Bug#989498: marked as done (unblock: golang-1.15/1.15.9-5)

["Debian Bug Tracking System" <owner@bugs.debian.org>]

Your message dated Thu, 17 Jun 2021 10:18:35 +0200
with message-id <c10784a7-bdef-15ee-6a43-548eb9af1d89@debian.org>
and subject line Re: Bug#989498: unblock: golang-1.15/1.15.9-5
has caused the Debian Bug report #989498,
regarding unblock: golang-1.15/1.15.9-5
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
989498: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989498
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: unblock: golang-1.15/1.15.9-5
• From: Shengjing Zhu <zhsj@debian.org>
• Date: Sat, 5 Jun 2021 19:57:44 +0800
• Message-id: <YLtmuLP+i0kP/U16@local.zhsj.me>

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: zhsj@debian.org

Please unblock package golang-1.15

[ Reason ]

Backport patches for CVE-2021-33195 CVE-2021-33197 CVE-2021-33198

[ Impact ]
Security issue.

[ Tests ]
Unit tests provided by upstream.

[ Risks ]
+ Key package

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]

unblock golang-1.15/1.15.9-5


diff -Nru golang-1.15-1.15.9/debian/changelog golang-1.15-1.15.9/debian/changelog
--- golang-1.15-1.15.9/debian/changelog	2021-06-02 10:56:03.000000000 +0800
+++ golang-1.15-1.15.9/debian/changelog	2021-06-05 19:36:34.000000000 +0800
@@ -1,3 +1,15 @@
+golang-1.15 (1.15.9-5) unstable; urgency=medium
+
+  * Team upload.
+  * Backport patches for CVE-2021-33195 CVE-2021-33197 CVE-2021-33198
+    + CVE-2021-33195: net: Lookup functions may return invalid host names
+    + CVE-2021-33197: net/http/httputil: ReverseProxy forwards Connection
+      headers if first one is empty
+    + CVE-2021-33198: math/big: (*Rat).SetString with "1.770p02041010010011001001"
+      crashes with "makeslice: len out of range"
+
+ -- Shengjing Zhu <zhsj@debian.org>  Sat, 05 Jun 2021 19:36:34 +0800
+
 golang-1.15 (1.15.9-4) unstable; urgency=medium
 
