Bug#1008577: marked as done (bullseye-pu: golang-github-russellhaering-goxmldsig/1.1.0-1+deb11u1)

To: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Subject: Bug#1008577: marked as done (bullseye-pu: golang-github-russellhaering-goxmldsig/1.1.0-1+deb11u1)
From: "Debian Bug Tracking System" <owner@bugs.debian.org>
Date: Sat, 09 Jul 2022 10:51:50 +0000
Message-id: <[🔎] handler.1008577.D1008577.165736378427156.ackdone@bugs.debian.org>
Reply-to: 1008577@bugs.debian.org
References: <2280fe8c78e64b02a6c1d04c6dde5a32e342ba81.camel@adam-barratt.org.uk> <alpine.DEB.2.21.2203282150370.25097@postfach.intern.alteholz.me>

Your message dated Sat, 09 Jul 2022 11:47:43 +0100
with message-id <2280fe8c78e64b02a6c1d04c6dde5a32e342ba81.camel@adam-barratt.org.uk>
and subject line Closing requests for updates included in 11.4
has caused the Debian Bug report #1008577,
regarding bullseye-pu: golang-github-russellhaering-goxmldsig/1.1.0-1+deb11u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1008577: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1008577
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: submit@bugs.debian.org
Subject: bullseye-pu: golang-github-russellhaering-goxmldsig/1.1.0-1+deb11u1
From: Thorsten Alteholz <debian@alteholz.de>
Date: Mon, 28 Mar 2022 21:51:57 +0000 (UTC)
Message-id: <alpine.DEB.2.21.2203282150370.25097@postfach.intern.alteholz.me>

Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu


The attached debdiff for golang-github-russellhaering-goxmldsig fixes
CVE-2020-7711 in Bullseye. This CVE has been marked as no-dsa by the
security team.

  Thorsten

diff -Nru golang-github-russellhaering-goxmldsig-1.1.0/debian/changelog golang-github-russellhaering-goxmldsig-1.1.0/debian/changelog
--- golang-github-russellhaering-goxmldsig-1.1.0/debian/changelog	2021-01-08 00:13:56.000000000 +0100
+++ golang-github-russellhaering-goxmldsig-1.1.0/debian/changelog	2022-03-28 22:32:49.000000000 +0200
@@ -1,3 +1,12 @@
+golang-github-russellhaering-goxmldsig (1.1.0-1+deb11u1) bullseye; urgency=medium
+
+  * CVE-2020-7711
+    null pointer dereference caused by crafted XML signatures
+    (Closes: #968928)
+  * according to ratt, nothing else has to be built
+
+ -- Thorsten Alteholz <debian@alteholz.de>  Mon, 28 Mar 2022 22:32:49 +0200
+
 golang-github-russellhaering-goxmldsig (1.1.0-1) unstable; urgency=medium
 
   * New upstream release (Closes: #971615)
diff -Nru golang-github-russellhaering-goxmldsig-1.1.0/debian/patches/CVE-2020-7711.patch golang-github-russellhaering-goxmldsig-1.1.0/debian/patches/CVE-2020-7711.patch
--- golang-github-russellhaering-goxmldsig-1.1.0/debian/patches/CVE-2020-7711.patch	1970-01-01 01:00:00.000000000 +0100
+++ golang-github-russellhaering-goxmldsig-1.1.0/debian/patches/CVE-2020-7711.patch	2022-03-24 02:38:42.000000000 +0100
@@ -0,0 +1,23 @@
+commit fb23e0af61c023e3a6dae8ad30dbd0f04d8a4d8f
+Merge: 3541f5e ca2b448
+Author: Russell Haering <russellhaering@gmail.com>
+Date:   Fri Aug 27 20:19:01 2021 -0700
+
+    Merge pull request #71 from aporcupine/patch-1
+    
+    Explicitly check for case where SignatureValue is nil
+
+Index: golang-github-russellhaering-goxmldsig-1.1.0/validate.go
+===================================================================
+--- golang-github-russellhaering-goxmldsig-1.1.0.orig/validate.go	2022-03-24 02:38:38.797524728 +0100
++++ golang-github-russellhaering-goxmldsig-1.1.0/validate.go	2022-03-24 02:38:38.797524728 +0100
+@@ -271,6 +271,9 @@
+ 	if !bytes.Equal(digest, decodedDigestValue) {
+ 		return nil, errors.New("Signature could not be verified")
+ 	}
++	if sig.SignatureValue == nil {
++		return nil, errors.New("Signature could not be verified")
++	}
+ 
+ 	// Decode the 'SignatureValue' so we can compare against it
+ 	decodedSignature, err := base64.StdEncoding.DecodeString(sig.SignatureValue.Data)
diff -Nru golang-github-russellhaering-goxmldsig-1.1.0/debian/patches/series golang-github-russellhaering-goxmldsig-1.1.0/debian/patches/series
--- golang-github-russellhaering-goxmldsig-1.1.0/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ golang-github-russellhaering-goxmldsig-1.1.0/debian/patches/series	2022-03-24 02:39:15.000000000 +0100
@@ -0,0 +1 @@
+CVE-2020-7711.patch

