
Bug#1008577: bullseye-pu: golang-github-russellhaering-goxmldsig/1.1.0-1+deb11u1



Package: release.debian.org
Severity: normal
Tags: bullseye
User: [email protected]
Usertags: pu


The attached debdiff for golang-github-russellhaering-goxmldsig fixes
CVE-2020-7711 in Bullseye. This CVE has been marked as no-dsa by the
security team.

  Thorsten
diff -Nru golang-github-russellhaering-goxmldsig-1.1.0/debian/changelog golang-github-russellhaering-goxmldsig-1.1.0/debian/changelog
--- golang-github-russellhaering-goxmldsig-1.1.0/debian/changelog	2021-01-08 00:13:56.000000000 +0100
+++ golang-github-russellhaering-goxmldsig-1.1.0/debian/changelog	2022-03-28 22:32:49.000000000 +0200
@@ -1,3 +1,12 @@
+golang-github-russellhaering-goxmldsig (1.1.0-1+deb11u1) bullseye; urgency=medium
+
+  * CVE-2020-7711
+    null pointer dereference caused by crafted XML signatures
+    (Closes: #968928)
+  * according to ratt, nothing else has to be built
+
+ -- Thorsten Alteholz <[email protected]>  Mon, 28 Mar 2022 22:32:49 +0200
+
 golang-github-russellhaering-goxmldsig (1.1.0-1) unstable; urgency=medium
 
   * New upstream release (Closes: #971615)
diff -Nru golang-github-russellhaering-goxmldsig-1.1.0/debian/patches/CVE-2020-7711.patch golang-github-russellhaering-goxmldsig-1.1.0/debian/patches/CVE-2020-7711.patch
--- golang-github-russellhaering-goxmldsig-1.1.0/debian/patches/CVE-2020-7711.patch	1970-01-01 01:00:00.000000000 +0100
+++ golang-github-russellhaering-goxmldsig-1.1.0/debian/patches/CVE-2020-7711.patch	2022-03-24 02:38:42.000000000 +0100
@@ -0,0 +1,23 @@
+commit fb23e0af61c023e3a6dae8ad30dbd0f04d8a4d8f
+Merge: 3541f5e ca2b448
+Author: Russell Haering <[email protected]>
+Date:   Fri Aug 27 20:19:01 2021 -0700
+
+    Merge pull request #71 from aporcupine/patch-1
+    
+    Explicitly check for case where SignatureValue is nil
+
+Index: golang-github-russellhaering-goxmldsig-1.1.0/validate.go
+===================================================================
+--- golang-github-russellhaering-goxmldsig-1.1.0.orig/validate.go	2022-03-24 02:38:38.797524728 +0100
++++ golang-github-russellhaering-goxmldsig-1.1.0/validate.go	2022-03-24 02:38:38.797524728 +0100
+@@ -271,6 +271,9 @@
+ 	if !bytes.Equal(digest, decodedDigestValue) {
+ 		return nil, errors.New("Signature could not be verified")
+ 	}
++	if sig.SignatureValue == nil {
++		return nil, errors.New("Signature could not be verified")
++	}
+ 
+ 	// Decode the 'SignatureValue' so we can compare against it
+ 	decodedSignature, err := base64.StdEncoding.DecodeString(sig.SignatureValue.Data)
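Review bot: the new nil check in validate.go reuses the digest-mismatch message "Signature could not be verified", so a caller's logs cannot distinguish a document whose SignatureValue element is missing from one whose digest does not match; a distinct message such as `errors.New("Signature could not be verified: SignatureValue is missing")` would make triage of rejected documents easier while still failing closed. The placement itself is right: the check sits before the dereference of `sig.SignatureValue.Data` on the following line, which is where the nil pointer was hit. Separately, the patch file carries only the upstream commit header; adding DEP-3 fields (Origin: upstream commit fb23e0af61c023e3a6dae8ad30dbd0f04d8a4d8f, Bug-Debian: https://bugs.debian.org/968928, Applied-Upstream) would let the patch tracker recognise it as the upstream fix for CVE-2020-7711.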
diff -Nru golang-github-russellhaering-goxmldsig-1.1.0/debian/patches/series golang-github-russellhaering-goxmldsig-1.1.0/debian/patches/series
--- golang-github-russellhaering-goxmldsig-1.1.0/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ golang-github-russellhaering-goxmldsig-1.1.0/debian/patches/series	2022-03-24 02:39:15.000000000 +0100
@@ -0,0 +1 @@
+CVE-2020-7711.patch
