Control: retitle -1 unblock: golang-1.15/1.15.9-3

On Fri, May 07, 2021 at 10:22:04PM +0200, Sebastian Ramacher wrote:
> > Please unblock package golang-1.15
> >
> > [ Reason ]
> > Backport patch for CVE-2021-31525
> > net/http: ReadRequest can stack overflow due to recursion with very
> > large headers. https://github.com/golang/go/issues/45711
>
> Please go ahead and remove the moreinfo tag once the package is
> available in unstable.
>
It seems I forgot to run all the tests in my local sbuild env. golang-1.15/1.15.9-2 FTBFS on buildd, so here is the new golang-1.15/1.15.9-3 diff:

diff -Nru golang-1.15-1.15.9/debian/changelog golang-1.15-1.15.9/debian/changelog --- golang-1.15-1.15.9/debian/changelog 2021-03-11 23:43:18.000000000 +0800 +++ golang-1.15-1.15.9/debian/changelog 2021-05-08 14:22:26.000000000 +0800 @@ -1,3 +1,27 @@ +golang-1.15 (1.15.9-3) unstable; urgency=medium + + * Fix failed TestDependencyVersionsConsistent test. + When dpkg-source unpack tarball, it produces .pc dir in source dir. + The last patch 0007-CVE-2021-31525.patch causes + go.mod/go.sum/modules.txt files in .pc dir with old content. + Then TestDependencyVersionsConsistent picks these old content in .pc + dir, results error: + --- FAIL: TestDependencyVersionsConsistent (0.00s) + moddeps_test.go:217: Modules within GOROOT require different versions of golang.org/x/net. + moddeps_test.go:229: std requires v0.0.0-20201008223702-a5fa9d4b7c91 + moddeps_test.go:229: std requires v0.0.0-20210428183841-261fb518b1ed + + -- Shengjing Zhu <z...@debian.org> Sat, 08 May 2021 14:22:26 +0800 + +golang-1.15 (1.15.9-2) unstable; urgency=medium + + * Team upload. + * Backport patch for CVE-2021-31525 + net/http: ReadRequest can stack overflow due to recursion with very + large headers. https://github.com/golang/go/issues/45711 + + -- Shengjing Zhu <z...@debian.org> Sat, 08 May 2021 02:45:35 +0800 + golang-1.15 (1.15.9-1) unstable; urgency=medium * Team upload. diff -Nru golang-1.15-1.15.9/debian/patches/0006-skip-userns-test-in-schroot-as-well.patch golang-1.15-1.15.9/debian/patches/0006-skip-userns-test-in-schroot-as-well.patch --- golang-1.15-1.15.9/debian/patches/0006-skip-userns-test-in-schroot-as-well.patch 2021-03-11 23:43:18.000000000 +0800 +++ golang-1.15-1.15.9/debian/patches/0006-skip-userns-test-in-schroot-as-well.patch 2021-05-08 14:22:26.000000000 +0800 
@@ -3,7 +3,6 @@ Subject: skip userns test in schroot as well When schroot is using overlayfs, it fails to detect it as chroot. - --- src/syscall/exec_linux_test.go | 7 +++++++ 1 file changed, 7 insertions(+) diff -Nru golang-1.15-1.15.9/debian/patches/0007-CVE-2021-31525.patch golang-1.15-1.15.9/debian/patches/0007-CVE-2021-31525.patch --- golang-1.15-1.15.9/debian/patches/0007-CVE-2021-31525.patch 1970-01-01 08:00:00.000000000 +0800 +++ golang-1.15-1.15.9/debian/patches/0007-CVE-2021-31525.patch 2021-05-08 14:22:26.000000000 +0800 
@@ -0,0 +1,45 @@ +From: Katie Hockman <ka...@golang.org> +Date: Wed, 28 Apr 2021 14:47:48 -0400 +Subject: [PATCH] [release-branch.go1.15] std: update golang.org/x/net to + 20210428183841-261fb518b1ed + +Steps: + go get -d golang.org/x/net@release-branch.go1.15 + go mod tidy + go mod vendor + +This http2 bundle does not need to be updated. + +Fixes #45711 + +Change-Id: I085ca592dfc8d5d9c328a7979142e88e7130a813 +Reviewed-on: https://go-review.googlesource.com/c/go/+/314790 +Trust: Katie Hockman <ka...@golang.org> +Run-TryBot: Katie Hockman <ka...@golang.org> +Reviewed-by: Dmitri Shuralyov <dmits...@golang.org> +--- + src/vendor/golang.org/x/net/http/httpguts/httplex.go | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/src/vendor/golang.org/x/net/http/httpguts/httplex.go b/src/vendor/golang.org/x/net/http/httpguts/httplex.go +index e7de24e..c79aa73 100644 +--- a/src/vendor/golang.org/x/net/http/httpguts/httplex.go ++++ b/src/vendor/golang.org/x/net/http/httpguts/httplex.go +@@ -137,11 +137,13 @@ func trimOWS(x string) string { + // contains token amongst its comma-separated tokens, ASCII + // case-insensitively. + func headerValueContainsToken(v string, token string) bool { +- v = trimOWS(v) +- if comma := strings.IndexByte(v, ','); comma != -1 { +- return tokenEqual(trimOWS(v[:comma]), token) || headerValueContainsToken(v[comma+1:], token) ++ for comma := strings.IndexByte(v, ','); comma != -1; comma = strings.IndexByte(v, ',') { ++ if tokenEqual(trimOWS(v[:comma]), token) { ++ return true ++ } ++ v = v[comma+1:] + } +- return tokenEqual(v, token) ++ return tokenEqual(trimOWS(v), token) + } + + // lowerASCII returns the ASCII lowercase version of b. diff -Nru golang-1.15-1.15.9/debian/patches/series golang-1.15-1.15.9/debian/patches/series --- golang-1.15-1.15.9/debian/patches/series 2021-03-11 23:43:18.000000000 +0800 +++ golang-1.15-1.15.9/debian/patches/series 2021-05-08 14:22:26.000000000 +0800 
@@ -4,3 +4,4 @@ 0004-cmd-dist-fix-build-failure-of-misc-cgo-test-on-arm64.patch 0005-cmd-dist-increase-default-timeout-scale-for-arm.patch 0006-skip-userns-test-in-schroot-as-well.patch +0007-CVE-2021-31525.patch
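Review bot: the 1.15.9-3 entry in the debian/changelog hunk (@@ -1,3 +1,27 @@) explains why TestDependencyVersionsConsistent failed (stale go.mod/go.sum/modules.txt copies under .pc) but never says what was changed to fix it; the only related change visible in this diff is that 0007-CVE-2021-31525.patch now carries nothing but the httplex.go hunk. Suggest adding an explicit line such as `Drop go.mod/go.sum/modules.txt changes from 0007-CVE-2021-31525.patch` so the fix itself is recorded next to its root cause.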
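Review bot: the hunk in 0006-skip-userns-test-in-schroot-as-well.patch (@@ -3,7 +3,6 @@) only deletes the blank line between the patch description and the `---` diffstat separator; it is unrelated to the CVE backport and to the test fix, and the changelog does not mention it. Either drop it to keep the unblock diff minimal, or mention it as a patch-header refresh so the release team does not have to wonder what it is for.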
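Review bot: the header of the new 0007-CVE-2021-31525.patch (@@ -0,0 +1,45 @@) still carries the upstream description (`Steps: go get -d golang.org/x/net@release-branch.go1.15`, `go mod tidy`, `go mod vendor`, plus the Change-Id and Reviewed-on trailers) while its diffstat lists only src/vendor/golang.org/x/net/http/httpguts/httplex.go, so the go.mod/go.sum/modules.txt updates those steps produce are deliberately not in this patch. Add a Debian note below the upstream trailers (e.g. `[Debian: only the httplex.go hunk is carried; go.mod/go.sum/modules.txt left untouched, see 1.15.9-3 changelog]`) so the divergence from upstream CL 314790 is documented and a later refresh does not reintroduce those files and the .pc problem with them. The code change itself looks right: the recursive call on `v[comma+1:]` becomes a loop that trims OWS on each comma-separated segment and on the final tail, so a header value with an arbitrary number of commas no longer grows the stack, and the matching semantics of the original are preserved.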