diff --git a/0005-release-branch.go1.17-net-http-preserve-nil-values-in-Header-Clone.patch b/0005-release-branch.go1.17-net-http-preserve-nil-values-in-Header-Clone.patch
new file mode 100644
index 0000000000000000000000000000000000000000..16bf512315bcfca53d857bfcd0fc78f2605d511b
--- /dev/null
+++ b/0005-release-branch.go1.17-net-http-preserve-nil-values-in-Header-Clone.patch
@@ -0,0 +1,64 @@
+From ed2f33e1a7e0d18f61bd56f7ee067331d612c27e Mon Sep 17 00:00:00 2001
+From: Damien Neil
+Date: Fri, 17 Jun 2022 10:09:45 -0700
+Subject: [PATCH] [release-branch.go1.17] net/http: preserve nil values in
+ Header.Clone
+
+ReverseProxy makes a distinction between nil and zero-length header values.
+Avoid losing nil-ness when cloning a request.
+
+Thanks to Christian Mehlmauer for discovering this.
+
+For #53423
+For CVE-2022-32148
+Fixes #53620
+
+Change-Id: Ice369cdb4712e2d62e25bb881b080847aa4801f5
+Reviewed-on: https://go-review.googlesource.com/c/go/+/412857
+Reviewed-by: Ian Lance Taylor
+Reviewed-by: Brad Fitzpatrick
+(cherry picked from commit b2cc0fecc2ccd80e6d5d16542cc684f97b3a9c8a)
+Reviewed-on: https://go-review.googlesource.com/c/go/+/415221
+Reviewed-by: Heschi Kreinick
+TryBot-Result: Gopher Robot
+Run-TryBot: Michael Knyszek
+Run-TryBot: Heschi Kreinick
+Reviewed-by: Michael Knyszek
+---
+ src/net/http/header.go | 6 ++++++
+ src/net/http/header_test.go | 5 +++++
+ 2 files changed, 11 insertions(+)
+
+diff --git a/src/net/http/header.go b/src/net/http/header.go
+index 4c72dcb2c88d..ef4ee7ffa812 100644
+--- a/src/net/http/header.go
++++ b/src/net/http/header.go
+@@ -101,6 +101,12 @@ func (h Header) Clone() Header {
+ sv := make([]string, nv) // shared backing array for headers' values
+ h2 := make(Header, len(h))
+ for k, vv := range h {
++ if vv == nil {
++ // Preserve nil values. ReverseProxy distinguishes
++ // between nil and zero-length header values.
++ h2[k] = nil
++ continue
++ }
+ n := copy(sv, vv)
+ h2[k] = sv[:n:n]
+ sv = sv[n:]
+diff --git a/src/net/http/header_test.go b/src/net/http/header_test.go
+index 47893629194b..80c003551db8 100644
+--- a/src/net/http/header_test.go
++++ b/src/net/http/header_test.go
+@@ -235,6 +235,11 @@ func TestCloneOrMakeHeader(t *testing.T) {
+ in: Header{"foo": {"bar"}},
+ want: Header{"foo": {"bar"}},
+ },
++ {
++ name: "nil value",
++ in: Header{"foo": nil},
++ want: Header{"foo": nil},
++ },
+ }
+
+ for _, tt := range tests {
diff --git a/golang.spec b/golang.spec
index f28b76453835e90f28b6d8b853187ee1b15ae8d4..64ebfa10a8033f652102efe37a90aaadf8ee5f26 100644
--- a/golang.spec
+++ b/golang.spec
@@ -66,7 +66,7 @@

 Name: golang
 Version: 1.17.3
-Release: 4
+Release: 5
 Summary: The Go Programming Language
 License: BSD and Public Domain
 URL: https://golang.org/
@@ -157,6 +157,7 @@ Patch6001: 0001-release-branch.go1.17-crypto-elliptic-tolerate-zero-.patch
 Patch6002: 0002-release-branch.go1.17-encoding-pem-fix-stack-overflo.patch
 Patch6003: 0003-release-branch.go1.17-syscall-fix-ForkLock-spurious-.patch
 Patch6004: 0004-backport-cmd-link-mark-unexported-methods-for-plugins.patch
+Patch6005: 0005-release-branch.go1.17-net-http-preserve-nil-values-in-Header-Clone.patch

 ExclusiveArch: %{golang_arches}

@@ -391,6 +392,13 @@ fi
 %files devel -f go-tests.list -f go-misc.list -f go-src.list

 %changelog
+* Fri Jul 22 2022 zhaomengmeng - 1.17.3-5
+- Type:CVE
+- CVE:CVE-2022-32148
+- SUG:NA
+- DESC:fix CVE-2022-32148
+- fix CVE-2022-32148
+
 * Tue Jun 28 2022 Bin Hu - 1.17.3-4
 - Type:bugfix
 - CVE:NA
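Review bot: The new `Patch6005:` line declares the backport, but the `%prep` section that applies patches lies outside this hunk, so it is not visible whether a matching `%patch6005 -p1` exists; if the spec applies patches with explicit `%patchN` macros rather than `%autosetup`/`%autopatch`, the CVE-2022-32148 fix would be listed in the changelog yet never applied to the source tree. Worth confirming before release by checking that the unpacked `src/net/http/header.go` in the build root contains the `if vv == nil {` block, or that the `nil value` case added to `TestCloneOrMakeHeader` runs in the package's test stage. The `Release: 5` bump and the changelog entry in the neighbouring hunks are consistent with each other and need no change.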