   * Team upload.
diff -Nru golang-1.15-1.15.9/debian/patches/0009-CVE-2021-33195-1.patch golang-1.15-1.15.9/debian/patches/0009-CVE-2021-33195-1.patch
--- golang-1.15-1.15.9/debian/patches/0009-CVE-2021-33195-1.patch	1970-01-01 08:00:00.000000000 +0800
+++ golang-1.15-1.15.9/debian/patches/0009-CVE-2021-33195-1.patch	2021-06-05 19:36:34.000000000 +0800
@@ -0,0 +1,369 @@
+From 31d60cda1f58b7558fc5725d2b9e4531655d980e Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <roland@golang.org>
+Date: Thu, 27 May 2021 10:40:06 -0700
+Subject: [PATCH] [release-branch.go1.15] net: verify results from Lookup* are
+ valid domain names
+
+For the methods LookupCNAME, LookupSRV, LookupMX, LookupNS, and
+LookupAddr check that the returned domain names are in fact valid DNS
+names using the existing isDomainName function.
+
+Thanks to Philipp Jeitner and Haya Shulman from Fraunhofer SIT for
+reporting this issue.
+
+Updates #46241
+Fixes #46356
+Fixes CVE-2021-33195
+
+Change-Id: I47a4f58c031cb752f732e88bbdae7f819f0af4f3
+Reviewed-on: https://go-review.googlesource.com/c/go/+/323131
+Trust: Roland Shoemaker <roland@golang.org>
+Run-TryBot: Roland Shoemaker <roland@golang.org>
+TryBot-Result: Go Bot <gobot@golang.org>
+Reviewed-by: Filippo Valsorda <filippo@golang.org>
+Reviewed-by: Katie Hockman <katie@golang.org>
+(cherry picked from commit cdcd02842da7c004efd023881e3719105209c908)
+Reviewed-on: https://go-review.googlesource.com/c/go/+/323269
+---
+ src/net/dnsclient_unix_test.go | 157 +++++++++++++++++++++++++++++++++
+ src/net/lookup.go              | 111 ++++++++++++++++++++---
+ 2 files changed, 255 insertions(+), 13 deletions(-)
+
+diff --git a/src/net/dnsclient_unix_test.go b/src/net/dnsclient_unix_test.go
+index 06553636eee25..819f20b887ae6 100644
+--- a/src/net/dnsclient_unix_test.go
++++ b/src/net/dnsclient_unix_test.go
+@@ -1799,3 +1799,160 @@ func TestPTRandNonPTR(t *testing.T) {
+ 		t.Errorf("names = %q; want %q", names, want)
+ 	}
+ }
++
++func TestCVE202133195(t *testing.T) {
++	fake := fakeDNSServer{
++		rh: func(n, _ string, q dnsmessage.Message, _ time.Time) (dnsmessage.Message, error) {
++			r := dnsmessage.Message{
++				Header: dnsmessage.Header{
++					ID:                 q.Header.ID,
++					Response:           true,
++					RCode:              dnsmessage.RCodeSuccess,
++					RecursionAvailable: true,
++				},
++				Questions: q.Questions,
++			}
++			switch q.Questions[0].Type {
++			case dnsmessage.TypeCNAME:
++				r.Answers = []dnsmessage.Resource{}
++			case dnsmessage.TypeA: // CNAME lookup uses a A/AAAA as a proxy
++				r.Answers = append(r.Answers,
++					dnsmessage.Resource{
++						Header: dnsmessage.ResourceHeader{
++							Name:   dnsmessage.MustNewName("<html>.golang.org."),
++							Type:   dnsmessage.TypeA,
++							Class:  dnsmessage.ClassINET,
++							Length: 4,
++						},
++						Body: &dnsmessage.AResource{
++							A: TestAddr,
++						},
++					},
++				)
++			case dnsmessage.TypeSRV:
++				n := q.Questions[0].Name
++				if n.String() == "_hdr._tcp.golang.org." {
++					n = dnsmessage.MustNewName("<html>.golang.org.")
++				}
++				r.Answers = append(r.Answers,
++					dnsmessage.Resource{
++						Header: dnsmessage.ResourceHeader{
++							Name:   n,
++							Type:   dnsmessage.TypeSRV,
++							Class:  dnsmessage.ClassINET,
++							Length: 4,
++						},
++						Body: &dnsmessage.SRVResource{
++							Target: dnsmessage.MustNewName("<html>.golang.org."),
++						},
++					},
++				)
++			case dnsmessage.TypeMX:
++				r.Answers = append(r.Answers,
++					dnsmessage.Resource{
++						Header: dnsmessage.ResourceHeader{
++							Name:   dnsmessage.MustNewName("<html>.golang.org."),
++							Type:   dnsmessage.TypeMX,
++							Class:  dnsmessage.ClassINET,
++							Length: 4,
++						},
++						Body: &dnsmessage.MXResource{
++							MX: dnsmessage.MustNewName("<html>.golang.org."),
++						},
++					},
++				)
++			case dnsmessage.TypeNS:
++				r.Answers = append(r.Answers,
++					dnsmessage.Resource{
++						Header: dnsmessage.ResourceHeader{
++							Name:   dnsmessage.MustNewName("<html>.golang.org."),
++							Type:   dnsmessage.TypeNS,
++							Class:  dnsmessage.ClassINET,
++							Length: 4,
++						},
++						Body: &dnsmessage.NSResource{
++							NS: dnsmessage.MustNewName("<html>.golang.org."),
++						},
++					},
++				)
++			case dnsmessage.TypePTR:
++				r.Answers = append(r.Answers,
++					dnsmessage.Resource{
++						Header: dnsmessage.ResourceHeader{
++							Name:   dnsmessage.MustNewName("<html>.golang.org."),
++							Type:   dnsmessage.TypePTR,
++							Class:  dnsmessage.ClassINET,
++							Length: 4,
++						},
++						Body: &dnsmessage.PTRResource{
++							PTR: dnsmessage.MustNewName("<html>.golang.org."),
++						},
++					},
++				)
++			}
++			return r, nil
++		},
++	}
++
++	r := Resolver{PreferGo: true, Dial: fake.DialContext}
++	// Change the default resolver to match our manipulated resolver
++	originalDefault := DefaultResolver
++	DefaultResolver = &r
++	defer func() {
++		DefaultResolver = originalDefault
++	}()
++
++	_, err := r.LookupCNAME(context.Background(), "golang.org")
++	if expected := "lookup golang.org: CNAME target is invalid"; err == nil || err.Error() != expected {
++		t.Errorf("Resolver.LookupCNAME returned unexpected error, got %q, want %q", err.Error(), expected)
++	}
++	_, err = LookupCNAME("golang.org")
