--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: z...@debian.org, t...@security.debian.org
[ Reason ]
Backport patches for CVE-2022-23806 CVE-2022-23772 CVE-2022-23773
[ Impact ]
+ CVE-2022-23806: crypto/elliptic: fix IsOnCurve for big.Int values
that are not valid coordinates
+ CVE-2022-23772: math/big: prevent large memory consumption in
Rat.SetString
+ CVE-2022-23773: cmd/go: prevent branches from materializing into versions
All are minor security issues, so I'd like to go with stable-pu.
[ Tests ]
For CVE-2022-23806 and CVE-2022-23772, regression tests are backported as well.
For CVE-2022-23773 the tests in upstream patch are hard to backport, so I test
it manully. The test is similar with upstream patch[1]
[1]
https://github.com/golang/go/commit/fa4d9b8e2bc2612960c80474fca83a4c85a974eb#diff-6d41824e441b8846a74c31ab4968dc114a1e650c05172e1f89826ea9e55d4c5aR421
For example, running
GOPROXY=direct /usr/lib/go-1.15/bin/go get
vcs-test.golang.org/git/semver-branch.git@v1.0.0
Will get same result and error in [1].
[ Risks ]
Patch for CVE-2022-23806 and CVE-2022-23772 are trivial and easy to review.
Patch for CVE-2022-23773 is larger, and is backported by 3way merge.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[ ] the issue is verified as fixed in unstable
golang-1.15 has been removed from unstable.
[ Changes ]
See attachment.
[ Other info ]
CVE-2022-23806 and CVE-2022-23772 are for Go std library, which is statically
linked in all Go programs. But these issues look like too minor to rebuild all
Go programs.
diff -Nru golang-1.15-1.15.15/debian/changelog
golang-1.15-1.15.15/debian/changelog
--- golang-1.15-1.15.15/debian/changelog 2021-12-04 17:37:57.000000000
+0800
+++ golang-1.15-1.15.15/debian/changelog 2022-02-11 23:45:44.000000000
+0800
@@ -1,3 +1,14 @@
+golang-1.15 (1.15.15-1~deb11u3) bullseye; urgency=medium
+
+ * Backport patches for CVE-2022-23806 CVE-2022-23772 CVE-2022-23773
+ + CVE-2022-23806: crypto/elliptic: fix IsOnCurve for big.Int values
+ that are not valid coordinates
+ + CVE-2022-23772: math/big: prevent large memory consumption in
+ Rat.SetString
+ + CVE-2022-23773: cmd/go: prevent branches from materializing into versions
+
+ -- Shengjing Zhu <z...@debian.org> Fri, 11 Feb 2022 23:45:44 +0800
+
golang-1.15 (1.15.15-1~deb11u2) bullseye; urgency=medium
* Backport patch for CVE-2021-38297
diff -Nru golang-1.15-1.15.15/debian/patches/0012-CVE-2022-23806.patch
golang-1.15-1.15.15/debian/patches/0012-CVE-2022-23806.patch
--- golang-1.15-1.15.15/debian/patches/0012-CVE-2022-23806.patch
1970-01-01 08:00:00.000000000 +0800
+++ golang-1.15-1.15.15/debian/patches/0012-CVE-2022-23806.patch
2022-02-11 23:45:44.000000000 +0800
@@ -0,0 +1,132 @@
+From: Filippo Valsorda <fili...@golang.org>
+Date: Wed, 2 Feb 2022 09:15:44 -0800
+Subject: CVE-2022-23806
+
+Origin: backport, https://github.com/golang/go/commit/6b3e741a
+---
+ src/crypto/elliptic/elliptic.go | 5 +++
+ src/crypto/elliptic/elliptic_test.go | 81 ++++++++++++++++++++++++++++++++++++
+ src/crypto/elliptic/p224.go | 5 +++
+ 3 files changed, 91 insertions(+)
+
+diff --git a/src/crypto/elliptic/elliptic.go b/src/crypto/elliptic/elliptic.go
