Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
X-Debbugs-Cc: [email protected]

Please unblock package golang-1.15

[ Reason ]
Backport patch for CVE-2021-31525
net/http: ReadRequest can stack overflow due to recursion with very
large headers. https://github.com/golang/go/issues/45711

[ Impact ]
Though a CVE is assigned, the issue doesn't look like a serious one.
So if it's not approved, I think we can address it together with other
future security fixes through a DSA after the release.

[ Tests ]
I have done a manual test of the affected function, to see whether it
stack-overflows with and without the patch.

[ Risks ]
The diff is small.
The package is a key package.
Due to the static linking of Go packages, and the out-of-date Built-Using
fields, it needs another round of rebuilds of all Go packages before the
bullseye release.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
golang-golang-x-net needs the same fix for CVE-2021-31525.


unblock golang-1.15/1.15.9-2


diff -Nru golang-1.15-1.15.9/debian/changelog 
golang-1.15-1.15.9/debian/changelog
--- golang-1.15-1.15.9/debian/changelog 2021-03-11 23:43:18.000000000 +0800
+++ golang-1.15-1.15.9/debian/changelog 2021-05-08 02:45:35.000000000 +0800
@@ -1,3 +1,12 @@
+golang-1.15 (1.15.9-2) unstable; urgency=medium
+
+  * Team upload.
+  * Backport patch for CVE-2021-31525
+    net/http: ReadRequest can stack overflow due to recursion with very
+    large headers. https://github.com/golang/go/issues/45711
+
+ -- Shengjing Zhu <[email protected]>  Sat, 08 May 2021 02:45:35 +0800
+
 golang-1.15 (1.15.9-1) unstable; urgency=medium
 
   * Team upload.
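Review bot: the changelog entry names the CVE and the upstream issue but not the upstream commit being backported (5aed4ce3c854, Go CL 314790, both visible in the patch header below); adding one of those identifiers to the entry would let the next uploader, or the security team preparing a DSA, confirm the backport against release-branch.go1.15 without opening the patch file.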
diff -Nru golang-1.15-1.15.9/debian/patches/0007-CVE-2021-31525.patch 
golang-1.15-1.15.9/debian/patches/0007-CVE-2021-31525.patch
--- golang-1.15-1.15.9/debian/patches/0007-CVE-2021-31525.patch 1970-01-01 
08:00:00.000000000 +0800
+++ golang-1.15-1.15.9/debian/patches/0007-CVE-2021-31525.patch 2021-05-08 
02:45:35.000000000 +0800
@@ -0,0 +1,90 @@
+From 5aed4ce3c854bdbbb6dd5c1ccfa15c23d4b6c989 Mon Sep 17 00:00:00 2001
+From: Katie Hockman <[email protected]>
+Date: Wed, 28 Apr 2021 14:47:48 -0400
+Subject: [PATCH] [release-branch.go1.15] std: update golang.org/x/net to
+ 20210428183841-261fb518b1ed
+
+Steps:
+  go get -d golang.org/x/[email protected]
+  go mod tidy
+  go mod vendor
+
+This http2 bundle does not need to be updated.
+
+Fixes #45711
+
+Change-Id: I085ca592dfc8d5d9c328a7979142e88e7130a813
+Reviewed-on: https://go-review.googlesource.com/c/go/+/314790
+Trust: Katie Hockman <[email protected]>
+Run-TryBot: Katie Hockman <[email protected]>
+Reviewed-by: Dmitri Shuralyov <[email protected]>
+---
+ src/go.mod                                           |  2 +-
+ src/go.sum                                           |  4 ++--
+ src/vendor/golang.org/x/net/http/httpguts/httplex.go | 10 ++++++----
+ src/vendor/modules.txt                               |  2 +-
+ 4 files changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/src/go.mod b/src/go.mod
+index 6b97366bbe6c..dfcba7a1c8ac 100644
+--- a/src/go.mod
++++ b/src/go.mod
+@@ -4,7 +4,7 @@ go 1.15
+ 
+ require (
+       golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9
+-      golang.org/x/net v0.0.0-20201008223702-a5fa9d4b7c91
++      golang.org/x/net v0.0.0-20210428183841-261fb518b1ed
+       golang.org/x/sys v0.0.0-20200501145240-bc7a7d42d5c3 // indirect
+       golang.org/x/text v0.3.3-0.20200430171850-afb9336c4530 // indirect
+ )
+diff --git a/src/go.sum b/src/go.sum
+index fbd3279aade6..47e918848c3e 100644
+--- a/src/go.sum
++++ b/src/go.sum
+@@ -2,8 +2,8 @@ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod 
h1:djNgcEr1/C05ACk
+ golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9 
h1:psW17arqaxU48Z5kZ0CQnkZWQJsqcURM6tKiBApRjXI=
+ golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod 
h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+ golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod 
h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+-golang.org/x/net v0.0.0-20201008223702-a5fa9d4b7c91 
h1:zd7kl5i5PDM0OnFbRWVM6B8mXojzv8LOkHN9LsOrRf4=
+-golang.org/x/net v0.0.0-20201008223702-a5fa9d4b7c91/go.mod 
h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
++golang.org/x/net v0.0.0-20210428183841-261fb518b1ed 
h1:aunM0N/jnRHvQgZo3kYkfaAGet2kIMFOPIbopG5BhYw=
++golang.org/x/net v0.0.0-20210428183841-261fb518b1ed/go.mod 
h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
+ golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod 
h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+ golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod 
h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+ golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod 
h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+diff --git a/src/vendor/golang.org/x/net/http/httpguts/httplex.go 
b/src/vendor/golang.org/x/net/http/httpguts/httplex.go
+index e7de24ee64ef..c79aa73f28bb 100644
+--- a/src/vendor/golang.org/x/net/http/httpguts/httplex.go
++++ b/src/vendor/golang.org/x/net/http/httpguts/httplex.go
+@@ -137,11 +137,13 @@ func trimOWS(x string) string {
+ // contains token amongst its comma-separated tokens, ASCII
+ // case-insensitively.
+ func headerValueContainsToken(v string, token string) bool {
+-      v = trimOWS(v)
+-      if comma := strings.IndexByte(v, ','); comma != -1 {
+-              return tokenEqual(trimOWS(v[:comma]), token) || 
headerValueContainsToken(v[comma+1:], token)
++      for comma := strings.IndexByte(v, ','); comma != -1; comma = 
strings.IndexByte(v, ',') {
++              if tokenEqual(trimOWS(v[:comma]), token) {
++                      return true
++              }
++              v = v[comma+1:]
+       }
+-      return tokenEqual(v, token)
++      return tokenEqual(trimOWS(v), token)
+ }
+ 
+ // lowerASCII returns the ASCII lowercase version of b.
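Review bot: the loop is the right fix, since each comma in the value previously cost one stack frame and a Go stack overflow is a fatal runtime error that takes the whole process down rather than a panic the server can recover. Two things to check here: dropping the leading `v = trimOWS(v)` is safe only because every segment is now trimmed individually, including the last one via `return tokenEqual(trimOWS(v), token)`, so behaviour is preserved; and the patch carries no regression test (the diffstat lists no test file), so the manual test from [Tests] does not survive the upload. A unit test feeding a value of a few hundred thousand commas with the token at the end would guard against the recursion being reintroduced.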
+diff --git a/src/vendor/modules.txt b/src/vendor/modules.txt
+index 03ca3c3ae4c1..dd2296b6944d 100644
+--- a/src/vendor/modules.txt
++++ b/src/vendor/modules.txt
+@@ -8,7 +8,7 @@ golang.org/x/crypto/curve25519
+ golang.org/x/crypto/hkdf
+ golang.org/x/crypto/internal/subtle
+ golang.org/x/crypto/poly1305
+-# golang.org/x/net v0.0.0-20201008223702-a5fa9d4b7c91
++# golang.org/x/net v0.0.0-20210428183841-261fb518b1ed
+ ## explicit
+ golang.org/x/net/dns/dnsmessage
+ golang.org/x/net/http/httpguts
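Review bot: the revision recorded here (261fb518b1ed) matches go.mod and go.sum in the same patch, which matters because Go 1.14 and later refuse to build in vendor mode when vendor/modules.txt disagrees with go.mod; nothing further needed for this hunk.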
diff -Nru golang-1.15-1.15.9/debian/patches/series 
golang-1.15-1.15.9/debian/patches/series
--- golang-1.15-1.15.9/debian/patches/series    2021-03-11 23:43:18.000000000 
+0800
+++ golang-1.15-1.15.9/debian/patches/series    2021-05-08 02:45:35.000000000 
+0800
@@ -4,3 +4,4 @@
 0004-cmd-dist-fix-build-failure-of-misc-cgo-test-on-arm64.patch
 0005-cmd-dist-increase-default-timeout-scale-for-arm.patch
 0006-skip-userns-test-in-schroot-as-well.patch
+0007-CVE-2021-31525.patch
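Added example (not part of this bug report, the Debian packaging, or the upstream commit): the pre-patch recursive `headerValueContainsToken` beside the iterative form from the hunk above, re-typed as a stand-alone Go program with the recursion instrumented to report its depth. `trimOWS` and `tokenEqual` are re-implemented here as assumptions (trim SP/HTAB, then ASCII case-insensitive compare) rather than copied from the vendored httpguts; the header values are constructed. It shows that the old code uses one stack frame per comma in a value the client controls, such as a Connection header (the caller in net/http is not shown on this page), while the loop handles millions of commas at constant depth.

```go
package main

import (
	"fmt"
	"strings"
)

// trimOWS and tokenEqual are assumptions of this example: they stand in
// for the helpers in golang.org/x/net/http/httpguts (trim SP/HTAB, then
// ASCII case-insensitive compare) and are not copied from the vendored file.
func trimOWS(x string) string {
	isOWS := func(b byte) bool { return b == ' ' || b == '\t' }
	for len(x) > 0 && isOWS(x[0]) {
		x = x[1:]
	}
	for len(x) > 0 && isOWS(x[len(x)-1]) {
		x = x[:len(x)-1]
	}
	return x
}

func lowerASCII(b byte) byte {
	if 'A' <= b && b <= 'Z' {
		return b + ('a' - 'A')
	}
	return b
}

func tokenEqual(t1, t2 string) bool {
	if len(t1) != len(t2) {
		return false
	}
	for i := 0; i < len(t1); i++ {
		if lowerASCII(t1[i]) != lowerASCII(t2[i]) {
			return false
		}
	}
	return true
}

// containsTokenRecursive is the pre-patch shape of headerValueContainsToken:
// one recursive call per comma until the token is found. The depth return
// value counts the frames used and is instrumentation added for this example.
func containsTokenRecursive(v, token string) (found bool, depth int) {
	v = trimOWS(v)
	if comma := strings.IndexByte(v, ','); comma != -1 {
		if tokenEqual(trimOWS(v[:comma]), token) {
			return true, 1
		}
		f, d := containsTokenRecursive(v[comma+1:], token)
		return f, d + 1
	}
	return tokenEqual(v, token), 1
}

// containsTokenIterative is the post-patch shape: the same scan as a loop,
// so the stack stays the same size no matter how many commas v holds.
func containsTokenIterative(v, token string) bool {
	for comma := strings.IndexByte(v, ','); comma != -1; comma = strings.IndexByte(v, ',') {
		if tokenEqual(trimOWS(v[:comma]), token) {
			return true
		}
		v = v[comma+1:]
	}
	return tokenEqual(trimOWS(v), token)
}

// hostileHeader builds a constructed header value of n empty list members
// followed by tail, so neither version can stop early.
func hostileHeader(n int, tail string) string {
	return strings.Repeat(",", n) + tail
}

func main() {
	for _, v := range []string{"keep-alive, Close", "  upgrade , keep-alive ", ""} {
		r, depth := containsTokenRecursive(v, "close")
		i := containsTokenIterative(v, "close")
		fmt.Printf("%-26q recursive=%-5v depth=%-3d iterative=%v\n", v, r, depth, i)
	}
	// 10000 commas is well inside Go's default 1 GB stack limit but already
	// shows that frame count scales with attacker-controlled input.
	_, depth := containsTokenRecursive(hostileHeader(10000, "close"), "close")
	fmt.Println("recursive depth for 10000 commas:", depth)
	// The loop handles a value orders of magnitude larger at constant depth.
	fmt.Println("iterative, 5M commas then close:",
		containsTokenIterative(hostileHeader(5_000_000, "close"), "close"))
}
```

The recursive version is deliberately not run on the 5M-comma input: a goroutine that exhausts its stack ends the process with a fatal error rather than a panic, so there is nothing to recover and assert on. The depth counter on the 10000-comma case is enough to see the linear growth the patch removes.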