c031cb752f732e88bbdae7f819f0af4f3
+Reviewed-on: https://go-review.googlesource.com/c/go/+/323131
+Trust: Roland Shoemaker <roland@golang.org>
+Run-TryBot: Roland Shoemaker <roland@golang.org>
+TryBot-Result: Go Bot <gobot@golang.org>
+Reviewed-by: Filippo Valsorda <filippo@golang.org>
+Reviewed-by: Katie Hockman <katie@golang.org>
+(cherry picked from commit cdcd02842da7c004efd023881e3719105209c908)
+Reviewed-on: https://go-review.googlesource.com/c/go/+/323269
+---
+ src/net/dnsclient_unix_test.go | 157 +++++++++++++++++++++++++++++++++
+ src/net/lookup.go | 111 ++++++++++++++++++++---
+ 2 files changed, 255 insertions(+), 13 deletions(-)
+
+diff --git a/src/net/dnsclient_unix_test.go b/src/net/dnsclient_unix_test.go
+index 06553636eee25..819f20b887ae6 100644
+--- a/src/net/dnsclient_unix_test.go
++++ b/src/net/dnsclient_unix_test.go
+@@ -1799,3 +1799,160 @@ func TestPTRandNonPTR(t *testing.T) {
+ t.Errorf("names = %q; want %q", names, want)
+ }
+ }
++
++func TestCVE202133195(t *testing.T) {
++ fake := fakeDNSServer{
++ rh: func(n, _ string, q dnsmessage.Message, _ time.Time) (dnsmessage.Message, error) {
++ r := dnsmessage.Message{
++ Header: dnsmessage.Header{
++ ID: q.Header.ID,
++ Response: true,
++ RCode: dnsmessage.RCodeSuccess,
++ RecursionAvailable: true,
++ },
++ Questions: q.Questions,
++ }
++ switch q.Questions[0].Type {
++ case dnsmessage.TypeCNAME:
++ r.Answers = []dnsmessage.Resource{}
++ case dnsmessage.TypeA: // CNAME lookup uses a A/AAAA as a proxy
++ r.Answers = append(r.Answers,
++ dnsmessage.Resource{
++ Header: dnsmessage.ResourceHeader{
++ Name: dnsmessage.MustNewName("<html>.golang.org."),
++ Type: dnsmessage.TypeA,
++ Class: dnsmessage.ClassINET,
++ Length: 4,
++ },
++ Body: &dnsmessage.AResource{
++ A: TestAddr,
++ },
++ },
++ )
++ case dnsmessage.TypeSRV:
++ n := q.Questions[0].Name
++ if n.String() == "_hdr._tcp.golang.org." {
++ n = dnsmessage.MustNewName("<html>.golang.org.")
++ }
++ r.Answers = append(r.Answers,
++ dnsmessage.Resource{
++ Header: dnsmessage.ResourceHeader{
++ Name: n,
++ Type: dnsmessage.TypeSRV,
++ Class: dnsmessage.ClassINET,
++ Length: 4,
++ },
++ Body: &dnsmessage.SRVResource{
++ Target: dnsmessage.MustNewName("<html>.golang.org."),
++ },
++ },
++ )
++ case dnsmessage.TypeMX:
++ r.Answers = append(r.Answers,
++ dnsmessage.Resource{
++ Header: dnsmessage.ResourceHeader{
++ Name: dnsmessage.MustNewName("<html>.golang.org."),
++ Type: dnsmessage.TypeMX,
++ Class: dnsmessage.ClassINET,
++ Length: 4,
++ },
++ Body: &dnsmessage.MXResource{
++ MX: dnsmessage.MustNewName("<html>.golang.org."),
++ },
++ },
++ )
++ case dnsmessage.TypeNS:
++ r.Answers = append(r.Answers,
++ dnsmessage.Resource{
++ Header: dnsmessage.ResourceHeader{
++ Name: dnsmessage.MustNewName("<html>.golang.org."),
++ Type: dnsmessage.TypeNS,
++ Class: dnsmessage.ClassINET,
++ Length: 4,
++ },
++ Body: &dnsmessage.NSResource{
++ NS: dnsmessage.MustNewName("<html>.golang.org."),
++ },
++ },
++ )
++ case dnsmessage.TypePTR:
++ r.Answers = append(r.Answers,
++ dnsmessage.Resource{
++ Header: dnsmessage.ResourceHeader{
++ Name: dnsmessage.MustNewName("<html>.golang.org."),
++ Type: dnsmessage.TypePTR,
++ Class: dnsmessage.ClassINET,
++ Length: 4,
++ },
++ Body: &dnsmessage.PTRResource{
++ PTR: dnsmessage.MustNewName("<html>.golang.org."),
++ },
++ },
++ )
++ }
++ return r, nil
++ },
++ }
++
++ r := Resolver{PreferGo: true, Dial: fake.DialContext}
++ // Change the default resolver to match our manipulated resolver
++ originalDefault := DefaultResolver
++ DefaultResolver = &r
++ defer func() {
++ DefaultResolver = originalDefault
++ }()
