Fix for CVE-2019-16276

Resolves: BZ#1755970

.gitignore

@@ -62,3 +62,10 @@
 /go1.11.1.src.tar.gz
 /go1.11.2.src.tar.gz
 /go1.11.4.src.tar.gz
+/go1.11.5.src.tar.gz
+/go1.11.6.src.tar.gz
+/go1.11.7.src.tar.gz
+/go1.11.10.src.tar.gz
+/go1.11.11.src.tar.gz
+/go1.11.12.src.tar.gz
+/go1.11.13.src.tar.gz

CVE-2019-16276.patch

@@ -0,0 +1,103 @@
+diff -up ./go/src/net/http/serve_test.go ./go/src/net/http/serve_test.go
+--- ./go/src/net/http/serve_test.go	2019-08-13 18:50:13.000000000 +0200
++++ ./go/src/net/http/serve_test.go	2019-10-05 05:35:33.018025762 +0200
+@@ -4725,6 +4725,10 @@ func TestServerValidatesHeaders(t *testi
+ 		{"foo\xffbar: foo\r\n", 400},                         // binary in header
+ 		{"foo\x00bar: foo\r\n", 400},                         // binary in header
+ 		{"Foo: " + strings.Repeat("x", 1<<21) + "\r\n", 431}, // header too large
++		// Spaces between the header key and colon are not allowed.
++		// See RFC 7230, Section 3.2.4.
++		{"Foo : bar\r\n", 400},
++		{"Foo\t: bar\r\n", 400},
+ 
+ 		{"foo: foo foo\r\n", 200},    // LWS space is okay
+ 		{"foo: foo\tfoo\r\n", 200},   // LWS tab is okay
+diff -up ./go/src/net/http/transport_test.go ./go/src/net/http/transport_test.go
+--- ./go/src/net/http/transport_test.go	2019-10-05 05:35:33.019025756 +0200
++++ ./go/src/net/http/transport_test.go	2019-10-05 05:39:12.037927288 +0200
+@@ -4838,3 +4838,30 @@ func TestClientTimeoutKillsConn_AfterHea
+ 		t.Fatal("timeout")
+ 	}
+ }
++
++func TestInvalidHeaderResponse(t *testing.T) {
++	setParallel(t)
++	defer afterTest(t)
++	cst := newClientServerTest(t, h1Mode, HandlerFunc(func(w ResponseWriter, r *Request) {
++		conn, buf, _ := w.(Hijacker).Hijack()
++		buf.Write([]byte("HTTP/1.1 200 OK\r\n" +
++			"Date: Wed, 30 Aug 2017 19:09:27 GMT\r\n" +
++			"Content-Type: text/html; charset=utf-8\r\n" +
++			"Content-Length: 0\r\n" +
++			"Foo : bar\r\n\r\n"))
++		buf.Flush()
++		conn.Close()
++	}))
++	defer cst.close()
++	res, err := cst.c.Get(cst.ts.URL)
++	if err != nil {
++		t.Fatal(err)
++	}
++	defer res.Body.Close()
++	if v := res.Header.Get("Foo"); v != "" {
++		t.Errorf(`unexpected "Foo" header: %q`, v)
++	}
++	if v := res.Header.Get("Foo "); v != "bar" {
++		t.Errorf(`bad "Foo " header value: %q, want %q`, v, "bar")
++	}
++}
+diff -up ./go/src/net/textproto/reader.go ./go/src/net/textproto/reader.go
+--- ./go/src/net/textproto/reader.go	2019-08-13 18:50:13.000000000 +0200
++++ ./go/src/net/textproto/reader.go	2019-10-05 05:35:33.019025756 +0200
+@@ -492,18 +492,12 @@ func (r *Reader) ReadMIMEHeader() (MIMEH
+ 			return m, err
+ 		}
+ 
+-		// Key ends at first colon; should not have trailing spaces
+-		// but they appear in the wild, violating specs, so we remove
+-		// them if present.
++		// Key ends at first colon.
+ 		i := bytes.IndexByte(kv, ':')
+ 		if i < 0 {
+ 			return m, ProtocolError("malformed MIME header line: " + string(kv))
+ 		}
+-		endKey := i
+-		for endKey > 0 && kv[endKey-1] == ' ' {
+-			endKey--
+-		}
+-		key := canonicalMIMEHeaderKey(kv[:endKey])
++		key := canonicalMIMEHeaderKey(kv[:i])
+ 
+ 		// As per RFC 7230 field-name is a token, tokens consist of one or more chars.
+ 		// We could return a ProtocolError here, but better to be liberal in what we
+diff -up ./go/src/net/textproto/reader_test.go ./go/src/net/textproto/reader_test.go
+--- ./go/src/net/textproto/reader_test.go	2019-08-13 18:50:13.000000000 +0200
++++ ./go/src/net/textproto/reader_test.go	2019-10-05 05:43:58.156469247 +0200
+@@ -188,11 +188,10 @@ func TestLargeReadMIMEHeader(t *testing.
+ 	}
+ }
+ 
+-// Test that we read slightly-bogus MIME headers seen in the wild,
+-// with spaces before colons, and spaces in keys.
++// TestReadMIMEHeaderNonCompliant checks that we don't normalize headers
++// with spaces before colons, and accept spaces in keys.
+ func TestReadMIMEHeaderNonCompliant(t *testing.T) {
+-	// Invalid HTTP response header as sent by an Axis security
+-	// camera: (this is handled by IE, Firefox, Chrome, curl, etc.)
++	// These invalid headers will be rejected by net/http according to RFC 7230.
+ 	r := reader("Foo: bar\r\n" +
+ 		"Content-Language: en\r\n" +
+ 		"SID : 0\r\n" +
+@@ -202,9 +201,9 @@ func TestReadMIMEHeaderNonCompliant(t *t
+ 	want := MIMEHeader{
+ 		"Foo":              {"bar"},
+ 		"Content-Language": {"en"},
+-		"Sid":              {"0"},
+-		"Audio Mode":       {"None"},
+-		"Privilege":        {"127"},
++		"SID ":             {"0"},
++		"Audio Mode ":      {"None"},
++		"Privilege ":       {"127"},
+ 	}
+ 	if !reflect.DeepEqual(m, want) || err != nil {
+ 		t.Fatalf("ReadMIMEHeader =\n%v, %v; want:\n%v", m, err, want)