++	if expected := "lookup golang.org: CNAME target is invalid"; err == nil || err.Error() != expected {
++		t.Errorf("LookupCNAME returned unexpected error, got %q, want %q", err.Error(), expected)
++	}
++
++	_, _, err = r.LookupSRV(context.Background(), "target", "tcp", "golang.org")
++	if expected := "lookup golang.org: SRV target is invalid"; err == nil || err.Error() != expected {
++		t.Errorf("Resolver.LookupSRV returned unexpected error, got %q, want %q", err.Error(), expected)
++	}
++	_, _, err = LookupSRV("target", "tcp", "golang.org")
++	if expected := "lookup golang.org: SRV target is invalid"; err == nil || err.Error() != expected {
++		t.Errorf("LookupSRV returned unexpected error, got %q, want %q", err.Error(), expected)
++	}
++
++	_, _, err = r.LookupSRV(context.Background(), "hdr", "tcp", "golang.org")
++	if expected := "lookup golang.org: SRV header name is invalid"; err == nil || err.Error() != expected {
++		t.Errorf("Resolver.LookupSRV returned unexpected error, got %q, want %q", err.Error(), expected)
++	}
++	_, _, err = LookupSRV("hdr", "tcp", "golang.org")
++	if expected := "lookup golang.org: SRV header name is invalid"; err == nil || err.Error() != expected {
++		t.Errorf("LookupSRV returned unexpected error, got %q, want %q", err.Error(), expected)
++	}
++
++	_, err = r.LookupMX(context.Background(), "golang.org")
++	if expected := "lookup golang.org: MX target is invalid"; err == nil || err.Error() != expected {
++		t.Errorf("Resolver.LookupMX returned unexpected error, got %q, want %q", err.Error(), expected)
++	}
++	_, err = LookupMX("golang.org")
++	if expected := "lookup golang.org: MX target is invalid"; err == nil || err.Error() != expected {
++		t.Errorf("LookupMX returned unexpected error, got %q, want %q", err.Error(), expected)
++	}
++
++	_, err = r.LookupNS(context.Background(), "golang.org")
++	if expected := "lookup golang.org: NS target is invalid"; err == nil || err.Error() != expected {
++		t.Errorf("Resolver.LookupNS returned unexpected error, got %q, want %q", err.Error(), expected)
++	}
++	_, err = LookupNS("golang.org")
++	if expected := "lookup golang.org: NS target is invalid"; err == nil || err.Error() != expected {
++		t.Errorf("LookupNS returned unexpected error, got %q, want %q", err.Error(), expected)
++	}
++
++	_, err = r.LookupAddr(context.Background(), "1.2.3.4")
++	if expected := "lookup 1.2.3.4: PTR target is invalid"; err == nil || err.Error() != expected {
++		t.Errorf("Resolver.LookupAddr returned unexpected error, got %q, want %q", err.Error(), expected)
++	}
++	_, err = LookupAddr("1.2.3.4")
++	if expected := "lookup 1.2.3.4: PTR target is invalid"; err == nil || err.Error() != expected {
++		t.Errorf("LookupAddr returned unexpected error, got %q, want %q", err.Error(), expected)
++	}
++}
+diff --git a/src/net/lookup.go b/src/net/lookup.go
+index 5f7119872a48d..0660268249bc7 100644
+--- a/src/net/lookup.go
++++ b/src/net/lookup.go
+@@ -389,8 +389,11 @@ func (r *Resolver) LookupPort(ctx context.Context, network, service string) (por
+ // LookupCNAME does not return an error if host does not
+ // contain DNS "CNAME" records, as long as host resolves to
+ // address records.
++//
++// The returned canonical name is validated to be a properly
++// formatted presentation-format domain name.
+ func LookupCNAME(host string) (cname string, err error) {
+-	return DefaultResolver.lookupCNAME(context.Background(), host)
++	return DefaultResolver.LookupCNAME(context.Background(), host)
+ }
+ 
+ // LookupCNAME returns the canonical name for the given host.
+@@ -403,8 +406,18 @@ func LookupCNAME(host string) (cname string, err error) {
+ // LookupCNAME does not return an error if host does not
+ // contain DNS "CNAME" records, as long as host resolves to
+ // address records.
+-func (r *Resolver) LookupCNAME(ctx context.Context, host string) (cname string, err error) {
+-	return r.lookupCNAME(ctx, host)
++//
++// The returned canonical name is validated to be a properly
++// formatted presentation-format domain name.
++func (r *Resolver) LookupCNAME(ctx context.Context, host string) (string, error) {
++	cname, err := r.lookupCNAME(ctx, host)
++	if err != nil {
++		return "", err
++	}
++	if !isDomainName(cname) {
++		return "", &DNSError{Err: "CNAME target is invalid", Name: host}
++	}
++	return cname, nil
+ }
+ 
+ // LookupSRV tries to resolve an SRV query of the given service,
+@@ -416,8 +429,11 @@ func (r *Resolver) LookupCNAME(ctx context.Context, host string) (cname string,
+ // That is, it looks up _service._proto.name. To accommodate services
+ // publishing SRV records under non-standard names, if both service
+ // and proto are empty strings, LookupSRV looks up name directly.
++//
++// The returned service names are validated to be properly
++// formatted presentation-format domain names.
+ func LookupSRV(service, proto, name string) (cname string, addrs []*SRV, err error) {
+-	return DefaultResolver.lookupSRV(context.Background(), service, proto, name)
++	return DefaultResolver.LookupSRV(context.Background(), service, proto, name)
+ }
+ 
+ // LookupSRV tries to resolve an SRV query of the given service,
+@@ -429,28 +445,82 @@ func LookupSRV(service, proto, name string) (cname string, addrs []*SRV, err err
+ // That is, it looks up _service._proto.name. To accommodate services
+ // publishing SRV records under non-standard names, if both service
