
Bug#988223: marked as done (unblock: golang-golang-x-net/1:0.0+git20210119.5f4716e+dfsg-3)



Your message dated Sat, 08 May 2021 19:13:07 +0000
with message-id <E1lfSNv-0006rd-9k@respighi.debian.org>
and subject line unblock golang-golang-x-net
has caused the Debian Bug report #988223,
regarding unblock: golang-golang-x-net/1:0.0+git20210119.5f4716e+dfsg-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
988223: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988223
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: zhsj@debian.org

Please unblock package golang-golang-x-net

[ Reason ]
Same as #988210, backport patch for CVE-2021-31525
net/http: ReadRequest can stack overflow due to recursion with very
large headers. https://github.com/golang/go/issues/45710

[ Impact ]
Fix a security issue.

[ Tests ]
Manual test for the affected function.

[ Risks ]
The diff is small.
The package is a key package.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
No

unblock golang-golang-x-net/1:0.0+git20210119.5f4716e+dfsg-3


diff -Nru golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/changelog golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/changelog
--- golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/changelog	2021-02-05 07:37:28.000000000 +0800
+++ golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/changelog	2021-05-08 12:12:17.000000000 +0800
@@ -1,3 +1,12 @@
+golang-golang-x-net (1:0.0+git20210119.5f4716e+dfsg-3) unstable; urgency=medium
+
+  * Team upload.
+  * Backport patch for CVE-2021-31525
+    net/http: ReadRequest can stack overflow due to recursion with very
+    large headers. https://github.com/golang/go/issues/45710
+
+ -- Shengjing Zhu <zhsj@debian.org>  Sat, 08 May 2021 12:12:17 +0800
+
 golang-golang-x-net (1:0.0+git20210119.5f4716e+dfsg-2) unstable; urgency=medium
 
   [ Helmut Grohne ]
diff -Nru golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/patches/CVE-2021-31525.patch golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/patches/CVE-2021-31525.patch
--- golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/patches/CVE-2021-31525.patch	1970-01-01 08:00:00.000000000 +0800
+++ golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/patches/CVE-2021-31525.patch	2021-05-08 12:12:17.000000000 +0800
@@ -0,0 +1,49 @@
+From 89ef3d95e781148a0951956029c92a211477f7f9 Mon Sep 17 00:00:00 2001
+From: Katie Hockman <katie@golang.org>
+Date: Fri, 23 Apr 2021 12:56:01 -0400
+Subject: [PATCH] http/httpguts: remove recursion in HeaderValuesContainsToken
+
+Previously, httpguts.HeaderValuesContainsToken called a
+function which could recurse to the point of a stack
+overflow when given a very large header (~10MB).
+
+Credit to Guido Vranken who reported the crash as
+part of the Ethereum 2.0 bounty program.
+
+Fixes CVE-2021-31525
+
+Fixes golang/go#45710
+
+Change-Id: I2c54ce3b2acf1c5efdea66db0595b93a3f5ae5f3
+Reviewed-on: https://go-review.googlesource.com/c/net/+/313069
+Trust: Katie Hockman <katie@golang.org>
+Run-TryBot: Katie Hockman <katie@golang.org>
+TryBot-Result: Go Bot <gobot@golang.org>
+Reviewed-by: Filippo Valsorda <filippo@golang.org>
+Reviewed-by: Roland Shoemaker <roland@golang.org>
+---
+ http/httpguts/httplex.go | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/http/httpguts/httplex.go b/http/httpguts/httplex.go
+index e7de24ee6..c79aa73f2 100644
+--- a/http/httpguts/httplex.go
++++ b/http/httpguts/httplex.go
+@@ -137,11 +137,13 @@ func trimOWS(x string) string {
+ // contains token amongst its comma-separated tokens, ASCII
+ // case-insensitively.
+ func headerValueContainsToken(v string, token string) bool {
+-	v = trimOWS(v)
+-	if comma := strings.IndexByte(v, ','); comma != -1 {
+-		return tokenEqual(trimOWS(v[:comma]), token) || headerValueContainsToken(v[comma+1:], token)
++	for comma := strings.IndexByte(v, ','); comma != -1; comma = strings.IndexByte(v, ',') {
++		if tokenEqual(trimOWS(v[:comma]), token) {
++			return true
++		}
++		v = v[comma+1:]
+ 	}
+-	return tokenEqual(v, token)
++	return tokenEqual(trimOWS(v), token)
+ }
+ 
+ // lowerASCII returns the ASCII lowercase version of b.
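Review bot: No regression test accompanies the change; the diffstat shows only http/httpguts/httplex.go touched (`1 file changed, 6 insertions(+), 4 deletions(-)`), and the unblock request records only a manual test of the affected function. A test that feeds headerValueContainsToken a value with on the order of ten million comma-separated segments (the ~10MB size named in the commit message) would make that manual check reproducible in the package build. The loop itself is behaviourally equivalent to the removed recursion: the old code ran `v = trimOWS(v)` at the top of every recursive call, so its final `return tokenEqual(v, token)` always saw an already-trimmed remainder, which the new `return tokenEqual(trimOWS(v), token)` preserves, and each iteration's strings.IndexByte stops at the first comma of the shrinking slice, so total work stays linear in len(v) with constant stack depth.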
diff -Nru golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/patches/series golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/patches/series
--- golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/patches/series	2020-02-21 21:20:40.000000000 +0800
+++ golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/patches/series	2021-05-08 12:12:17.000000000 +0800
@@ -1 +1,2 @@
 publicsuffix.patch
+CVE-2021-31525.patch

--- End Message ---
--- Begin Message ---
Unblocked.

--- End Message ---