++
++ _, err := r.LookupCNAME(context.Background(), "golang.org")
++ if expected := "lookup golang.org: CNAME target is invalid"; err == nil || err.Error() != expected {
++ t.Errorf("Resolver.LookupCNAME returned unexpected error, got %q, want %q", err.Error(), expected)
++ }
++ _, err = LookupCNAME("golang.org")
++ if expected := "lookup golang.org: CNAME target is invalid"; err == nil || err.Error() != expected {
++ t.Errorf("LookupCNAME returned unexpected error, got %q, want %q", err.Error(), expected)
++ }
++
++ _, _, err = r.LookupSRV(context.Background(), "target", "tcp", "golang.org")
++ if expected := "lookup golang.org: SRV target is invalid"; err == nil || err.Error() != expected {
++ t.Errorf("Resolver.LookupSRV returned unexpected error, got %q, want %q", err.Error(), expected)
++ }
++ _, _, err = LookupSRV("target", "tcp", "golang.org")
++ if expected := "lookup golang.org: SRV target is invalid"; err == nil || err.Error() != expected {
++ t.Errorf("LookupSRV returned unexpected error, got %q, want %q", err.Error(), expected)
++ }
++
++ _, _, err = r.LookupSRV(context.Background(), "hdr", "tcp", "golang.org")
++ if expected := "lookup golang.org: SRV header name is invalid"; err == nil || err.Error() != expected {
++ t.Errorf("Resolver.LookupSRV returned unexpected error, got %q, want %q", err.Error(), expected)
++ }
++ _, _, err = LookupSRV("hdr", "tcp", "golang.org")
++ if expected := "lookup golang.org: SRV header name is invalid"; err == nil || err.Error() != expected {
++ t.Errorf("LookupSRV returned unexpected error, got %q, want %q", err.Error(), expected)
++ }
++
++ _, err = r.LookupMX(context.Background(), "golang.org")
++ if expected := "lookup golang.org: MX target is invalid"; err == nil || err.Error() != expected {
++ t.Errorf("Resolver.LookupMX returned unexpected error, got %q, want %q", err.Error(), expected)
++ }
++ _, err = LookupMX("golang.org")
++ if expected := "lookup golang.org: MX target is invalid"; err == nil || err.Error() != expected {
++ t.Errorf("LookupMX returned unexpected error, got %q, want %q", err.Error(), expected)
++ }
++
++ _, err = r.LookupNS(context.Background(), "golang.org")
++ if expected := "lookup golang.org: NS target is invalid"; err == nil || err.Error() != expected {
++ t.Errorf("Resolver.LookupNS returned unexpected error, got %q, want %q", err.Error(), expected)
++ }
++ _, err = LookupNS("golang.org")
++ if expected := "lookup golang.org: NS target is invalid"; err == nil || err.Error() != expected {
++ t.Errorf("LookupNS returned unexpected error, got %q, want %q", err.Error(), expected)
++ }
++
++ _, err = r.LookupAddr(context.Background(), "1.2.3.4")
++ if expected := "lookup 1.2.3.4: PTR target is invalid"; err == nil || err.Error() != expected {
++ t.Errorf("Resolver.LookupAddr returned unexpected error, got %q, want %q", err.Error(), expected)
++ }
++ _, err = LookupAddr("1.2.3.4")
++ if expected := "lookup 1.2.3.4: PTR target is invalid"; err == nil || err.Error() != expected {
++ t.Errorf("LookupAddr returned unexpected error, got %q, want %q", err.Error(), expected)
++ }
++}
+diff --git a/src/net/lookup.go b/src/net/lookup.go
+index 5f7119872a48d..0660268249bc7 100644
+--- a/src/net/lookup.go
++++ b/src/net/lookup.go
+@@ -389,8 +389,11 @@ func (r *Resolver) LookupPort(ctx context.Context, network, service string) (por
+ // LookupCNAME does not return an error if host does not
+ // contain DNS "CNAME" records, as long as host resolves to
+ // address records.
++//
++// The returned canonical name is validated to be a properly
++// formatted presentation-format domain name.
