Control: tags -1 + confirmed On 2021-03-12 00:04:15, Shengjing Zhu wrote: > Package: release.debian.org > Severity: normal > User: release.debian....@packages.debian.org > Usertags: unblock > X-Debbugs-Cc: z...@debian.org, team+go-compi...@tracker.debian.org > > Please unblock package golang-1.15 > > [ Reason ] > Upstream security release, only target fix is introduced. > CVE-2021-27918: encoding/xml: infinite loop when using `xml.NewTokenDecoder` > with a custom `TokenReader`. > https://github.com/golang/go/issues/44913 > > [ Impact ] > Without this version, the Go compiler is vulnerable. > However with the new undetermined Go security policy, this > bug is classified as LOW (severity issues affect niche configurations, > have very limited impact, or are already widely known). > https://github.com/golang/go/issues/44918 > > [ Tests ] > + Upstream tests in source package. > + Have manually test some Go packages. > > [ Risks ] > + No autopkgtest > + Diff is small > > [ Checklist ] > [x] all changes are documented in the d/changelog > [x] I reviewed all changes and I approve them > [x] attach debdiff against the package in testing > > [ Other info ] > If this package is blocked in unstable, all Go packages will be prevented > from migrating to testing, due to the Built-Using thing.. > So I fill this pre-approval request. And if possible, reduce the age too. > > unblock golang-1.15/1.15.9-1
Assuming the uploads happens soon, please go ahead. Cheers > > > diff -Nru golang-1.15-1.15.8/debian/changelog > golang-1.15-1.15.9/debian/changelog > --- golang-1.15-1.15.8/debian/changelog 2021-02-15 23:19:39.000000000 > +0800 > +++ golang-1.15-1.15.9/debian/changelog 2021-03-11 23:43:18.000000000 > +0800 > @@ -1,3 +1,12 @@ > +golang-1.15 (1.15.9-1) unstable; urgency=medium > + > + * Team upload. > + * New upstream version 1.15.9 > + + encoding/xml: infinite loop when using `xml.NewTokenDecoder` with a > + custom `TokenReader`. CVE-2021-27918 > + > + -- Shengjing Zhu <z...@debian.org> Thu, 11 Mar 2021 23:43:18 +0800 > + > golang-1.15 (1.15.8-4) unstable; urgency=medium > > * Team upload. > diff -Nru golang-1.15-1.15.8/src/encoding/xml/xml.go > golang-1.15-1.15.9/src/encoding/xml/xml.go > --- golang-1.15-1.15.8/src/encoding/xml/xml.go 2021-02-05 > 20:48:37.000000000 +0800 > +++ golang-1.15-1.15.9/src/encoding/xml/xml.go 2021-03-10 > 22:29:35.000000000 +0800 > @@ -271,7 +271,7 @@ > // it will return an error. > // > // Token implements XML name spaces as described by > -// https://www.w3.org/TR/REC-xml-names/. Each of the > +// https://www.w3.org/TR/REC-xml-names/. Each of the > // Name structures contained in the Token has the Space > // set to the URL identifying its name space when known. > // If Token encounters an unrecognized name space prefix, > @@ -285,16 +285,17 @@ > if d.nextToken != nil { > t = d.nextToken > d.nextToken = nil > - } else if t, err = d.rawToken(); err != nil { > - switch { > - case err == io.EOF && d.t != nil: > - err = nil > - case err == io.EOF && d.stk != nil && d.stk.kind != stkEOF: > - err = d.syntaxError("unexpected EOF") > + } else { > + if t, err = d.rawToken(); t == nil && err != nil { > + if err == io.EOF && d.stk != nil && d.stk.kind != > stkEOF { > + err = d.syntaxError("unexpected EOF") > + } > + return nil, err > } > - return