Bug#1008577: bullseye-pu: golang-github-russellhaering-goxmldsig/1.1.0-1+deb11u1

2022-05-30 Thread Thorsten Alteholz




On Sat, 28 May 2022, Adam D. Barratt wrote:

> Please go ahead.


Great, thanks ... and uploaded.

 Thorsten



Bug#1008577: bullseye-pu: golang-github-russellhaering-goxmldsig/1.1.0-1+deb11u1

2022-05-28 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Mon, 2022-03-28 at 21:51 +, Thorsten Alteholz wrote:
> The attached debdiff for golang-github-russellhaering-goxmldsig fixes
> CVE-2020-7711 in Bullseye. This CVE has been marked as no-dsa by the
> security team.
> 

Please go ahead.

Regards,

Adam



Bug#1008577: bullseye-pu: golang-github-russellhaering-goxmldsig/1.1.0-1+deb11u1

2022-03-28 Thread Thorsten Alteholz

Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu


The attached debdiff for golang-github-russellhaering-goxmldsig fixes
CVE-2020-7711 in Bullseye. This CVE has been marked as no-dsa by the
security team.

  Thorsten
diff -Nru golang-github-russellhaering-goxmldsig-1.1.0/debian/changelog 
golang-github-russellhaering-goxmldsig-1.1.0/debian/changelog
--- golang-github-russellhaering-goxmldsig-1.1.0/debian/changelog   
2021-01-08 00:13:56.0 +0100
+++ golang-github-russellhaering-goxmldsig-1.1.0/debian/changelog   
2022-03-28 22:32:49.0 +0200
@@ -1,3 +1,12 @@
+golang-github-russellhaering-goxmldsig (1.1.0-1+deb11u1) bullseye; 
urgency=medium
+
+  * CVE-2020-7711
+null pointer dereference caused by crafted XML signatures
+(Closes: #968928)
+  * according to ratt, nothing else has to be built
+
+ -- Thorsten Alteholz   Mon, 28 Mar 2022 22:32:49 +0200
+
 golang-github-russellhaering-goxmldsig (1.1.0-1) unstable; urgency=medium
 
   * New upstream release (Closes: #971615)
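Review bot: the new changelog entry at `+  * CVE-2020-7711` records the CVE, the one-line cause and `(Closes: #968928)`, but not which upstream commit the fix is taken from; adding the commit id that the patch file header cites (fb23e0af61c023e3a6dae8ad30dbd0f04d8a4d8f) to this entry lets anyone reading `apt changelog` trace the backport without opening debian/patches.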
diff -Nru 
golang-github-russellhaering-goxmldsig-1.1.0/debian/patches/CVE-2020-7711.patch 
golang-github-russellhaering-goxmldsig-1.1.0/debian/patches/CVE-2020-7711.patch
--- 
golang-github-russellhaering-goxmldsig-1.1.0/debian/patches/CVE-2020-7711.patch 
1970-01-01 01:00:00.0 +0100
+++ 
golang-github-russellhaering-goxmldsig-1.1.0/debian/patches/CVE-2020-7711.patch 
2022-03-24 02:38:42.0 +0100
@@ -0,0 +1,23 @@
+commit fb23e0af61c023e3a6dae8ad30dbd0f04d8a4d8f
+Merge: 3541f5e ca2b448
+Author: Russell Haering 
+Date:   Fri Aug 27 20:19:01 2021 -0700
+
+Merge pull request #71 from aporcupine/patch-1
+
+Explicitly check for case where SignatureValue is nil
+
+Index: golang-github-russellhaering-goxmldsig-1.1.0/validate.go
+===
+--- golang-github-russellhaering-goxmldsig-1.1.0.orig/validate.go  
2022-03-24 02:38:38.797524728 +0100
 golang-github-russellhaering-goxmldsig-1.1.0/validate.go   2022-03-24 
02:38:38.797524728 +0100
+@@ -271,6 +271,9 @@
+   if !bytes.Equal(digest, decodedDigestValue) {
+   return nil, errors.New("Signature could not be verified")
+   }
++  if sig.SignatureValue == nil {
++  return nil, errors.New("Signature could not be verified")
++  }
+ 
+   // Decode the 'SignatureValue' so we can compare against it
+   decodedSignature, err := 
base64.StdEncoding.DecodeString(sig.SignatureValue.Data)
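Review bot: the nested hunk at `+@@ -271,6 +271,9 @@` places the `sig.SignatureValue == nil` check directly before the first dereference (`sig.SignatureValue.Data` in the base64 decode call), so the ordering is correct, but the patch file carries only the upstream commit header and no DEP-3 fields; add at least `Origin: upstream, commit fb23e0af61c023e3a6dae8ad30dbd0f04d8a4d8f`, `Bug-Debian: https://bugs.debian.org/968928` and `Last-Update:` above the `Index:` line so the provenance is machine-readable. The new check reuses the digest-mismatch message "Signature could not be verified", so a missing SignatureValue and a tampered digest are indistinguishable in logs; that matches upstream and is acceptable for a stable update, but is worth a sentence in the patch header. Note also that the nested `+++` file line for validate.go has lost its leading `+` markers in this copy of the mail, so the patch as pasted here would not apply; confirm the file in the actual upload is intact.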
diff -Nru golang-github-russellhaering-goxmldsig-1.1.0/debian/patches/series 
golang-github-russellhaering-goxmldsig-1.1.0/debian/patches/series
--- golang-github-russellhaering-goxmldsig-1.1.0/debian/patches/series  
1970-01-01 01:00:00.0 +0100
+++ golang-github-russellhaering-goxmldsig-1.1.0/debian/patches/series  
2022-03-24 02:39:15.0 +0100
@@ -0,0 +1 @@
+CVE-2020-7711.patch