+ func LookupCNAME(host string) (cname string, err error) {
+- return DefaultResolver.lookupCNAME(context.Background(), host)
++ return DefaultResolver.LookupCNAME(context.Background(), host)
+ }
+
+ // LookupCNAME returns the canonical name for the given host.
+@@ -403,8 +406,18 @@ func LookupCNAME(host string) (cname string, err error) {
+ // LookupCNAME does not return an error if host does not
+ // contain DNS "CNAME" records, as long as host resolves to
+ // address records.
+-func (r *Resolver) LookupCNAME(ctx context.Context, host string) (cname string, err error) {
+- return r.lookupCNAME(ctx, host)
++//
++// The returned canonical name is validated to be a properly
++// formatted presentation-format domain name.
++func (r *Resolver) LookupCNAME(ctx context.Context, host string) (string, error) {
++ cname, err := r.lookupCNAME(ctx, host)
++ if err != nil {
++ return "", err
++ }
++ if !isDomainName(cname) {
++ return "", &DNSError{Err: "CNAME target is invalid", Name: host}
++ }
++ return cname, nil
+ }
+
+ // LookupSRV tries to resolve an SRV query of the given service,
+@@ -416,8 +429,11 @@ func (r *Resolver) LookupCNAME(ctx context.Context, host string) (cname string,
+ // That is, it looks up _service._proto.name. To accommodate services
+ // publishing SRV records under non-standard names, if both service
+ // and proto are empty strings, LookupSRV looks up name directly.
++//
++// The returned service names are validated to be properly
++// formatted presentation-format domain names.
+ func LookupSRV(service, proto, name string) (cname string, addrs []*SRV, err error) {
+- return DefaultResolver.lookupSRV(context.Background(), service, proto, name)
++ return DefaultResolver.LookupSRV(context.Background(), service, proto, name)
+ }
+
+ // LookupSRV tries to resolve an SRV query of the given service,
+@@ -429,28 +445,82 @@ func LookupSRV(service, proto, name string) (cname string, addrs []*SRV, err err
+ // That is, it looks up _service._proto.name. To accommodate services
+ // publishing SRV records under non-standard names, if both service
+ // and proto are empty strings, LookupSRV looks up name directly.
+-func (r *Resolver) LookupSRV(ctx context.Context, service, proto, name string) (cname string, addrs []*SRV, err error) {
+- return r.lookupSRV(ctx, service, proto, name)
++//
++// The returned service names are validated to be properly
++// formatted presentation-format domain names.
++func (r *Resolver) LookupSRV(ctx context.Context, service, proto, name string) (string, []*SRV, error) {
++ cname, addrs, err := r.lookupSRV(ctx, service, proto, name)
++ if err != nil {
++ return "", nil, err
++ }
++ if cname != "" && !isDomainName(cname) {
++ return "", nil, &DNSError{Err: "SRV header name is invalid", Name: name}
++ }
++ for _, addr := range addrs {
++ if addr == nil {
++ continue
++ }
++ if !isDomainName(addr.Target) {
++ return "", nil, &DNSError{Err: "SRV target is invalid", Name: name}
++ }
++ }
++ return cname, addrs, nil
+ }
+
+ // LookupMX returns the DNS MX records for the given domain name sorted by preference.
++//
++// The returned mail server names are validated to be properly
++// formatted presentation-format domain names.
+ func LookupMX(name string) ([]*MX, error) {
+- return DefaultResolver.lookupMX(context.Background(), name)
++ return DefaultResolver.LookupMX(context.Background(), name)
+ }
+
+ // LookupMX returns the DNS MX records for the given domain name sorted by preference.
++//
++// The returned mail server names are validated to be properly
++// formatted presentation-format domain names.
+ func (r *Resolver) LookupMX(ctx context.Context, name string) ([]*MX, error) {
+- return r.lookupMX(ctx, name)
++ records, err := r.lookupMX(ctx, name)
++ if err != nil {
++ return nil, err
++ }
++ for _, mx := range records {
++ if mx == nil {
++ continue
++ }
++ if !isDomainName(mx.Host) {
++ return nil, &DNSError{Err: "MX target is invalid", Name: name}
++ }
++ }
++ return records, nil
+ }
+
+ // LookupNS returns the DNS NS records for the given domain name.
++//
++// The returned name server names are validated to be properly
++// formatted presentation-format domain names.
+ func LookupNS(name string) ([]*NS, error) {
+- return DefaultResolver.lookupNS(context.Background(), name)
++ return DefaultResolver.LookupNS(context.Background(), name)
+ }
+
+ // LookupNS returns the DNS NS records for the given domain name.
++//
++// The returned name server names are validated to be properly
++// formatted presentation-format domain names.
