diff --git a/CVE-2019-16276.patch b/CVE-2019-16276.patch
new file mode 100644
index 0000000..56cab94
--- /dev/null
+++ b/CVE-2019-16276.patch
@@ -0,0 +1,103 @@
+diff -up ./go/src/net/http/serve_test.go ./go/src/net/http/serve_test.go
+--- ./go/src/net/http/serve_test.go 2019-08-13 18:50:13.000000000 +0200
++++ ./go/src/net/http/serve_test.go 2019-10-05 05:35:33.018025762 +0200
+@@ -4725,6 +4725,10 @@ func TestServerValidatesHeaders(t *testi
+ {"foo\xffbar: foo\r\n", 400}, // binary in header
+ {"foo\x00bar: foo\r\n", 400}, // binary in header
+ {"Foo: " + strings.Repeat("x", 1<<21) + "\r\n", 431}, // header too large
++ // Spaces between the header key and colon are not allowed.
++ // See RFC 7230, Section 3.2.4.
++ {"Foo : bar\r\n", 400},
++ {"Foo\t: bar\r\n", 400},
+ 
+ {"foo: foo foo\r\n", 200}, // LWS space is okay
+ {"foo: foo\tfoo\r\n", 200}, // LWS tab is okay
+diff -up ./go/src/net/http/transport_test.go ./go/src/net/http/transport_test.go
+--- ./go/src/net/http/transport_test.go 2019-10-05 05:35:33.019025756 +0200
++++ ./go/src/net/http/transport_test.go 2019-10-05 05:39:12.037927288 +0200
+@@ -4838,3 +4838,30 @@ func TestClientTimeoutKillsConn_AfterHea
+ t.Fatal("timeout")
+ }
+ }
++
++func TestInvalidHeaderResponse(t *testing.T) {
++ setParallel(t)
++ defer afterTest(t)
++ cst := newClientServerTest(t, h1Mode, HandlerFunc(func(w ResponseWriter, r *Request) {
++ conn, buf, _ := w.(Hijacker).Hijack()
++ buf.Write([]byte("HTTP/1.1 200 OK\r\n" +
++ "Date: Wed, 30 Aug 2017 19:09:27 GMT\r\n" +
++ "Content-Type: text/html; charset=utf-8\r\n" +
++ "Content-Length: 0\r\n" +
++ "Foo : bar\r\n\r\n"))
++ buf.Flush()
++ conn.Close()
++ }))
++ defer cst.close()
++ res, err := cst.c.Get(cst.ts.URL)
++ if err != nil {
++ t.Fatal(err)
++ }
++ defer res.Body.Close()
++ if v := res.Header.Get("Foo"); v != "" {
++ t.Errorf(`unexpected "Foo" header: %q`, v)
++ }
++ if v := res.Header.Get("Foo "); v != "bar" {
++ t.Errorf(`bad "Foo " header value: %q, want %q`, v, "bar")
++ }
++}
+diff -up ./go/src/net/textproto/reader.go ./go/src/net/textproto/reader.go
+--- ./go/src/net/textproto/reader.go 2019-08-13 18:50:13.000000000 +0200
++++ ./go/src/net/textproto/reader.go 2019-10-05 05:35:33.019025756 +0200
+@@ -492,18 +492,12 @@ func (r *Reader) ReadMIMEHeader() (MIMEH
+ return m, err
+ }
+ 
+- // Key ends at first colon; should not have trailing spaces
+- // but they appear in the wild, violating specs, so we remove
+- // them if present.
++ // Key ends at first colon.
+ i := bytes.IndexByte(kv, ':')
+ if i < 0 {
+ return m, ProtocolError("malformed MIME header line: " + string(kv))
+ }
+- endKey := i
+- for endKey > 0 && kv[endKey-1] == ' ' {
+- endKey--
+- }
+- key := canonicalMIMEHeaderKey(kv[:endKey])
++ key := canonicalMIMEHeaderKey(kv[:i])
+ 
+ // As per RFC 7230 field-name is a token, tokens consist of one or more chars.
+ // We could return a ProtocolError here, but better to be liberal in what we
+diff -up ./go/src/net/textproto/reader_test.go ./go/src/net/textproto/reader_test.go
+--- ./go/src/net/textproto/reader_test.go 2019-08-13 18:50:13.000000000 +0200
++++ ./go/src/net/textproto/reader_test.go 2019-10-05 05:43:58.156469247 +0200
+@@ -188,11 +188,10 @@ func TestLargeReadMIMEHeader(t *testing.
+ }
+ }
+ 
+-// Test that we read slightly-bogus MIME headers seen in the wild,
+-// with spaces before colons, and spaces in keys.
++// TestReadMIMEHeaderNonCompliant checks that we don't normalize headers
++// with spaces before colons, and accept spaces in keys.
+ func TestReadMIMEHeaderNonCompliant(t *testing.T) {
+- // Invalid HTTP response header as sent by an Axis security
+- // camera: (this is handled by IE, Firefox, Chrome, curl, etc.)
++ // These invalid headers will be rejected by net/http according to RFC 7230.
+ r := reader("Foo: bar\r\n" +
+ "Content-Language: en\r\n" +
+ "SID : 0\r\n" +
+@@ -202,9 +201,9 @@ func TestReadMIMEHeaderNonCompliant(t *t
+ want := MIMEHeader{
+ "Foo": {"bar"},
+ "Content-Language": {"en"},
+- "Sid": {"0"},
+- "Audio Mode": {"None"},
+- "Privilege": {"127"},
++ "SID ": {"0"},
++ "Audio Mode ": {"None"},
++ "Privilege ": {"127"},
+ }
+ if !reflect.DeepEqual(m, want) || err != nil {
+ t.Fatalf("ReadMIMEHeader =\n%v, %v; want:\n%v", m, err, want)
diff --git a/golang.spec b/golang.spec
index 39fb4aa..c270b9c 100644
--- a/golang.spec
+++ b/golang.spec
@@ -106,7 +106,7 @@
 Name: golang
 Version: 1.11.13
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: The Go Programming Language
 # source tree includes several copies of Mark.Twain-Tom.Sawyer.txt under Public Domain
 License: BSD and Public Domain
@@ -183,6 +183,8 @@ Requires: go-srpm-macros
 Patch1: 0001-Don-t-use-the-bundled-tzdata-at-runtime-except-for-t.patch
 Patch2: 0002-syscall-expose-IfInfomsg.X__ifi_pad-on-s390x.patch
+# Backport of https://github.com/golang/go/commit/6e6f4aaf70c8b1cc81e65a26332aa9409de03ad8
+Patch3: CVE-2019-16276.patch
 # Having documentation separate was broken
 Obsoletes: %{name}-docs < 1.1-4
@@ -308,6 +310,7 @@ Requires: %{name} = %{version}-%{release}
 %patch1 -p1
 %patch2 -p1
+%patch3 -p2
 cp %{SOURCE1} ./src/runtime/
@@ -412,8 +415,8 @@ pushd $RPM_BUILD_ROOT%{goroot}
 echo "%%{golibdir}/$(basename $file)" >> $shared_list
 done
- find pkg/*_dynlink/ -type d -printf '%%%dir %{goroot}/%p\n' >> $shared_list
- find pkg/*_dynlink/ ! -type d -printf '%{goroot}/%p\n' >> $shared_list
+ find pkg/*_dynlink/ -type d -printf '%%%dir %{goroot}/%p\n' >> $shared_list
+ find pkg/*_dynlink/ ! -type d -printf '%{goroot}/%p\n' >> $shared_list
 %endif
 %if %{race}
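Review bot: The `400` expected for `Foo : bar` in the serve_test hunk is not produced by anything in this patch: the reader.go change only stops trimming the space before the colon, so the rejection depends on net/http's existing field-name validation and on canonicalMIMEHeaderKey returning a key that contains a non-token byte unchanged (the `"SID ": {"0"}` expectation in reader_test relies on the same thing). Both live outside the hunk, so it is worth confirming the 1.11.13 tree this is applied to has them, and that the package's test run actually exercises these tests, before treating the backport as closing the request-smuggling vector. Because ReadMIMEHeader is shared with mime/multipart and net/mail, a `Content-Disposition : form-data` header that used to be accepted is now keyed as `Content-Disposition ` and effectively ignored by those callers, which the one-line replacement comment does not say; I would write it as `// Key ends at first colon. Whitespace before the colon is deliberately kept (CVE-2019-16276): trimming it let "Foo : bar" alias "Foo", and net/http rejects such keys instead.` The enclosing ReadMIMEHeader body starts and ends outside the hunk.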
@@ -546,6 +549,10 @@ fi
 %endif
 %changelog
+* Sat Oct 5 2019 Jakub Čajka - 1.11.13-2
+- Fix for CVE-2019-16276
+- Resolves: BZ#1755970
+
 * Mon Aug 26 2019 Jakub Čajka - 1.11.13-1
 - Rebase to 1.11.13
 - Fix for CVE-2019-14809, CVE-2019-9514 and CVE-2019-9512
@@ -566,7 +573,7 @@ fi
 * Fri Mar 15 2019 Jakub Čajka - 1.11.6-1
 - Rebase to 1.11.6
 - Fix CVE-2019-9741
-- Fix requirement for %preun (instead of %postun) scriptlet thanks to Tim Landscheidt
+- Fix requirement for %%preun (instead of %%postun) scriptlet thanks to Tim Landscheidt
 - Use weak deps for SCM deps
 - Resolves: BZ#1688233