+ // and proto are empty strings, LookupSRV looks up name directly.
+-func (r *Resolver) LookupSRV(ctx context.Context, service, proto, name string) (cname string, addrs []*SRV, err error) {
+-	return r.lookupSRV(ctx, service, proto, name)
++//
++// The returned service names are validated to be properly
++// formatted presentation-format domain names.
++func (r *Resolver) LookupSRV(ctx context.Context, service, proto, name string) (string, []*SRV, error) {
++	cname, addrs, err := r.lookupSRV(ctx, service, proto, name)
++	if err != nil {
++		return "", nil, err
++	}
++	if cname != "" && !isDomainName(cname) {
++		return "", nil, &DNSError{Err: "SRV header name is invalid", Name: name}
++	}
++	for _, addr := range addrs {
++		if addr == nil {
++			continue
++		}
++		if !isDomainName(addr.Target) {
++			return "", nil, &DNSError{Err: "SRV target is invalid", Name: name}
++		}
++	}
++	return cname, addrs, nil
+ }
+ 
+ // LookupMX returns the DNS MX records for the given domain name sorted by preference.
++//
++// The returned mail server names are validated to be properly
++// formatted presentation-format domain names.
+ func LookupMX(name string) ([]*MX, error) {
+-	return DefaultResolver.lookupMX(context.Background(), name)
++	return DefaultResolver.LookupMX(context.Background(), name)
+ }
+ 
+ // LookupMX returns the DNS MX records for the given domain name sorted by preference.
++//
++// The returned mail server names are validated to be properly
++// formatted presentation-format domain names.
+ func (r *Resolver) LookupMX(ctx context.Context, name string) ([]*MX, error) {
+-	return r.lookupMX(ctx, name)
++	records, err := r.lookupMX(ctx, name)
++	if err != nil {
++		return nil, err
++	}
++	for _, mx := range records {
++		if mx == nil {
++			continue
++		}
++		if !isDomainName(mx.Host) {
++			return nil, &DNSError{Err: "MX target is invalid", Name: name}
++		}
++	}
++	return records, nil
+ }
+ 
+ // LookupNS returns the DNS NS records for the given domain name.
++//
++// The returned name server names are validated to be properly
++// formatted presentation-format domain names.
+ func LookupNS(name string) ([]*NS, error) {
+-	return DefaultResolver.lookupNS(context.Background(), name)
++	return DefaultResolver.LookupNS(context.Background(), name)
+ }
+ 
+ // LookupNS returns the DNS NS records for the given domain name.
++//
++// The returned name server names are validated to be properly
++// formatted presentation-format domain names.
+ func (r *Resolver) LookupNS(ctx context.Context, name string) ([]*NS, error) {
+-	return r.lookupNS(ctx, name)
++	records, err := r.lookupNS(ctx, name)
++	if err != nil {
++		return nil, err
++	}
++	for _, ns := range records {
++		if ns == nil {
++			continue
++		}
++		if !isDomainName(ns.Host) {
++			return nil, &DNSError{Err: "NS target is invalid", Name: name}
++		}
++	}
++	return records, nil
+ }
+ 
+ // LookupTXT returns the DNS TXT records for the given domain name.
+@@ -466,14 +536,29 @@ func (r *Resolver) LookupTXT(ctx context.Context, name string) ([]string, error)
+ // LookupAddr performs a reverse lookup for the given address, returning a list
+ // of names mapping to that address.
+ //
++// The returned names are validated to be properly formatted presentation-format
++// domain names.
++//
+ // When using the host C library resolver, at most one result will be
+ // returned. To bypass the host resolver, use a custom Resolver.
+ func LookupAddr(addr string) (names []string, err error) {
+-	return DefaultResolver.lookupAddr(context.Background(), addr)
++	return DefaultResolver.LookupAddr(context.Background(), addr)
+ }
+ 
+ // LookupAddr performs a reverse lookup for the given address, returning a list
+ // of names mapping to that address.
+-func (r *Resolver) LookupAddr(ctx context.Context, addr string) (names []string, err error) {
+-	return r.lookupAddr(ctx, addr)
++//
++// The returned names are validated to be properly formatted presentation-format
++// domain names.
++func (r *Resolver) LookupAddr(ctx context.Context, addr string) ([]string, error) {
++	names, err := r.lookupAddr(ctx, addr)
++	if err != nil {
++		return nil, err
++	}
++	for _, name := range names {
++		if !isDomainName(name) {
++			return nil, &DNSError{Err: "PTR target is invalid", Name: addr}
++		}
++	}
++	return names, nil
+ }
diff -Nru golang-1.15-1.15.9/debian/patches/0010-CVE-2021-33195-2.patch golang-1.15-1.15.9/debian/patches/0010-CVE-2021-33195-2.patch
--- golang-1.15-1.15.9/debian/patches/0010-CVE-2021-33195-2.patch	1970-01-01 08:00:00.000000000 +0800
+++ golang-1.15-1.15.9/debian/patches/0010-CVE-2021-33195-2.patch	2021-06-05 19:36:34.000000000 +0800
@@ -0,0 +1,111 @@
+From 6b411e90d4d017f28c1cc7d442b5ec8c1f9de549 Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <roland@golang.org>
+Date: Wed, 2 Jun 2021 09:20:22 -0700
+Subject: [PATCH] [release-branch.go1.15] net: don't rely on system hosts in
+ TestCVE202133195
+
+Also don't unnecessarily deref the error return.
+
+Updates #46504
+Fixes #46531
+
+Change-Id: I22d14ac76776f8988fa0774bdcb5fcd801ce0185
+Reviewed-on: https://go-review.googlesource.com/c/go/+/324190
+Trust: David Chase <drchase@google.com>
+Trust: Damien Neil <dneil@google.com>
+Run-TryBot: David Chase <drchase@google.com>
+TryBot-Result: Go Bot <gobot@golang.org>
+Reviewed-by: Damien Neil <dneil@google.com>
