Bug#984988: pre-approval: unblock: golang-1.15/1.15.9-1

To: Shengjing Zhu <zhsj@debian.org>, 984988@bugs.debian.org
Subject: Bug#984988: pre-approval: unblock: golang-1.15/1.15.9-1
From: Sebastian Ramacher <sramacher@debian.org>
Date: Fri, 12 Mar 2021 10:16:19 +0100
Message-id: <[🔎] 20210312091619.GA5246@ramacher.at>
Reply-to: Sebastian Ramacher <sramacher@debian.org>, 984988@bugs.debian.org
In-reply-to: <YEo/f8Iie1NeDZ7Y@local.zhsj.me>
References: <YEo/f8Iie1NeDZ7Y@local.zhsj.me> <YEo/f8Iie1NeDZ7Y@local.zhsj.me>

Control: tags -1 + confirmed

On 2021-03-12 00:04:15, Shengjing Zhu wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> X-Debbugs-Cc: zhsj@debian.org, team+go-compiler@tracker.debian.org
> 
> Please unblock package golang-1.15
> 
> [ Reason ]
> Upstream security release, only target fix is introduced.
> CVE-2021-27918: encoding/xml: infinite loop when using `xml.NewTokenDecoder`
> with a custom `TokenReader`.
> https://github.com/golang/go/issues/44913
> 
> [ Impact ]
> Without this version, the Go compiler is vulnerable.
> However with the new undetermined Go security policy, this
> bug is classified as LOW (severity issues affect niche configurations,
> have very limited impact, or are already widely known).
> https://github.com/golang/go/issues/44918
> 
> [ Tests ]
> + Upstream tests in source package.
> + Have manually test some Go packages.
> 
> [ Risks ]
> + No autopkgtest
> + Diff is small
> 
> [ Checklist ]
>   [x] all changes are documented in the d/changelog
>   [x] I reviewed all changes and I approve them
>   [x] attach debdiff against the package in testing
> 
> [ Other info ]
> If this package is blocked in unstable, all Go packages will be prevented
> from migrating to testing, due to the Built-Using thing..
> So I fill this pre-approval request. And if possible, reduce the age too.
> 
> unblock golang-1.15/1.15.9-1

Assuming the uploads happens soon, please go ahead.

