Bug#984988: pre-approval: unblock: golang-1.15/1.15.9-1
Control: tags -1 + confirmed
On 2021-03-12 00:04:15, Shengjing Zhu wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> X-Debbugs-Cc: zhsj@debian.org, team+go-compiler@tracker.debian.org
>
> Please unblock package golang-1.15
>
> [ Reason ]
> Upstream security release, only target fix is introduced.
> CVE-2021-27918: encoding/xml: infinite loop when using `xml.NewTokenDecoder`
> with a custom `TokenReader`.
> https://github.com/golang/go/issues/44913
>
> [ Impact ]
> Without this version, the encoding/xml package of the Go standard library
> shipped by this package is vulnerable.
> However, under the new (not yet finalized) Go security policy this
> bug is classified as LOW (severity issues affect niche configurations,
> have very limited impact, or are already widely known).
> https://github.com/golang/go/issues/44918
>
> [ Tests ]
> + Upstream tests in source package.
> + Have manually test some Go packages.
>
> [ Risks ]
> + No autopkgtest
> + Diff is small
>
> [ Checklist ]
> [x] all changes are documented in the d/changelog
> [x] I reviewed all changes and I approve them
> [x] attach debdiff against the package in testing
>
> [ Other info ]
> If this package is blocked in unstable, all Go packages will be prevented
> from migrating to testing, due to the Built-Using thing..
> So I fill this pre-approval request. And if possible, reduce the age too.
>
> unblock golang-1.15/1.15.9-1
Assuming the upload happens soon, please go ahead.
Cheers
>
>
> diff -Nru golang-1.15-1.15.8/debian/changelog golang-1.15-1.15.9/debian/changelog
> --- golang-1.15-1.15.8/debian/changelog 2021-02-15 23:19:39.000000000 +0800
> +++ golang-1.15-1.15.9/debian/changelog 2021-03-11 23:43:18.000000000 +0800
> @@ -1,3 +1,12 @@
> +golang-1.15 (1.15.9-1) unstable; urgency=medium
> +
> + * Team upload.
> + * New upstream version 1.15.9
> + + encoding/xml: infinite loop when using `xml.NewTokenDecoder` with a
> + custom `TokenReader`. CVE-2021-27918
> +
> + -- Shengjing Zhu <zhsj@debian.org> Thu, 11 Mar 2021 23:43:18 +0800
> +
> golang-1.15 (1.15.8-4) unstable; urgency=medium
>
> * Team upload.
> diff -Nru golang-1.15-1.15.8/src/encoding/xml/xml.go golang-1.15-1.15.9/src/encoding/xml/xml.go
> --- golang-1.15-1.15.8/src/encoding/xml/xml.go 2021-02-05 20:48:37.000000000 +0800
> +++ golang-1.15-1.15.9/src/encoding/xml/xml.go 2021-03-10 22:29:35.000000000 +0800
> @@ -271,7 +271,7 @@
> // it will return an error.
> //
> // Token implements XML name spaces as described by
> -// https://www.w3.org/TR/REC-xml-names/. Each of the
> +// https://www.w3.org/TR/REC-xml-names/. Each of the
> // Name structures contained in the Token has the Space
> // set to the URL identifying its name space when known.
> // If Token encounters an unrecognized name space prefix,
> @@ -285,16 +285,17 @@
> if d.nextToken != nil {
> t = d.nextToken
> d.nextToken = nil
> - } else if t, err = d.rawToken(); err != nil {
> - switch {
> - case err == io.EOF && d.t != nil:
> - err = nil
> - case err == io.EOF && d.stk != nil && d.stk.kind != stkEOF:
> - err = d.syntaxError("unexpected EOF")
> + } else {
> + if t, err = d.rawToken(); t == nil && err != nil {
> + if err == io.EOF && d.stk != nil && d.stk.kind != stkEOF {
> + err = d.syntaxError("unexpected EOF")
> + }
> + return nil, err
> }
> - return t, err
> + // We still have a token to process, so clear any
> + // errors (e.g. EOF) and proceed.
> + err = nil
> }
> -
> if !d.Strict {
> if t1, ok := d.autoClose(t); ok {
> d.nextToken = t
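Review bot: The `err = nil` on the new side discards whatever error `rawToken` returned together with a non-nil token, not only `io.EOF` as the comment suggests; a custom `TokenReader` that returns `(tok, someErr)` loses `someErr` unless it reports it again on its next call. That is consistent with the io.Reader-style allowance in the TokenReader contract, but the comment should state it, e.g. `// A token was returned, so process it and drop the accompanying error (EOF or otherwise); a TokenReader is expected to re-report a real error on its next call.` If silently losing such an error is not acceptable, it would have to be kept on the Decoder and returned on the next call rather than cleared here. Note also that the `t == nil && err != nil` guard still lets a `(nil, nil)` result fall through with `t == nil`, so the code after this hunk must tolerate a nil token. Token's body starts and ends outside this hunk.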
> diff -Nru golang-1.15-1.15.8/src/encoding/xml/xml_test.go golang-1.15-1.15.9/src/encoding/xml/xml_test.go
> --- golang-1.15-1.15.8/src/encoding/xml/xml_test.go 2021-02-05 20:48:37.000000000 +0800
> +++ golang-1.15-1.15.9/src/encoding/xml/xml_test.go 2021-03-10 22:29:35.000000000 +0800
> @@ -33,30 +33,90 @@
>
> func TestDecodeEOF(t *testing.T) {
> start := StartElement{Name: Name{Local: "test"}}
> - t.Run("EarlyEOF", func(t *testing.T) {
> - d := NewTokenDecoder(&toks{earlyEOF: true, t: []Token{
> - start,
> - start.End(),
> - }})
> - err := d.Decode(&struct {
> - XMLName Name `xml:"test"`
> - }{})
> - if err != nil {
> - t.Error(err)
> + tests := []struct {
> + name string
> + tokens []Token
> + ok bool
> + }{
> + {
> + name: "OK",
> + tokens: []Token{
> + start,
> + start.End(),
> + },
> + ok: true,
> + },
> + {
> + name: "Malformed",
> + tokens: []Token{
> + start,
> + StartElement{Name: Name{Local: "bad"}},
> + start.End(),
> + },
> + ok: false,
> + },
> + }
> + for _, tc := range tests {
> + for _, eof := range []bool{true, false} {
> + name := fmt.Sprintf("%s/earlyEOF=%v", tc.name, eof)
> + t.Run(name, func(t *testing.T) {
> + d := NewTokenDecoder(&toks{
> + earlyEOF: eof,
> + t: tc.tokens,
> + })
> + err := d.Decode(&struct {
> + XMLName Name `xml:"test"`
> + }{})
> + if tc.ok && err != nil {
> + t.Fatalf("d.Decode: expected nil error, got %v", err)
> + }
> + if _, ok := err.(*SyntaxError); !tc.ok && !ok {
> + t.Errorf("d.Decode: expected syntax error, got %v", err)
> + }
> + })
> }
> - })
> - t.Run("LateEOF", func(t *testing.T) {
> - d := NewTokenDecoder(&toks{t: []Token{
> - start,
> - start.End(),
> - }})
> - err := d.Decode(&struct {
> - XMLName Name `xml:"test"`
> - }{})
> - if err != nil {
> - t.Error(err)
> + }
> +}
> +
> +type toksNil struct {
> + returnEOF bool
> + t []Token
> +}
> +
> +func (t *toksNil) Token() (Token, error) {
> + if len(t.t) == 0 {
> + if !t.returnEOF {
> + // Return nil, nil before returning an EOF. It's legal, but
> + // discouraged.
> + t.returnEOF = true
> + return nil, nil
> }
> - })
> + return nil, io.EOF
> + }
> + var tok Token
> + tok, t.t = t.t[0], t.t[1:]
> + return tok, nil
> +}
> +
> +func TestDecodeNilToken(t *testing.T) {
> + for _, strict := range []bool{true, false} {
> + name := fmt.Sprintf("Strict=%v", strict)
> + t.Run(name, func(t *testing.T) {
> + start := StartElement{Name: Name{Local: "test"}}
> + bad := StartElement{Name: Name{Local: "bad"}}
> + d := NewTokenDecoder(&toksNil{
> + // Malformed
> + t: []Token{start, bad, start.End()},
> + })
> + d.Strict = strict
> + err := d.Decode(&struct {
> + XMLName Name `xml:"test"`
> + }{})
> + if _, ok := err.(*SyntaxError); !ok {
> + t.Errorf("d.Decode: expected syntax error, got %v", err)
> + }
> + })
> + }
> }
>
> const testInput = `
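Review bot: TestDecodeNilToken only exercises malformed input, so it checks that decoding terminates with a SyntaxError but not that a well-formed stream containing a `nil, nil` token still decodes cleanly; a regression that turns the discouraged nil token into a spurious error would pass this test. I would add a second case with `t: []Token{start, start.End()}` under each Strict value and assert `err == nil` for it, mirroring the ok/malformed table used in TestDecodeEOF. Separately, the closures passed to t.Run in TestDecodeEOF capture the loop variables `tc` and `eof`; that is safe only because the subtests are not marked parallel, so a `tc, eof := tc, eof` shadow or a short comment would make that explicit on pre-1.22 Go. The `toks` helper used by TestDecodeEOF is defined outside this hunk.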
> diff -Nru golang-1.15-1.15.8/VERSION golang-1.15-1.15.9/VERSION
> --- golang-1.15-1.15.8/VERSION 2021-02-05 20:48:37.000000000 +0800
> +++ golang-1.15-1.15.9/VERSION 2021-03-10 22:31:50.000000000 +0800
> @@ -1 +1 @@
> -go1.15.8
> \ No newline at end of file
> +go1.15.9
> \ No newline at end of file
--
Sebastian Ramacher