+(cherry picked from commit dd7ba3ba2c860c40be6d70b63d4a678449cae80f)
+Reviewed-on: https://go-review.googlesource.com/c/go/+/324333
+Reviewed-by: Ian Lance Taylor <iant@golang.org>
+---
+ src/net/dnsclient_unix_test.go | 39 +++++++++++++++++-----------------
+ 1 file changed, 20 insertions(+), 19 deletions(-)
+
+diff --git a/src/net/dnsclient_unix_test.go b/src/net/dnsclient_unix_test.go
+index 819f20b887ae6..f646629912a3d 100644
+--- a/src/net/dnsclient_unix_test.go
++++ b/src/net/dnsclient_unix_test.go
+@@ -1898,61 +1898,62 @@ func TestCVE202133195(t *testing.T) {
+ 	// Change the default resolver to match our manipulated resolver
+ 	originalDefault := DefaultResolver
+ 	DefaultResolver = &r
+-	defer func() {
+-		DefaultResolver = originalDefault
+-	}()
++	defer func() { DefaultResolver = originalDefault }()
++	// Redirect host file lookups.
++	defer func(orig string) { testHookHostsPath = orig }(testHookHostsPath)
++	testHookHostsPath = "testdata/hosts"
+ 
+ 	_, err := r.LookupCNAME(context.Background(), "golang.org")
+ 	if expected := "lookup golang.org: CNAME target is invalid"; err == nil || err.Error() != expected {
+-		t.Errorf("Resolver.LookupCNAME returned unexpected error, got %q, want %q", err.Error(), expected)
++		t.Errorf("Resolver.LookupCNAME returned unexpected error, got %q, want %q", err, expected)
+ 	}
+ 	_, err = LookupCNAME("golang.org")
+ 	if expected := "lookup golang.org: CNAME target is invalid"; err == nil || err.Error() != expected {
+-		t.Errorf("LookupCNAME returned unexpected error, got %q, want %q", err.Error(), expected)
++		t.Errorf("LookupCNAME returned unexpected error, got %q, want %q", err, expected)
+ 	}
+ 
+ 	_, _, err = r.LookupSRV(context.Background(), "target", "tcp", "golang.org")
+ 	if expected := "lookup golang.org: SRV target is invalid"; err == nil || err.Error() != expected {
+-		t.Errorf("Resolver.LookupSRV returned unexpected error, got %q, want %q", err.Error(), expected)
++		t.Errorf("Resolver.LookupSRV returned unexpected error, got %q, want %q", err, expected)
+ 	}
+ 	_, _, err = LookupSRV("target", "tcp", "golang.org")
+ 	if expected := "lookup golang.org: SRV target is invalid"; err == nil || err.Error() != expected {
+-		t.Errorf("LookupSRV returned unexpected error, got %q, want %q", err.Error(), expected)
++		t.Errorf("LookupSRV returned unexpected error, got %q, want %q", err, expected)
+ 	}
+ 
+ 	_, _, err = r.LookupSRV(context.Background(), "hdr", "tcp", "golang.org")
+ 	if expected := "lookup golang.org: SRV header name is invalid"; err == nil || err.Error() != expected {
+-		t.Errorf("Resolver.LookupSRV returned unexpected error, got %q, want %q", err.Error(), expected)
++		t.Errorf("Resolver.LookupSRV returned unexpected error, got %q, want %q", err, expected)
+ 	}
+ 	_, _, err = LookupSRV("hdr", "tcp", "golang.org")
+ 	if expected := "lookup golang.org: SRV header name is invalid"; err == nil || err.Error() != expected {
+-		t.Errorf("LookupSRV returned unexpected error, got %q, want %q", err.Error(), expected)
++		t.Errorf("LookupSRV returned unexpected error, got %q, want %q", err, expected)
+ 	}
+ 
+ 	_, err = r.LookupMX(context.Background(), "golang.org")
+ 	if expected := "lookup golang.org: MX target is invalid"; err == nil || err.Error() != expected {
+-		t.Errorf("Resolver.LookupMX returned unexpected error, got %q, want %q", err.Error(), expected)
++		t.Errorf("Resolver.LookupMX returned unexpected error, got %q, want %q", err, expected)
+ 	}
+ 	_, err = LookupMX("golang.org")
+ 	if expected := "lookup golang.org: MX target is invalid"; err == nil || err.Error() != expected {
+-		t.Errorf("LookupMX returned unexpected error, got %q, want %q", err.Error(), expected)
++		t.Errorf("LookupMX returned unexpected error, got %q, want %q", err, expected)
+ 	}
+ 
+ 	_, err = r.LookupNS(context.Background(), "golang.org")
+ 	if expected := "lookup golang.org: NS target is invalid"; err == nil || err.Error() != expected {
+-		t.Errorf("Resolver.LookupNS returned unexpected error, got %q, want %q", err.Error(), expected)
++		t.Errorf("Resolver.LookupNS returned unexpected error, got %q, want %q", err, expected)
+ 	}
+ 	_, err = LookupNS("golang.org")
+ 	if expected := "lookup golang.org: NS target is invalid"; err == nil || err.Error() != expected {
+-		t.Errorf("LookupNS returned unexpected error, got %q, want %q", err.Error(), expected)
++		t.Errorf("LookupNS returned unexpected error, got %q, want %q", err, expected)
+ 	}
+ 
+-	_, err = r.LookupAddr(context.Background(), "1.2.3.4")
+-	if expected := "lookup 1.2.3.4: PTR target is invalid"; err == nil || err.Error() != expected {
+-		t.Errorf("Resolver.LookupAddr returned unexpected error, got %q, want %q", err.Error(), expected)
++	_, err = r.LookupAddr(context.Background(), "192.0.2.42")
++	if expected := "lookup 192.0.2.42: PTR target is invalid"; err == nil || err.Error() != expected {
++		t.Errorf("Resolver.LookupAddr returned unexpected error, got %q, want %q", err, expected)
+ 	}
+-	_, err = LookupAddr("1.2.3.4")
+-	if expected := "lookup 1.2.3.4: PTR target is invalid"; err == nil || err.Error() != expected {
+-		t.Errorf("LookupAddr returned unexpected error, got %q, want %q", err.Error(), expected)
++	_, err = LookupAddr("192.0.2.42")
++	if expected := "lookup 192.0.2.42: PTR target is invalid"; err == nil || err.Error() != expected {