--- End Message ---

--- Begin Message ---

To: 1000355-done@bugs.debian.org, 1003261-done@bugs.debian.org, 1003713-done@bugs.debian.org, 1004459-done@bugs.debian.org, 1004580-done@bugs.debian.org, 1005129-done@bugs.debian.org, 1005135-done@bugs.debian.org, 1005231-done@bugs.debian.org, 1005237-done@bugs.debian.org, 1005252-done@bugs.debian.org, 1005256-done@bugs.debian.org, 1006316-done@bugs.debian.org, 1006504-done@bugs.debian.org, 1007714-done@bugs.debian.org, 1007762-done@bugs.debian.org, 1008045-done@bugs.debian.org, 1008153-done@bugs.debian.org, 1008161-done@bugs.debian.org, 1008162-done@bugs.debian.org, 1008166-done@bugs.debian.org, 1008168-done@bugs.debian.org, 1008268-done@bugs.debian.org, 1008577-done@bugs.debian.org, 1009077-done@bugs.debian.org, 1009250-done@bugs.debian.org, 1009345-done@bugs.debian.org, 1009363-done@bugs.debian.org, 1009726-done@bugs.debian.org, 1010037-done@bugs.debian.org, 1010050-done@bugs.debian.org, 1010058-done@bugs.debian.org, 1010194-done@bugs.debian.org, 1010211-done@bugs.debian.org, 1010304-done@bugs.debian.org, 1010383-done@bugs.debian.org, 1010439-done@bugs.debian.org, 1010613-done@bugs.debian.org, 1010857-done@bugs.debian.org, 1010924-done@bugs.debian.org, 1010963-done@bugs.debian.org, 1011022-done@bugs.debian.org, 1011198-done@bugs.debian.org, 1011271-done@bugs.debian.org, 1011287-done@bugs.debian.org, 1011331-done@bugs.debian.org, 1011359-done@bugs.debian.org, 1011365-done@bugs.debian.org, 1011426-done@bugs.debian.org, 1011746-done@bugs.debian.org, 1011939-done@bugs.debian.org, 1011942-done@bugs.debian.org, 1012033-done@bugs.debian.org, 1012047-done@bugs.debian.org, 1012140-done@bugs.debian.org, 1012322-done@bugs.debian.org, 1012323-done@bugs.debian.org, 1012331-done@bugs.debian.org, 1012553-done@bugs.debian.org, 1012585-done@bugs.debian.org, 1012723-done@bugs.debian.org, 1013237-done@bugs.debian.org, 1013306-done@bugs.debian.org, 1013418-done@bugs.debian.org, 1013755-done@bugs.debian.org, 1013879-done@bugs.debian.org, 1013880-done@bugs.debian.org, 1013944-done@bugs.debian.org, 1014014-done@bugs.debian.org, 1014054-done@bugs.debian.org, 1014079-done@bugs.debian.org, 1014199-done@bugs.debian.org, 1014206-done@bugs.debian.org, 1014221-done@bugs.debian.org

Subject: Closing requests for updates included in 11.4

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>

Date: Sat, 09 Jul 2022 11:47:43 +0100

Message-id: <2280fe8c78e64b02a6c1d04c6dde5a32e342ba81.camel@adam-barratt.org.uk>
Package: release.debian.org
Version: 11.4

(re-sending with fixed bug numbers)

Hi,

The updates discussed in these bugs were included in today's bullseye
point release.

Regards,

Adam
--- End Message ---

Reply to:

Prev by Date: Bug#1008153: marked as done (bullseye-pu: package node-node-forge/0.10.0~dfsg-3+deb11u1)
Next by Date: Bug#1008166: marked as done (bullseye-pu: package debian-edu-config/2.11.56+deb11u4)
Previous by thread: Bug#1008153: marked as done (bullseye-pu: package node-node-forge/0.10.0~dfsg-3+deb11u1)
Next by thread: Bug#1008166: marked as done (bullseye-pu: package debian-edu-config/2.11.56+deb11u4)
Index(es):
- Date
- Thread