+index f93dc16..afedf18 100644
+--- a/src/crypto/elliptic/elliptic.go
++++ b/src/crypto/elliptic/elliptic.go
+@@ -71,6 +71,11 @@ func (curve *CurveParams) polynomial(x *big.Int) *big.Int {
+ }
+
+ func (curve *CurveParams) IsOnCurve(x, y *big.Int) bool {
++ if x.Sign() < 0 || x.Cmp(curve.P) >= 0 ||
++ y.Sign() < 0 || y.Cmp(curve.P) >= 0 {
++ return false
++ }
++
+ // y² = x³ - 3x + b
+ y2 := new(big.Int).Mul(y, y)
+ y2.Mod(y2, curve.P)
+diff --git a/src/crypto/elliptic/elliptic_test.go
b/src/crypto/elliptic/elliptic_test.go
+index e80e773..bb16b0d 100644
+--- a/src/crypto/elliptic/elliptic_test.go
++++ b/src/crypto/elliptic/elliptic_test.go
+@@ -721,3 +721,84 @@ func testMarshalCompressed(t *testing.T, curve Curve, x,
y *big.Int, want []byte
+ t.Errorf("point did not round-trip correctly: got (%v, %v),
want (%v, %v)", X, Y, x, y)
+ }
+ }
++
++func testAllCurves(t *testing.T, f func(*testing.T, Curve)) {
++ tests := []struct {
++ name string
++ curve Curve
++ }{
++ {"P256", P256()},
++ {"P256/Params", P256().Params()},
++ {"P224", P224()},
++ {"P224/Params", P224().Params()},
++ {"P384", P384()},
++ {"P384/Params", P384().Params()},
++ {"P521", P521()},
++ {"P521/Params", P521().Params()},
++ }
++ if testing.Short() {
++ tests = tests[:1]
++ }
++ for _, test := range tests {
++ curve := test.curve
++ t.Run(test.name, func(t *testing.T) {
++ t.Parallel()
++ f(t, curve)
++ })
++ }
++}
++
++// TestInvalidCoordinates tests big.Int values that are not valid field
elements
++// (negative or bigger than P). They are expected to return false from
++// IsOnCurve, all other behavior is undefined.
++func TestInvalidCoordinates(t *testing.T) {
++ testAllCurves(t, testInvalidCoordinates)
++}
++
++func testInvalidCoordinates(t *testing.T, curve Curve) {
++ checkIsOnCurveFalse := func(name string, x, y *big.Int) {
++ if curve.IsOnCurve(x, y) {
++ t.Errorf("IsOnCurve(%s) unexpectedly returned true",
name)
++ }
++ }
++
++ p := curve.Params().P
++ _, x, y, _ := GenerateKey(curve, rand.Reader)
++ xx, yy := new(big.Int), new(big.Int)
++
++ // Check if the sign is getting dropped.
++ xx.Neg(x)
++ checkIsOnCurveFalse("-x, y", xx, y)
++ yy.Neg(y)
++ checkIsOnCurveFalse("x, -y", x, yy)
++
++ // Check if negative values are reduced modulo P.
++ xx.Sub(x, p)
++ checkIsOnCurveFalse("x-P, y", xx, y)
++ yy.Sub(y, p)
++ checkIsOnCurveFalse("x, y-P", x, yy)
++
++ // Check if positive values are reduced modulo P.
++ xx.Add(x, p)
++ checkIsOnCurveFalse("x+P, y", xx, y)
++ yy.Add(y, p)
++ checkIsOnCurveFalse("x, y+P", x, yy)
++
++ // Check if the overflow is dropped.
++ xx.Add(x, new(big.Int).Lsh(big.NewInt(1), 535))
++ checkIsOnCurveFalse("x+2⁵³⁵, y", xx, y)
++ yy.Add(y, new(big.Int).Lsh(big.NewInt(1), 535))
++ checkIsOnCurveFalse("x, y+2⁵³⁵", x, yy)
++
++ // Check if P is treated like zero (if possible).
++ // y^2 = x^3 - 3x + B
++ // y = mod_sqrt(x^3 - 3x + B)
++ // y = mod_sqrt(B) if x = 0
++ // If there is no modsqrt, there is no point with x = 0, can't test x =
P.
++ if yy := new(big.Int).ModSqrt(curve.Params().B, p); yy != nil {
++ if !curve.IsOnCurve(big.NewInt(0), yy) {
++ t.Fatal("(0, mod_sqrt(B)) is not on the curve?")
