Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock X-Debbugs-Cc: z...@debian.org
Please unblock package golang-1.15 [ Reason ] Backport patches for CVE-2021-33195 CVE-2021-33197 CVE-2021-33198 [ Impact ] Security issue. [ Tests ] Unit tests provided by upstream. [ Risks ] + Key package [ Checklist ] [x] all changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in testing [ Other info ] unblock golang-1.15/1.15.9-5 diff -Nru golang-1.15-1.15.9/debian/changelog golang-1.15-1.15.9/debian/changelog --- golang-1.15-1.15.9/debian/changelog 2021-06-02 10:56:03.000000000 +0800 +++ golang-1.15-1.15.9/debian/changelog 2021-06-05 19:36:34.000000000 +0800 @@ -1,3 +1,15 @@ +golang-1.15 (1.15.9-5) unstable; urgency=medium + + * Team upload. + * Backport patches for CVE-2021-33195 CVE-2021-33197 CVE-2021-33198 + + CVE-2021-33195: net: Lookup functions may return invalid host names + + CVE-2021-33197: net/http/httputil: ReverseProxy forwards Connection + headers if first one is empty + + CVE-2021-33198: math/big: (*Rat).SetString with "1.770p02041010010011001001" + crashes with "makeslice: len out of range" + + -- Shengjing Zhu <z...@debian.org> Sat, 05 Jun 2021 19:36:34 +0800 + golang-1.15 (1.15.9-4) unstable; urgency=medium * Team upload. diff -Nru golang-1.15-1.15.9/debian/patches/0009-CVE-2021-33195-1.patch golang-1.15-1.15.9/debian/patches/0009-CVE-2021-33195-1.patch --- golang-1.15-1.15.9/debian/patches/0009-CVE-2021-33195-1.patch 1970-01-01 08:00:00.000000000 +0800 +++ golang-1.15-1.15.9/debian/patches/0009-CVE-2021-33195-1.patch 2021-06-05 19:36:34.000000000 +0800 @@ -0,0 +1,369 @@ +From 31d60cda1f58b7558fc5725d2b9e4531655d980e Mon Sep 17 00:00:00 2001 +From: Roland Shoemaker <rol...@golang.org> +Date: Thu, 27 May 2021 10:40:06 -0700 +Subject: [PATCH] [release-branch.go1.15] net: verify results from Lookup* are + valid domain names + +For the methods LookupCNAME, LookupSRV, LookupMX, LookupNS, and +LookupAddr check that the returned domain names are in fact valid DNS +names using the existing isDomainName function. + +Thanks to Philipp Jeitner and Haya Shulman from Fraunhofer SIT for +reporting this issue. + +Updates #46241 +Fixes #46356 +Fixes CVE-2021-33195 + +Change-Id: I47a4f58c031cb752f732e88bbdae7f819f0af4f3 +Reviewed-on: https://go-review.googlesource.com/c/go/+/323131 +Trust: Roland Shoemaker <rol...@golang.org> +Run-TryBot: Roland Shoemaker <rol...@golang.org> +TryBot-Result: Go Bot <go...@golang.org> +Reviewed-by: Filippo Valsorda <fili...@golang.org> +Reviewed-by: Katie Hockman <ka...@golang.org> +(cherry picked from commit cdcd02842da7c004efd023881e3719105209c908) +Reviewed-on: https://go-review.googlesource.com/c/go/+/323269 +--- + src/net/dnsclient_unix_test.go | 157 +++++++++++++++++++++++++++++++++ + src/net/lookup.go | 111 ++++++++++++++++++++--- + 2 files changed, 255 insertions(+), 13 deletions(-) + +diff --git a/src/net/dnsclient_unix_test.go b/src/net/dnsclient_unix_test.go +index 06553636eee25..819f20b887ae6 100644 +--- a/src/net/dnsclient_unix_test.go ++++ b/src/net/dnsclient_unix_test.go +@@ -1799,3 +1799,160 @@ func TestPTRandNonPTR(t *testing.T) { + t.Errorf("names = %q; want %q", names, want) + } + } ++ ++func TestCVE202133195(t *testing.T) { ++ fake := fakeDNSServer{ ++ rh: func(n, _ string, q dnsmessage.Message, _ time.Time) (dnsmessage.Message, error) { ++ r := dnsmessage.Message{ ++ Header: dnsmessage.Header{ ++ ID: q.Header.ID, ++ Response: true, ++ RCode: dnsmessage.RCodeSuccess, ++ RecursionAvailable: true, ++ }, ++ Questions: q.Questions, ++ } ++ switch q.Questions[0].Type { ++ case dnsmessage.TypeCNAME: ++ r.Answers = []dnsmessage.Resource{} ++ case dnsmessage.TypeA: // CNAME lookup uses a A/AAAA as a proxy ++ r.Answers = append(r.Answers, ++ dnsmessage.Resource{ ++ Header: dnsmessage.ResourceHeader{ ++ Name: dnsmessage.MustNewName("<html>.golang.org."), ++ Type: dnsmessage.TypeA, ++ Class: dnsmessage.ClassINET, ++ Length: 4, ++ }, ++ Body: &dnsmessage.AResource{ ++ A: TestAddr, ++ }, ++ }, ++ ) ++ case dnsmessage.TypeSRV: ++ n := q.Questions[0].Name ++ if n.String() == "_hdr._tcp.golang.org." { ++ n = dnsmessage.MustNewName("<html>.golang.org.") ++ } ++ r.Answers = append(r.Answers, ++ dnsmessage.Resource{ ++ Header: dnsmessage.ResourceHeader{ ++ Name: n, ++ Type: dnsmessage.TypeSRV, ++ Class: dnsmessage.ClassINET, ++ Length: 4, ++ }, ++ Body: &dnsmessage.SRVResource{ ++ Target: dnsmessage.MustNewName("<html>.golang.org."), ++ }, ++ }, ++ ) ++ case dnsmessage.TypeMX: ++ r.Answers = append(r.Answers, ++ dnsmessage.Resource{ ++ Header: dnsmessage.ResourceHeader{ ++ Name: dnsmessage.MustNewName("<html>.golang.org."), ++ Type: dnsmessage.TypeMX, ++ Class: dnsmessage.ClassINET, ++ Length: 4, ++ }, ++ Body: &dnsmessage.MXResource{ ++ MX: dnsmessage.MustNewName("<html>.golang.org."), ++ }, ++ }, ++ ) ++ case dnsmessage.TypeNS: ++ r.Answers = append(r.Answers, ++ dnsmessage.Resource{ ++ Header: dnsmessage.ResourceHeader{ ++ Name: dnsmessage.MustNewName("<html>.golang.org."), ++ Type: dnsmessage.TypeNS, ++ Class: dnsmessage.ClassINET, ++ Length: 4, ++ }, ++ Body: &dnsmessage.NSResource{ ++ NS: dnsmessage.MustNewName("<html>.golang.org."), ++ }, ++ }, ++ ) ++ case dnsmessage.TypePTR: ++ r.Answers = append(r.Answers, ++ dnsmessage.Resource{ ++ Header: dnsmessage.ResourceHeader{ ++ Name: dnsmessage.MustNewName("<html>.golang.org."), ++ Type: dnsmessage.TypePTR, ++ Class: dnsmessage.ClassINET, ++ Length: 4, ++ }, ++ Body: &dnsmessage.PTRResource{ ++ PTR: dnsmessage.MustNewName("<html>.golang.org."), ++ }, ++ }, ++ ) ++ } ++ return r, nil ++ }, ++ } ++ ++ r := Resolver{PreferGo: true, Dial: fake.DialContext} ++ // Change the default resolver to match our manipulated resolver ++ originalDefault := DefaultResolver ++ DefaultResolver = &r ++ defer func() { ++ DefaultResolver = originalDefault ++ }() ++ ++ _, err := r.LookupCNAME(context.Background(), "golang.org") ++ if expected := "lookup golang.org: CNAME target is invalid"; err == nil || err.Error() != expected { ++ t.Errorf("Resolver.LookupCNAME returned unexpected error, got %q, want %q", err.Error(), expected) ++ } ++ _, err = LookupCNAME("golang.org") ++ if expected := "lookup golang.org: CNAME target is invalid"; err == nil || err.Error() != expected { ++ t.Errorf("LookupCNAME returned unexpected error, got %q, want %q", err.Error(), expected) ++ } ++ ++ _, _, err = r.LookupSRV(context.Background(), "target", "tcp", "golang.org") ++ if expected := "lookup golang.org: SRV target is invalid"; err == nil || err.Error() != expected { ++ t.Errorf("Resolver.LookupSRV returned unexpected error, got %q, want %q", err.Error(), expected) ++ } ++ _, _, err = LookupSRV("target", "tcp", "golang.org") ++ if expected := "lookup golang.org: SRV target is invalid"; err == nil || err.Error() != expected { ++ t.Errorf("LookupSRV returned unexpected error, got %q, want %q", err.Error(), expected) ++ } ++ ++ _, _, err = r.LookupSRV(context.Background(), "hdr", "tcp", "golang.org") ++ if expected := "lookup golang.org: SRV header name is invalid"; err == nil || err.Error() != expected { ++ t.Errorf("Resolver.LookupSRV returned unexpected error, got %q, want %q", err.Error(), expected) ++ } ++ _, _, err = LookupSRV("hdr", "tcp", "golang.org") ++ if expected := "lookup golang.org: SRV header name is invalid"; err == nil || err.Error() != expected { ++ t.Errorf("LookupSRV returned unexpected error, got %q, want %q", err.Error(), expected) ++ } ++ ++ _, err = r.LookupMX(context.Background(), "golang.org") ++ if expected := "lookup golang.org: MX target is invalid"; err == nil || err.Error() != expected { ++ t.Errorf("Resolver.LookupMX returned unexpected error, got %q, want %q", err.Error(), expected) ++ } ++ _, err = LookupMX("golang.org") ++ if expected := "lookup golang.org: MX target is invalid"; err == nil || err.Error() != expected { ++ t.Errorf("LookupMX returned unexpected error, got %q, want %q", err.Error(), expected) ++ } ++ ++ _, err = r.LookupNS(context.Background(), "golang.org") ++ if expected := "lookup golang.org: NS target is invalid"; err == nil || err.Error() != expected { ++ t.Errorf("Resolver.LookupNS returned unexpected error, got %q, want %q", err.Error(), expected) ++ } ++ _, err = LookupNS("golang.org") ++ if expected := "lookup golang.org: NS target is invalid"; err == nil || err.Error() != expected { ++ t.Errorf("LookupNS returned unexpected error, got %q, want %q", err.Error(), expected) ++ } ++ ++ _, err = r.LookupAddr(context.Background(), "1.2.3.4") ++ if expected := "lookup 1.2.3.4: PTR target is invalid"; err == nil || err.Error() != expected { ++ t.Errorf("Resolver.LookupAddr returned unexpected error, got %q, want %q", err.Error(), expected) ++ } ++ _, err = LookupAddr("1.2.3.4") ++ if expected := "lookup 1.2.3.4: PTR target is invalid"; err == nil || err.Error() != expected { ++ t.Errorf("LookupAddr returned unexpected error, got %q, want %q", err.Error(), expected) ++ } ++} +diff --git a/src/net/lookup.go b/src/net/lookup.go +index 5f7119872a48d..0660268249bc7 100644 +--- a/src/net/lookup.go ++++ b/src/net/lookup.go +@@ -389,8 +389,11 @@ func (r *Resolver) LookupPort(ctx context.Context, network, service string) (por + // LookupCNAME does not return an error if host does not + // contain DNS "CNAME" records, as long as host resolves to + // address records. ++// ++// The returned canonical name is validated to be a properly ++// formatted presentation-format domain name. + func LookupCNAME(host string) (cname string, err error) { +- return DefaultResolver.lookupCNAME(context.Background(), host) ++ return DefaultResolver.LookupCNAME(context.Background(), host) + } + + // LookupCNAME returns the canonical name for the given host. +@@ -403,8 +406,18 @@ func LookupCNAME(host string) (cname string, err error) { + // LookupCNAME does not return an error if host does not + // contain DNS "CNAME" records, as long as host resolves to + // address records. +-func (r *Resolver) LookupCNAME(ctx context.Context, host string) (cname string, err error) { +- return r.lookupCNAME(ctx, host) ++// ++// The returned canonical name is validated to be a properly ++// formatted presentation-format domain name. ++func (r *Resolver) LookupCNAME(ctx context.Context, host string) (string, error) { ++ cname, err := r.lookupCNAME(ctx, host) ++ if err != nil { ++ return "", err ++ } ++ if !isDomainName(cname) { ++ return "", &DNSError{Err: "CNAME target is invalid", Name: host} ++ } ++ return cname, nil + } + + // LookupSRV tries to resolve an SRV query of the given service, +@@ -416,8 +429,11 @@ func (r *Resolver) LookupCNAME(ctx context.Context, host string) (cname string, + // That is, it looks up _service._proto.name. To accommodate services + // publishing SRV records under non-standard names, if both service + // and proto are empty strings, LookupSRV looks up name directly. ++// ++// The returned service names are validated to be properly ++// formatted presentation-format domain names. + func LookupSRV(service, proto, name string) (cname string, addrs []*SRV, err error) { +- return DefaultResolver.lookupSRV(context.Background(), service, proto, name) ++ return DefaultResolver.LookupSRV(context.Background(), service, proto, name) + } + + // LookupSRV tries to resolve an SRV query of the given service, +@@ -429,28 +445,82 @@ func LookupSRV(service, proto, name string) (cname string, addrs []*SRV, err err + // That is, it looks up _service._proto.name. To accommodate services + // publishing SRV records under non-standard names, if both service + // and proto are empty strings, LookupSRV looks up name directly. +-func (r *Resolver) LookupSRV(ctx context.Context, service, proto, name string) (cname string, addrs []*SRV, err error) { +- return r.lookupSRV(ctx, service, proto, name) ++// ++// The returned service names are validated to be properly ++// formatted presentation-format domain names. ++func (r *Resolver) LookupSRV(ctx context.Context, service, proto, name string) (string, []*SRV, error) { ++ cname, addrs, err := r.lookupSRV(ctx, service, proto, name) ++ if err != nil { ++ return "", nil, err ++ } ++ if cname != "" && !isDomainName(cname) { ++ return "", nil, &DNSError{Err: "SRV header name is invalid", Name: name} ++ } ++ for _, addr := range addrs { ++ if addr == nil { ++ continue ++ } ++ if !isDomainName(addr.Target) { ++ return "", nil, &DNSError{Err: "SRV target is invalid", Name: name} ++ } ++ } ++ return cname, addrs, nil + } + + // LookupMX returns the DNS MX records for the given domain name sorted by preference. ++// ++// The returned mail server names are validated to be properly ++// formatted presentation-format domain names. + func LookupMX(name string) ([]*MX, error) { +- return DefaultResolver.lookupMX(context.Background(), name) ++ return DefaultResolver.LookupMX(context.Background(), name) + } + + // LookupMX returns the DNS MX records for the given domain name sorted by preference. ++// ++// The returned mail server names are validated to be properly ++// formatted presentation-format domain names. + func (r *Resolver) LookupMX(ctx context.Context, name string) ([]*MX, error) { +- return r.lookupMX(ctx, name) ++ records, err := r.lookupMX(ctx, name) ++ if err != nil { ++ return nil, err ++ } ++ for _, mx := range records { ++ if mx == nil { ++ continue ++ } ++ if !isDomainName(mx.Host) { ++ return nil, &DNSError{Err: "MX target is invalid", Name: name} ++ } ++ } ++ return records, nil + } + + // LookupNS returns the DNS NS records for the given domain name. ++// ++// The returned name server names are validated to be properly ++// formatted presentation-format domain names. + func LookupNS(name string) ([]*NS, error) { +- return DefaultResolver.lookupNS(context.Background(), name) ++ return DefaultResolver.LookupNS(context.Background(), name) + } + + // LookupNS returns the DNS NS records for the given domain name. ++// ++// The returned name server names are validated to be properly ++// formatted presentation-format domain names. + func (r *Resolver) LookupNS(ctx context.Context, name string) ([]*NS, error) { +- return r.lookupNS(ctx, name) ++ records, err := r.lookupNS(ctx, name) ++ if err != nil { ++ return nil, err ++ } ++ for _, ns := range records { ++ if ns == nil { ++ continue ++ } ++ if !isDomainName(ns.Host) { ++ return nil, &DNSError{Err: "NS target is invalid", Name: name} ++ } ++ } ++ return records, nil + } + + // LookupTXT returns the DNS TXT records for the given domain name. +@@ -466,14 +536,29 @@ func (r *Resolver) LookupTXT(ctx context.Context, name string) ([]string, error) + // LookupAddr performs a reverse lookup for the given address, returning a list + // of names mapping to that address. + // ++// The returned names are validated to be properly formatted presentation-format ++// domain names. ++// + // When using the host C library resolver, at most one result will be + // returned. To bypass the host resolver, use a custom Resolver. + func LookupAddr(addr string) (names []string, err error) { +- return DefaultResolver.lookupAddr(context.Background(), addr) ++ return DefaultResolver.LookupAddr(context.Background(), addr) + } + + // LookupAddr performs a reverse lookup for the given address, returning a list + // of names mapping to that address. +-func (r *Resolver) LookupAddr(ctx context.Context, addr string) (names []string, err error) { +- return r.lookupAddr(ctx, addr) ++// ++// The returned names are validated to be properly formatted presentation-format ++// domain names. ++func (r *Resolver) LookupAddr(ctx context.Context, addr string) ([]string, error) { ++ names, err := r.lookupAddr(ctx, addr) ++ if err != nil { ++ return nil, err ++ } ++ for _, name := range names { ++ if !isDomainName(name) { ++ return nil, &DNSError{Err: "PTR target is invalid", Name: addr} ++ } ++ } ++ return names, nil + } diff -Nru golang-1.15-1.15.9/debian/patches/0010-CVE-2021-33195-2.patch golang-1.15-1.15.9/debian/patches/0010-CVE-2021-33195-2.patch --- golang-1.15-1.15.9/debian/patches/0010-CVE-2021-33195-2.patch 1970-01-01 08:00:00.000000000 +0800 +++ golang-1.15-1.15.9/debian/patches/0010-CVE-2021-33195-2.patch 2021-06-05 19:36:34.000000000 +0800 @@ -0,0 +1,111 @@ +From 6b411e90d4d017f28c1cc7d442b5ec8c1f9de549 Mon Sep 17 00:00:00 2001 +From: Roland Shoemaker <rol...