t, err > + // We still have a token to process, so clear any > + // errors (e.g. EOF) and proceed. > + err = nil > } > - > if !d.Strict { > if t1, ok := d.autoClose(t); ok { > d.nextToken = t > diff -Nru golang-1.15-1.15.8/src/encoding/xml/xml_test.go > golang-1.15-1.15.9/src/encoding/xml/xml_test.go > --- golang-1.15-1.15.8/src/encoding/xml/xml_test.go 2021-02-05 > 20:48:37.000000000 +0800 > +++ golang-1.15-1.15.9/src/encoding/xml/xml_test.go 2021-03-10 > 22:29:35.000000000 +0800 > @@ -33,30 +33,90 @@ > > func TestDecodeEOF(t *testing.T) { > start := StartElement{Name: Name{Local: "test"}} > - t.Run("EarlyEOF", func(t *testing.T) { > - d := NewTokenDecoder(&toks{earlyEOF: true, t: []Token{ > - start, > - start.End(), > - }}) > - err := d.Decode(&struct { > - XMLName Name `xml:"test"` > - }{}) > - if err != nil { > - t.Error(err) > + tests := []struct { > + name string > + tokens []Token > + ok bool > + }{ > + { > + name: "OK", > + tokens: []Token{ > + start, > + start.End(), > + }, > + ok: true, > + }, > + { > + name: "Malformed", > + tokens: []Token{ > + start, > + StartElement{Name: Name{Local: "bad"}}, > + start.End(), > + }, > + ok: false, > + }, > + } > + for _, tc := range tests { > + for _, eof := range []bool{true, false} { > + name := fmt.Sprintf("%s/earlyEOF=%v", tc.name, eof) > + t.Run(name, func(t *testing.T) { > + d := NewTokenDecoder(&toks{ > + earlyEOF: eof, > + t: tc.tokens, > + }) > + err := d.Decode(&struct { > + XMLName Name `xml:"test"` > + }{}) > + if tc.ok && err != nil { > + t.Fatalf("d.Decode: expected nil error, > got %v", err) > + } > + if _, ok := err.(*SyntaxError); !tc.ok && !ok { > + t.Errorf("d.Decode: expected syntax > error, got %v", err) > + } > + }) > } > - }) > - t.Run("LateEOF", func(t *testing.T) { > - d := NewTokenDecoder(&toks{t: []Token{ > - start, > - start.End(), > - }}) > - err := d.Decode(&struct { > - XMLName Name `xml:"test"` > - }{}) > - if err != nil { > - t.Error(err) > + } > +} > + > +type toksNil struct { > + returnEOF bool > + t []Token > +} > + > +func (t *toksNil) Token() (Token, error) { > + if len(t.t) == 0 { > + if !t.returnEOF { > + // Return nil, nil before returning an EOF. It's legal, > but > + // discouraged. > + t.returnEOF = true > + return nil, nil > } > - }) > + return nil, io.EOF > + } > + var tok Token > + tok, t.t = t.t[0], t.t[1:] > + return tok, nil > +} > + > +func TestDecodeNilToken(t *testing.T) { > + for _, strict := range []bool{true, false} { > + name := fmt.Sprintf("Strict=%v", strict) > + t.Run(name, func(t *testing.T) { > + start := StartElement{Name: Name{Local: "test"}} > + bad := StartElement{Name: Name{Local: "bad"}} > + d := NewTokenDecoder(&toksNil{ > + // Malformed > + t: []Token{start, bad, start.End()}, > + }) > + d.Strict = strict > + err := d.Decode(&struct { > + XMLName Name `xml:"test"` > + }{}) > + if _, ok := err.(*SyntaxError); !ok { > + t.Errorf("d.Decode: expected syntax error, got > %v", err) > + } > + }) > + } > } > > const testInput = ` > diff -Nru golang-1.15-1.15.8/VERSION golang-1.15-1.15.9/VERSION > --- golang-1.15-1.15.8/VERSION 2021-02-05 20:48:37.000000000 +0800 > +++ golang-1.15-1.15.9/VERSION 2021-03-10 22:31:50.000000000 +0800 > @@ -1 +1 @@ > -go1.15.8 > \ No newline at end of file > +go1.15.9 > \ No newline at end of file -- Sebastian Ramacher
