
Bug#988223: unblock: golang-golang-x-net/1:0.0+git20210119.5f4716e+dfsg-3



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: zhsj@debian.org

Please unblock package golang-golang-x-net

[ Reason ]
Same as #988210, backport patch for CVE-2021-31525
net/http: ReadRequest can stack overflow due to recursion with very
large headers. https://github.com/golang/go/issues/45710

[ Impact ]
Fix a security issue.

[ Tests ]
Manual test for the affected function.

[ Risks ]
The diff is small.
The package is a key package.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
No

unblock golang-golang-x-net/1:0.0+git20210119.5f4716e+dfsg-3


diff -Nru golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/changelog golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/changelog
--- golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/changelog	2021-02-05 07:37:28.000000000 +0800
+++ golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/changelog	2021-05-08 12:12:17.000000000 +0800
@@ -1,3 +1,12 @@
+golang-golang-x-net (1:0.0+git20210119.5f4716e+dfsg-3) unstable; urgency=medium
+
+  * Team upload.
+  * Backport patch for CVE-2021-31525
+    net/http: ReadRequest can stack overflow due to recursion with very
+    large headers. https://github.com/golang/go/issues/45710
+
+ -- Shengjing Zhu <zhsj@debian.org>  Sat, 08 May 2021 12:12:17 +0800
+
 golang-golang-x-net (1:0.0+git20210119.5f4716e+dfsg-2) unstable; urgency=medium
 
   [ Helmut Grohne ]
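Review bot: the entry names CVE-2021-31525 and the upstream issue but carries no Closes: line; if a Debian bug was filed against golang-golang-x-net for this CVE, add it here so the BTS is closed on upload (if none exists, the entry is fine as written).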
diff -Nru golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/patches/CVE-2021-31525.patch golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/patches/CVE-2021-31525.patch
--- golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/patches/CVE-2021-31525.patch	1970-01-01 08:00:00.000000000 +0800
+++ golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/patches/CVE-2021-31525.patch	2021-05-08 12:12:17.000000000 +0800
@@ -0,0 +1,49 @@
+From 89ef3d95e781148a0951956029c92a211477f7f9 Mon Sep 17 00:00:00 2001
+From: Katie Hockman <katie@golang.org>
+Date: Fri, 23 Apr 2021 12:56:01 -0400
+Subject: [PATCH] http/httpguts: remove recursion in HeaderValuesContainsToken
+
+Previously, httpguts.HeaderValuesContainsToken called a
+function which could recurse to the point of a stack
+overflow when given a very large header (~10MB).
+
+Credit to Guido Vranken who reported the crash as
+part of the Ethereum 2.0 bounty program.
+
+Fixes CVE-2021-31525
+
+Fixes golang/go#45710
+
+Change-Id: I2c54ce3b2acf1c5efdea66db0595b93a3f5ae5f3
+Reviewed-on: https://go-review.googlesource.com/c/net/+/313069
+Trust: Katie Hockman <katie@golang.org>
+Run-TryBot: Katie Hockman <katie@golang.org>
+TryBot-Result: Go Bot <gobot@golang.org>
+Reviewed-by: Filippo Valsorda <filippo@golang.org>
+Reviewed-by: Roland Shoemaker <roland@golang.org>
+---
+ http/httpguts/httplex.go | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/http/httpguts/httplex.go b/http/httpguts/httplex.go
+index e7de24ee6..c79aa73f2 100644
+--- a/http/httpguts/httplex.go
++++ b/http/httpguts/httplex.go
+@@ -137,11 +137,13 @@ func trimOWS(x string) string {
+ // contains token amongst its comma-separated tokens, ASCII
+ // case-insensitively.
+ func headerValueContainsToken(v string, token string) bool {
+-	v = trimOWS(v)
+-	if comma := strings.IndexByte(v, ','); comma != -1 {
+-		return tokenEqual(trimOWS(v[:comma]), token) || headerValueContainsToken(v[comma+1:], token)
++	for comma := strings.IndexByte(v, ','); comma != -1; comma = strings.IndexByte(v, ',') {
++		if tokenEqual(trimOWS(v[:comma]), token) {
++			return true
++		}
++		v = v[comma+1:]
+ 	}
+-	return tokenEqual(v, token)
++	return tokenEqual(trimOWS(v), token)
+ }
+ 
+ // lowerASCII returns the ASCII lowercase version of b.
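Review bot: the loop keeps the pre-patch trimming semantics (each segment passes through trimOWS before tokenEqual, and the remainder is trimmed in the final return), so the only behavioural change is bounded stack use, which is what the CVE needs; what the hunk does not carry is a regression test, and the [ Tests ] section above records only a manual check, so consider adding a table-driven case in httplex_test.go that feeds a value with several million comma-separated tokens (the commit message cites ~10MB) through headerValueContainsToken, alongside a few whitespace and empty-segment cases to pin the trimming behaviour.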
diff -Nru golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/patches/series golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/patches/series
--- golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/patches/series	2020-02-21 21:20:40.000000000 +0800
+++ golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/patches/series	2021-05-08 12:12:17.000000000 +0800
@@ -1 +1,2 @@
 publicsuffix.patch
+CVE-2021-31525.patch
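A stand-alone check of the backported function, added here as an example; it is not part of this bug report, the Debian package or the upstream patch. It reimplements trimOWS and tokenEqual from httpguts (assumed equivalents, not imported from x/net), carries both the recursive pre-patch body and the iterative patched body from the hunk above, runs them differentially over constructed header values, and then pushes a roughly 10MB comma-separated value through the iterative version only, since the recursive one needs one stack frame per comma.

```go
package main

import (
	"fmt"
	"strings"
	"unicode/utf8"
)

// trimOWS strips optional whitespace (SP / HTAB) from both ends, as
// httpguts.trimOWS does; reimplemented here rather than imported.
func trimOWS(x string) string {
	return strings.Trim(x, " \t")
}

func lowerASCII(b byte) byte {
	if 'A' <= b && b <= 'Z' {
		return b + ('a' - 'A')
	}
	return b
}

// tokenEqual compares ASCII case-insensitively and rejects non-ASCII bytes.
func tokenEqual(t1, t2 string) bool {
	if len(t1) != len(t2) {
		return false
	}
	for i := 0; i < len(t1); i++ {
		if t1[i] >= utf8.RuneSelf || lowerASCII(t1[i]) != lowerASCII(t2[i]) {
			return false
		}
	}
	return true
}

// containsTokenRecursive is the pre-patch shape: one goroutine stack frame
// per comma, so millions of commas exhaust the stack.
func containsTokenRecursive(v, token string) bool {
	v = trimOWS(v)
	if comma := strings.IndexByte(v, ','); comma != -1 {
		return tokenEqual(trimOWS(v[:comma]), token) || containsTokenRecursive(v[comma+1:], token)
	}
	return tokenEqual(v, token)
}

// containsTokenIterative is the patched shape: a loop, constant stack use.
func containsTokenIterative(v, token string) bool {
	for comma := strings.IndexByte(v, ','); comma != -1; comma = strings.IndexByte(v, ',') {
		if tokenEqual(trimOWS(v[:comma]), token) {
			return true
		}
		v = v[comma+1:]
	}
	return tokenEqual(trimOWS(v), token)
}

// differentialCases are constructed inputs; both versions must agree on each.
var differentialCases = []struct {
	v, token string
	want     bool
}{
	{"close", "close", true},
	{"keep-alive, Close", "close", true},
	{" chunked ,\tgzip ", "gzip", true},
	{"a,,b", "", true},
	{"close,", "close", true},
	{"Upgrade, HTTP2-Settings", "http2-settings", true},
	{"keepalive", "keep-alive", false},
	{"gzip, deflate", "br", false},
}

// checkEquivalence returns "" when both implementations match the expected
// result on every case, otherwise describes the first disagreement.
func checkEquivalence() string {
	for _, c := range differentialCases {
		r, i := containsTokenRecursive(c.v, c.token), containsTokenIterative(c.v, c.token)
		if r != c.want || i != c.want {
			return fmt.Sprintf("%q/%q: recursive=%v iterative=%v want=%v", c.v, c.token, r, i, c.want)
		}
	}
	return ""
}

// largeHeader builds n "x," tokens followed by "close": about 2n bytes, so
// n=5e6 is roughly the 10MB the upstream commit message cites.
func largeHeader(n int) string {
	var sb strings.Builder
	sb.Grow(2*n + 5)
	for i := 0; i < n; i++ {
		sb.WriteString("x,")
	}
	sb.WriteString("close")
	return sb.String()
}

// scanLarge runs only the iterative version; the recursive one would need n frames.
func scanLarge(n int) bool {
	return containsTokenIterative(largeHeader(n), "close")
}

func main() {
	fmt.Printf("differential check: %q (empty means all cases agree)\n", checkEquivalence())
	fmt.Println("iterative scan of ~10MB header finds token:", scanLarge(5_000_000))
}
```

Run it with `go run`. To observe the crash itself rather than the fix, call containsTokenRecursive on the same large value; the upstream commit message reports that a header of about 10MB was enough to overflow the stack in the recursive form.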