++		t.Errorf("LookupAddr returned unexpected error, got %q, want %q", err, expected)
+ 	}
+ }
diff -Nru golang-1.15-1.15.9/debian/patches/0011-CVE-2021-33197.patch golang-1.15-1.15.9/debian/patches/0011-CVE-2021-33197.patch
--- golang-1.15-1.15.9/debian/patches/0011-CVE-2021-33197.patch	1970-01-01 08:00:00.000000000 +0800
+++ golang-1.15-1.15.9/debian/patches/0011-CVE-2021-33197.patch	2021-06-05 19:36:34.000000000 +0800
@@ -0,0 +1,147 @@
+From cbd1ca84453fecf3825a6bb9f985823e8bc32b76 Mon Sep 17 00:00:00 2001
+From: Filippo Valsorda <filippo@golang.org>
+Date: Fri, 21 May 2021 14:02:30 -0400
+Subject: [PATCH] [release-branch.go1.15] net/http/httputil: always remove
+ hop-by-hop headers
+
+Previously, we'd fail to remove the Connection header from a request
+like this:
+
+    Connection:
+    Connection: x-header
+
+Updates #46313
+Fixes #46314
+Fixes CVE-2021-33197
+
+Change-Id: Ie3009e926ceecfa86dfa6bcc6fe14ff01086be7d
+Reviewed-on: https://go-review.googlesource.com/c/go/+/321929
+Run-TryBot: Filippo Valsorda <filippo@golang.org>
+Reviewed-by: Katie Hockman <katie@golang.org>
+Trust: Katie Hockman <katie@golang.org>
+Trust: Filippo Valsorda <filippo@golang.org>
+TryBot-Result: Go Bot <gobot@golang.org>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/323091
+Run-TryBot: Katie Hockman <katie@golang.org>
+---
+ src/net/http/httputil/reverseproxy.go      | 22 ++++----
+ src/net/http/httputil/reverseproxy_test.go | 63 +++++++++++++++++++++-
+ 2 files changed, 70 insertions(+), 15 deletions(-)
+
+diff --git a/src/net/http/httputil/reverseproxy.go b/src/net/http/httputil/reverseproxy.go
+index 3f48fab544e91..f49cefbb4f171 100644
+--- a/src/net/http/httputil/reverseproxy.go
++++ b/src/net/http/httputil/reverseproxy.go
+@@ -248,22 +248,18 @@ func (p *ReverseProxy) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
+ 	// important is "Connection" because we want a persistent
+ 	// connection, regardless of what the client sent to us.
+ 	for _, h := range hopHeaders {
+-		hv := outreq.Header.Get(h)
+-		if hv == "" {
+-			continue
+-		}
+-		if h == "Te" && hv == "trailers" {
+-			// Issue 21096: tell backend applications that
+-			// care about trailer support that we support
+-			// trailers. (We do, but we don't go out of
+-			// our way to advertise that unless the
+-			// incoming client request thought it was
+-			// worth mentioning)
+-			continue
+-		}
+ 		outreq.Header.Del(h)
+ 	}
+ 
++	// Issue 21096: tell backend applications that care about trailer support
++	// that we support trailers. (We do, but we don't go out of our way to
++	// advertise that unless the incoming client request thought it was worth
++	// mentioning.) Note that we look at req.Header, not outreq.Header, since
++	// the latter has passed through removeConnectionHeaders.
++	if httpguts.HeaderValuesContainsToken(req.Header["Te"], "trailers") {
++		outreq.Header.Set("Te", "trailers")
++	}
++
+ 	// After stripping all the hop-by-hop connection headers above, add back any
+ 	// necessary for protocol upgrades, such as for websockets.
+ 	if reqUpType != "" {
+diff --git a/src/net/http/httputil/reverseproxy_test.go b/src/net/http/httputil/reverseproxy_test.go
+index 764939fb0f0c2..1f2dfb9867f68 100644
+--- a/src/net/http/httputil/reverseproxy_test.go
++++ b/src/net/http/httputil/reverseproxy_test.go
+@@ -91,8 +91,9 @@ func TestReverseProxy(t *testing.T) {
+ 
+ 	getReq, _ := http.NewRequest("GET", frontend.URL, nil)
+ 	getReq.Host = "some-name"
+-	getReq.Header.Set("Connection", "close")
+-	getReq.Header.Set("Te", "trailers")
++	getReq.Header.Set("Connection", "close, TE")
++	getReq.Header.Add("Te", "foo")
++	getReq.Header.Add("Te", "bar, trailers")
+ 	getReq.Header.Set("Proxy-Connection", "should be deleted")
+ 	getReq.Header.Set("Upgrade", "foo")
+ 	getReq.Close = true
+@@ -236,6 +237,64 @@ func TestReverseProxyStripHeadersPresentInConnection(t *testing.T) {
+ 	}
+ }
+ 
++func TestReverseProxyStripEmptyConnection(t *testing.T) {
++	// See Issue 46313.
++	const backendResponse = "I am the backend"
++
++	// someConnHeader is some arbitrary header to be declared as a hop-by-hop header
++	// in the Request's Connection header.
++	const someConnHeader = "X-Some-Conn-Header"
++
++	backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
++		if c := r.Header.Values("Connection"); len(c) != 0 {
++			t.Errorf("handler got header %q = %v; want empty", "Connection", c)
++		}
++		if c := r.Header.Get(someConnHeader); c != "" {
++			t.Errorf("handler got header %q = %q; want empty", someConnHeader, c)
++		}
++		w.Header().Add("Connection", "")
++		w.Header().Add("Connection", someConnHeader)
++		w.Header().Set(someConnHeader, "should be deleted")
++		io.WriteString(w, backendResponse)
++	}))
++	defer backend.Close()
++	backendURL, err := url.Parse(backend.URL)
++	if err != nil {
++		t.Fatal(err)
++	}
++	proxyHandler := NewSingleHostReverseProxy(backendURL)
++	frontend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
++		proxyHandler.ServeHTTP(w, r)
++		if c := r.Header.Get(someConnHeader); c != "should be deleted" {
++			t.Errorf("handler modified header %q = %q; want %q", someConnHeader, c, "should be deleted")
++		}
++	}))
++	defer frontend.Close()
++
++	getReq, _ := http.NewRequest("GET", frontend.URL, nil)
++	getReq.Header.Add("Connection", "")
++	getReq.Header.Add("Connection", someConnHeader)
++	getReq.Header.Set(someConnHeader, "should be deleted")
