Processed: Re: Bug#1005340: bullseye-pu: package golang-1.15/1.15.15-1~deb11u3

2022-02-19 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + confirmed
Bug #1005340 [release.debian.org] bullseye-pu: package golang-1.15/1.15.15-1~deb11u3
Added tag(s) confirmed.

-- 
1005340: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1005340
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1005340: bullseye-pu: package golang-1.15/1.15.15-1~deb11u3

2022-02-19 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Sat, 2022-02-12 at 00:52 +0800, Shengjing Zhu wrote:
> [ Reason ]
> Backport patches for CVE-2022-23806 CVE-2022-23772 CVE-2022-23773
> 
> [ Impact ]
> 
> + CVE-2022-23806: crypto/elliptic: fix IsOnCurve for big.Int values
>   that are not valid coordinates
> + CVE-2022-23772: math/big: prevent large memory consumption in
>   Rat.SetString
> + CVE-2022-23773: cmd/go: prevent branches from materializing into versions
> 
> All are minor security issues, so I'd like to go with stable-pu.
[...]
> CVE-2022-23806 and CVE-2022-23772 are for the Go std library, which is
> statically linked into all Go programs. But these issues look too minor to
> rebuild all Go programs.

Please go ahead.

Regards,

Adam



Bug#1005340: bullseye-pu: package golang-1.15/1.15.15-1~deb11u3

2022-02-11 Thread Shengjing Zhu
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: z...@debian.org, t...@security.debian.org

[ Reason ]
Backport patches for CVE-2022-23806 CVE-2022-23772 CVE-2022-23773

[ Impact ]

+ CVE-2022-23806: crypto/elliptic: fix IsOnCurve for big.Int values
  that are not valid coordinates
+ CVE-2022-23772: math/big: prevent large memory consumption in
  Rat.SetString
+ CVE-2022-23773: cmd/go: prevent branches from materializing into versions

All are minor security issues, so I'd like to go with stable-pu.

[ Tests ]

For CVE-2022-23806 and CVE-2022-23772, regression tests are backported as well.

For CVE-2022-23773 the tests in the upstream patch are hard to backport, so I
tested it manually. The test is similar to the upstream patch [1].

[1] https://github.com/golang/go/commit/fa4d9b8e2bc2612960c80474fca83a4c85a974eb#diff-6d41824e441b8846a74c31ab4968dc114a1e650c05172e1f89826ea9e55d4c5aR421

For example, running

  GOPROXY=direct /usr/lib/go-1.15/bin/go get vcs-test.golang.org/git/semver-branch.git@v1.0.0

will give the same result and error as in [1].

[ Risks ]

The patches for CVE-2022-23806 and CVE-2022-23772 are trivial and easy to review.
The patch for CVE-2022-23773 is larger, and is backported by a 3-way merge.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [ ] the issue is verified as fixed in unstable
  golang-1.15 has been removed from unstable.

[ Changes ]

See attachment.

[ Other info ]

CVE-2022-23806 and CVE-2022-23772 are for the Go std library, which is statically
linked into all Go programs. But these issues look too minor to rebuild all
Go programs.
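
The first of the three issues, as an added Go example that is not part of the bug report, the Debian packaging or the upstream patch: an on-curve check that reduces the curve polynomial modulo P before validating the coordinate range accepts (Gx + P, Gy), a pair that is congruent to the P-256 generator but is not a valid affine coordinate; the range guard the backported patch adds rejects it. The functions `naiveIsOnCurve`, `strictIsOnCurve`, `compare` and `shiftedGenerator` are constructed for this illustration, the P-256 generator and the shifted pair are constructed test vectors, and the `Stdlib` column calls `elliptic.Curve.IsOnCurve` from whatever Go runs the example (upstream fixed this in 1.16.14 and 1.17.7).

```go
package main

import (
	"crypto/elliptic"
	"fmt"
	"math/big"
)

// naiveIsOnCurve reproduces the pre-fix logic that CVE-2022-23806 guards against
// (constructed for this example): it evaluates y² = x³ - 3x + b modulo P without
// first checking that x and y lie in the field range [0, P). Any x' ≡ x (mod P),
// y' ≡ y (mod P) therefore passes even though it is not a valid coordinate.
func naiveIsOnCurve(params *elliptic.CurveParams, x, y *big.Int) bool {
	y2 := new(big.Int).Mul(y, y)
	y2.Mod(y2, params.P)

	x3 := new(big.Int).Mul(x, x)
	x3.Mul(x3, x)
	threeX := new(big.Int).Lsh(x, 1) // 2x
	threeX.Add(threeX, x)            // 3x
	x3.Sub(x3, threeX)
	x3.Add(x3, params.B)
	x3.Mod(x3, params.P)

	return x3.Cmp(y2) == 0
}

// strictIsOnCurve adds the range guard the backported patch introduces:
// both coordinates must be field elements in [0, P) before the polynomial
// is evaluated, so P itself and anything larger is rejected.
func strictIsOnCurve(params *elliptic.CurveParams, x, y *big.Int) bool {
	if x.Sign() < 0 || x.Cmp(params.P) >= 0 ||
		y.Sign() < 0 || y.Cmp(params.P) >= 0 {
		return false
	}
	return naiveIsOnCurve(params, x, y)
}

// checkResult bundles the three verdicts for one (x, y) pair.
type checkResult struct {
	Naive, Strict, Stdlib bool
}

// compare runs the naive check, the guarded check and the standard library's
// own IsOnCurve on the same pair.
func compare(curve elliptic.Curve, x, y *big.Int) checkResult {
	return checkResult{
		Naive:  naiveIsOnCurve(curve.Params(), x, y),
		Strict: strictIsOnCurve(curve.Params(), x, y),
		Stdlib: curve.IsOnCurve(x, y),
	}
}

// shiftedGenerator returns (Gx + P, Gy): congruent to the generator modulo P,
// but out of the coordinate range and therefore not a valid point encoding.
func shiftedGenerator(curve elliptic.Curve) (*big.Int, *big.Int) {
	p := curve.Params()
	return new(big.Int).Add(p.Gx, p.P), new(big.Int).Set(p.Gy)
}

func main() {
	curve := elliptic.P256()
	p := curve.Params()
	fmt.Printf("generator:          %+v\n", compare(curve, p.Gx, p.Gy))
	sx, sy := shiftedGenerator(curve)
	fmt.Printf("generator + (P, 0): %+v\n", compare(curve, sx, sy))
}
```

The naive check accepts the shifted pair because every `Mod` folds the extra P away; the guard has to run before any reduction, which is why the patch places it at the top of `IsOnCurve` rather than after the polynomial.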
diff -Nru golang-1.15-1.15.15/debian/changelog 
golang-1.15-1.15.15/debian/changelog
--- golang-1.15-1.15.15/debian/changelog2021-12-04 17:37:57.0 
+0800
+++ golang-1.15-1.15.15/debian/changelog2022-02-11 23:45:44.0 
+0800
@@ -1,3 +1,14 @@
+golang-1.15 (1.15.15-1~deb11u3) bullseye; urgency=medium
+
+  * Backport patches for CVE-2022-23806 CVE-2022-23772 CVE-2022-23773
++ CVE-2022-23806: crypto/elliptic: fix IsOnCurve for big.Int values
+  that are not valid coordinates
++ CVE-2022-23772: math/big: prevent large memory consumption in
+  Rat.SetString
++ CVE-2022-23773: cmd/go: prevent branches from materializing into versions
+
+ -- Shengjing Zhu   Fri, 11 Feb 2022 23:45:44 +0800
+
 golang-1.15 (1.15.15-1~deb11u2) bullseye; urgency=medium
 
   * Backport patch for CVE-2021-38297
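Review bot: the trailer line `+ -- Shengjing Zhu   Fri, 11 Feb 2022 23:45:44 +0800` carries no `<email>` between the name and the date as rendered here; dpkg-parsechangelog expects `-- Name <email>  date`, so confirm the address is present in the actual attachment and was only lost in this copy. The three `++ CVE-...` entries otherwise match the [Impact] list in the request word for word.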
diff -Nru golang-1.15-1.15.15/debian/patches/0012-CVE-2022-23806.patch 
golang-1.15-1.15.15/debian/patches/0012-CVE-2022-23806.patch
--- golang-1.15-1.15.15/debian/patches/0012-CVE-2022-23806.patch
1970-01-01 08:00:00.0 +0800
+++ golang-1.15-1.15.15/debian/patches/0012-CVE-2022-23806.patch
2022-02-11 23:45:44.0 +0800
@@ -0,0 +1,132 @@
+From: Filippo Valsorda 
+Date: Wed, 2 Feb 2022 09:15:44 -0800
+Subject: CVE-2022-23806
+
+Origin: backport, https://github.com/golang/go/commit/6b3e741a
+---
+ src/crypto/elliptic/elliptic.go  |  5 +++
+ src/crypto/elliptic/elliptic_test.go | 81 
+ src/crypto/elliptic/p224.go  |  5 +++
+ 3 files changed, 91 insertions(+)
+
+diff --git a/src/crypto/elliptic/elliptic.go b/src/crypto/elliptic/elliptic.go
+index f93dc16..afedf18 100644
+--- a/src/crypto/elliptic/elliptic.go
 b/src/crypto/elliptic/elliptic.go
+@@ -71,6 +71,11 @@ func (curve *CurveParams) polynomial(x *big.Int) *big.Int {
+ }
+ 
+ func (curve *CurveParams) IsOnCurve(x, y *big.Int) bool {
++  if x.Sign() < 0 || x.Cmp(curve.P) >= 0 ||
++  y.Sign() < 0 || y.Cmp(curve.P) >= 0 {
++  return false
++  }
++
+   // y² = x³ - 3x + b
+   y2 := new(big.Int).Mul(y, y)
+   y2.Mod(y2, curve.P)
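Review bot: the guard in `+@@ -71,6 +71,11 @@` covers only `(*CurveParams).IsOnCurve`; the stat summary above lists `src/crypto/elliptic/p224.go | 5 +++`, so the P-224 implementation's own IsOnCurve needs the same range check, and this copy of the debdiff is cut off before that file, so it has to be verified in the full attachment. The bounds themselves are right: `x.Cmp(curve.P) >= 0` rejects P itself, and placing the check before `y2.Mod(y2, curve.P)` is what makes it effective, since after reduction any x, y congruent to a valid point modulo P would pass.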
+diff --git a/src/crypto/elliptic/elliptic_test.go 
b/src/crypto/elliptic/elliptic_test.go
+index e80e773..bb16b0d 100644
+--- a/src/crypto/elliptic/elliptic_test.go
 b/src/crypto/elliptic/elliptic_test.go
+@@ -721,3 +721,84 @@ func testMarshalCompressed(t *testing.T, curve Curve, x, 
y *big.Int, want []byte
+   t.Errorf("point did not round-trip correctly: got (%v, %v), 
want (%v, %v)", X, Y, x, y)
+   }
+ }
++
++func testAllCurves(t *testing.T, f func(*testing.T, Curve)) {
++  tests := []struct {
++  name  string
++  curve Curve
++  }{
++  {"P256", P256()},
++  {"P256/Params", P256().Params()},
++  {"P224", P224()},
++  {"P224/Params", P224().Params()},
++  {"P384", P384()},
++  {"P384/Params", P384().Params()},
++  {"P521", P521()},
++  {"P521/Params", P521().Params()},
++  }
++  if testing.Short() {
++  tests = tests[:1]
++  }
++  for _, test := range tests {
++