
Bug#989380: marked as done (unblock: golang-1.15/1.15.9-4)



Your message dated Wed, 02 Jun 2021 18:19:34 +0000
with message-id <E1loVSo-0005ud-SI@respighi.debian.org>
and subject line unblock golang-1.15
has caused the Debian Bug report #989380,
regarding unblock: golang-1.15/1.15.9-4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
989380: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989380
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: zhsj@debian.org

Please unblock package golang-1.15

[ Reason ]
Backport patch for CVE-2021-33196

[ Impact ]
Security issue

[ Tests ]
Upstream has its own unit tests, and a new test is added in the patch as
well.

[ Risks ]
+ Key package
+ Diff is small

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]

unblock golang-1.15/1.15.9-4

diff -Nru golang-1.15-1.15.9/debian/changelog golang-1.15-1.15.9/debian/changelog
--- golang-1.15-1.15.9/debian/changelog	2021-05-08 14:22:26.000000000 +0800
+++ golang-1.15-1.15.9/debian/changelog	2021-06-02 10:56:03.000000000 +0800
@@ -1,3 +1,12 @@
+golang-1.15 (1.15.9-4) unstable; urgency=medium
+
+  * Team upload.
+  * Backport patch for CVE-2021-33196
+    archive/zip: malformed archive may cause panic or memory exhaustion
+    https://github.com/golang/go/issues/46396
+
+ -- Shengjing Zhu <zhsj@debian.org>  Wed, 02 Jun 2021 10:56:03 +0800
+
 golang-1.15 (1.15.9-3) unstable; urgency=medium
 
   * Fix failed TestDependencyVersionsConsistent test.
diff -Nru golang-1.15-1.15.9/debian/patches/0008-CVE-2021-33196.patch golang-1.15-1.15.9/debian/patches/0008-CVE-2021-33196.patch
--- golang-1.15-1.15.9/debian/patches/0008-CVE-2021-33196.patch	1970-01-01 08:00:00.000000000 +0800
+++ golang-1.15-1.15.9/debian/patches/0008-CVE-2021-33196.patch	2021-06-02 10:56:03.000000000 +0800
@@ -0,0 +1,124 @@
+From: Roland Shoemaker <roland@golang.org>
+Date: Tue, 11 May 2021 11:31:31 -0700
+Subject: archive/zip: only preallocate File slice if reasonably sized
+
+Since the number of files in the EOCD record isn't validated, it isn't
+safe to preallocate Reader.Files using that field. A malformed archive
+can indicate it contains up to 1 << 128 - 1 files. We can still safely
+preallocate the slice by checking if the specified number of files in
+the archive is reasonable, given the size of the archive.
+
+Thanks to the OSS-Fuzz project for discovering this issue and to
+Emmanuel Odeke for reporting it.
+
+Updates #46242
+Fixes #46396
+Fixes CVE-2021-33196
+
+Change-Id: I3c76d8eec178468b380d87fdb4a3f2cb06f0ee76
+Reviewed-on: https://go-review.googlesource.com/c/go/+/318909
+Trust: Roland Shoemaker <roland@golang.org>
+Trust: Katie Hockman <katie@golang.org>
+Trust: Joe Tsai <thebrokentoaster@gmail.com>
+Run-TryBot: Roland Shoemaker <roland@golang.org>
+TryBot-Result: Go Bot <gobot@golang.org>
+Reviewed-by: Katie Hockman <katie@golang.org>
+Reviewed-by: Joe Tsai <thebrokentoaster@gmail.com>
+(cherry picked from commit 74242baa4136c7a9132a8ccd9881354442788c8c)
+Reviewed-on: https://go-review.googlesource.com/c/go/+/322949
+Reviewed-by: Filippo Valsorda <filippo@golang.org>
+
+Origin: backport, https://github.com/golang/go/commit/c92adf420a3d9a5510f9aea382d826f0c9216a10
+---
+ src/archive/zip/reader.go      | 10 ++++++-
+ src/archive/zip/reader_test.go | 59 ++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 68 insertions(+), 1 deletion(-)
+
+diff --git a/src/archive/zip/reader.go b/src/archive/zip/reader.go
+index 13ff9dd..2d5151a 100644
+--- a/src/archive/zip/reader.go
++++ b/src/archive/zip/reader.go
+@@ -84,7 +84,15 @@ func (z *Reader) init(r io.ReaderAt, size int64) error {
+ 		return err
+ 	}
+ 	z.r = r
+-	z.File = make([]*File, 0, end.directoryRecords)
++	// Since the number of directory records is not validated, it is not
++	// safe to preallocate z.File without first checking that the specified
++	// number of files is reasonable, since a malformed archive may
++	// indicate it contains up to 1 << 128 - 1 files. Since each file has a
++	// header which will be _at least_ 30 bytes we can safely preallocate
++	// if (data size / 30) >= end.directoryRecords.
++	if (uint64(size)-end.directorySize)/30 >= end.directoryRecords {
++		z.File = make([]*File, 0, end.directoryRecords)
++	}
+ 	z.Comment = end.comment
+ 	rs := io.NewSectionReader(r, 0, size)
+ 	if _, err = rs.Seek(int64(end.directoryOffset), io.SeekStart); err != nil {
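Review bot: unless readDirectoryEnd (not shown in this hunk) already rejects an end.directorySize larger than the archive, the new guard `(uint64(size)-end.directorySize)/30 >= end.directoryRecords` can wrap: both fields come from the same end-of-central-directory record that the comment describes as unvalidated, so a directorySize greater than uint64(size) underflows the subtraction to a huge value, the comparison then holds for any directoryRecords, and the make() this check is meant to protect still runs with a record count taken straight from the file. Suggest guarding the subtraction, e.g. `if end.directorySize < uint64(size) && (uint64(size)-end.directorySize)/30 >= end.directoryRecords {`, and aligning the comment, which says `(data size / 30)`, with what the code actually divides (archive size minus the central directory size).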
+diff --git a/src/archive/zip/reader_test.go b/src/archive/zip/reader_test.go
+index adca87a..6f67d2e 100644
+--- a/src/archive/zip/reader_test.go
++++ b/src/archive/zip/reader_test.go
+@@ -1070,3 +1070,62 @@ func TestIssue12449(t *testing.T) {
+ 		t.Errorf("Error reading the archive: %v", err)
+ 	}
+ }
++
++func TestCVE202133196(t *testing.T) {
++	// Archive that indicates it has 1 << 128 -1 files,
++	// this would previously cause a panic due to attempting
++	// to allocate a slice with 1 << 128 -1 elements.
++	data := []byte{
++		0x50, 0x4b, 0x03, 0x04, 0x14, 0x00, 0x08, 0x08,
++		0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++		0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x01, 0x02,
++		0x03, 0x62, 0x61, 0x65, 0x03, 0x04, 0x00, 0x00,
++		0xff, 0xff, 0x50, 0x4b, 0x07, 0x08, 0xbe, 0x20,
++		0x5c, 0x6c, 0x09, 0x00, 0x00, 0x00, 0x03, 0x00,
++		0x00, 0x00, 0x50, 0x4b, 0x01, 0x02, 0x14, 0x00,
++		0x14, 0x00, 0x08, 0x08, 0x08, 0x00, 0x00, 0x00,
++		0x00, 0x00, 0xbe, 0x20, 0x5c, 0x6c, 0x09, 0x00,
++		0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x03, 0x00,
++		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++		0x01, 0x02, 0x03, 0x50, 0x4b, 0x06, 0x06, 0x2c,
++		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d,
++		0x00, 0x2d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++		0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
++		0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 0xff,
++		0xff, 0xff, 0xff, 0x31, 0x00, 0x00, 0x00, 0x00,
++		0x00, 0x00, 0x00, 0x3a, 0x00, 0x00, 0x00, 0x00,
++		0x00, 0x00, 0x00, 0x50, 0x4b, 0x06, 0x07, 0x00,
++		0x00, 0x00, 0x00, 0x6b, 0x00, 0x00, 0x00, 0x00,
++		0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x50,
++		0x4b, 0x05, 0x06, 0x00, 0x00, 0x00, 0x00, 0xff,
++		0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
++		0xff, 0xff, 0xff, 0x00, 0x00,
++	}
++	_, err := NewReader(bytes.NewReader(data), int64(len(data)))
++	if err != ErrFormat {
++		t.Fatalf("unexpected error, got: %v, want: %v", err, ErrFormat)
++	}
++
++	// Also check that an archive containing a handful of empty
++	// files doesn't cause an issue
++	b := bytes.NewBuffer(nil)
++	w := NewWriter(b)
++	for i := 0; i < 5; i++ {
++		_, err := w.Create("")
++		if err != nil {
++			t.Fatalf("Writer.Create failed: %s", err)
++		}
++	}
++	if err := w.Close(); err != nil {
++		t.Fatalf("Writer.Close failed: %s", err)
++	}
++	r, err := NewReader(bytes.NewReader(b.Bytes()), int64(b.Len()))
++	if err != nil {
++		t.Fatalf("NewReader failed: %s", err)
++	}
++	if len(r.File) != 5 {
++		t.Errorf("Archive has unexpected number of files, got %d, want 5", len(r.File))
++	}
++}
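Review bot: TestCVE202133196 covers the two extremes only, the hostile 1 << 128 - 1 record count (where not panicking is the pass condition) and a well-formed five-file archive, but not the threshold the fix in reader.go introduces; a case with directoryRecords just above and just below (size - directorySize)/30, and one with a directorySize larger than the archive, would pin down the guard's behaviour and catch a regression in the arithmetic. The 200-byte literal is also opaque: a comment naming which bytes carry the inflated record count in the zip64 end-of-central-directory record (or building the archive with NewWriter and patching that field) would make the test maintainable. Minor: the comment's `1 << 128 -1` spacing differs from the `1 << 128 - 1` used in the reader.go comment.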
diff -Nru golang-1.15-1.15.9/debian/patches/series golang-1.15-1.15.9/debian/patches/series
--- golang-1.15-1.15.9/debian/patches/series	2021-05-08 14:22:26.000000000 +0800
+++ golang-1.15-1.15.9/debian/patches/series	2021-06-02 10:56:03.000000000 +0800
@@ -5,3 +5,4 @@
 0005-cmd-dist-increase-default-timeout-scale-for-arm.patch
 0006-skip-userns-test-in-schroot-as-well.patch
 0007-CVE-2021-31525.patch
+0008-CVE-2021-33196.patch

--- End Message ---
--- Begin Message ---
Unblocked.

--- End Message ---