+ func (r *Resolver) LookupNS(ctx context.Context, name string) ([]*NS, error) {
+- return r.lookupNS(ctx, name)
++ records, err := r.lookupNS(ctx, name)
++ if err != nil {
++ return nil, err
++ }
++ for _, ns := range records {
++ if ns == nil {
++ continue
++ }
++ if !isDomainName(ns.Host) {
++ return nil, &DNSError{Err: "NS target is invalid", Name: name}
++ }
++ }
++ return records, nil
+ }
+
+ // LookupTXT returns the DNS TXT records for the given domain name.
+@@ -466,14 +536,29 @@ func (r *Resolver) LookupTXT(ctx context.Context, name string) ([]string, error)
+ // LookupAddr performs a reverse lookup for the given address, returning a list
+ // of names mapping to that address.
+ //
++// The returned names are validated to be properly formatted presentation-format
++// domain names.
++//
+ // When using the host C library resolver, at most one result will be
+ // returned. To bypass the host resolver, use a custom Resolver.
+ func LookupAddr(addr string) (names []string, err error) {
+- return DefaultResolver.lookupAddr(context.Background(), addr)
++ return DefaultResolver.LookupAddr(context.Background(), addr)
+ }
+
+ // LookupAddr performs a reverse lookup for the given address, returning a list
+ // of names mapping to that address.
+-func (r *Resolver) LookupAddr(ctx context.Context, addr string) (names []string, err error) {
+- return r.lookupAddr(ctx, addr)
++//
++// The returned names are validated to be properly formatted presentation-format
++// domain names.
++func (r *Resolver) LookupAddr(ctx context.Context, addr string) ([]string, error) {
++ names, err := r.lookupAddr(ctx, addr)
++ if err != nil {
++ return nil, err
++ }
++ for _, name := range names {
++ if !isDomainName(name) {
++ return nil, &DNSError{Err: "PTR target is invalid", Name: addr}
++ }
++ }
++ return names, nil
+ }
diff -Nru golang-1.15-1.15.9/debian/patches/0010-CVE-2021-33195-2.patch golang-1.15-1.15.9/debian/patches/0010-CVE-2021-33195-2.patch
--- golang-1.15-1.15.9/debian/patches/0010-CVE-2021-33195-2.patch 1970-01-01 08:00:00.000000000 +0800
+++ golang-1.15-1.15.9/debian/patches/0010-CVE-2021-33195-2.patch 2021-06-05 19:36:34.000000000 +0800
@@ -0,0 +1,111 @@
+From 6b411e90d4d017f28c1cc7d442b5ec8c1f9de549 Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <roland@golang.org>
+Date: Wed, 2 Jun 2021 09:20:22 -0700
+Subject: [PATCH] [release-branch.go1.15] net: don't rely on system hosts in
+ TestCVE202133195
+
+Also don't unnecessarily deref the error return.
+
+Updates #46504
+Fixes #46531
+
+Change-Id: I22d14ac76776f8988fa0774bdcb5fcd801ce0185
+Reviewed-on: https://go-review.googlesource.com/c/go/+/324190
+Trust: David Chase <drchase@google.com>
+Trust: Damien Neil <dneil@google.com>
+Run-TryBot: David Chase <drchase@google.com>
+TryBot-Result: Go Bot <gobot@golang.org>
+Reviewed-by: Damien Neil <dneil@google.com>
+(cherry picked from commit dd7ba3ba2c860c40be6d70b63d4a678449cae80f)
+Reviewed-on: https://go-review.googlesource.com/c/go/+/324333
+Reviewed-by: Ian Lance Taylor <iant@golang.org>
+---
+ src/net/dnsclient_unix_test.go | 39 +++++++++++++++++-----------------
+ 1 file changed, 20 insertions(+), 19 deletions(-)
+
+diff --git a/src/net/dnsclient_unix_test.go b/src/net/dnsclient_unix_test.go
+index 819f20b887ae6..f646629912a3d 100644
+--- a/src/net/dnsclient_unix_test.go
++++ b/src/net/dnsclient_unix_test.go
+@@ -1898,61 +1898,62 @@ func TestCVE202133195(t *testing.T) {
+ // Change the default resolver to match our manipulated resolver
+ originalDefault := DefaultResolver
+ DefaultResolver = &r
+- defer func() {
+- DefaultResolver = originalDefault
+- }()
++ defer func() { DefaultResolver = originalDefault }()
++ // Redirect host file lookups.
