Bug#988210: [pre-approval] unblock: golang-1.15/1.15.9-2
Shengjing Zhu
2021-05-07 19:20:01 UTC
Package: release.debian.org
Severity: normal
User: ***@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: ***@debian.org

Please unblock package golang-1.15

[ Reason ]
Backport patch for CVE-2021-31525
net/http: ReadRequest can stack overflow due to recursion with very
large headers. https://github.com/golang/go/issues/45711

[ Impact ]
Though a CVE is assigned, the issue doesn't look like a serious one.
So if it's not approved, I think we can address it with other future
security fixes through DSA after release.

[ Tests ]
I did a manual test of the affected function, to see if it
stack-overflows with and without the patch.

[ Risks ]
The diff is small.
The package is a key package.
Due to the static linking of Go packages, and the out-of-date Built-Using
thing, it needs another round of rebuilds of all Go packages before the
bullseye release.

[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing

[ Other info ]
golang-golang-x-net needs the same fix for CVE-2021-31525


unblock golang-1.15/1.15.9-2


diff -Nru golang-1.15-1.15.9/debian/changelog golang-1.15-1.15.9/debian/changelog
--- golang-1.15-1.15.9/debian/changelog 2021-03-11 23:43:18.000000000 +0800
+++ golang-1.15-1.15.9/debian/changelog 2021-05-08 02:45:35.000000000 +0800
@@ -1,3 +1,12 @@
+golang-1.15 (1.15.9-2) unstable; urgency=medium
+
+ * Team upload.
+ * Backport patch for CVE-2021-31525
+ net/http: ReadRequest can stack overflow due to recursion with very
+ large headers. https://github.com/golang/go/issues/45711
+
+ -- Shengjing Zhu <***@debian.org> Sat, 08 May 2021 02:45:35 +0800
+
golang-1.15 (1.15.9-1) unstable; urgency=medium

* Team upload.
diff -Nru golang-1.15-1.15.9/debian/patches/0007-CVE-2021-31525.patch golang-1.15-1.15.9/debian/patches/0007-CVE-2021-31525.patch
--- golang-1.15-1.15.9/debian/patches/0007-CVE-2021-31525.patch 1970-01-01 08:00:00.000000000 +0800
+++ golang-1.15-1.15.9/debian/patches/0007-CVE-2021-31525.patch 2021-05-08 02:45:35.000000000 +0800
@@ -0,0 +1,90 @@
+From 5aed4ce3c854bdbbb6dd5c1ccfa15c23d4b6c989 Mon Sep 17 00:00:00 2001
+From: Katie Hockman <***@golang.org>
+Date: Wed, 28 Apr 2021 14:47:48 -0400
+Subject: [PATCH] [release-branch.go1.15] std: update golang.org/x/net to
+ 20210428183841-261fb518b1ed
+
+Steps:
+ go get -d golang.org/x/***@release-branch.go1.15
+ go mod tidy
+ go mod vendor
+
+This http2 bundle does not need to be updated.
+
+Fixes #45711
+
+Change-Id: I085ca592dfc8d5d9c328a7979142e88e7130a813
+Reviewed-on: https://go-review.googlesource.com/c/go/+/314790
+Trust: Katie Hockman <***@golang.org>
+Run-TryBot: Katie Hockman <***@golang.org>
+Reviewed-by: Dmitri Shuralyov <***@golang.org>
+---
+ src/go.mod | 2 +-
+ src/go.sum | 4 ++--
+ src/vendor/golang.org/x/net/http/httpguts/httplex.go | 10 ++++++----
+ src/vendor/modules.txt | 2 +-
+ 4 files changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/src/go.mod b/src/go.mod
+index 6b97366bbe6c..dfcba7a1c8ac 100644
+--- a/src/go.mod
++++ b/src/go.mod
+@@ -4,7 +4,7 @@ go 1.15
+
+ require (
+ golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9
+- golang.org/x/net v0.0.0-20201008223702-a5fa9d4b7c91
++ golang.org/x/net v0.0.0-20210428183841-261fb518b1ed
+ golang.org/x/sys v0.0.0-20200501145240-bc7a7d42d5c3 // indirect
+ golang.org/x/text v0.3.3-0.20200430171850-afb9336c4530 // indirect
+ )
+diff --git a/src/go.sum b/src/go.sum
+index fbd3279aade6..47e918848c3e 100644
+--- a/src/go.sum
++++ b/src/go.sum
+@@ -2,8 +2,8 @@ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACk
+ golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9 h1:psW17arqaxU48Z5kZ0CQnkZWQJsqcURM6tKiBApRjXI=
+ golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+ golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+-golang.org/x/net v0.0.0-20201008223702-a5fa9d4b7c91 h1:zd7kl5i5PDM0OnFbRWVM6B8mXojzv8LOkHN9LsOrRf4=
+-golang.org/x/net v0.0.0-20201008223702-a5fa9d4b7c91/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
++golang.org/x/net v0.0.0-20210428183841-261fb518b1ed h1:aunM0N/jnRHvQgZo3kYkfaAGet2kIMFOPIbopG5BhYw=
++golang.org/x/net v0.0.0-20210428183841-261fb518b1ed/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
+ golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+ golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+ golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+diff --git a/src/vendor/golang.org/x/net/http/httpguts/httplex.go b/src/vendor/golang.org/x/net/http/httpguts/httplex.go
+index e7de24ee64ef..c79aa73f28bb 100644
+--- a/src/vendor/golang.org/x/net/http/httpguts/httplex.go
++++ b/src/vendor/golang.org/x/net/http/httpguts/httplex.go
+@@ -137,11 +137,13 @@ func trimOWS(x string) string {
+ // contains token amongst its comma-separated tokens, ASCII
+ // case-insensitively.
+ func headerValueContainsToken(v string, token string) bool {
+- v = trimOWS(v)
+- if comma := strings.IndexByte(v, ','); comma != -1 {
+- return tokenEqual(trimOWS(v[:comma]), token) || headerValueContainsToken(v[comma+1:], token)
++ for comma := strings.IndexByte(v, ','); comma != -1; comma = strings.IndexByte(v, ',') {
++ if tokenEqual(trimOWS(v[:comma]), token) {
++ return true
++ }
++ v = v[comma+1:]
+ }
+- return tokenEqual(v, token)
++ return tokenEqual(trimOWS(v), token)
+ }
+
+ // lowerASCII returns the ASCII lowercase version of b.
+diff --git a/src/vendor/modules.txt b/src/vendor/modules.txt
+index 03ca3c3ae4c1..dd2296b6944d 100644
+--- a/src/vendor/modules.txt
++++ b/src/vendor/modules.txt
+@@ -8,7 +8,7 @@ golang.org/x/crypto/curve25519
+ golang.org/x/crypto/hkdf
+ golang.org/x/crypto/internal/subtle
+ golang.org/x/crypto/poly1305
+-# golang.org/x/net v0.0.0-20201008223702-a5fa9d4b7c91
++# golang.org/x/net v0.0.0-20210428183841-261fb518b1ed
+ ## explicit
+ golang.org/x/net/dns/dnsmessage
+ golang.org/x/net/http/httpguts
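Review bot: the new 0007-CVE-2021-31525.patch updates src/go.mod, src/go.sum and src/vendor/modules.txt alongside the one behavioural change in httplex.go; under quilt, dpkg-source keeps pre-patch copies of every touched file under .pc/, and a GOROOT-wide consistency check (TestDependencyVersionsConsistent, as the 1.15.9-3 changelog further down the thread reports) then sees both the old and the new golang.org/x/net revision. Consider trimming the backport to the httplex.go hunk, which is the only part that removes the recursion in headerValueContainsToken, and recording in the patch header why the module metadata hunks were left out.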
diff -Nru golang-1.15-1.15.9/debian/patches/series golang-1.15-1.15.9/debian/patches/series
--- golang-1.15-1.15.9/debian/patches/series 2021-03-11 23:43:18.000000000 +0800
+++ golang-1.15-1.15.9/debian/patches/series 2021-05-08 02:45:35.000000000 +0800
@@ -4,3 +4,4 @@
0004-cmd-dist-fix-build-failure-of-misc-cgo-test-on-arm64.patch
0005-cmd-dist-increase-default-timeout-scale-for-arm.patch
0006-skip-userns-test-in-schroot-as-well.patch
+0007-CVE-2021-31525.patch
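To make the fix concrete, here is an added Go example; it is not code from the Debian package or from golang.org/x/net. The helpers trimOWS, lowerASCII and tokenEqual are re-implemented here after the shape of the upstream helpers and are assumptions, as are the constructed header values. It places the pre-fix recursive form of headerValueContainsToken beside the iterative form from the patch above, counts how many stack frames the recursive form needs for a header value with many comma-separated tokens, and checks that both forms agree on ordinary inputs. The frame counter, not an actual crash, is the check: it grows linearly with the number of commas, which is the condition the CVE describes, while the iterative form walks the same value in constant stack space.

```go
package main

import (
	"fmt"
	"strings"
)

// isOWS reports whether b is optional whitespace (SP or HTAB) as used in
// HTTP header field values.
func isOWS(b byte) bool { return b == ' ' || b == '\t' }

// trimOWS strips leading and trailing OWS. Re-implemented here as an
// assumption about the upstream helper's behaviour; not copied from x/net.
func trimOWS(x string) string {
	for len(x) > 0 && isOWS(x[0]) {
		x = x[1:]
	}
	for len(x) > 0 && isOWS(x[len(x)-1]) {
		x = x[:len(x)-1]
	}
	return x
}

// lowerASCII lowercases a single ASCII byte and leaves every other byte alone.
func lowerASCII(b byte) byte {
	if 'A' <= b && b <= 'Z' {
		return b + ('a' - 'A')
	}
	return b
}

// tokenEqual compares two tokens ASCII case-insensitively; any non-ASCII
// byte makes the comparison fail, so only real tokens can match.
func tokenEqual(t1, t2 string) bool {
	if len(t1) != len(t2) {
		return false
	}
	for i := 0; i < len(t1); i++ {
		if t1[i] >= 0x80 || lowerASCII(t1[i]) != lowerASCII(t2[i]) {
			return false
		}
	}
	return true
}

// containsTokenRecursive has the pre-fix shape: one call, and therefore one
// stack frame, per comma in the header value. depth records how deep the
// recursion went so the cost is visible without crashing the process.
func containsTokenRecursive(v, token string, depth *int) bool {
	*depth++
	v = trimOWS(v)
	if comma := strings.IndexByte(v, ','); comma != -1 {
		return tokenEqual(trimOWS(v[:comma]), token) ||
			containsTokenRecursive(v[comma+1:], token, depth)
	}
	return tokenEqual(v, token)
}

// containsTokenIterative has the fixed shape from the backported patch: a
// loop walks the comma-separated list in constant stack space.
func containsTokenIterative(v, token string) bool {
	for comma := strings.IndexByte(v, ','); comma != -1; comma = strings.IndexByte(v, ',') {
		if tokenEqual(trimOWS(v[:comma]), token) {
			return true
		}
		v = v[comma+1:]
	}
	return tokenEqual(trimOWS(v), token)
}

// headerWithTokens builds a constructed header value of n copies of tok.
func headerWithTokens(tok string, n int) string {
	return strings.Repeat(tok+",", n-1) + tok
}

// RecursionDepthFor returns how many frames the recursive form needs to
// scan a value made of n non-matching tokens: the depth equals n.
func RecursionDepthFor(n int) int {
	depth := 0
	containsTokenRecursive(headerWithTokens("keep-alive", n), "close", &depth)
	return depth
}

// FormsAgree reports whether the old and new forms return the same answer
// for v and token: the "with and without patch" comparison from the report.
func FormsAgree(v, token string) bool {
	depth := 0
	return containsTokenRecursive(v, token, &depth) == containsTokenIterative(v, token)
}

func main() {
	for _, n := range []int{1, 10, 1000} {
		fmt.Printf("%5d tokens -> recursive form needs %5d frames\n", n, RecursionDepthFor(n))
	}
	// Constructed sample values, with the token of interest in various spots.
	samples := []string{"close", " keep-alive , Upgrade", "keep-alive,,close", "nothing-here"}
	for _, v := range samples {
		fmt.Printf("%-24q contains close: %v (forms agree: %v)\n",
			v, containsTokenIterative(v, "CLOSE"), FormsAgree(v, "CLOSE"))
	}
	// The iterative form handles a value with 200000 tokens in constant stack.
	fmt.Println("large value:", containsTokenIterative(headerWithTokens("x", 200000)+",close", "close"))
}
```

The empty segment in "keep-alive,,close" is worth noting: both forms compare it as an empty token, which never matches, and then continue, so the fix changes stack usage but not which values are accepted.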
Shengjing Zhu
2021-05-07 19:40:01 UTC
On Sat, May 8, 2021 at 3:18 AM Shengjing Zhu <***@debian.org> wrote:
[...]
Post by Shengjing Zhu
Due to the static link of Go packages, and the out of date built-using
thing, it needs another round of rebuild of all Go packages before
bullseye release.
Regarding rebuilding Go packages, I think it's easier if we do it
before release.
AFAIK, rebuilds in stable don't happen for buster when golang-1.11
has security fixes. And I'm unsure if it will happen in bullseye.
--
Shengjing Zhu
Debian Bug Tracking System
2021-05-07 20:30:01 UTC
tags -1 moreinfo confirmed
Bug #988210 [release.debian.org] [pre-approval] unblock: golang-1.15/1.15.9-2
Added tag(s) moreinfo and confirmed.
--
988210: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988210
Debian Bug Tracking System
Contact ***@bugs.debian.org with problems
Debian Bug Tracking System
2021-05-08 07:20:01 UTC
retitle -1 unblock: golang-1.15/1.15.9-3
Bug #988210 [release.debian.org] [pre-approval] unblock: golang-1.15/1.15.9-2
Changed Bug title to 'unblock: golang-1.15/1.15.9-3' from '[pre-approval] unblock: golang-1.15/1.15.9-2'.
Shengjing Zhu
2021-05-08 07:20:01 UTC
Control: retitle -1 unblock: golang-1.15/1.15.9-3
Post by Shengjing Zhu
Please unblock package golang-1.15
[ Reason ]
Backport patch for CVE-2021-31525
net/http: ReadRequest can stack overflow due to recursion with very
large headers. https://github.com/golang/go/issues/45711
Please go ahead and remove the moreinfo tag once the package is
available in unstable.
It seems I forgot to run all the tests in my local sbuild env.
golang-1.15/1.15.9-2 FTBFS on the buildds, so here is golang-1.15/1.15.9-3.

new diff:

diff -Nru golang-1.15-1.15.9/debian/changelog golang-1.15-1.15.9/debian/changelog
--- golang-1.15-1.15.9/debian/changelog 2021-03-11 23:43:18.000000000 +0800
+++ golang-1.15-1.15.9/debian/changelog 2021-05-08 14:22:26.000000000 +0800
@@ -1,3 +1,27 @@
+golang-1.15 (1.15.9-3) unstable; urgency=medium
+
+ * Fix failed TestDependencyVersionsConsistent test.
+ When dpkg-source unpack tarball, it produces .pc dir in source dir.
+ The last patch 0007-CVE-2021-31525.patch causes
+ go.mod/go.sum/modules.txt files in .pc dir with old content.
+ Then TestDependencyVersionsConsistent picks these old content in .pc
+ dir, results error:
+ --- FAIL: TestDependencyVersionsConsistent (0.00s)
+ moddeps_test.go:217: Modules within GOROOT require different versions of golang.org/x/net.
+ moddeps_test.go:229: std requires v0.0.0-20201008223702-a5fa9d4b7c91
+ moddeps_test.go:229: std requires v0.0.0-20210428183841-261fb518b1ed
+
+ -- Shengjing Zhu <***@debian.org> Sat, 08 May 2021 14:22:26 +0800
+
+golang-1.15 (1.15.9-2) unstable; urgency=medium
+
+ * Team upload.
+ * Backport patch for CVE-2021-31525
+ net/http: ReadRequest can stack overflow due to recursion with very
+ large headers. https://github.com/golang/go/issues/45711
+
+ -- Shengjing Zhu <***@debian.org> Sat, 08 May 2021 02:45:35 +0800
+
golang-1.15 (1.15.9-1) unstable; urgency=medium

* Team upload.
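Review bot: the 1.15.9-3 changelog entry drops the "* Team upload." line that the 1.15.9-2 entry directly below it carries; if the uploader is still not listed in Uploaders, keep the line for consistency. The diagnosis of the TestDependencyVersionsConsistent failure (stale go.mod/go.sum/modules.txt copies under .pc/) is useful, but the entry would read better if it also stated the remedy taken, namely that 0007-CVE-2021-31525.patch now touches only httplex.go.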
diff -Nru golang-1.15-1.15.9/debian/patches/0006-skip-userns-test-in-schroot-as-well.patch golang-1.15-1.15.9/debian/patches/0006-skip-userns-test-in-schroot-as-well.patch
--- golang-1.15-1.15.9/debian/patches/0006-skip-userns-test-in-schroot-as-well.patch 2021-03-11 23:43:18.000000000 +0800
+++ golang-1.15-1.15.9/debian/patches/0006-skip-userns-test-in-schroot-as-well.patch 2021-05-08 14:22:26.000000000 +0800
@@ -3,7 +3,6 @@
Subject: skip userns test in schroot as well

When schroot is using overlayfs, it fails to detect it as chroot.
-
---
src/syscall/exec_linux_test.go | 7 +++++++
1 file changed, 7 insertions(+)
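Review bot: the change to 0006-skip-userns-test-in-schroot-as-well.patch only deletes a blank line from the patch description; it looks like a quilt refresh side effect and is unrelated to the CVE fix. Either drop it from this upload or mention it in the changelog, so reviewers of the unblock do not have to wonder whether 0006 changed behaviour.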
diff -Nru golang-1.15-1.15.9/debian/patches/0007-CVE-2021-31525.patch golang-1.15-1.15.9/debian/patches/0007-CVE-2021-31525.patch
--- golang-1.15-1.15.9/debian/patches/0007-CVE-2021-31525.patch 1970-01-01 08:00:00.000000000 +0800
+++ golang-1.15-1.15.9/debian/patches/0007-CVE-2021-31525.patch 2021-05-08 14:22:26.000000000 +0800
@@ -0,0 +1,45 @@
+From: Katie Hockman <***@golang.org>
+Date: Wed, 28 Apr 2021 14:47:48 -0400
+Subject: [PATCH] [release-branch.go1.15] std: update golang.org/x/net to
+ 20210428183841-261fb518b1ed
+
+Steps:
+ go get -d golang.org/x/***@release-branch.go1.15
+ go mod tidy
+ go mod vendor
+
+This http2 bundle does not need to be updated.
+
+Fixes #45711
+
+Change-Id: I085ca592dfc8d5d9c328a7979142e88e7130a813
+Reviewed-on: https://go-review.googlesource.com/c/go/+/314790
+Trust: Katie Hockman <***@golang.org>
+Run-TryBot: Katie Hockman <***@golang.org>
+Reviewed-by: Dmitri Shuralyov <***@golang.org>
+---
+ src/vendor/golang.org/x/net/http/httpguts/httplex.go | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/src/vendor/golang.org/x/net/http/httpguts/httplex.go b/src/vendor/golang.org/x/net/http/httpguts/httplex.go
+index e7de24e..c79aa73 100644
+--- a/src/vendor/golang.org/x/net/http/httpguts/httplex.go
++++ b/src/vendor/golang.org/x/net/http/httpguts/httplex.go
+@@ -137,11 +137,13 @@ func trimOWS(x string) string {
+ // contains token amongst its comma-separated tokens, ASCII
+ // case-insensitively.
+ func headerValueContainsToken(v string, token string) bool {
+- v = trimOWS(v)
+- if comma := strings.IndexByte(v, ','); comma != -1 {
+- return tokenEqual(trimOWS(v[:comma]), token) || headerValueContainsToken(v[comma+1:], token)
++ for comma := strings.IndexByte(v, ','); comma != -1; comma = strings.IndexByte(v, ',') {
++ if tokenEqual(trimOWS(v[:comma]), token) {
++ return true
++ }
++ v = v[comma+1:]
+ }
+- return tokenEqual(v, token)
++ return tokenEqual(trimOWS(v), token)
+ }
+
+ // lowerASCII returns the ASCII lowercase version of b.
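Review bot: the patch header still reads "std: update golang.org/x/net to 20210428183841-261fb518b1ed" and carries the upstream Change-Id and Reviewed-on lines, but the diffstat now covers only src/vendor/golang.org/x/net/http/httpguts/httplex.go, so go.mod, go.sum and modules.txt keep claiming the older x/net revision. Add a short DEP-3 style note (for example an Origin: line pointing at https://go-review.googlesource.com/c/go/+/314790 and a sentence saying the module metadata hunks were dropped on purpose because of the .pc/ copies) so the divergence from upstream is documented. The code hunk itself is fine: the loop makes the comma walk iterative, and trimOWS is applied to each segment and to the final remainder, matching the old trim-then-compare behaviour.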
diff -Nru golang-1.15-1.15.9/debian/patches/series golang-1.15-1.15.9/debian/patches/series
--- golang-1.15-1.15.9/debian/patches/series 2021-03-11 23:43:18.000000000 +0800
+++ golang-1.15-1.15.9/debian/patches/series 2021-05-08 14:22:26.000000000 +0800
@@ -4,3 +4,4 @@
0004-cmd-dist-fix-build-failure-of-misc-cgo-test-on-arm64.patch
0005-cmd-dist-increase-default-timeout-scale-for-arm.patch
0006-skip-userns-test-in-schroot-as-well.patch
+0007-CVE-2021-31525.patch
Debian Bug Tracking System
2021-05-08 19:20:02 UTC
Your message dated Sat, 08 May 2021 19:09:17 +0000
with message-id <E1lfSKD-0006hE-***@respighi.debian.org>
and subject line unblock golang-1.15
has caused the Debian Bug report #988210,
regarding unblock: golang-1.15/1.15.9-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ***@bugs.debian.org
immediately.)