++	res, err := frontend.Client().Do(getReq)
++	if err != nil {
++		t.Fatalf("Get: %v", err)
++	}
++	defer res.Body.Close()
++	bodyBytes, err := ioutil.ReadAll(res.Body)
++	if err != nil {
++		t.Fatalf("reading body: %v", err)
++	}
++	if got, want := string(bodyBytes), backendResponse; got != want {
++		t.Errorf("got body %q; want %q", got, want)
++	}
++	if c := res.Header.Get("Connection"); c != "" {
++		t.Errorf("handler got header %q = %q; want empty", "Connection", c)
++	}
++	if c := res.Header.Get(someConnHeader); c != "" {
++		t.Errorf("handler got header %q = %q; want empty", someConnHeader, c)
++	}
++}
++
+ func TestXForwardedFor(t *testing.T) {
+ 	const prevForwardedFor = "client ip"
+ 	const backendResponse = "I am the backend"
diff -Nru golang-1.15-1.15.9/debian/patches/0012-CVE-2021-33198.patch golang-1.15-1.15.9/debian/patches/0012-CVE-2021-33198.patch
--- golang-1.15-1.15.9/debian/patches/0012-CVE-2021-33198.patch	1970-01-01 08:00:00.000000000 +0800
+++ golang-1.15-1.15.9/debian/patches/0012-CVE-2021-33198.patch	2021-06-05 19:36:34.000000000 +0800
@@ -0,0 +1,107 @@
+From df9ce19db6df32d94eae8760927bdfbc595433c3 Mon Sep 17 00:00:00 2001
+From: Robert Griesemer <gri@golang.org>
+Date: Sun, 2 May 2021 11:27:03 -0700
+Subject: [PATCH] [release-branch.go1.15] math/big: check for excessive
+ exponents in Rat.SetString
+
+Found by OSS-Fuzz https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33284
+
+Thanks to Emmanuel Odeke for reporting this issue.
+
+Updates #45910
+Fixes #46305
+Fixes CVE-2021-33198
+
+Change-Id: I61e7b04dbd80343420b57eede439e361c0f7b79c
+Reviewed-on: https://go-review.googlesource.com/c/go/+/316149
+Trust: Robert Griesemer <gri@golang.org>
+Trust: Katie Hockman <katie@golang.org>
+Run-TryBot: Robert Griesemer <gri@golang.org>
+TryBot-Result: Go Bot <gobot@golang.org>
+Reviewed-by: Katie Hockman <katie@golang.org>
+Reviewed-by: Emmanuel Odeke <emmanuel@orijtech.com>
+(cherry picked from commit 6c591f79b0b5327549bd4e94970f7a279efb4ab0)
+Reviewed-on: https://go-review.googlesource.com/c/go/+/321831
+Run-TryBot: Katie Hockman <katie@golang.org>
+Reviewed-by: Roland Shoemaker <roland@golang.org>
+---
+ src/math/big/ratconv.go      | 15 ++++++++-------
+ src/math/big/ratconv_test.go | 25 +++++++++++++++++++++++++
+ 2 files changed, 33 insertions(+), 7 deletions(-)
+
+diff --git a/src/math/big/ratconv.go b/src/math/big/ratconv.go
+index 941139e72d1c4..ac3c8bd11f8a8 100644
+--- a/src/math/big/ratconv.go
++++ b/src/math/big/ratconv.go
+@@ -51,7 +51,8 @@ func (z *Rat) Scan(s fmt.ScanState, ch rune) error {
+ // An optional base-10 ``e'' or base-2 ``p'' (or their upper-case variants)
+ // exponent may be provided as well, except for hexadecimal floats which
+ // only accept an (optional) ``p'' exponent (because an ``e'' or ``E'' cannot
+-// be distinguished from a mantissa digit).
++// be distinguished from a mantissa digit). If the exponent's absolute value
++// is too large, the operation may fail.
+ // The entire string, not just a prefix, must be valid for success. If the
+ // operation failed, the value of z is undefined but the returned value is nil.
+ func (z *Rat) SetString(s string) (*Rat, bool) {
+@@ -169,6 +170,9 @@ func (z *Rat) SetString(s string) (*Rat, bool) {
+ 		if n < 0 {
+ 			n = -n
+ 		}
++		if n > 1e6 {
++			return nil, false // avoid excessively large exponents
++		}
+ 		pow5 := z.b.abs.expNN(natFive, nat(nil).setWord(Word(n)), nil) // use underlying array of z.b.abs
+ 		if exp5 > 0 {
+ 			z.a.abs = z.a.abs.mul(z.a.abs, pow5)
+@@ -181,15 +185,12 @@ func (z *Rat) SetString(s string) (*Rat, bool) {
+ 	}
+ 
+ 	// apply exp2 contributions
++	if exp2 < -1e7 || exp2 > 1e7 {
++		return nil, false // avoid excessively large exponents
++	}
+ 	if exp2 > 0 {
+-		if int64(uint(exp2)) != exp2 {
+-			panic("exponent too large")
+-		}
+ 		z.a.abs = z.a.abs.shl(z.a.abs, uint(exp2))
+ 	} else if exp2 < 0 {
+-		if int64(uint(-exp2)) != -exp2 {
+-			panic("exponent too large")
+-		}
+ 		z.b.abs = z.b.abs.shl(z.b.abs, uint(-exp2))
+ 	}
+ 
+diff --git a/src/math/big/ratconv_test.go b/src/math/big/ratconv_test.go
+index ba0d1ba9e1158..15d206cb386ab 100644
+--- a/src/math/big/ratconv_test.go
++++ b/src/math/big/ratconv_test.go
+@@ -589,3 +589,28 @@ func TestIssue31184(t *testing.T) {
+ 		}
+ 	}
+ }
++
++func TestIssue45910(t *testing.T) {
++	var x Rat
++	for _, test := range []struct {
++		input string
++		want  bool
++	}{
++		{"1e-1000001", false},
++		{"1e-1000000", true},
++		{"1e+1000000", true},
++		{"1e+1000001", false},
++
++		{"0p1000000000000", true},
++		{"1p-10000001", false},
++		{"1p-10000000", true},
++		{"1p+10000000", true},
++		{"1p+10000001", false},
++		{"1.770p02041010010011001001", false}, // test case from issue
++	} {
++		_, got := x.SetString(test.input)
++		if got != test.want {
++			t.Errorf("SetString(%s) got ok = %v; want %v", test.input, got, test.want)
++		}
++	}
++}
diff -Nru golang-1.15-1.15.9/debian/patches/series golang-1.15-1.15.9/debian/patches/series
--- golang-1.15-1.15.9/debian/patches/series	2021-06-02 10:56:03.000000000 +0800
+++ golang-1.15-1.15.9/debian/patches/series	2021-06-05 19:36:34.000000000 +0800
@@ -6,3 +6,7 @@
 0006-skip-userns-test-in-schroot-as-well.patch
 0007-CVE-2021-31525.patch
 0008-CVE-2021-33196.patch
+0009-CVE-2021-33195-1.patch
+0010-CVE-2021-33195-2.patch
+0011-CVE-2021-33197.patch
+0012-CVE-2021-33198.patch