++ defer func(orig string) { testHookHostsPath = orig }(testHookHostsPath)
++ testHookHostsPath = "testdata/hosts"
+
+ _, err := r.LookupCNAME(context.Background(), "golang.org")
+ if expected := "lookup golang.org: CNAME target is invalid"; err == nil || err.Error() != expected {
+- t.Errorf("Resolver.LookupCNAME returned unexpected error, got %q, want %q", err.Error(), expected)
++ t.Errorf("Resolver.LookupCNAME returned unexpected error, got %q, want %q", err, expected)
+ }
+ _, err = LookupCNAME("golang.org")
+ if expected := "lookup golang.org: CNAME target is invalid"; err == nil || err.Error() != expected {
+- t.Errorf("LookupCNAME returned unexpected error, got %q, want %q", err.Error(), expected)
++ t.Errorf("LookupCNAME returned unexpected error, got %q, want %q", err, expected)
+ }
+
+ _, _, err = r.LookupSRV(context.Background(), "target", "tcp", "golang.org")
+ if expected := "lookup golang.org: SRV target is invalid"; err == nil || err.Error() != expected {
+- t.Errorf("Resolver.LookupSRV returned unexpected error, got %q, want %q", err.Error(), expected)
++ t.Errorf("Resolver.LookupSRV returned unexpected error, got %q, want %q", err, expected)
+ }
+ _, _, err = LookupSRV("target", "tcp", "golang.org")
+ if expected := "lookup golang.org: SRV target is invalid"; err == nil || err.Error() != expected {
+- t.Errorf("LookupSRV returned unexpected error, got %q, want %q", err.Error(), expected)
++ t.Errorf("LookupSRV returned unexpected error, got %q, want %q", err, expected)
+ }
+
+ _, _, err = r.LookupSRV(context.Background(), "hdr", "tcp", "golang.org")
+ if expected := "lookup golang.org: SRV header name is invalid"; err == nil || err.Error() != expected {
+- t.Errorf("Resolver.LookupSRV returned unexpected error, got %q, want %q", err.Error(), expected)
++ t.Errorf("Resolver.LookupSRV returned unexpected error, got %q, want %q", err, expected)
+ }
+ _, _, err = LookupSRV("hdr", "tcp", "golang.org")
+ if expected := "lookup golang.org: SRV header name is invalid"; err == nil || err.Error() != expected {
+- t.Errorf("LookupSRV returned unexpected error, got %q, want %q", err.Error(), expected)
++ t.Errorf("LookupSRV returned unexpected error, got %q, want %q", err, expected)
+ }
+
+ _, err = r.LookupMX(context.Background(), "golang.org")
+ if expected := "lookup golang.org: MX target is invalid"; err == nil || err.Error() != expected {
+- t.Errorf("Resolver.LookupMX returned unexpected error, got %q, want %q", err.Error(), expected)
++ t.Errorf("Resolver.LookupMX returned unexpected error, got %q, want %q", err, expected)
+ }
+ _, err = LookupMX("golang.org")
+ if expected := "lookup golang.org: MX target is invalid"; err == nil || err.Error() != expected {
+- t.Errorf("LookupMX returned unexpected error, got %q, want %q", err.Error(), expected)
++ t.Errorf("LookupMX returned unexpected error, got %q, want %q", err, expected)
+ }
+
+ _, err = r.LookupNS(context.Background(), "golang.org")
+ if expected := "lookup golang.org: NS target is invalid"; err == nil || err.Error() != expected {
+- t.Errorf("Resolver.LookupNS returned unexpected error, got %q, want %q", err.Error(), expected)
++ t.Errorf("Resolver.LookupNS returned unexpected error, got %q, want %q", err, expected)
+ }
+ _, err = LookupNS("golang.org")
+ if expected := "lookup golang.org: NS target is invalid"; err == nil || err.Error() != expected {
+- t.Errorf("LookupNS returned unexpected error, got %q, want %q", err.Error(), expected)
++ t.Errorf("LookupNS returned unexpected error, got %q, want %q", err, expected)
+ }
+
+- _, err = r.LookupAddr(context.Background(), "1.2.3.4")
+- if expected := "lookup 1.2.3.4: PTR target is invalid"; err == nil || err.Error() != expected {
+- t.Errorf("Resolver.LookupAddr returned unexpected error, got %q, want %q", err.Error(), expected)
++ _, err = r.LookupAddr(context.Background(), "192.0.2.42")
++ if expected := "lookup 192.0.2.42: PTR target is invalid"; err == nil || err.Error() != expected {
++ t.Errorf("Resolver.LookupAddr returned unexpected error, got %q, want %q", err, expected)
+ }
+- _, err = LookupAddr("1.2.3.4")
+- if expected := "lookup 1.2.3.4: PTR target is invalid"; err == nil || err.Error() != expected {