++ }
++ checkIsOnCurveFalse("P, y", p, yy)
++ }
++}
+diff --git a/src/crypto/elliptic/p224.go b/src/crypto/elliptic/p224.go
+index 8c76021..ff5c834 100644
+--- a/src/crypto/elliptic/p224.go
++++ b/src/crypto/elliptic/p224.go
+@@ -48,6 +48,11 @@ func (curve p224Curve) Params() *CurveParams {
+ }
+
+ func (curve p224Curve) IsOnCurve(bigX, bigY *big.Int) bool {
++ if bigX.Sign() < 0 || bigX.Cmp(curve.P) >= 0 ||
++ bigY.Sign() < 0 || bigY.Cmp(curve.P) >= 0 {
++ return false
++ }
++
+ var x, y p224FieldElement
+ p224FromBig(&x, bigX)
+ p224FromBig(&y, bigY)
diff -Nru golang-1.15-1.15.15/debian/patches/0013-CVE-2022-23772.patch
golang-1.15-1.15.15/debian/patches/0013-CVE-2022-23772.patch
--- golang-1.15-1.15.15/debian/patches/0013-CVE-2022-23772.patch
1970-01-01 08:00:00.000000000 +0800
+++ golang-1.15-1.15.15/debian/patches/0013-CVE-2022-23772.patch
2022-02-11 23:45:44.000000000 +0800
@@ -0,0 +1,38 @@
+From: Katie Hockman <ka...@golang.org>
+Date: Wed, 19 Jan 2022 16:54:41 -0500
+Subject: CVE-2022-23772
+
+Origin: backport, https://github.com/golang/go/commit/07ee9e64
+---
+ src/math/big/ratconv.go | 5 +++++
+ src/math/big/ratconv_test.go | 1 +
+ 2 files changed, 6 insertions(+)
+
+diff --git a/src/math/big/ratconv.go b/src/math/big/ratconv.go
+index ac3c8bd..90053a9 100644
+--- a/src/math/big/ratconv.go
++++ b/src/math/big/ratconv.go
+@@ -169,6 +169,11 @@ func (z *Rat) SetString(s string) (*Rat, bool) {
+ n := exp5
+ if n < 0 {
+ n = -n
++ if n < 0 {
++ // This can occur if -n overflows. -(-1 << 63)
would become
++ // -1 << 63, which is still negative.
++ return nil, false
++ }
+ }
+ if n > 1e6 {
+ return nil, false // avoid excessively large exponents
+diff --git a/src/math/big/ratconv_test.go b/src/math/big/ratconv_test.go
+index 15d206c..e55e655 100644
+--- a/src/math/big/ratconv_test.go
++++ b/src/math/big/ratconv_test.go
+@@ -104,6 +104,7 @@ var setStringTests = []StringTest{
+ {in: "4/3/"},
+ {in: "4/3."},
+ {in: "4/"},
++ {in: "13e-9223372036854775808"}, // CVE-2022-23772
+
+ // valid
+ {"0", "0", true},
diff -Nru golang-1.15-1.15.15/debian/patches/0014-CVE-2022-23773.patch
golang-1.15-1.15.15/debian/patches/0014-CVE-2022-23773.patch
--- golang-1.15-1.15.15/debian/patches/0014-CVE-2022-23773.patch
1970-01-01 08:00:00.000000000 +0800
+++ golang-1.15-1.15.15/debian/patches/0014-CVE-2022-23773.patch
2022-02-11 23:45:44.000000000 +0800
@@ -0,0 +1,323 @@
+From: "Bryan C. Mills" <bcmi...@google.com>
+Date: Thu, 13 Jan 2022 15:38:14 -0500
+Subject: CVE-2022-23773
+
+Origin: backport, https://github.com/golang/go/commit/de76489a
+
+Only change in coderep.go is backported. Changes in coderepo_test.go
+and mod_invalid_version.txt are used for testing, which can't be
+cherry-picked directly.
+---
+ src/cmd/go/internal/modfetch/coderepo.go | 215 +++++++++++++++----------------
+ 1 file changed, 106 insertions(+), 109 deletions(-)
+
+diff --git a/src/cmd/go/internal/modfetch/coderepo.go
b/src/cmd/go/internal/modfetch/coderepo.go
+index d043903..3297af9 100644
+--- a/src/cmd/go/internal/modfetch/coderepo.go
++++ b/src/cmd/go/internal/modfetch/coderepo.go
+@@ -298,16 +298,13 @@ func (r *codeRepo) Latest() (*RevInfo, error) {
+ // If statVers is a valid module version, it is used for the Version field.
+ // Otherwise, the Version is derived from the passed-in info and recent tags.
