
Bug#988210: [pre-approval] unblock: golang-1.15/1.15.9-2



Control: retitle -1 unblock: golang-1.15/1.15.9-3

On Fri, May 07, 2021 at 10:22:04PM +0200, Sebastian Ramacher wrote:
> > Please unblock package golang-1.15
> > 
> > [ Reason ]
> > Backport patch for CVE-2021-31525
> > net/http: ReadRequest can stack overflow due to recursion with very
> > large headers. https://github.com/golang/go/issues/45711
> 
> Please go ahead and remove the moreinfo tag once the package is
> available in unstable.
> 

It seems I forgot to run all the tests in my local sbuild env.
golang-1.15/1.15.9-2 FTBFS on buildd, so here is golang-1.15/1.15.9-3.

new diff:

diff -Nru golang-1.15-1.15.9/debian/changelog golang-1.15-1.15.9/debian/changelog
--- golang-1.15-1.15.9/debian/changelog	2021-03-11 23:43:18.000000000 +0800
+++ golang-1.15-1.15.9/debian/changelog	2021-05-08 14:22:26.000000000 +0800
@@ -1,3 +1,27 @@
+golang-1.15 (1.15.9-3) unstable; urgency=medium
+
+  * Fix failed TestDependencyVersionsConsistent test.
+    When dpkg-source unpack tarball, it produces .pc dir in source dir.
+    The last patch 0007-CVE-2021-31525.patch causes
+    go.mod/go.sum/modules.txt files in .pc dir with old content.
+    Then TestDependencyVersionsConsistent picks these old content in .pc
+    dir, results error:
+    --- FAIL: TestDependencyVersionsConsistent (0.00s)
+        moddeps_test.go:217: Modules within GOROOT require different versions of golang.org/x/net.
+        moddeps_test.go:229: std	requires v0.0.0-20201008223702-a5fa9d4b7c91
+        moddeps_test.go:229: std	requires v0.0.0-20210428183841-261fb518b1ed
+
+ -- Shengjing Zhu <zhsj@debian.org>  Sat, 08 May 2021 14:22:26 +0800
+
+golang-1.15 (1.15.9-2) unstable; urgency=medium
+
+  * Team upload.
+  * Backport patch for CVE-2021-31525
+    net/http: ReadRequest can stack overflow due to recursion with very
+    large headers. https://github.com/golang/go/issues/45711
+
+ -- Shengjing Zhu <zhsj@debian.org>  Sat, 08 May 2021 02:45:35 +0800
+
 golang-1.15 (1.15.9-1) unstable; urgency=medium
 
   * Team upload.
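Review bot: the 1.15.9-3 entry describes the failure (stale go.mod/go.sum/modules.txt copies under .pc picked up by TestDependencyVersionsConsistent) but not the remedy. From the rest of the debdiff the remedy appears to be that 0007-CVE-2021-31525.patch now carries only the httplex.go hunk, so dpkg-source no longer leaves old copies of the module files in .pc; one line stating that, e.g. "Drop go.mod/go.sum/vendor/modules.txt hunks from 0007-CVE-2021-31525.patch", would let a reviewer confirm the fix without reconstructing it from the patch diffstat.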
diff -Nru golang-1.15-1.15.9/debian/patches/0006-skip-userns-test-in-schroot-as-well.patch golang-1.15-1.15.9/debian/patches/0006-skip-userns-test-in-schroot-as-well.patch
--- golang-1.15-1.15.9/debian/patches/0006-skip-userns-test-in-schroot-as-well.patch	2021-03-11 23:43:18.000000000 +0800
+++ golang-1.15-1.15.9/debian/patches/0006-skip-userns-test-in-schroot-as-well.patch	2021-05-08 14:22:26.000000000 +0800
@@ -3,7 +3,6 @@
 Subject: skip userns test in schroot as well
 
 When schroot is using overlayfs, it fails to detect it as chroot.
-
 ---
  src/syscall/exec_linux_test.go | 7 +++++++
  1 file changed, 7 insertions(+)
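Review bot: this hunk is a whitespace-only change (the blank line between the description and the `---` separator in 0006 is dropped) and is not mentioned in the changelog. If it is needed for the patch header to parse correctly, a short changelog line saying so would explain why an unrelated patch appears in an unblock debdiff; if it is incidental, it is better left out of a freeze-time upload.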
diff -Nru golang-1.15-1.15.9/debian/patches/0007-CVE-2021-31525.patch golang-1.15-1.15.9/debian/patches/0007-CVE-2021-31525.patch
--- golang-1.15-1.15.9/debian/patches/0007-CVE-2021-31525.patch	1970-01-01 08:00:00.000000000 +0800
+++ golang-1.15-1.15.9/debian/patches/0007-CVE-2021-31525.patch	2021-05-08 14:22:26.000000000 +0800
@@ -0,0 +1,45 @@
+From: Katie Hockman <katie@golang.org>
+Date: Wed, 28 Apr 2021 14:47:48 -0400
+Subject: [PATCH] [release-branch.go1.15] std: update golang.org/x/net to
+ 20210428183841-261fb518b1ed
+
+Steps:
+  go get -d golang.org/x/net@release-branch.go1.15
+  go mod tidy
+  go mod vendor
+
+This http2 bundle does not need to be updated.
+
+Fixes #45711
+
+Change-Id: I085ca592dfc8d5d9c328a7979142e88e7130a813
+Reviewed-on: https://go-review.googlesource.com/c/go/+/314790
+Trust: Katie Hockman <katie@golang.org>
+Run-TryBot: Katie Hockman <katie@golang.org>
+Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
+---
+ src/vendor/golang.org/x/net/http/httpguts/httplex.go | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/src/vendor/golang.org/x/net/http/httpguts/httplex.go b/src/vendor/golang.org/x/net/http/httpguts/httplex.go
+index e7de24e..c79aa73 100644
+--- a/src/vendor/golang.org/x/net/http/httpguts/httplex.go
++++ b/src/vendor/golang.org/x/net/http/httpguts/httplex.go
+@@ -137,11 +137,13 @@ func trimOWS(x string) string {
+ // contains token amongst its comma-separated tokens, ASCII
+ // case-insensitively.
+ func headerValueContainsToken(v string, token string) bool {
+-	v = trimOWS(v)
+-	if comma := strings.IndexByte(v, ','); comma != -1 {
+-		return tokenEqual(trimOWS(v[:comma]), token) || headerValueContainsToken(v[comma+1:], token)
++	for comma := strings.IndexByte(v, ','); comma != -1; comma = strings.IndexByte(v, ',') {
++		if tokenEqual(trimOWS(v[:comma]), token) {
++			return true
++		}
++		v = v[comma+1:]
+ 	}
+-	return tokenEqual(v, token)
++	return tokenEqual(trimOWS(v), token)
+ }
+ 
+ // lowerASCII returns the ASCII lowercase version of b.
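Review bot: the patch header still says the change was produced with "go get ... / go mod tidy / go mod vendor", but the diffstat shows only src/vendor/golang.org/x/net/http/httpguts/httplex.go; the go.mod, go.sum and vendor/modules.txt parts of the upstream commit have been dropped for the Debian backport. Add a line under the header (e.g. after "Fixes #45711") noting that those hunks were intentionally omitted so that a future refresh of the patch does not reintroduce them and the .pc problem from the changelog. The code change itself reads correctly: the recursion over comma-separated tokens becomes a loop, each token is still trimmed with trimOWS before tokenEqual, and the final `return tokenEqual(trimOWS(v), token)` restores the trim that the removed leading `v = trimOWS(v)` used to apply to the last token, so behaviour is preserved while the stack depth no longer grows with the number of commas in a header value.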
diff -Nru golang-1.15-1.15.9/debian/patches/series golang-1.15-1.15.9/debian/patches/series
--- golang-1.15-1.15.9/debian/patches/series	2021-03-11 23:43:18.000000000 +0800
+++ golang-1.15-1.15.9/debian/patches/series	2021-05-08 14:22:26.000000000 +0800
@@ -4,3 +4,4 @@
 0004-cmd-dist-fix-build-failure-of-misc-cgo-test-on-arm64.patch
 0005-cmd-dist-increase-default-timeout-scale-for-arm.patch
 0006-skip-userns-test-in-schroot-as-well.patch
+0007-CVE-2021-31525.patch