@golang.org> +Date: Wed, 2 Jun 2021 09:20:22 -0700 +Subject: [PATCH] [release-branch.go1.15] net: don't rely on system hosts in + TestCVE202133195 + +Also don't unnecessarily deref the error return. + +Updates #46504 +Fixes #46531 + +Change-Id: I22d14ac76776f8988fa0774bdcb5fcd801ce0185 +Reviewed-on: https://go-review.googlesource.com/c/go/+/324190 +Trust: David Chase <drch...@google.com> +Trust: Damien Neil <dn...@google.com> +Run-TryBot: David Chase <drch...@google.com> +TryBot-Result: Go Bot <go...@golang.org> +Reviewed-by: Damien Neil <dn...@google.com> +(cherry picked from commit dd7ba3ba2c860c40be6d70b63d4a678449cae80f) +Reviewed-on: https://go-review.googlesource.com/c/go/+/324333 +Reviewed-by: Ian Lance Taylor <i...@golang.org> +--- + src/net/dnsclient_unix_test.go | 39 +++++++++++++++++----------------- + 1 file changed, 20 insertions(+), 19 deletions(-) + +diff --git a/src/net/dnsclient_unix_test.go b/src/net/dnsclient_unix_test.go +index 819f20b887ae6..f646629912a3d 100644 +--- a/src/net/dnsclient_unix_test.go ++++ b/src/net/dnsclient_unix_test.go +@@ -1898,61 +1898,62 @@ func TestCVE202133195(t *testing.T) { + // Change the default resolver to match our manipulated resolver + originalDefault := DefaultResolver + DefaultResolver = &r +- defer func() { +- DefaultResolver = originalDefault +- }() ++ defer func() { DefaultResolver = originalDefault }() ++ // Redirect host file lookups. ++ defer func(orig string) { testHookHostsPath = orig }(testHookHostsPath) ++ testHookHostsPath = "testdata/hosts" + + _, err := r.LookupCNAME(context.Background(), "golang.org") + if expected := "lookup golang.org: CNAME target is invalid"; err == nil || err.Error() != expected { +- t.Errorf("Resolver.LookupCNAME returned unexpected error, got %q, want %q", err.Error(), expected) ++ t.Errorf("Resolver.LookupCNAME returned unexpected error, got %q, want %q", err, expected) + } + _, err = LookupCNAME("golang.org") + if expected := "lookup golang.org: CNAME target is invalid"; err == nil || err.Error() != expected { +- t.Errorf("LookupCNAME returned unexpected error, got %q, want %q", err.Error(), expected) ++ t.Errorf("LookupCNAME returned unexpected error, got %q, want %q", err, expected) + } + + _, _, err = r.LookupSRV(context.Background(), "target", "tcp", "golang.org") + if expected := "lookup golang.org: SRV target is invalid"; err == nil || err.Error() != expected { +- t.Errorf("Resolver.LookupSRV returned unexpected error, got %q, want %q", err.Error(), expected) ++ t.Errorf("Resolver.LookupSRV returned unexpected error, got %q, want %q", err, expected) + } + _, _, err = LookupSRV("target", "tcp", "golang.org") + if expected := "lookup golang.org: SRV target is invalid"; err == nil || err.Error() != expected { +- t.Errorf("LookupSRV returned unexpected error, got %q, want %q", err.Error(), expected) ++ t.Errorf("LookupSRV returned unexpected error, got %q, want %q", err, expected) + } + + _, _, err = r.LookupSRV(context.Background(), "hdr", "tcp", "golang.org") + if expected := "lookup golang.org: SRV header name is invalid"; err == nil || err.Error() != expected { +- t.Errorf("Resolver.LookupSRV returned unexpected error, got %q, want %q", err.Error(), expected) ++ t.Errorf("Resolver.LookupSRV returned unexpected error, got %q, want %q", err, expected) + } + _, _, err = LookupSRV("hdr", "tcp", "golang.org") + if expected := "lookup golang.org: SRV header name is invalid"; err == nil || err.Error() != expected { +- t.Errorf("LookupSRV returned unexpected error, got %q, want %q", err.Error(), expected) ++ t.Errorf("LookupSRV returned unexpected error, got %q, want %q", err, expected) + } + + _, err = r.LookupMX(context.Background(), "golang.org") + if expected := "lookup golang.org: MX target is invalid"; err == nil || err.Error() != expected { +- t.Errorf("Resolver.LookupMX returned unexpected error, got %q, want %q", err.Error(), expected) ++ t.Errorf("Resolver.LookupMX returned unexpected error, got %q, want %q", err, expected) + } + _, err = LookupMX("golang.org") + if expected := "lookup golang.org: MX target is invalid"; err == nil || err.Error() != expected { +- t.Errorf("LookupMX returned unexpected error, got %q, want %q", err.Error(), expected) ++ t.Errorf("LookupMX returned unexpected error, got %q, want %q", err, expected) + } + + _, err = r.LookupNS(context.Background(), "golang.org") + if expected := "lookup golang.org: NS target is invalid"; err == nil || err.Error() != expected { +- t.Errorf("Resolver.LookupNS returned unexpected error, got %q, want %q", err.Error(), expected) ++ t.Errorf("Resolver.LookupNS returned unexpected error, got %q, want %q", err, expected) + } + _, err = LookupNS("golang.org") + if expected := "lookup golang.org: NS target is invalid"; err == nil || err.Error() != expected { +- t.Errorf("LookupNS returned unexpected error, got %q, want %q", err.Error(), expected) ++ t.Errorf("LookupNS returned unexpected error, got %q, want %q", err, expected) + } + +- _, err = r.LookupAddr(context.Background(), "1.2.3.4") +- if expected := "lookup 1.2.3.4: PTR target is invalid"; err == nil || err.Error() != expected { +- t.Errorf("Resolver.LookupAddr returned unexpected error, got %q, want %q", err.Error(), expected) ++ _, err = r.LookupAddr(context.Background(), "192.0.2.42") ++ if expected := "lookup 192.0.2.42: PTR target is invalid"; err == nil || err.Error() != expected { ++ t.Errorf("Resolver.LookupAddr returned unexpected error, got %q, want %q", err, expected) + } +- _, err = LookupAddr("1.2.3.4") +- if expected := "lookup 1.2.3.4: PTR target is invalid"; err == nil || err.Error() != expected { +- t.Errorf("LookupAddr returned unexpected error, got %q, want %q", err.Error(), expected) ++ _, err = LookupAddr("192.0.2.42") ++ if expected := "lookup 192.0.2.42: PTR target is invalid"; err == nil || err.Error() != expected { ++ t.Errorf("LookupAddr returned unexpected error, got %q, want %q", err, expected) + } + } diff -Nru golang-1.15-1.15.9/debian/patches/0011-CVE-2021-33197.patch golang-1.15-1.15.9/debian/patches/0011-CVE-2021-33197.patch --- golang-1.15-1.15.9/debian/patches/0011-CVE-2021-33197.patch 1970-01-01 08:00:00.000000000 +0800 +++ golang-1.15-1.15.9/debian/patches/0011-CVE-2021-33197.patch 2021-06-05 19:36:34.000000000 +0800 @@ -0,0 +1,147 @@ +From cbd1ca84453fecf3825a6bb9f985823e8bc32b76 Mon Sep 17 00:00:00 2001 +From: Filippo Valsorda <fili...@golang.org> +Date: Fri, 21 May 2021 14:02:30 -0400 +Subject: [PATCH] [release-branch.go1.15] net/http/httputil: always remove + hop-by-hop headers + +Previously, we'd fail to remove the Connection header from a request +like this: + + Connection: + Connection: x-header + +Updates #46313 +Fixes #46314 +Fixes CVE-2021-33197 + +Change-Id: Ie3009e926ceecfa86dfa6bcc6fe14ff01086be7d +Reviewed-on: https://go-review.googlesource.com/c/go/+/321929 +Run-TryBot: Filippo Valsorda <fili...@golang.org> +Reviewed-by: Katie Hockman <ka...@golang.org> +Trust: Katie Hockman <ka...@golang.org> +Trust: Filippo Valsorda <fili...@golang.org> +TryBot-Result: Go Bot <go...@golang.org> +Reviewed-on: https://go-review.googlesource.com/c/go/+/323091 +Run-TryBot: Katie Hockman <ka...@golang.org> +--- + src/net/http/httputil/reverseproxy.go | 22 ++++---- + src/net/http/httputil/reverseproxy_test.go | 63 +++++++++++++++++++++- + 2 files changed, 70 insertions(+), 15 deletions(-) + +diff --git a/src/net/http/httputil/reverseproxy.go b/src/net/http/httputil/reverseproxy.go +index 3f48fab544e91..f49cefbb4f171 100644 +--- a/src/net/http/httputil/reverseproxy.go ++++ b/src/net/http/httputil/reverseproxy.go +@@ -248,22 +248,18 @@ func (p *ReverseProxy) ServeHTTP(rw http.ResponseWriter, req *http.Request) { + // important is "Connection" because we want a persistent + // connection, regardless of what the client sent to us. + for _, h := range hopHeaders { +- hv := outreq.Header.Get(h) +- if hv == "" { +- continue +- } +- if h == "Te" && hv == "trailers" { +- // Issue 21096: tell backend applications that +- // care about trailer support that we support +- // trailers. (We do, but we don't go out of +- // our way to advertise that unless the +- // incoming client request thought it was +- // worth mentioning) +- continue +- } + outreq.Header.Del(h) + } + ++ // Issue 21096: tell backend applications that care about trailer support ++ // that we support trailers. (We do, but we don't go out of our way to ++ // advertise that unless the incoming client request thought it was worth ++ // mentioning.) Note that we look at req.Header, not outreq.Header, since ++ // the latter has passed through removeConnectionHeaders. ++ if httpguts.HeaderValuesContainsToken(req.Header["Te"], "trailers") { ++ outreq.Header.Set("Te", "trailers") ++ } ++ + // After stripping all the hop-by-hop connection headers above, add back any + // necessary for protocol upgrades, such as for websockets. + if reqUpType != "" { +diff --git a/src/net/http/httputil/reverseproxy_test.go b/src/net/http/httputil/reverseproxy_test.go +index 764939fb0f0c2..1f2dfb9867f68 100644 +--- a/src/net/http/httputil/reverseproxy_test.go ++++ b/src/net/http/httputil/reverseproxy_test.go +@@ -91,8 +91,9 @@ func TestReverseProxy(t *testing.T) { + + getReq, _ := http.NewRequest("GET", frontend.URL, nil) + getReq.Host = "some-name" +- getReq.Header.Set("Connection", "close") +- getReq.Header.Set("Te", "trailers") ++ getReq.Header.Set("Connection", "close, TE") ++ getReq.Header.Add("Te", "foo") ++ getReq.Header.Add("Te", "bar, trailers") + getReq.Header.Set("Proxy-Connection", "should be deleted") + getReq.Header.Set("Upgrade", "foo") + getReq.Close = true +@@ -236,6 +237,64 @@ func TestReverseProxyStripHeadersPresentInConnection(t *testing.T) { + } + } + ++func TestReverseProxyStripEmptyConnection(t *testing.T) { ++ // See Issue 46313. ++ const backendResponse = "I am the backend" ++ ++ // someConnHeader is some arbitrary header to be declared as a hop-by-hop header ++ // in the Request's Connection header. ++ const someConnHeader = "X-Some-Conn-Header" ++ ++ backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { ++ if c := r.Header.Values("Connection"); len(c) != 0 { ++ t.Errorf("handler got header %q = %v; want empty", "Connection", c) ++ } ++ if c := r.Header.Get(someConnHeader); c != "" { ++ t.Errorf("handler got header %q = %q; want empty", someConnHeader, c) ++ } ++ w.Header().Add("Connection", "") ++ w.Header().Add("Connection", someConnHeader) ++ w.Header().Set(someConnHeader, "should be deleted") ++ io.WriteString(w, backendResponse) ++ })) ++ defer backend.Close() ++ backendURL, err := url.Parse(backend.URL) ++ if err != nil { ++ t.Fatal(err) ++ } ++ proxyHandler := NewSingleHostReverseProxy(backendURL) ++ frontend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { ++ proxyHandler.ServeHTTP(w, r) ++ if c := r.Header.Get(someConnHeader); c != "should be deleted" { ++ t.Errorf("handler modified header %q = %q; want %q", someConnHeader, c, "should be deleted") ++ } ++ })) ++ defer frontend.Close() ++ ++ getReq, _ := http.NewRequest("GET", frontend.URL, nil) ++ getReq.Header.Add("Connection", "") ++ getReq.Header.Add("Connection", someConnHeader) ++ getReq.Header.Set(someConnHeader, "should be deleted") ++ res, err := frontend.Client().Do(getReq) ++ if err != nil { ++ t.Fatalf("Get: %v", err) ++ } ++ defer res.Body.Close() ++ bodyBytes, err := ioutil.ReadAll(res.Body) ++ if err != nil { ++ t.Fatalf("reading body: %v", err) ++ } ++ if got, want := string(bodyBytes), backendResponse; got != want { ++ t.Errorf("got body %q; want %q", got, want) ++ } ++ if c := res.Header.Get("Connection"); c != "" { ++ t.Errorf("handler got header %q = %q; want empty", "Connection", c) ++ } ++ if c := res.Header.Get(someConnHeader); c != "" { ++ t.Errorf("handler got header %q = %q; want empty", someConnHeader, c) ++ } ++} ++ + func TestXForwardedFor(t *testing.T) { + const prevForwardedFor = "client ip" + const backendResponse = "I am the backend" diff -Nru golang-1.15-1.15.9/debian/patches/0012-CVE-2021-33198.patch golang-1.15-1.15.9/debian/patches/0012-CVE-2021-33198.patch --- golang-1.15-1.15.9/debian/patches/0012-CVE-2021-33198.patch 1970-01-01 08:00:00.000000000 +0800 +++ golang-1.15-1.15.9/debian/patches/0012-CVE-2021-33198.patch 2021-06-05 19:36:34.000000000 +0800 @@ -0,0 +1,107 @@ +From df9ce19db6df32d94eae8760927bdfbc595433c3 Mon Sep 17 00:00:00 2001 +From: Robert Griesemer <g...