+- t.Errorf("LookupAddr returned unexpected error, got %q, want %q", err.Error(), expected)
++ _, err = LookupAddr("192.0.2.42")
++ if expected := "lookup 192.0.2.42: PTR target is invalid"; err == nil || err.Error() != expected {
++ t.Errorf("LookupAddr returned unexpected error, got %q, want %q", err, expected)
+ }
+ }
diff -Nru golang-1.15-1.15.9/debian/patches/0011-CVE-2021-33197.patch golang-1.15-1.15.9/debian/patches/0011-CVE-2021-33197.patch
--- golang-1.15-1.15.9/debian/patches/0011-CVE-2021-33197.patch 1970-01-01 08:00:00.000000000 +0800
+++ golang-1.15-1.15.9/debian/patches/0011-CVE-2021-33197.patch 2021-06-05 19:36:34.000000000 +0800
@@ -0,0 +1,147 @@
+From cbd1ca84453fecf3825a6bb9f985823e8bc32b76 Mon Sep 17 00:00:00 2001
+From: Filippo Valsorda <filippo@golang.org>
+Date: Fri, 21 May 2021 14:02:30 -0400
+Subject: [PATCH] [release-branch.go1.15] net/http/httputil: always remove
+ hop-by-hop headers
+
+Previously, we'd fail to remove the Connection header from a request
+like this:
+
+ Connection:
+ Connection: x-header
+
+Updates #46313
+Fixes #46314
+Fixes CVE-2021-33197
+
+Change-Id: Ie3009e926ceecfa86dfa6bcc6fe14ff01086be7d
+Reviewed-on: https://go-review.googlesource.com/c/go/+/321929
+Run-TryBot: Filippo Valsorda <filippo@golang.org>
+Reviewed-by: Katie Hockman <katie@golang.org>
+Trust: Katie Hockman <katie@golang.org>
+Trust: Filippo Valsorda <filippo@golang.org>
+TryBot-Result: Go Bot <gobot@golang.org>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/323091
+Run-TryBot: Katie Hockman <katie@golang.org>
+---
+ src/net/http/httputil/reverseproxy.go | 22 ++++----
+ src/net/http/httputil/reverseproxy_test.go | 63 +++++++++++++++++++++-
+ 2 files changed, 70 insertions(+), 15 deletions(-)
+
+diff --git a/src/net/http/httputil/reverseproxy.go b/src/net/http/httputil/reverseproxy.go
+index 3f48fab544e91..f49cefbb4f171 100644
+--- a/src/net/http/httputil/reverseproxy.go
++++ b/src/net/http/httputil/reverseproxy.go
+@@ -248,22 +248,18 @@ func (p *ReverseProxy) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
+ // important is "Connection" because we want a persistent
+ // connection, regardless of what the client sent to us.
+ for _, h := range hopHeaders {
+- hv := outreq.Header.Get(h)
+- if hv == "" {
+- continue
+- }
+- if h == "Te" && hv == "trailers" {
+- // Issue 21096: tell backend applications that
+- // care about trailer support that we support
+- // trailers. (We do, but we don't go out of
+- // our way to advertise that unless the
+- // incoming client request thought it was
+- // worth mentioning)
+- continue
+- }
+ outreq.Header.Del(h)
+ }
+
++ // Issue 21096: tell backend applications that care about trailer support
++ // that we support trailers. (We do, but we don't go out of our way to
++ // advertise that unless the incoming client request thought it was worth
++ // mentioning.) Note that we look at req.Header, not outreq.Header, since
++ // the latter has passed through removeConnectionHeaders.
++ if httpguts.HeaderValuesContainsToken(req.Header["Te"], "trailers") {
++ outreq.Header.Set("Te", "trailers")
++ }
++
+ // After stripping all the hop-by-hop connection headers above, add back any
+ // necessary for protocol upgrades, such as for websockets.
+ if reqUpType != "" {
+diff --git a/src/net/http/httputil/reverseproxy_test.go b/src/net/http/httputil/reverseproxy_test.go
+index 764939fb0f0c2..1f2dfb9867f68 100644
+--- a/src/net/http/httputil/reverseproxy_test.go
++++ b/src/net/http/httputil/reverseproxy_test.go
+@@ -91,8 +91,9 @@ func TestReverseProxy(t *testing.T) {
+
+ getReq, _ := http.NewRequest("GET", frontend.URL, nil)
+ getReq.Host = "some-name"
+- getReq.Header.Set("Connection", "close")
+- getReq.Header.Set("Te", "trailers")
++ getReq.Header.Set("Connection", "close, TE")
++ getReq.Header.Add("Te", "foo")
++ getReq.Header.Add("Te", "bar, trailers")
+ getReq.Header.Set("Proxy-Connection", "should be deleted")
+ getReq.Header.Set("Upgrade", "foo")
+ getReq.Close = true
+@@ -236,6 +237,64 @@ func TestReverseProxyStripHeadersPresentInConnection(t *testing.T) {
+ }
+ }
+
++func TestReverseProxyStripEmptyConnection(t *testing.T) {
++ // See Issue 46313.