golang.spec

@@ -102,11 +102,11 @@
 %endif
 
 %global go_api 1.11
-%global go_version 1.11.4
+%global go_version 1.11.13
 
 Name:           golang
-Version:        1.11.4
-Release:        1%{?dist}
+Version:        1.11.13
+Release:        2%{?dist}
 Summary:        The Go Programming Language
 # source tree includes several copies of Mark.Twain-Tom.Sawyer.txt under Public Domain
 License:        BSD and Public Domain
@@ -183,6 +183,8 @@ Requires:       go-srpm-macros
 
 Patch1:       0001-Don-t-use-the-bundled-tzdata-at-runtime-except-for-t.patch
 Patch2:       0002-syscall-expose-IfInfomsg.X__ifi_pad-on-s390x.patch
+# Backport of https://github.com/golang/go/commit/6e6f4aaf70c8b1cc81e65a26332aa9409de03ad8
+Patch3:       CVE-2019-16276.patch
 
 # Having documentation separate was broken
 Obsoletes:      %{name}-docs < 1.1-4
@@ -265,13 +267,13 @@ Obsoletes:      golang-vet < 0-12.1
 Obsoletes:      golang-cover < 0-12.1
 
 Requires(post): %{_sbindir}/update-alternatives
-Requires(postun): %{_sbindir}/update-alternatives
+Requires(preun): %{_sbindir}/update-alternatives
 