+ func (r *codeRepo) convert(info *codehost.RevInfo, statVers string)
(*RevInfo, error) {
+- info2 := &RevInfo{
+- Name: info.Name,
+- Short: info.Short,
+- Time: info.Time,
+- }
+-
+ // If this is a plain tag (no dir/ prefix)
+ // and the module path is unversioned,
+ // and if the underlying file tree has no go.mod,
+ // then allow using the tag with a +incompatible suffix.
++ //
++ // (If the version is +incompatible, then the go.mod file must not
exist:
++ // +incompatible is not an ongoing opt-out from semantic import
versioning.)
+ var canUseIncompatible func() bool
+ canUseIncompatible = func() bool {
+ var ok bool
+@@ -321,19 +318,12 @@ func (r *codeRepo) convert(info *codehost.RevInfo,
statVers string) (*RevInfo, e
+ return ok
+ }
+
+- invalidf := func(format string, args ...interface{}) error {
+- return &module.ModuleError{
+- Path: r.modPath,
+- Err: &module.InvalidVersionError{
+- Version: info2.Version,
+- Err: fmt.Errorf(format, args...),
+- },
+- }
+- }
+-
+- // checkGoMod verifies that the go.mod file for the module exists or
does not
+- // exist as required by info2.Version and the module path represented
by r.
+- checkGoMod := func() (*RevInfo, error) {
++ // checkCanonical verifies that the canonical version v is compatible
with the
++ // module path represented by r, adding a "+incompatible" suffix if
needed.
++ //
++ // If statVers is also canonical, checkCanonical also verifies that v is
++ // either statVers or statVers with the added "+incompatible" suffix.
++ checkCanonical := func(v string) (*RevInfo, error) {
+ // If r.codeDir is non-empty, then the go.mod file must exist:
the module
+ // author — not the module consumer, — gets to decide how to
carve up the repo
+ // into modules.
+@@ -344,73 +334,91 @@ func (r *codeRepo) convert(info *codehost.RevInfo,
statVers string) (*RevInfo, e
+ // r.findDir verifies both of these conditions. Execute it now
so that
+ // r.Stat will correctly return a notExistError if the go.mod
location or
+ // declared module path doesn't match.
+- _, _, _, err := r.findDir(info2.Version)
++ _, _, _, err := r.findDir(v)
+ if err != nil {
+ // TODO: It would be nice to return an error like "not
a module".
+ // Right now we return "missing go.mod", which is a
little confusing.
+ return nil, &module.ModuleError{
+ Path: r.modPath,
+ Err: &module.InvalidVersionError{
+- Version: info2.Version,
++ Version: v,
+ Err: notExistError{err: err},
+ },
+ }
+ }
+
+- // If the version is +incompatible, then the go.mod file must
not exist:
+- // +incompatible is not an ongoing opt-out from semantic import
versioning.
+- if strings.HasSuffix(info2.Version, "+incompatible") {
+- if !canUseIncompatible() {
++ invalidf := func(format string, args ...interface{}) error {
++ return &module.ModuleError{
++ Path: r.modPath,
++ Err: &module.InvalidVersionError{
++ Version: v,
++ Err: fmt.Errorf(format, args...),
++ },
++ }
++ }
++
++ // Add the +incompatible suffix if needed or requested
explicitly, and
++ // verify that its presence or absence is appropriate for this
version
++ // (which depends on whether it has an explicit go.mod file).
++
++ if v == strings.TrimSuffix(statVers, "+incompatible") {
++ v = statVers
++ }
++ base := strings.TrimSuffix(v, "+incompatible")
++ var errIncompatible error
++ if !module.MatchPathMajor(base, r.pathMajor) {
++ if canUseIncompatible() {
++ v = base + "+incompatible"
++ } else {
+ if r.pathMajor != "" {
+- return nil, invalidf("+incompatible
suffix not allowed: module path includes a major version suffix, so major
version must match")
++ errIncompatible = invalidf("module path
includes a major version suffix, so major version must match")
+ } else {
+- return nil, invalidf("+incompatible
suffix not allowed: module contains a go.mod file, so semantic import
versioning is required")
++ errIncompatible = invalidf("module
contains a go.mod file, so module path must match major version (%q)",
path.Join(r.pathPrefix, semver.Major(v)))
+ }
+ }
+-
+- if err :=
module.CheckPathMajor(strings.TrimSuffix(info2.Version, "+incompatible"),
r.pathMajor); err == nil {
+- return nil, invalidf("+incompatible suffix not
allowed: major version %s is compatible", semver.Major(info2.Version))
++ } else if strings.HasSuffix(v, "+incompatible") {
++ errIncompatible = invalidf("+incompatible suffix not
allowed: major version %s is compatible", semver.Major(v))
++ }
++
++ if statVers != "" && statVers ==
module.CanonicalVersion(statVers) {
++ // Since the caller-requested version is canonical, it
would be very
++ // confusing to resolve it to anything but itself,
possibly with a
++ // "+incompatible" suffix. Error out explicitly.