++ const backendResponse = "I am the backend"
++
++ // someConnHeader is some arbitrary header to be declared as a hop-by-hop header
++ // in the Request's Connection header.
++ const someConnHeader = "X-Some-Conn-Header"
++
++ backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
++ if c := r.Header.Values("Connection"); len(c) != 0 {
++ t.Errorf("handler got header %q = %v; want empty", "Connection", c)
++ }
++ if c := r.Header.Get(someConnHeader); c != "" {
++ t.Errorf("handler got header %q = %q; want empty", someConnHeader, c)
++ }
++ w.Header().Add("Connection", "")
++ w.Header().Add("Connection", someConnHeader)
++ w.Header().Set(someConnHeader, "should be deleted")
++ io.WriteString(w, backendResponse)
++ }))
++ defer backend.Close()
++ backendURL, err := url.Parse(backend.URL)
++ if err != nil {
++ t.Fatal(err)
++ }
++ proxyHandler := NewSingleHostReverseProxy(backendURL)
++ frontend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
++ proxyHandler.ServeHTTP(w, r)
++ if c := r.Header.Get(someConnHeader); c != "should be deleted" {
++ t.Errorf("handler modified header %q = %q; want %q", someConnHeader, c, "should be deleted")
++ }
++ }))
++ defer frontend.Close()
++
++ getReq, _ := http.NewRequest("GET", frontend.URL, nil)
++ getReq.Header.Add("Connection", "")
++ getReq.Header.Add("Connection", someConnHeader)
++ getReq.Header.Set(someConnHeader, "should be deleted")
++ res, err := frontend.Client().Do(getReq)
++ if err != nil {
++ t.Fatalf("Get: %v", err)
++ }
++ defer res.Body.Close()
++ bodyBytes, err := ioutil.ReadAll(res.Body)
++ if err != nil {
++ t.Fatalf("reading body: %v", err)
++ }
++ if got, want := string(bodyBytes), backendResponse; got != want {
++ t.Errorf("got body %q; want %q", got, want)
++ }
++ if c := res.Header.Get("Connection"); c != "" {
++ t.Errorf("handler got header %q = %q; want empty", "Connection", c)
++ }
++ if c := res.Header.Get(someConnHeader); c != "" {
++ t.Errorf("handler got header %q = %q; want empty", someConnHeader, c)
++ }
++}
++
+ func TestXForwardedFor(t *testing.T) {
+ const prevForwardedFor = "client ip"
+ const backendResponse = "I am the backend"
diff -Nru golang-1.15-1.15.9/debian/patches/0012-CVE-2021-33198.patch golang-1.15-1.15.9/debian/patches/0012-CVE-2021-33198.patch
--- golang-1.15-1.15.9/debian/patches/0012-CVE-2021-33198.patch 1970-01-01 08:00:00.000000000 +0800
+++ golang-1.15-1.15.9/debian/patches/0012-CVE-2021-33198.patch 2021-06-05 19:36:34.000000000 +0800
@@ -0,0 +1,107 @@
+From df9ce19db6df32d94eae8760927bdfbc595433c3 Mon Sep 17 00:00:00 2001
+From: Robert Griesemer <gri@golang.org>
+Date: Sun, 2 May 2021 11:27:03 -0700
+Subject: [PATCH] [release-branch.go1.15] math/big: check for excessive
+ exponents in Rat.SetString
+
+Found by OSS-Fuzz https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33284
+
+Thanks to Emmanuel Odeke for reporting this issue.
