Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
X-Debbugs-Cc: [email protected]
Please unblock package golang-golang-x-net

[ Reason ]
Same as #988210, backport patch for CVE-2021-31525
net/http: ReadRequest can stack overflow due to recursion with very large headers.
https://github.com/golang/go/issues/45710

[ Impact ]
Fix a security issue.

[ Tests ]
Manual test for the affected function.

[ Risks ]
The diff is small. The package is a key package.

[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing

[ Other info ]
No

unblock golang-golang-x-net/1:0.0+git20210119.5f4716e+dfsg-3

diff -Nru golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/changelog golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/changelog --- golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/changelog 2021-02-05 07:37:28.000000000 +0800 +++ golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/changelog 2021-05-08 12:12:17.000000000 +0800 @@ -1,3 +1,12 @@ +golang-golang-x-net (1:0.0+git20210119.5f4716e+dfsg-3) unstable; urgency=medium + + * Team upload. + * Backport patch for CVE-2021-31525 + net/http: ReadRequest can stack overflow due to recursion with very + large headers. https://github.com/golang/go/issues/45710 + + -- Shengjing Zhu <[email protected]> Sat, 08 May 2021 12:12:17 +0800 + golang-golang-x-net (1:0.0+git20210119.5f4716e+dfsg-2) unstable; urgency=medium [ Helmut Grohne ] diff -Nru golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/patches/CVE-2021-31525.patch golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/patches/CVE-2021-31525.patch --- golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/patches/CVE-2021-31525.patch 1970-01-01 08:00:00.000000000 +0800 +++ golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/patches/CVE-2021-31525.patch 2021-05-08 12:12:17.000000000 +0800 
@@ -0,0 +1,49 @@ +From 89ef3d95e781148a0951956029c92a211477f7f9 Mon Sep 17 00:00:00 2001 +From: Katie Hockman <[email protected]> +Date: Fri, 23 Apr 2021 12:56:01 -0400 +Subject: [PATCH] http/httpguts: remove recursion in HeaderValuesContainsToken + +Previously, httpguts.HeaderValuesContainsToken called a +function which could recurse to the point of a stack +overflow when given a very large header (~10MB). + +Credit to Guido Vranken who reported the crash as +part of the Ethereum 2.0 bounty program. + +Fixes CVE-2021-31525 + +Fixes golang/go#45710 + +Change-Id: I2c54ce3b2acf1c5efdea66db0595b93a3f5ae5f3 +Reviewed-on: https://go-review.googlesource.com/c/net/+/313069 +Trust: Katie Hockman <[email protected]> +Run-TryBot: Katie Hockman <[email protected]> +TryBot-Result: Go Bot <[email protected]> +Reviewed-by: Filippo Valsorda <[email protected]> +Reviewed-by: Roland Shoemaker <[email protected]> +--- + http/httpguts/httplex.go | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/http/httpguts/httplex.go b/http/httpguts/httplex.go +index e7de24ee6..c79aa73f2 100644 +--- a/http/httpguts/httplex.go ++++ b/http/httpguts/httplex.go +@@ -137,11 +137,13 @@ func trimOWS(x string) string { + // contains token amongst its comma-separated tokens, ASCII + // case-insensitively. + func headerValueContainsToken(v string, token string) bool { +- v = trimOWS(v) +- if comma := strings.IndexByte(v, ','); comma != -1 { +- return tokenEqual(trimOWS(v[:comma]), token) || headerValueContainsToken(v[comma+1:], token) ++ for comma := strings.IndexByte(v, ','); comma != -1; comma = strings.IndexByte(v, ',') { ++ if tokenEqual(trimOWS(v[:comma]), token) { ++ return true ++ } ++ v = v[comma+1:] + } +- return tokenEqual(v, token) ++ return tokenEqual(trimOWS(v), token) + } + + // lowerASCII returns the ASCII lowercase version of b. 
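Review bot: the rewritten headerValueContainsToken in the http/httpguts/httplex.go hunk is a faithful iterative replacement for the recursion and has no visible logic gap: the removed leading `v = trimOWS(v)` is folded into the per-segment `trimOWS(v[:comma])` and into the new final `return tokenEqual(trimOWS(v), token)`, and `v = v[comma+1:]` advances past each comma so the loop makes a single pass over the value with constant stack depth regardless of how many commas a multi-megabyte header contains. What the hunk lacks is a regression test: the stat line shows `1 file changed` in httplex.go only, and the [ Tests ] section of the request relies on a manual check, so a table-driven case next to httplex.go that feeds a comma-heavy value of roughly the ~10MB size the commit message cites would keep the overflow from reappearing unnoticed in a later rebase.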
diff -Nru golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/patches/series golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/patches/series --- golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/patches/series 2020-02-21 21:20:40.000000000 +0800 +++ golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/patches/series 2021-05-08 12:12:17.000000000 +0800 @@ -1 +1,2 @@ publicsuffix.patch +CVE-2021-31525.patch
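Review bot: the debian/changelog hunk describes the fix only by the CVE's net/http title, while the code actually changed by this backport is http/httpguts/httplex.go in golang.org/x/net; recording the upstream commit id 89ef3d95e781148a0951956029c92a211477f7f9 (or the Reviewed-on URL https://go-review.googlesource.com/c/net/+/313069, both from the patch header) in the changelog entry would make the provenance of the backport clear to a reader who does not open debian/patches/CVE-2021-31525.patch.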