++ if statBase := strings.TrimSuffix(statVers,
"+incompatible"); statBase != base {
++ return nil, &module.ModuleError{
++ Path: r.modPath,
++ Err: &module.InvalidVersionError{
++ Version: statVers,
++ Err: fmt.Errorf("resolves
to version %v (%s is not a tag)", v, statBase),
++ },
++ }
+ }
+ }
+
+- return info2, nil
++ if errIncompatible != nil {
++ return nil, errIncompatible
++ }
++
++ return &RevInfo{
++ Name: info.Name,
++ Short: info.Short,
++ Time: info.Time,
++ Version: v,
++ }, nil
+ }
+
+ // Determine version.
+- //
+- // If statVers is canonical, then the original call was
repo.Stat(statVers).
+- // Since the version is canonical, we must not resolve it to anything
but
+- // itself, possibly with a '+incompatible' annotation: we do not need
to do
+- // the work required to look for an arbitrary pseudo-version.
+- if statVers != "" && statVers == module.CanonicalVersion(statVers) {
+- info2.Version = statVers
+-
+- if IsPseudoVersion(info2.Version) {
+- if err := r.validatePseudoVersion(info, info2.Version);
err != nil {
+- return nil, err
+- }
+- return checkGoMod()
+- }
+
+- if err := module.CheckPathMajor(info2.Version, r.pathMajor);
err != nil {
+- if canUseIncompatible() {
+- info2.Version += "+incompatible"
+- return checkGoMod()
+- } else {
+- if vErr, ok :=
err.(*module.InvalidVersionError); ok {
+- // We're going to describe why the
version is invalid in more detail,
+- // so strip out the existing “invalid
version” wrapper.
+- err = vErr.Err
+- }
+- return nil, invalidf("module contains a go.mod
file, so major version must be compatible: %v", err)
+- }
++ if IsPseudoVersion(statVers) {
++ if err := r.validatePseudoVersion(info, statVers); err != nil {
++ return nil, err
+ }
+-
+- return checkGoMod()
++ return checkCanonical(statVers)
+ }
+
+- // statVers is empty or non-canonical, so we need to resolve it to a
canonical
+- // version or pseudo-version.
++ // statVers is not a pseudo-version, so we need to either resolve it to
a
++ // canonical version or verify that it is already a canonical tag
++ // (not a branch).
+
+ // Derive or verify a version from a code repo tag.
+ // Tag must have a prefix matching codeDir.
+@@ -439,65 +447,59 @@ func (r *codeRepo) convert(info *codehost.RevInfo,
statVers string) (*RevInfo, e
+ if v == trimmed {
+ tagIsCanonical = true
+ }
+-
+- if err := module.CheckPathMajor(v, r.pathMajor); err != nil {
+- if canUseIncompatible() {
+- return v + "+incompatible", tagIsCanonical
+- }
+- return "", false
+- }
+-
+ return v, tagIsCanonical
+ }
+
+ // If the VCS gave us a valid version, use that.
+ if v, tagIsCanonical := tagToVersion(info.Version); tagIsCanonical {
+- info2.Version = v
+- return checkGoMod()
++ if info, err := checkCanonical(v); err == nil {
++ return info, err
++ }
+ }
+
+ // Look through the tags on the revision for either a usable canonical
version
+ // or an appropriate base for a pseudo-version.
+- var pseudoBase string
++ var (
++ highestCanonical string
++ pseudoBase string
++ )
+ for _, pathTag := range info.Tags {
+ v, tagIsCanonical := tagToVersion(pathTag)
+- if tagIsCanonical {
+- if statVers != "" && semver.Compare(v, statVers) == 0 {
+- // The user requested a non-canonical version,
but the tag for the
+- // canonical equivalent refers to the same
revision. Use it.
+- info2.Version = v
+- return checkGoMod()
++ if statVers != "" && semver.Compare(v, statVers) == 0 {
++ // The tag is equivalent to the version requested by
the user.
