Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu

The attached debdiff for golang-github-russellhaering-goxmldsig fixes CVE-2020-7711 in Bullseye. This CVE has been marked as no-dsa by the security team.

Thorsten
diff -Nru golang-github-russellhaering-goxmldsig-1.1.0/debian/changelog golang-github-russellhaering-goxmldsig-1.1.0/debian/changelog --- golang-github-russellhaering-goxmldsig-1.1.0/debian/changelog 2021-01-08 00:13:56.000000000 +0100 +++ golang-github-russellhaering-goxmldsig-1.1.0/debian/changelog 2022-03-28 22:32:49.000000000 +0200 @@ -1,3 +1,12 @@ +golang-github-russellhaering-goxmldsig (1.1.0-1+deb11u1) bullseye; urgency=medium + + * CVE-2020-7711 + null pointer dereference caused by crafted XML signatures + (Closes: #968928) + * according to ratt, nothing else has to be built + + -- Thorsten Alteholz <deb...@alteholz.de> Mon, 28 Mar 2022 22:32:49 +0200 + golang-github-russellhaering-goxmldsig (1.1.0-1) unstable; urgency=medium * New upstream release (Closes: #971615) diff -Nru golang-github-russellhaering-goxmldsig-1.1.0/debian/patches/CVE-2020-7711.patch golang-github-russellhaering-goxmldsig-1.1.0/debian/patches/CVE-2020-7711.patch --- golang-github-russellhaering-goxmldsig-1.1.0/debian/patches/CVE-2020-7711.patch 1970-01-01 01:00:00.000000000 +0100 +++ golang-github-russellhaering-goxmldsig-1.1.0/debian/patches/CVE-2020-7711.patch 2022-03-24 02:38:42.000000000 +0100 
@@ -0,0 +1,23 @@ +commit fb23e0af61c023e3a6dae8ad30dbd0f04d8a4d8f +Merge: 3541f5e ca2b448 +Author: Russell Haering <russellhaer...@gmail.com> +Date: Fri Aug 27 20:19:01 2021 -0700 + + Merge pull request #71 from aporcupine/patch-1 + + Explicitly check for case where SignatureValue is nil + +Index: golang-github-russellhaering-goxmldsig-1.1.0/validate.go +=================================================================== +--- golang-github-russellhaering-goxmldsig-1.1.0.orig/validate.go 2022-03-24 02:38:38.797524728 +0100 ++++ golang-github-russellhaering-goxmldsig-1.1.0/validate.go 2022-03-24 02:38:38.797524728 +0100 +@@ -271,6 +271,9 @@ + if !bytes.Equal(digest, decodedDigestValue) { + return nil, errors.New("Signature could not be verified") + } ++ if sig.SignatureValue == nil { ++ return nil, errors.New("Signature could not be verified") ++ } + + // Decode the 'SignatureValue' so we can compare against it + decodedSignature, err := base64.StdEncoding.DecodeString(sig.SignatureValue.Data) diff -Nru golang-github-russellhaering-goxmldsig-1.1.0/debian/patches/series golang-github-russellhaering-goxmldsig-1.1.0/debian/patches/series --- golang-github-russellhaering-goxmldsig-1.1.0/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ golang-github-russellhaering-goxmldsig-1.1.0/debian/patches/series 2022-03-24 02:39:15.000000000 +0100 @@ -0,0 +1 @@ +CVE-2020-7711.patch
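Review bot: in the validate.go hunk the new guard `if sig.SignatureValue == nil` returns the same string as the digest mismatch directly above it, `return nil, errors.New("Signature could not be verified")`, so a caller or a log reader cannot tell a signature that is missing its SignatureValue element from a reference whose digest did not match; a distinct message such as "Signature is missing SignatureValue" keeps the same control flow and makes triage of rejected assertions much easier. The guard is placed immediately before the `sig.SignatureValue.Data` dereference, so it does close the crash path from #968928 named in the changelog, and since it is a pure nil check it could equally sit ahead of the digest comparison so that a signature with no SignatureValue is rejected without first computing and comparing the reference digest. The patch file carries only the upstream merge-commit line and pull-request title and no DEP-3 headers; adding `Origin: upstream` pointing at commit fb23e0af61c023e3a6dae8ad30dbd0f04d8a4d8f, which is already named in the header, plus `Bug-Debian: https://bugs.debian.org/968928`, would document where the backport comes from for whoever has to rebase it next.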