 # We strip the meta dependency, but go does require glibc.
 # This is an odd issue, still looking for a better fix.
 Requires:       glibc
 Requires:       gcc
-Requires:       git, subversion, mercurial
+Recommends:     git, subversion, mercurial
 %description    bin
 %{summary}
 
@@ -308,6 +310,7 @@ Requires:       %{name} = %{version}-%{release}
 
 %patch1 -p1
 %patch2 -p1
+%patch3 -p2
 
 cp %{SOURCE1} ./src/runtime/
 
@@ -412,8 +415,8 @@ pushd $RPM_BUILD_ROOT%{goroot}
         echo "%%{golibdir}/$(basename $file)" >> $shared_list
     done
     
-	find pkg/*_dynlink/ -type d -printf '%%%dir %{goroot}/%p\n' >> $shared_list
-	find pkg/*_dynlink/ ! -type d -printf '%{goroot}/%p\n' >> $shared_list
+    find pkg/*_dynlink/ -type d -printf '%%%dir %{goroot}/%p\n' >> $shared_list
+    find pkg/*_dynlink/ ! -type d -printf '%{goroot}/%p\n' >> $shared_list
 %endif
 
 %if %{race}
@@ -546,6 +549,39 @@ fi
 %endif
 
 %changelog
+* Sat Oct 5 2019 Jakub Čajka <jcajka@redhat.com> - 1.11.13-2
+- Fix for CVE-2019-16276
+- Resolves: BZ#1755970
+
+* Mon Aug 26 2019 Jakub Čajka <jcajka@redhat.com> - 1.11.13-1
+- Rebase to 1.11.13
+- Fix for CVE-2019-14809, CVE-2019-9514 and CVE-2019-9512
+- Resolves: BZ#1741816, BZ#1741827 and BZ#1743131
+
+* Wed Jul 10 2019 Jakub Čajka <jcajka@redhat.com> - 1.11.12-1
+- Rebase to 1.11.12
+
+* Thu Jun 13 2019 Jakub Čajka <jcajka@redhat.com> - 1.11.11-1
+- Rebase to 1.11.11
+
+* Thu May 16 2019 Jakub Čajka <jcajka@redhat.com> - 1.11.10-1
+- Rebase to 1.11.10
+
+* Mon Apr 8 2019 Jakub Čajka <jcajka@redhat.com> - 1.11.7-1
+- Rebase to 1.11.7
+
+* Fri Mar 15 2019 Jakub Čajka <jcajka@redhat.com> - 1.11.6-1
+- Rebase to 1.11.6
+- Fix CVE-2019-9741
+- Fix requirement for %%preun (instead of %%postun) scriptlet thanks to Tim Landscheidt
+- Use weak deps for SCM deps
+- Resolves: BZ#1688233
+
+* Sun Jan 27 2019 Jakub Čajka <jcajka@redhat.com> - 1.11.5-1
+- Rebase to go1.11.5
+- Fix for CVE-2019-6486
+- Resolves: BZ#1668973
+
 * Wed Jan 02 2019 Jakub Čajka <jcajka@redhat.com> - 1.11.4-1
 - Rebase to go1.11.4
 - Fix for CVE-2018-16875, CVE-2018-16874 and CVE-2018-16873

sources

@@ -1 +1 @@
-SHA512 (go1.11.4.src.tar.gz) = 9aa2e1800807841ec0432289b672c1607bdcb295f29c02d38adfaf1e3bf043040c9f916e4cb170875d92fe168c5ba6baef2b3d1f824a56ff9138ca2cdcc646e0
+SHA512 (go1.11.13.src.tar.gz) = a5dc8ec2bdad226e2498fdfb3560d6e7e19a84711cc1adb91675a8563a0b1fd153513397ca2a2b8cf266d718a6964ad143dfa588313dcf7fe350dd4a24efc3e9