++ if tagIsCanonical {
++ // This tag is the canonical form of the
requested version,
++ // not some other form with extra build
metadata.
++ // Use this tag so that the resolved version
will match exactly.
++ // (If it isn't actually allowed, we'll error
out in checkCanonical.)
++ return checkCanonical(v)
+ } else {
+- // Save the highest canonical tag for the
revision. If we don't find a
+- // better match, we'll use it as the canonical
version.
++ // The user explicitly requested something
equivalent to this tag. We
++ // can't use the version from the tag directly:
since the tag is not
++ // canonical, it could be ambiguous. For
example, tags v0.0.1+a and
++ // v0.0.1+b might both exist and refer to
different revisions.
+ //
+- // NOTE: Do not replace this with semver.Max.
Despite the name,
+- // semver.Max *also* canonicalizes its
arguments, which uses
+- // semver.Canonical instead of
module.CanonicalVersion and thereby
+- // strips our "+incompatible" suffix.
+- if semver.Compare(info2.Version, v) < 0 {
+- info2.Version = v
+- }
++ // The tag is otherwise valid for the module,
so we can at least use it as
++ // the base of an unambiguous pseudo-version.
++ //
++ // If multiple tags match, tagToVersion will
canonicalize them to the same
++ // base version.
++ pseudoBase = v
++ }
++ }
++ // Save the highest non-retracted canonical tag for the
revision.
++ // If we don't find a better match, we'll use it as the
canonical version.
++ if tagIsCanonical && semver.Compare(highestCanonical, v) < 0 {
++ if module.MatchPathMajor(v, r.pathMajor) ||
canUseIncompatible() {
++ highestCanonical = v
+ }
+- } else if v != "" && semver.Compare(v, statVers) == 0 {
+- // The user explicitly requested something equivalent
to this tag. We
+- // can't use the version from the tag directly: since
the tag is not
+- // canonical, it could be ambiguous. For example, tags
v0.0.1+a and
+- // v0.0.1+b might both exist and refer to different
revisions.
+- //
+- // The tag is otherwise valid for the module, so we can
at least use it as
+- // the base of an unambiguous pseudo-version.
+- //
+- // If multiple tags match, tagToVersion will
canonicalize them to the same
+- // base version.
+- pseudoBase = v
+ }
+ }
+
+- // If we found any canonical tag for the revision, return it.
++ // If we found a valid canonical tag for the revision, return it.
+ // Even if we found a good pseudo-version base, a canonical version is
better.
+- if info2.Version != "" {
+- return checkGoMod()
++ if highestCanonical != "" {
++ return checkCanonical(highestCanonical)
+ }
+
+ if pseudoBase == "" {
+@@ -511,11 +513,10 @@ func (r *codeRepo) convert(info *codehost.RevInfo,
statVers string) (*RevInfo, e
+ tag, _ = r.code.RecentTag(info.Name, tagPrefix,
"v0")
+ }
+ }
+- pseudoBase, _ = tagToVersion(tag) // empty if the tag is invalid
++ pseudoBase, _ = tagToVersion(tag)
+ }
+
+- info2.Version = PseudoVersion(r.pseudoMajor, pseudoBase, info.Time,
info.Short)
+- return checkGoMod()
++ return checkCanonical(PseudoVersion(r.pseudoMajor, pseudoBase,
info.Time, info.Short))
+ }
+
+ // validatePseudoVersion checks that version has a major version compatible
with
+@@ -539,10 +540,6 @@ func (r *codeRepo) validatePseudoVersion(info
*codehost.RevInfo, version string)
+ }
+ }()
+
+- if err := module.CheckPathMajor(version, r.pathMajor); err != nil {
+- return err
+- }
+-
+ rev, err := PseudoVersionRev(version)
+ if err != nil {
+ return err
diff -Nru golang-1.15-1.15.15/debian/patches/series
golang-1.15-1.15.15/debian/patches/series
--- golang-1.15-1.15.15/debian/patches/series 2021-12-04 17:37:57.000000000
+0800
+++ golang-1.15-1.15.15/debian/patches/series 2022-02-11 23:45:44.000000000
+0800
@@ -9,3 +9,6 @@
0009-CVE-2021-41771.patch
0010-CVE-2021-44716.patch
0011-CVE-2021-44717.patch
+0012-CVE-2022-23806.patch
+0013-CVE-2022-23772.patch
+0014-CVE-2022-23773.patch
--- End Message ---
