Bug#988210: [pre-approval] unblock: golang-1.15/1.15.9-2

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#988210: [pre-approval] unblock: golang-1.15/1.15.9-2
From: Shengjing Zhu <zhsj@debian.org>
Date: Sat, 8 May 2021 03:15:49 +0800
Message-id: <YJWR5Ty9zqCDj/Hv@local.zhsj.me>
Reply-to: Shengjing Zhu <zhsj@debian.org>, 988210@bugs.debian.org

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: zhsj@debian.org

Please unblock package golang-1.15

[ Reason ]
Backport patch for CVE-2021-31525
net/http: ReadRequest can stack overflow due to recursion with very
large headers. https://github.com/golang/go/issues/45711

[ Impact ]
Though CVE is assigned, the issue doesn't look like a serious one.
So if it's not approved, I think we can address it with other future
security fixes through DSA after release.

[ Tests ]
I have did a manual test for the affected function, to see if it's
stackoverflow with and without patch.

[ Risks ]
The diff is small.
The package is key package.
Due to the static link of Go packages, and the out of date built-using
thing, it needs another round of rebuild of all Go packages before
bullseye release.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
golang-golang-x-net needs same fix for CVE-2021-31525


unblock golang-1.15/1.15.9-2


diff -Nru golang-1.15-1.15.9/debian/changelog golang-1.15-1.15.9/debian/changelog
--- golang-1.15-1.15.9/debian/changelog	2021-03-11 23:43:18.000000000 +0800
+++ golang-1.15-1.15.9/debian/changelog	2021-05-08 02:45:35.000000000 +0800
@@ -1,3 +1,12 @@
+golang-1.15 (1.15.9-2) unstable; urgency=medium
+
+  * Team upload.
+  * Backport patch for CVE-2021-31525
+    net/http: ReadRequest can stack overflow due to recursion with very
+    large headers. https://github.com/golang/go/issues/45711
+
+ -- Shengjing Zhu <zhsj@debian.org>  Sat, 08 May 2021 02:45:35 +0800
+
 golang-1.15 (1.15.9-1) unstable; urgency=medium
 
