Your message dated Sat, 08 May 2021 19:13:07 +0000
with message-id <e1lfsnv-0006rd...@respighi.debian.org>
and subject line unblock golang-golang-x-net
has caused the Debian Bug report #988223,
regarding unblock: golang-golang-x-net/1:0.0+git20210119.5f4716e+dfsg-3
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
988223: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988223
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: z...@debian.org
Please unblock package golang-golang-x-net
[ Reason ]
Same as #988210, backport patch for CVE-2021-31525
net/http: ReadRequest can stack overflow due to recursion with very
large headers. https://github.com/golang/go/issues/45710
[ Impact ]
Fix a security issue.
[ Tests ]
Manual test for the affected function.
[ Risks ]
The diff is small.
The package is a key package.
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
[ Other info ]
No
unblock golang-golang-x-net/1:0.0+git20210119.5f4716e+dfsg-3
diff -Nru golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/changelog
golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/changelog
--- golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/changelog
2021-02-05 07:37:28.000000000 +0800
+++ golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/changelog
2021-05-08 12:12:17.000000000 +0800
@@ -1,3 +1,12 @@
+golang-golang-x-net (1:0.0+git20210119.5f4716e+dfsg-3) unstable; urgency=medium
+
+ * Team upload.
+ * Backport patch for CVE-2021-31525
+ net/http: ReadRequest can stack overflow due to recursion with very
+ large headers. https://github.com/golang/go/issues/45710
+
+ -- Shengjing Zhu <z...@debian.org> Sat, 08 May 2021 12:12:17 +0800
+
golang-golang-x-net (1:0.0+git20210119.5f4716e+dfsg-2) unstable; urgency=medium
[ Helmut Grohne ]
diff -Nru
golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/patches/CVE-2021-31525.patch
golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/patches/CVE-2021-31525.patch
---
golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/patches/CVE-2021-31525.patch
1970-01-01 08:00:00.000000000 +0800
+++
golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/patches/CVE-2021-31525.patch
2021-05-08 12:12:17.000000000 +0800
@@ -0,0 +1,49 @@
+From 89ef3d95e781148a0951956029c92a211477f7f9 Mon Sep 17 00:00:00 2001
+From: Katie Hockman <ka...@golang.org>
+Date: Fri, 23 Apr 2021 12:56:01 -0400
+Subject: [PATCH] http/httpguts: remove recursion in HeaderValuesContainsToken
+
+Previously, httpguts.HeaderValuesContainsToken called a
+function which could recurse to the point of a stack
+overflow when given a very large header (~10MB).
+
+Credit to Guido Vranken who reported the crash as
+part of the Ethereum 2.0 bounty program.
+
+Fixes CVE-2021-31525
+
+Fixes golang/go#45710
+
+Change-Id: I2c54ce3b2acf1c5efdea66db0595b93a3f5ae5f3
+Reviewed-on: https://go-review.googlesource.com/c/net/+/313069
+Trust: Katie Hockman <ka...@golang.org>
+Run-TryBot: Katie Hockman <ka...@golang.org>
+TryBot-Result: Go Bot <go...@golang.org>
+Reviewed-by: Filippo Valsorda <fili...@golang.org>
+Reviewed-by: Roland Shoemaker <rol...@golang.org>
+---
+ http/httpguts/httplex.go | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/http/httpguts/httplex.go b/http/httpguts/httplex.go
+index e7de24ee6..c79aa73f2 100644
+--- a/http/httpguts/httplex.go
++++ b/http/httpguts/httplex.go
+@@ -137,11 +137,13 @@ func trimOWS(x string) string {
+ // contains token amongst its comma-separated tokens, ASCII
+ // case-insensitively.
+ func headerValueContainsToken(v string, token string) bool {
+- v = trimOWS(v)
+- if comma := strings.IndexByte(v, ','); comma != -1 {
+- return tokenEqual(trimOWS(v[:comma]), token) ||
headerValueContainsToken(v[comma+1:], token)
++ for comma := strings.IndexByte(v, ','); comma != -1; comma =
strings.IndexByte(v, ',') {
++ if tokenEqual(trimOWS(v[:comma]), token) {
++ return true
++ }
++ v = v[comma+1:]
+ }
+- return tokenEqual(v, token)
++ return tokenEqual(trimOWS(v), token)
+ }
+
+ // lowerASCII returns the ASCII lowercase version of b.
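Review bot: the fix ships without a regression test for the input size it is about: the stat line shows only http/httpguts/httplex.go changed (6 insertions, 4 deletions), and the request above records only a manual test of the affected function. A case in httplex_test.go that calls headerValueContainsToken on a value built from several million comma-separated tokens (the commit message cites ~10MB) would let the package build catch a reintroduction of the recursion. The loop is otherwise a faithful replacement: every segment is still compared via tokenEqual(trimOWS(v[:comma]), token) and the remainder via tokenEqual(trimOWS(v), token), so per-token semantics are unchanged while stack depth becomes constant. One packaging caveat: the mail client has wrapped two hunk lines, "return tokenEqual(trimOWS(v[:comma]), token) ||" / "headerValueContainsToken(v[comma+1:], token)" and "for comma := strings.IndexByte(v, ','); comma != -1; comma =" / "strings.IndexByte(v, ',')"; the file in debian/patches must keep each of these on a single line or quilt will fail to apply it.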
diff -Nru
golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/patches/series
golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/patches/series
--- golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/patches/series
2020-02-21 21:20:40.000000000 +0800
+++ golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/patches/series
2021-05-08 12:12:17.000000000 +0800
@@ -1 +1,2 @@
publicsuffix.patch
+CVE-2021-31525.patch
--- End Message ---
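The following is an added example and not code from the Debian package or from the upstream golang.org/x/net commit. It restates the iterative headerValueContainsToken from the patch alongside hand-written trimOWS, lowerASCII and tokenEqual helpers (modelled on httpguts but written here, so their exact behaviour is an assumption), and exercises the function on a constructed header value of about 10 MB, the size the commit message cites, as the kind of regression check the request reports was only done manually.

```go
package main

import (
	"fmt"
	"strings"
)

// isOWS reports whether b is optional whitespace (SP or HTAB) per RFC 7230.
// Assumption: written for this example, modelled on httpguts.
func isOWS(b byte) bool { return b == ' ' || b == '\t' }

// trimOWS strips leading and trailing optional whitespace from x.
func trimOWS(x string) string {
	for len(x) > 0 && isOWS(x[0]) {
		x = x[1:]
	}
	for len(x) > 0 && isOWS(x[len(x)-1]) {
		x = x[:len(x)-1]
	}
	return x
}

// lowerASCII returns the ASCII lowercase version of b.
func lowerASCII(b byte) byte {
	if 'A' <= b && b <= 'Z' {
		return b + ('a' - 'A')
	}
	return b
}

// tokenEqual reports whether t1 and t2 are equal, ASCII case-insensitively.
// Non-ASCII bytes never match, as tokens are ASCII-only.
func tokenEqual(t1, t2 string) bool {
	if len(t1) != len(t2) {
		return false
	}
	for i := 0; i < len(t1); i++ {
		if t1[i] >= 0x80 {
			return false
		}
		if lowerASCII(t1[i]) != lowerASCII(t2[i]) {
			return false
		}
	}
	return true
}

// headerValueContainsToken reports whether v contains token amongst its
// comma-separated tokens, ASCII case-insensitively. This is the iterative
// form from the patch: stack depth no longer grows with the number of commas,
// while each segment is still trimmed before comparison.
func headerValueContainsToken(v string, token string) bool {
	for comma := strings.IndexByte(v, ','); comma != -1; comma = strings.IndexByte(v, ',') {
		if tokenEqual(trimOWS(v[:comma]), token) {
			return true
		}
		v = v[comma+1:]
	}
	return tokenEqual(trimOWS(v), token)
}

// headerValuesContainsToken reports whether any of the given header values
// contains token, which is how a multi-valued header is checked.
func headerValuesContainsToken(values []string, token string) bool {
	for _, v := range values {
		if headerValueContainsToken(v, token) {
			return true
		}
	}
	return false
}

// largeHeader builds a constructed header value of n short tokens followed
// by last, e.g. "x,x,x,...,close". With n = 5_000_000 it is about 10 MB.
func largeHeader(n int, last string) string {
	var sb strings.Builder
	sb.Grow(2*n + len(last))
	for i := 0; i < n; i++ {
		sb.WriteString("x,")
	}
	sb.WriteString(last)
	return sb.String()
}

func main() {
	// Constructed ~10 MB value: the recursive version would overflow the
	// stack here; the loop handles it with constant stack usage.
	v := largeHeader(5_000_000, "Close")
	fmt.Println(len(v), headerValueContainsToken(v, "close"))
	fmt.Println(headerValuesContainsToken([]string{"gzip", "br , deflate"}, "DEFLATE"))
}
```

The loop variant walks the value once, so the cost is linear in the number of commas and independent of the call stack; a header that once crashed the process now costs only the time to scan it, which is the bound a request parser should be held to.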
--- Begin Message ---
Unblocked.
--- End Message ---