+
+Updates #45910
+Fixes #46305
+Fixes CVE-2021-33198
+
+Change-Id: I61e7b04dbd80343420b57eede439e361c0f7b79c
+Reviewed-on: https://go-review.googlesource.com/c/go/+/316149
+Trust: Robert Griesemer <gri@golang.org>
+Trust: Katie Hockman <katie@golang.org>
+Run-TryBot: Robert Griesemer <gri@golang.org>
+TryBot-Result: Go Bot <gobot@golang.org>
+Reviewed-by: Katie Hockman <katie@golang.org>
+Reviewed-by: Emmanuel Odeke <emmanuel@orijtech.com>
+(cherry picked from commit 6c591f79b0b5327549bd4e94970f7a279efb4ab0)
+Reviewed-on: https://go-review.googlesource.com/c/go/+/321831
+Run-TryBot: Katie Hockman <katie@golang.org>
+Reviewed-by: Roland Shoemaker <roland@golang.org>
+---
+ src/math/big/ratconv.go | 15 ++++++++-------
+ src/math/big/ratconv_test.go | 25 +++++++++++++++++++++++++
+ 2 files changed, 33 insertions(+), 7 deletions(-)
+
+diff --git a/src/math/big/ratconv.go b/src/math/big/ratconv.go
+index 941139e72d1c4..ac3c8bd11f8a8 100644
+--- a/src/math/big/ratconv.go
++++ b/src/math/big/ratconv.go
+@@ -51,7 +51,8 @@ func (z *Rat) Scan(s fmt.ScanState, ch rune) error {
+ // An optional base-10 ``e'' or base-2 ``p'' (or their upper-case variants)
+ // exponent may be provided as well, except for hexadecimal floats which
+ // only accept an (optional) ``p'' exponent (because an ``e'' or ``E'' cannot
+-// be distinguished from a mantissa digit).
++// be distinguished from a mantissa digit). If the exponent's absolute value
++// is too large, the operation may fail.
+ // The entire string, not just a prefix, must be valid for success. If the
+ // operation failed, the value of z is undefined but the returned value is nil.
+ func (z *Rat) SetString(s string) (*Rat, bool) {
+@@ -169,6 +170,9 @@ func (z *Rat) SetString(s string) (*Rat, bool) {
+ if n < 0 {
+ n = -n
+ }
++ if n > 1e6 {
++ return nil, false // avoid excessively large exponents
++ }
+ pow5 := z.b.abs.expNN(natFive, nat(nil).setWord(Word(n)), nil) // use underlying array of z.b.abs
+ if exp5 > 0 {
+ z.a.abs = z.a.abs.mul(z.a.abs, pow5)
+@@ -181,15 +185,12 @@ func (z *Rat) SetString(s string) (*Rat, bool) {
+ }
+
+ // apply exp2 contributions
++ if exp2 < -1e7 || exp2 > 1e7 {
++ return nil, false // avoid excessively large exponents
++ }
+ if exp2 > 0 {
+- if int64(uint(exp2)) != exp2 {
+- panic("exponent too large")
+- }
+ z.a.abs = z.a.abs.shl(z.a.abs, uint(exp2))
+ } else if exp2 < 0 {
+- if int64(uint(-exp2)) != -exp2 {
+- panic("exponent too large")
+- }
+ z.b.abs = z.b.abs.shl(z.b.abs, uint(-exp2))
+ }
+
+diff --git a/src/math/big/ratconv_test.go b/src/math/big/ratconv_test.go
+index ba0d1ba9e1158..15d206cb386ab 100644
+--- a/src/math/big/ratconv_test.go
++++ b/src/math/big/ratconv_test.go
+@@ -589,3 +589,28 @@ func TestIssue31184(t *testing.T) {
+ }
+ }
+ }
++
++func TestIssue45910(t *testing.T) {
++ var x Rat
++ for _, test := range []struct {
++ input string
++ want bool
++ }{
++ {"1e-1000001", false},
++ {"1e-1000000", true},
++ {"1e+1000000", true},
++ {"1e+1000001", false},
++
++ {"0p1000000000000", true},
++ {"1p-10000001", false},
++ {"1p-10000000", true},
++ {"1p+10000000", true},
++ {"1p+10000001", false},
++ {"1.770p02041010010011001001", false}, // test case from issue
++ } {
++ _, got := x.SetString(test.input)
++ if got != test.want {
++ t.Errorf("SetString(%s) got ok = %v; want %v", test.input, got, test.want)
++ }
++ }
++}
diff -Nru golang-1.15-1.15.9/debian/patches/series golang-1.15-1.15.9/debian/patches/series
--- golang-1.15-1.15.9/debian/patches/series 2021-06-02 10:56:03.000000000 +0800
+++ golang-1.15-1.15.9/debian/patches/series 2021-06-05 19:36:34.000000000 +0800
@@ -6,3 +6,7 @@
0006-skip-userns-test-in-schroot-as-well.patch
0007-CVE-2021-31525.patch
0008-CVE-2021-33196.patch
+0009-CVE-2021-33195-1.patch
+0010-CVE-2021-33195-2.patch
+0011-CVE-2021-33197.patch
+0012-CVE-2021-33198.patch
Reply to: