Your message dated Sat, 08 May 2021 19:09:17 +0000
with message-id <[email protected]>
and subject line unblock golang-1.15
has caused the Debian Bug report #988210,
regarding unblock: golang-1.15/1.15.9-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
988210: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988210
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
X-Debbugs-Cc: [email protected]

Please unblock package golang-1.15

[ Reason ]
Backport patch for CVE-2021-31525
net/http: ReadRequest can stack overflow due to recursion with very
large headers. https://github.com/golang/go/issues/45711

[ Impact ]
Though a CVE is assigned, the issue doesn't look like a serious one.
So if it's not approved, I think we can address it with other future
security fixes through DSA after release.

[ Tests ]
I did a manual test of the affected function to see whether it
stack-overflows with and without the patch.

[ Risks ]
The diff is small.
The package is a key package.
Due to the static linking of Go packages and the out-of-date Built-Using
thing, it needs another round of rebuilds of all Go packages before the
bullseye release.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
golang-golang-x-net needs the same fix for CVE-2021-31525


unblock golang-1.15/1.15.9-2


diff -Nru golang-1.15-1.15.9/debian/changelog 
golang-1.15-1.15.9/debian/changelog
--- golang-1.15-1.15.9/debian/changelog 2021-03-11 23:43:18.000000000 +0800
+++ golang-1.15-1.15.9/debian/changelog 2021-05-08 02:45:35.000000000 +0800
@@ -1,3 +1,12 @@
+golang-1.15 (1.15.9-2) unstable; urgency=medium
+
+  * Team upload.
+  * Backport patch for CVE-2021-31525
+    net/http: ReadRequest can stack overflow due to recursion with very
+    large headers. https://github.com/golang/go/issues/45711
+
+ -- Shengjing Zhu <[email protected]>  Sat, 08 May 2021 02:45:35 +0800
+
 golang-1.15 (1.15.9-1) unstable; urgency=medium
 
   * Team upload.
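Review bot: the new changelog stanza and the "unblock golang-1.15/1.15.9-2" line describe 1.15.9-2, while the report is titled "unblock: golang-1.15/1.15.9-3", so the attached debdiff does not correspond to the version the bug was ultimately closed for; an updated debdiff against -3 would keep the record consistent. The stanza also says nothing about the consequence called out under [Risks], that every Go package statically linked against this toolchain needs a Built-Using rebuild before release; stating that in the changelog entry makes it visible to whoever schedules the binNMUs.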
diff -Nru golang-1.15-1.15.9/debian/patches/0007-CVE-2021-31525.patch 
golang-1.15-1.15.9/debian/patches/0007-CVE-2021-31525.patch
--- golang-1.15-1.15.9/debian/patches/0007-CVE-2021-31525.patch 1970-01-01 
08:00:00.000000000 +0800
+++ golang-1.15-1.15.9/debian/patches/0007-CVE-2021-31525.patch 2021-05-08 
02:45:35.000000000 +0800
@@ -0,0 +1,90 @@
+From 5aed4ce3c854bdbbb6dd5c1ccfa15c23d4b6c989 Mon Sep 17 00:00:00 2001
+From: Katie Hockman <[email protected]>
+Date: Wed, 28 Apr 2021 14:47:48 -0400
+Subject: [PATCH] [release-branch.go1.15] std: update golang.org/x/net to
+ 20210428183841-261fb518b1ed
+
+Steps:
+  go get -d golang.org/x/[email protected]
+  go mod tidy
+  go mod vendor
+
+This http2 bundle does not need to be updated.
+
+Fixes #45711
+
+Change-Id: I085ca592dfc8d5d9c328a7979142e88e7130a813
+Reviewed-on: https://go-review.googlesource.com/c/go/+/314790
+Trust: Katie Hockman <[email protected]>
+Run-TryBot: Katie Hockman <[email protected]>
+Reviewed-by: Dmitri Shuralyov <[email protected]>
+---
+ src/go.mod                                           |  2 +-
+ src/go.sum                                           |  4 ++--
+ src/vendor/golang.org/x/net/http/httpguts/httplex.go | 10 ++++++----
+ src/vendor/modules.txt                               |  2 +-
+ 4 files changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/src/go.mod b/src/go.mod
+index 6b97366bbe6c..dfcba7a1c8ac 100644
+--- a/src/go.mod
++++ b/src/go.mod
+@@ -4,7 +4,7 @@ go 1.15
+ 
+ require (
+       golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9
+-      golang.org/x/net v0.0.0-20201008223702-a5fa9d4b7c91
++      golang.org/x/net v0.0.0-20210428183841-261fb518b1ed
+       golang.org/x/sys v0.0.0-20200501145240-bc7a7d42d5c3 // indirect
+       golang.org/x/text v0.3.3-0.20200430171850-afb9336c4530 // indirect
+ )
+diff --git a/src/go.sum b/src/go.sum
+index fbd3279aade6..47e918848c3e 100644
+--- a/src/go.sum
++++ b/src/go.sum
+@@ -2,8 +2,8 @@ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod 
h1:djNgcEr1/C05ACk
+ golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9 
h1:psW17arqaxU48Z5kZ0CQnkZWQJsqcURM6tKiBApRjXI=
+ golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod 
h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+ golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod 
h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+-golang.org/x/net v0.0.0-20201008223702-a5fa9d4b7c91 
h1:zd7kl5i5PDM0OnFbRWVM6B8mXojzv8LOkHN9LsOrRf4=
+-golang.org/x/net v0.0.0-20201008223702-a5fa9d4b7c91/go.mod 
h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
++golang.org/x/net v0.0.0-20210428183841-261fb518b1ed 
h1:aunM0N/jnRHvQgZo3kYkfaAGet2kIMFOPIbopG5BhYw=
++golang.org/x/net v0.0.0-20210428183841-261fb518b1ed/go.mod 
h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
+ golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod 
h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+ golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod 
h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+ golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod 
h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+diff --git a/src/vendor/golang.org/x/net/http/httpguts/httplex.go 
b/src/vendor/golang.org/x/net/http/httpguts/httplex.go
+index e7de24ee64ef..c79aa73f28bb 100644
+--- a/src/vendor/golang.org/x/net/http/httpguts/httplex.go
++++ b/src/vendor/golang.org/x/net/http/httpguts/httplex.go
+@@ -137,11 +137,13 @@ func trimOWS(x string) string {
+ // contains token amongst its comma-separated tokens, ASCII
+ // case-insensitively.
+ func headerValueContainsToken(v string, token string) bool {
+-      v = trimOWS(v)
+-      if comma := strings.IndexByte(v, ','); comma != -1 {
+-              return tokenEqual(trimOWS(v[:comma]), token) || 
headerValueContainsToken(v[comma+1:], token)
++      for comma := strings.IndexByte(v, ','); comma != -1; comma = 
strings.IndexByte(v, ',') {
++              if tokenEqual(trimOWS(v[:comma]), token) {
++                      return true
++              }
++              v = v[comma+1:]
+       }
+-      return tokenEqual(v, token)
++      return tokenEqual(trimOWS(v), token)
+ }
+ 
+ // lowerASCII returns the ASCII lowercase version of b.
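Review bot: the loop rewrite in headerValueContainsToken is what removes the stack-overflow condition, since stack use is now one frame regardless of how many commas an untrusted header value contains, whereas the removed code recursed once per comma. As far as I can see the result is unchanged: the old code trimmed the whole remainder at each level and then trimmed the segment again, the new code trims each segment as it is cut off and trims the tail in the final `return tokenEqual(trimOWS(v), token)`, and because trimOWS only strips leading and trailing OWS both orders yield the same tokens. The patch carries no regression test, and the request's [Tests] section says the check was done by hand; a small unit test feeding a header value made of many comma-separated empty segments followed by a real token would lock the fix in across future rebases of the vendored x/net copy.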
+diff --git a/src/vendor/modules.txt b/src/vendor/modules.txt
+index 03ca3c3ae4c1..dd2296b6944d 100644
+--- a/src/vendor/modules.txt
++++ b/src/vendor/modules.txt
+@@ -8,7 +8,7 @@ golang.org/x/crypto/curve25519
+ golang.org/x/crypto/hkdf
+ golang.org/x/crypto/internal/subtle
+ golang.org/x/crypto/poly1305
+-# golang.org/x/net v0.0.0-20201008223702-a5fa9d4b7c91
++# golang.org/x/net v0.0.0-20210428183841-261fb518b1ed
+ ## explicit
+ golang.org/x/net/dns/dnsmessage
+ golang.org/x/net/http/httpguts
diff -Nru golang-1.15-1.15.9/debian/patches/series 
golang-1.15-1.15.9/debian/patches/series
--- golang-1.15-1.15.9/debian/patches/series    2021-03-11 23:43:18.000000000 
+0800
+++ golang-1.15-1.15.9/debian/patches/series    2021-05-08 02:45:35.000000000 
+0800
@@ -4,3 +4,4 @@
 0004-cmd-dist-fix-build-failure-of-misc-cgo-test-on-arm64.patch
 0005-cmd-dist-increase-default-timeout-scale-for-arm.patch
 0006-skip-userns-test-in-schroot-as-well.patch
+0007-CVE-2021-31525.patch

--- End Message ---
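The request above describes the fix only in terms of the patch. The following is an added example, not code from the golang-1.15 package, the Debian patch, or upstream x/net: it reimplements the two httpguts helpers in simplified form (trimOWS, tokenEqual; these simplified bodies and the names containsTokenRecursive, containsTokenIterative and hugeValue are this example's own assumptions) so the pre-fix recursive scan and the post-fix iterative scan can be run side by side. The recursive variant counts its own stack frames so the reader can see depth grow with the number of commas; the iterative variant is run on a constructed value with a million separators, which it handles with constant stack use.

```go
package main

import (
	"fmt"
	"strings"
)

// Added example (not httpguts code). Helpers are simplified reimplementations.

// trimOWS removes leading and trailing optional whitespace (SP / HTAB).
func trimOWS(x string) string {
	return strings.Trim(x, " \t")
}

// lowerASCII lowercases one ASCII byte; other bytes are returned unchanged.
func lowerASCII(b byte) byte {
	if 'A' <= b && b <= 'Z' {
		return b + ('a' - 'A')
	}
	return b
}

// tokenEqual compares two tokens ASCII case-insensitively, byte by byte
// (assumption: byte-wise comparison is sufficient for this illustration).
func tokenEqual(t1, t2 string) bool {
	if len(t1) != len(t2) {
		return false
	}
	for i := 0; i < len(t1); i++ {
		if lowerASCII(t1[i]) != lowerASCII(t2[i]) {
			return false
		}
	}
	return true
}

// containsTokenRecursive has the shape of the pre-fix code: one stack frame
// per comma in the value. depth is incremented on every call so the caller
// can observe how far the stack grows; use it only on short inputs.
func containsTokenRecursive(v, token string, depth *int) bool {
	*depth++
	v = trimOWS(v)
	if comma := strings.IndexByte(v, ','); comma != -1 {
		return tokenEqual(trimOWS(v[:comma]), token) ||
			containsTokenRecursive(v[comma+1:], token, depth)
	}
	return tokenEqual(v, token)
}

// containsTokenIterative has the shape of the fixed code: the value is
// consumed comma by comma in a loop, so stack use is constant no matter how
// many separators an untrusted header contains.
func containsTokenIterative(v, token string) bool {
	for comma := strings.IndexByte(v, ','); comma != -1; comma = strings.IndexByte(v, ',') {
		if tokenEqual(trimOWS(v[:comma]), token) {
			return true
		}
		v = v[comma+1:]
	}
	return tokenEqual(trimOWS(v), token)
}

// hugeValue builds a constructed header value of n empty comma-separated
// segments followed by a real token, the input shape the fix is about.
func hugeValue(n int, token string) string {
	return strings.Repeat(",", n) + token
}

func main() {
	depth := 0
	// The recursive shape needs one frame per segment: prints "true 2".
	fmt.Println(containsTokenRecursive(" keep-alive , Upgrade ", "upgrade", &depth), depth)
	// The iterative shape scans a million separators in a single frame: prints "true".
	fmt.Println(containsTokenIterative(hugeValue(1<<20, "close"), "close"))
}
```

The depth counter is the teaching device here: for the recursive shape it equals the number of segments, so the stack grows linearly with attacker-controlled input, while the iterative shape never recurses at all.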
--- Begin Message ---
Unblocked.

--- End Message ---
