Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: zhsj@debian.org, team+go-compiler@tracker.debian.org
Please unblock package golang-1.15
[ Reason ]
Upstream security release, only target fix is introduced.
CVE-2021-27918: encoding/xml: infinite loop when using `xml.NewTokenDecoder`
with a custom `TokenReader`.
https://github.com/golang/go/issues/44913
[ Impact ]
Without this version, the Go compiler is vulnerable.
However with the new undetermined Go security policy, this
bug is classified as LOW (severity issues affect niche configurations,
have very limited impact, or are already widely known).
https://github.com/golang/go/issues/44918
[ Tests ]
+ Upstream tests in source package.
+ Have manually test some Go packages.
[ Risks ]
+ No autopkgtest
+ Diff is small
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
[ Other info ]
If this package is blocked in unstable, all Go packages will be prevented
from migrating to testing, due to the Built-Using thing..
So I fill this pre-approval request. And if possible, reduce the age too.
unblock golang-1.15/1.15.9-1
diff -Nru golang-1.15-1.15.8/debian/changelog golang-1.15-1.15.9/debian/changelog
--- golang-1.15-1.15.8/debian/changelog 2021-02-15 23:19:39.000000000 +0800
+++ golang-1.15-1.15.9/debian/changelog 2021-03-11 23:43:18.000000000 +0800
@@ -1,3 +1,12 @@
+golang-1.15 (1.15.9-1) unstable; urgency=medium
+
+ * Team upload.
+ * New upstream version 1.15.9
+ + encoding/xml: infinite loop when using `xml.NewTokenDecoder` with a
+ custom `TokenReader`. CVE-2021-27918
+
+ -- Shengjing Zhu <zhsj@debian.org> Thu, 11 Mar 2021 23:43:18 +0800
+
golang-1.15 (1.15.8-4) unstable; urgency=medium
* Team upload.
diff -Nru golang-1.15-1.15.8/src/encoding/xml/xml.go golang-1.15-1.15.9/src/encoding/xml/xml.go
--- golang-1.15-1.15.8/src/encoding/xml/xml.go 2021-02-05 20:48:37.000000000 +0800
+++ golang-1.15-1.15.9/src/encoding/xml/xml.go 2021-03-10 22:29:35.000000000 +0800
@@ -271,7 +271,7 @@
// it will return an error.
//
// Token implements XML name spaces as described by
-// https://www.w3.org/TR/REC-xml-names/. Each of the
+// https://www.w3.org/TR/REC-xml-names/. Each of the
// Name structures contained in the Token has the Space
// set to the URL identifying its name space when known.
// If Token encounters an unrecognized name space prefix,
@@ -285,16 +285,17 @@
if d.nextToken != nil {
t = d.nextToken
d.nextToken = nil
- } else if t, err = d.rawToken(); err != nil {
- switch {
- case err == io.EOF && d.t != nil:
- err = nil
- case err == io.EOF && d.stk != nil && d.stk.kind != stkEOF:
- err = d.syntaxError("unexpected EOF")
+ } else {
+ if t, err = d.rawToken(); t == nil && err != nil {
+ if err == io.EOF && d.stk != nil && d.stk.kind != stkEOF {
+ err = d.syntaxError("unexpected EOF")
+ }
+ return nil, err
}
- return t, err
+ // We still have a token to process, so clear any
+ // errors (e.g. EOF) and proceed.
+ err = nil
}
-
if !d.Strict {
if t1, ok := d.autoClose(t); ok {
d.nextToken = t
diff -Nru golang-1.15-1.15.8/src/encoding/xml/xml_test.go golang-1.15-1.15.9/src/encoding/xml/xml_test.go
--- golang-1.15-1.15.8/src/encoding/xml/xml_test.go 2021-02-05 20:48:37.000000000 +0800
+++ golang-1.15-1.15.9/src/encoding/xml/xml_test.go 2021-03-10 22:29:35.000000000 +0800
@@ -33,30 +33,90 @@
func TestDecodeEOF(t *testing.T) {
start := StartElement{Name: Name{Local: "test"}}
- t.Run("EarlyEOF", func(t *testing.T) {
- d := NewTokenDecoder(&toks{earlyEOF: true, t: []Token{
- start,
- start.End(),
- }})
- err := d.Decode(&struct {
- XMLName Name `xml:"test"`
- }{})
- if err != nil {
- t.Error(err)
+ tests := []struct {
+ name string
+ tokens []Token
+ ok bool
+ }{
+ {
+ name: "OK",
+ tokens: []Token{
+ start,
+ start.End(),
+ },
+ ok: true,
+ },
+ {
+ name: "Malformed",
+ tokens: []Token{
+ start,
+ StartElement{Name: Name{Local: "bad"}},
+ start.End(),
+ },
+ ok: false,
+ },
+ }
+ for _, tc := range tests {
+ for _, eof := range []bool{true, false} {
+ name := fmt.Sprintf("%s/earlyEOF=%v", tc.name, eof)
+ t.Run(name, func(t *testing.T) {
+ d := NewTokenDecoder(&toks{
+ earlyEOF: eof,
+ t: tc.tokens,
+ })
+ err := d.Decode(&struct {
+ XMLName Name `xml:"test"`
+ }{})
+ if tc.ok && err != nil {
+ t.Fatalf("d.Decode: expected nil error, got %v", err)
+ }
+ if _, ok := err.(*SyntaxError); !tc.ok && !ok {
+ t.Errorf("d.Decode: expected syntax error, got %v", err)
+ }
+ })
}
- })
- t.Run("LateEOF", func(t *testing.T) {
- d := NewTokenDecoder(&toks{t: []Token{
- start,
- start.End(),
- }})
- err := d.Decode(&struct {
- XMLName Name `xml:"test"`
- }{})
- if err != nil {
- t.Error(err)
+ }
+}
+
+type toksNil struct {
+ returnEOF bool
+ t []Token
+}
+
+func (t *toksNil) Token() (Token, error) {
+ if len(t.t) == 0 {
+ if !t.returnEOF {
+ // Return nil, nil before returning an EOF. It's legal, but
+ // discouraged.
+ t.returnEOF = true
+ return nil, nil
}
- })
+ return nil, io.EOF
+ }
+ var tok Token
+ tok, t.t = t.t[0], t.t[1:]
+ return tok, nil
+}
+
+func TestDecodeNilToken(t *testing.T) {
+ for _, strict := range []bool{true, false} {
+ name := fmt.Sprintf("Strict=%v", strict)
+ t.Run(name, func(t *testing.T) {
+ start := StartElement{Name: Name{Local: "test"}}
+ bad := StartElement{Name: Name{Local: "bad"}}
+ d := NewTokenDecoder(&toksNil{
+ // Malformed
+ t: []Token{start, bad, start.End()},
+ })
+ d.Strict = strict
+ err := d.Decode(&struct {
+ XMLName Name `xml:"test"`
+ }{})
+ if _, ok := err.(*SyntaxError); !ok {
+ t.Errorf("d.Decode: expected syntax error, got %v", err)
+ }
+ })
+ }
}
const testInput = `
diff -Nru golang-1.15-1.15.8/VERSION golang-1.15-1.15.9/VERSION
--- golang-1.15-1.15.8/VERSION 2021-02-05 20:48:37.000000000 +0800
+++ golang-1.15-1.15.9/VERSION 2021-03-10 22:31:50.000000000 +0800
@@ -1 +1 @@
-go1.15.8
\ No newline at end of file
+go1.15.9
\ No newline at end of file
Attachment:
signature.asc
Description: PGP signature