Hi. I have prepared an LTS security update for golang. The debdiff is attached to this mail. Link: https://mentors.debian.net/debian/pool/main/g/golang/golang_1.0.2-1.1+deb7u3.dsc . I did the following tests.
- Installed it on a wheezy machine. - The patch is on src/cmd/go/vcs.go, so I ran a couple of `go get <VCS>` commands. - Compiled a couple of Go programs. I don't have any experience with Go, so it would be great if you could give it some more testing and review, and then upload. Thanks -abhijith
diff -Nru golang-1.0.2/debian/changelog golang-1.0.2/debian/changelog
--- golang-1.0.2/debian/changelog 2018-02-25 13:31:35.000000000 +0530
+++ golang-1.0.2/debian/changelog 2017-10-27 20:17:15.000000000 +0530
@@ -1,14 +1,3 @@
-golang (2:1.0.2-1.1+deb7u3) wheezy-security; urgency=high
-
- * Non-maintainer upload by the Debian LTS team.
- * CVE-2018-7187: "go get" implementation, doesnot validate the
- import path (get/vcs.go only checks for "://" anywhere in
- the string), which allows remote attackers to execute arbitrary
- OS commands via a crafted web site. Backported from
- upstream development branch.
-
- -- Abhijith PA <abhij...@disroot.org> Sun, 25 Feb 2018 13:31:35 +0530
-
 golang (2:1.0.2-1.1+deb7u2) wheezy-security; urgency=high

 * Non-maintainer upload by the Security Team.
diff -Nru golang-1.0.2/debian/patches/CVE-2018-7187.patch golang-1.0.2/debian/patches/CVE-2018-7187.patch
--- golang-1.0.2/debian/patches/CVE-2018-7187.patch 2018-02-25 13:31:35.000000000 +0530
+++ golang-1.0.2/debian/patches/CVE-2018-7187.patch 1970-01-01 05:30:00.000000000 +0530
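Review bot: The debdiff is reversed: the `---` side carries the 2018-02-25 timestamps and the deb7u3 changelog entry appears as removed lines, while the `+++` side is the 2017-10-27 package and the new CVE-2018-7187.patch shows a 1970 epoch timestamp, which is what debdiff produces when the new package is given as the first argument. Applied to the deb7u2 source this diff would not add the fix, so please regenerate it with the old .dsc first (for example `debdiff golang_1.0.2-1.1+deb7u2.dsc golang_1.0.2-1.1+deb7u3.dsc`) so that the changelog entry, the patch file and the series line all appear as additions. The same inversion affects the CVE-2018-7187.patch and patches/series sections below. The changelog entry also has the typo `doesnot`.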
@@ -1,60 +0,0 @@
-Description: Fix CVE-2018-7187
- The "go get" implementation, doesnot validate the import path (get/vcs.go only
- checks for "://" anywhere in the string), which allows remote attackers to
- execute arbitrary OS commands via a crafted web site. Backported from
- upstream development branch.
-Author: Abhijith PA <abhij...@disroot.org>
-Origin: https://github.com/golang/go/commit/c941e27e70c3e06e1011d2dd71d72a7a06a9bcbc
-Bug: https://github.com/golang/go/issues/23867
-Last-Update: 2018-02-22
-
---- golang-1.0.2.orig/src/cmd/go/vcs.go
-+++ golang-1.0.2/src/cmd/go/vcs.go
-@@ -524,8 +524,8 @@ func repoRootForImportDynamic(importPath
- }
- }
-
-- if !strings.Contains(metaImport.RepoRoot, "://") {
-- return nil, fmt.Errorf("%s: invalid repo root %q; no scheme", urlStr, metaImport.RepoRoot)
-+ if err := validateRepoRootScheme(metaImport.RepoRoot); err != nil {
-+ return nil, fmt.Errorf("%s: invalid repo root %q: %v", urlStr, metaImport.RepoRoot, err)
- }
- rr := &repoRoot{
- vcs: vcsByCmd(metaImport.VCS),
-@@ -538,6 +538,36 @@ func repoRootForImportDynamic(importPath
- return rr, nil
- }
-
-+// validateRepoRootScheme returns an error if repoRoot does not seem
-+// to have a valid URL scheme. At this point we permit things that
-+// aren't valid URLs, although later, if not using -insecure, we will
-+// restrict repoRoots to be valid URLs. This is only because we've
-+// historically permitted them, and people may depend on that.
-+func validateRepoRootScheme(repoRoot string) error {
-+ end := strings.Index(repoRoot, "://")
-+ if end <= 0 {
-+ return errors.New("no scheme")
-+ }
-+
-+ // RFC 3986 section 3.1.
-+ for i := 0; i < end; i++ {
-+ c := repoRoot[i]
-+ switch {
-+ case 'a' <= c && c <= 'z' || 'A' <= c && c <= 'Z':
-+ // OK.
-+ case '0' <= c && c <= '9' || c == '+' || c == '-' || c == '.':
-+ // OK except at start.
-+ if i == 0 {
-+ return errors.New("invalid scheme")
-+ }
-+ default:
-+ return errors.New("invalid scheme")
-+ }
-+ }
-+
-+ return nil
-+}
-+
- // metaImport represents the parsed <meta name="go-import"
- // content="prefix vcs reporoot" /> tags from HTML files.
- type metaImport struct {
diff -Nru golang-1.0.2/debian/patches/series golang-1.0.2/debian/patches/series
--- golang-1.0.2/debian/patches/series 2018-02-25 13:31:35.000000000 +0530
+++ golang-1.0.2/debian/patches/series 2017-10-27 20:17:15.000000000 +0530
@@ -11,4 +11,3 @@
 godoc-symlinks.diff
 CVE-2017-1000098.patch
 CVE-2017-15041.patch
-CVE-2018-7187.patch
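Review bot: The DEP-3 header of the patch (shown here as `-` lines only because the debdiff is reversed) should mark it as a backport, `Origin: backport, https://github.com/golang/go/commit/c941e27e70c3e06e1011d2dd71d72a7a06a9bcbc`, and its Description repeats the typo `doesnot`. The vcs.go change itself follows the upstream shape: `validateRepoRootScheme` rejects an empty scheme and any byte before `://` outside the RFC 3986 section 3.1 alphabet, and `repoRootForImportDynamic` now wraps that error with `%v`. The new function calls `errors.New` and `strings.Index` without touching the file's import block, so this only builds if the 1.0.2 vcs.go already imports both packages; the reported build is the only evidence of that, so a clean rebuild of the package is worth confirming. A regression test that a go-import meta tag whose repo root has a malformed scheme now fails with `invalid repo root ...: invalid scheme` would exercise the new path more directly than the `go get` runs described in the mail.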