--- End Message ---

--- Begin Message ---

• To: Shengjing Zhu <zhsj@debian.org>, 989498-done@bugs.debian.org
• Subject: Re: Bug#989498: unblock: golang-1.15/1.15.9-5
• From: Paul Gevers <elbrus@debian.org>
• Date: Thu, 17 Jun 2021 10:18:35 +0200
• Message-id: <c10784a7-bdef-15ee-6a43-548eb9af1d89@debian.org>
• In-reply-to: <[🔎] CAFyCLW_ZcxNVeczX1e400G9=LULbE26GxZff1_iWpaE8db4_dg@mail.gmail.com>
• References: <[🔎] 89f989a8-85d2-b66c-2d72-b3435b8187e2@debian.org> <YLtmuLP+i0kP/U16@local.zhsj.me> <[🔎] CAFyCLW97YTet+HGkeYfU+mroBUDhSQPOkZk-bQ35Ti87iHydrg@mail.gmail.com> <[🔎] 62608cba-dc59-660a-e828-c7f2f2d32961@debian.org> <[🔎] YMH2PKKU77IU7qx3@local.zhsj.me> <YLtmuLP+i0kP/U16@local.zhsj.me> <[🔎] CAFyCLW_ZcxNVeczX1e400G9=LULbE26GxZff1_iWpaE8db4_dg@mail.gmail.com>

Hi

On 14-06-2021 16:42, Shengjing Zhu wrote:
> Would you like to close the bug?

Yes, let's do that.

Paul

Attachment: OpenPGP_signature
Description: OpenPGP digital signature

--- End Message ---