   * Team upload.
diff -Nru golang-1.15-1.15.9/debian/patches/0007-CVE-2021-31525.patch golang-1.15-1.15.9/debian/patches/0007-CVE-2021-31525.patch
--- golang-1.15-1.15.9/debian/patches/0007-CVE-2021-31525.patch	1970-01-01 08:00:00.000000000 +0800
+++ golang-1.15-1.15.9/debian/patches/0007-CVE-2021-31525.patch	2021-05-08 02:45:35.000000000 +0800
@@ -0,0 +1,90 @@
+From 5aed4ce3c854bdbbb6dd5c1ccfa15c23d4b6c989 Mon Sep 17 00:00:00 2001
+From: Katie Hockman <katie@golang.org>
+Date: Wed, 28 Apr 2021 14:47:48 -0400
+Subject: [PATCH] [release-branch.go1.15] std: update golang.org/x/net to
+ 20210428183841-261fb518b1ed
+
+Steps:
+  go get -d golang.org/x/net@release-branch.go1.15
+  go mod tidy
+  go mod vendor
+
+This http2 bundle does not need to be updated.
+
+Fixes #45711
+
+Change-Id: I085ca592dfc8d5d9c328a7979142e88e7130a813
+Reviewed-on: https://go-review.googlesource.com/c/go/+/314790
+Trust: Katie Hockman <katie@golang.org>
+Run-TryBot: Katie Hockman <katie@golang.org>
+Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
+---
+ src/go.mod                                           |  2 +-
+ src/go.sum                                           |  4 ++--
+ src/vendor/golang.org/x/net/http/httpguts/httplex.go | 10 ++++++----
+ src/vendor/modules.txt                               |  2 +-
+ 4 files changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/src/go.mod b/src/go.mod
+index 6b97366bbe6c..dfcba7a1c8ac 100644
+--- a/src/go.mod
++++ b/src/go.mod
+@@ -4,7 +4,7 @@ go 1.15
+ 
+ require (
+ 	golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9
+-	golang.org/x/net v0.0.0-20201008223702-a5fa9d4b7c91
++	golang.org/x/net v0.0.0-20210428183841-261fb518b1ed
+ 	golang.org/x/sys v0.0.0-20200501145240-bc7a7d42d5c3 // indirect
+ 	golang.org/x/text v0.3.3-0.20200430171850-afb9336c4530 // indirect
+ )
+diff --git a/src/go.sum b/src/go.sum
+index fbd3279aade6..47e918848c3e 100644
+--- a/src/go.sum
++++ b/src/go.sum
+@@ -2,8 +2,8 @@ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACk
+ golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9 h1:psW17arqaxU48Z5kZ0CQnkZWQJsqcURM6tKiBApRjXI=
+ golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+ golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+-golang.org/x/net v0.0.0-20201008223702-a5fa9d4b7c91 h1:zd7kl5i5PDM0OnFbRWVM6B8mXojzv8LOkHN9LsOrRf4=
+-golang.org/x/net v0.0.0-20201008223702-a5fa9d4b7c91/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
++golang.org/x/net v0.0.0-20210428183841-261fb518b1ed h1:aunM0N/jnRHvQgZo3kYkfaAGet2kIMFOPIbopG5BhYw=
++golang.org/x/net v0.0.0-20210428183841-261fb518b1ed/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
+ golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+ golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+ golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+diff --git a/src/vendor/golang.org/x/net/http/httpguts/httplex.go b/src/vendor/golang.org/x/net/http/httpguts/httplex.go
+index e7de24ee64ef..c79aa73f28bb 100644
+--- a/src/vendor/golang.org/x/net/http/httpguts/httplex.go
++++ b/src/vendor/golang.org/x/net/http/httpguts/httplex.go
+@@ -137,11 +137,13 @@ func trimOWS(x string) string {
+ // contains token amongst its comma-separated tokens, ASCII
+ // case-insensitively.
+ func headerValueContainsToken(v string, token string) bool {
+-	v = trimOWS(v)
+-	if comma := strings.IndexByte(v, ','); comma != -1 {
+-		return tokenEqual(trimOWS(v[:comma]), token) || headerValueContainsToken(v[comma+1:], token)
++	for comma := strings.IndexByte(v, ','); comma != -1; comma = strings.IndexByte(v, ',') {
++		if tokenEqual(trimOWS(v[:comma]), token) {
++			return true
++		}
++		v = v[comma+1:]
+ 	}
+-	return tokenEqual(v, token)
++	return tokenEqual(trimOWS(v), token)
+ }
+ 
+ // lowerASCII returns the ASCII lowercase version of b.
+diff --git a/src/vendor/modules.txt b/src/vendor/modules.txt
+index 03ca3c3ae4c1..dd2296b6944d 100644
+--- a/src/vendor/modules.txt
++++ b/src/vendor/modules.txt
+@@ -8,7 +8,7 @@ golang.org/x/crypto/curve25519
+ golang.org/x/crypto/hkdf
+ golang.org/x/crypto/internal/subtle
+ golang.org/x/crypto/poly1305
+-# golang.org/x/net v0.0.0-20201008223702-a5fa9d4b7c91
++# golang.org/x/net v0.0.0-20210428183841-261fb518b1ed
+ ## explicit
+ golang.org/x/net/dns/dnsmessage
+ golang.org/x/net/http/httpguts
diff -Nru golang-1.15-1.15.9/debian/patches/series golang-1.15-1.15.9/debian/patches/series
--- golang-1.15-1.15.9/debian/patches/series	2021-03-11 23:43:18.000000000 +0800
+++ golang-1.15-1.15.9/debian/patches/series	2021-05-08 02:45:35.000000000 +0800
@@ -4,3 +4,4 @@
 0004-cmd-dist-fix-build-failure-of-misc-cgo-test-on-arm64.patch
 0005-cmd-dist-increase-default-timeout-scale-for-arm.patch
 0006-skip-userns-test-in-schroot-as-well.patch
+0007-CVE-2021-31525.patch

Reply to:

Follow-Ups:
- Bug#988210: [pre-approval] unblock: golang-1.15/1.15.9-2
  - From: Shengjing Zhu <zhsj@debian.org>
- Processed: Re: Bug#988210: [pre-approval] unblock: golang-1.15/1.15.9-2
  - From: "Debian Bug Tracking System" <owner@bugs.debian.org>
- Bug#988210: [pre-approval] unblock: golang-1.15/1.15.9-2
  - From: Sebastian Ramacher <sramacher@debian.org>
- Processed: Re: Bug#988210: [pre-approval] unblock: golang-1.15/1.15.9-2
  - From: "Debian Bug Tracking System" <owner@bugs.debian.org>
- Bug#988210: marked as done (unblock: golang-1.15/1.15.9-3)
  - From: "Debian Bug Tracking System" <owner@bugs.debian.org>

Prev by Date: NEW changes in stable-new
Next by Date: Bug#988012: marked as done (unblock: diaspora-installer/0.7.14.0+debian2+nmu2)
Previous by thread: Bug#988193: marked as done (unblock: deepin-terminal/5.0.0+ds1-3)
Next by thread: Bug#988210: [pre-approval] unblock: golang-1.15/1.15.9-2
Index(es):
- Date
- Thread