Cheers

> 
> 
> diff -Nru golang-1.15-1.15.8/debian/changelog golang-1.15-1.15.9/debian/changelog
> --- golang-1.15-1.15.8/debian/changelog	2021-02-15 23:19:39.000000000 +0800
> +++ golang-1.15-1.15.9/debian/changelog	2021-03-11 23:43:18.000000000 +0800
> @@ -1,3 +1,12 @@
> +golang-1.15 (1.15.9-1) unstable; urgency=medium
> +
> +  * Team upload.
> +  * New upstream version 1.15.9
> +    + encoding/xml: infinite loop when using `xml.NewTokenDecoder` with a
> +      custom `TokenReader`. CVE-2021-27918
> +
> + -- Shengjing Zhu <zhsj@debian.org>  Thu, 11 Mar 2021 23:43:18 +0800
> +
>  golang-1.15 (1.15.8-4) unstable; urgency=medium
>  
>    * Team upload.
> diff -Nru golang-1.15-1.15.8/src/encoding/xml/xml.go golang-1.15-1.15.9/src/encoding/xml/xml.go
> --- golang-1.15-1.15.8/src/encoding/xml/xml.go	2021-02-05 20:48:37.000000000 +0800
> +++ golang-1.15-1.15.9/src/encoding/xml/xml.go	2021-03-10 22:29:35.000000000 +0800
> @@ -271,7 +271,7 @@
>  // it will return an error.
>  //
>  // Token implements XML name spaces as described by
> -// https://www.w3.org/TR/REC-xml-names/.  Each of the
> +// https://www.w3.org/TR/REC-xml-names/. Each of the
>  // Name structures contained in the Token has the Space
>  // set to the URL identifying its name space when known.
>  // If Token encounters an unrecognized name space prefix,
> @@ -285,16 +285,17 @@
>  	if d.nextToken != nil {
>  		t = d.nextToken
>  		d.nextToken = nil
> -	} else if t, err = d.rawToken(); err != nil {
> -		switch {
> -		case err == io.EOF && d.t != nil:
> -			err = nil
> -		case err == io.EOF && d.stk != nil && d.stk.kind != stkEOF:
> -			err = d.syntaxError("unexpected EOF")
> +	} else {
> +		if t, err = d.rawToken(); t == nil && err != nil {
> +			if err == io.EOF && d.stk != nil && d.stk.kind != stkEOF {
> +				err = d.syntaxError("unexpected EOF")
> +			}
> +			return nil, err
>  		}
> -		return t, err
> +		// We still have a token to process, so clear any
> +		// errors (e.g. EOF) and proceed.
> +		err = nil
>  	}
> -
>  	if !d.Strict {
>  		if t1, ok := d.autoClose(t); ok {
>  			d.nextToken = t
> diff -Nru golang-1.15-1.15.8/src/encoding/xml/xml_test.go golang-1.15-1.15.9/src/encoding/xml/xml_test.go
> --- golang-1.15-1.15.8/src/encoding/xml/xml_test.go	2021-02-05 20:48:37.000000000 +0800
> +++ golang-1.15-1.15.9/src/encoding/xml/xml_test.go	2021-03-10 22:29:35.000000000 +0800
> @@ -33,30 +33,90 @@
>  
>  func TestDecodeEOF(t *testing.T) {
>  	start := StartElement{Name: Name{Local: "test"}}
> -	t.Run("EarlyEOF", func(t *testing.T) {
> -		d := NewTokenDecoder(&toks{earlyEOF: true, t: []Token{
> -			start,
> -			start.End(),
> -		}})
> -		err := d.Decode(&struct {
> -			XMLName Name `xml:"test"`
> -		}{})
> -		if err != nil {
> -			t.Error(err)
> +	tests := []struct {
> +		name   string
> +		tokens []Token
> +		ok     bool
> +	}{
> +		{
> +			name: "OK",
> +			tokens: []Token{
> +				start,
> +				start.End(),
> +			},
> +			ok: true,
> +		},
> +		{
> +			name: "Malformed",
> +			tokens: []Token{
> +				start,
> +				StartElement{Name: Name{Local: "bad"}},
> +				start.End(),
> +			},
> +			ok: false,
> +		},
> +	}
> +	for _, tc := range tests {
> +		for _, eof := range []bool{true, false} {
> +			name := fmt.Sprintf("%s/earlyEOF=%v", tc.name, eof)
> +			t.Run(name, func(t *testing.T) {
> +				d := NewTokenDecoder(&toks{
> +					earlyEOF: eof,
> +					t:        tc.tokens,
> +				})
> +				err := d.Decode(&struct {
> +					XMLName Name `xml:"test"`
> +				}{})
> +				if tc.ok && err != nil {
> +					t.Fatalf("d.Decode: expected nil error, got %v", err)
> +				}
> +				if _, ok := err.(*SyntaxError); !tc.ok && !ok {
> +					t.Errorf("d.Decode: expected syntax error, got %v", err)
> +				}
> +			})
>  		}
> -	})
> -	t.Run("LateEOF", func(t *testing.T) {
> -		d := NewTokenDecoder(&toks{t: []Token{
> -			start,
> -			start.End(),
> -		}})
> -		err := d.Decode(&struct {
> -			XMLName Name `xml:"test"`
> -		}{})
> -		if err != nil {
> -			t.Error(err)
> +	}
> +}
> +
> +type toksNil struct {
> +	returnEOF bool
> +	t         []Token
> +}
> +
> +func (t *toksNil) Token() (Token, error) {
> +	if len(t.t) == 0 {
> +		if !t.returnEOF {
> +			// Return nil, nil before returning an EOF. It's legal, but
> +			// discouraged.
> +			t.returnEOF = true
> +			return nil, nil
>  		}
> -	})
> +		return nil, io.EOF
> +	}
> +	var tok Token
> +	tok, t.t = t.t[0], t.t[1:]
> +	return tok, nil
> +}
> +
> +func TestDecodeNilToken(t *testing.T) {
> +	for _, strict := range []bool{true, false} {
> +		name := fmt.Sprintf("Strict=%v", strict)
> +		t.Run(name, func(t *testing.T) {
> +			start := StartElement{Name: Name{Local: "test"}}
> +			bad := StartElement{Name: Name{Local: "bad"}}
> +			d := NewTokenDecoder(&toksNil{
> +				// Malformed
> +				t: []Token{start, bad, start.End()},
> +			})
> +			d.Strict = strict
> +			err := d.Decode(&struct {
> +				XMLName Name `xml:"test"`
> +			}{})
> +			if _, ok := err.(*SyntaxError); !ok {
> +				t.Errorf("d.Decode: expected syntax error, got %v", err)
> +			}
> +		})
> +	}
>  }
>  
>  const testInput = `
> diff -Nru golang-1.15-1.15.8/VERSION golang-1.15-1.15.9/VERSION
> --- golang-1.15-1.15.8/VERSION	2021-02-05 20:48:37.000000000 +0800
> +++ golang-1.15-1.15.9/VERSION	2021-03-10 22:31:50.000000000 +0800
> @@ -1 +1 @@
> -go1.15.8
> \ No newline at end of file
> +go1.15.9
> \ No newline at end of file



-- 
Sebastian Ramacher

Reply to:

Follow-Ups:
- Bug#984988: pre-approval: unblock: golang-1.15/1.15.9-1
  - From: Shengjing Zhu <zhsj@debian.org>

References:
- Bug#984988: pre-approval: unblock: golang-1.15/1.15.9-1
  - From: Shengjing Zhu <zhsj@debian.org>

Prev by Date: Processed: Re: Bug#984988: pre-approval: unblock: golang-1.15/1.15.9-1
Next by Date: Bug#985049: unblock: libgweather/3.36.1-2
Previous by thread: Processed: Re: Bug#984988: pre-approval: unblock: golang-1.15/1.15.9-1
Next by thread: Bug#984988: pre-approval: unblock: golang-1.15/1.15.9-1
Index(es):
- Date
- Thread