@golang.org> +Date: Sun, 2 May 2021 11:27:03 -0700 +Subject: [PATCH] [release-branch.go1.15] math/big: check for excessive + exponents in Rat.SetString + +Found by OSS-Fuzz https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33284 + +Thanks to Emmanuel Odeke for reporting this issue. + +Updates #45910 +Fixes #46305 +Fixes CVE-2021-33198 + +Change-Id: I61e7b04dbd80343420b57eede439e361c0f7b79c +Reviewed-on: https://go-review.googlesource.com/c/go/+/316149 +Trust: Robert Griesemer <g...@golang.org> +Trust: Katie Hockman <ka...@golang.org> +Run-TryBot: Robert Griesemer <g...@golang.org> +TryBot-Result: Go Bot <go...@golang.org> +Reviewed-by: Katie Hockman <ka...@golang.org> +Reviewed-by: Emmanuel Odeke <emman...@orijtech.com> +(cherry picked from commit 6c591f79b0b5327549bd4e94970f7a279efb4ab0) +Reviewed-on: https://go-review.googlesource.com/c/go/+/321831 +Run-TryBot: Katie Hockman <ka...@golang.org> +Reviewed-by: Roland Shoemaker <rol...@golang.org> +--- + src/math/big/ratconv.go | 15 ++++++++------- + src/math/big/ratconv_test.go | 25 +++++++++++++++++++++++++ + 2 files changed, 33 insertions(+), 7 deletions(-) + +diff --git a/src/math/big/ratconv.go b/src/math/big/ratconv.go +index 941139e72d1c4..ac3c8bd11f8a8 100644 +--- a/src/math/big/ratconv.go ++++ b/src/math/big/ratconv.go +@@ -51,7 +51,8 @@ func (z *Rat) Scan(s fmt.ScanState, ch rune) error { + // An optional base-10 ``e'' or base-2 ``p'' (or their upper-case variants) + // exponent may be provided as well, except for hexadecimal floats which + // only accept an (optional) ``p'' exponent (because an ``e'' or ``E'' cannot +-// be distinguished from a mantissa digit). ++// be distinguished from a mantissa digit). If the exponent's absolute value ++// is too large, the operation may fail. + // The entire string, not just a prefix, must be valid for success. If the + // operation failed, the value of z is undefined but the returned value is nil. + func (z *Rat) SetString(s string) (*Rat, bool) { +@@ -169,6 +170,9 @@ func (z *Rat) SetString(s string) (*Rat, bool) { + if n < 0 { + n = -n + } ++ if n > 1e6 { ++ return nil, false // avoid excessively large exponents ++ } + pow5 := z.b.abs.expNN(natFive, nat(nil).setWord(Word(n)), nil) // use underlying array of z.b.abs + if exp5 > 0 { + z.a.abs = z.a.abs.mul(z.a.abs, pow5) +@@ -181,15 +185,12 @@ func (z *Rat) SetString(s string) (*Rat, bool) { + } + + // apply exp2 contributions ++ if exp2 < -1e7 || exp2 > 1e7 { ++ return nil, false // avoid excessively large exponents ++ } + if exp2 > 0 { +- if int64(uint(exp2)) != exp2 { +- panic("exponent too large") +- } + z.a.abs = z.a.abs.shl(z.a.abs, uint(exp2)) + } else if exp2 < 0 { +- if int64(uint(-exp2)) != -exp2 { +- panic("exponent too large") +- } + z.b.abs = z.b.abs.shl(z.b.abs, uint(-exp2)) + } + +diff --git a/src/math/big/ratconv_test.go b/src/math/big/ratconv_test.go +index ba0d1ba9e1158..15d206cb386ab 100644 +--- a/src/math/big/ratconv_test.go ++++ b/src/math/big/ratconv_test.go +@@ -589,3 +589,28 @@ func TestIssue31184(t *testing.T) { + } + } + } ++ ++func TestIssue45910(t *testing.T) { ++ var x Rat ++ for _, test := range []struct { ++ input string ++ want bool ++ }{ ++ {"1e-1000001", false}, ++ {"1e-1000000", true}, ++ {"1e+1000000", true}, ++ {"1e+1000001", false}, ++ ++ {"0p1000000000000", true}, ++ {"1p-10000001", false}, ++ {"1p-10000000", true}, ++ {"1p+10000000", true}, ++ {"1p+10000001", false}, ++ {"1.770p02041010010011001001", false}, // test case from issue ++ } { ++ _, got := x.SetString(test.input) ++ if got != test.want { ++ t.Errorf("SetString(%s) got ok = %v; want %v", test.input, got, test.want) ++ } ++ } ++} diff -Nru golang-1.15-1.15.9/debian/patches/series golang-1.15-1.15.9/debian/patches/series --- golang-1.15-1.15.9/debian/patches/series 2021-06-02 10:56:03.000000000 +0800 +++ golang-1.15-1.15.9/debian/patches/series 2021-06-05 19:36:34.000000000 +0800 @@ -6,3 +6,7 @@ 0006-skip-userns-test-in-schroot-as-well.patch 0007-CVE-2021-31525.patch 0008-CVE-2021-33196.patch +0009-CVE-2021-33195-1.patch +0010-CVE-2021-33195-2.patch +0011-CVE-2021-33197.patch +0012-CVE-2021-33198.patch
