Hi,

On Mon, Jul 12, 2021 at 10:52:47AM +0200, Sebastian Ramacher wrote:
> > [ Risks ]
> > 
> > It's a security fix to the standard library. So it needs binNMUs for all Go
> > packages.
> 
> That's about 1.7k source packages. It would help if you can reduce the
> set of affected packages to not waste time chasing binNMUs for packages
> that don't need them.
> 

That's about 200+ binary packages. arch:all packages are not affected.

Sadly the std library is statically embedded in all packages built by the Go
compiler.
So if there's a security issue in the std library, a bunch of packages need to be
rebuilt.

It may be possible to disassemble all Go binaries to see how many std libraries
are embedded, but currently we don't have such a tool to go through all unpacked
binary packages.

> Cheers
> 
> > As it's near the hard freeze, I'd like to ask whether to fix it before release
> > or after.
> > I don't have a preference FWIW.
> > CCed security team as well.
> > 
> > [ Checklist ]
> >   [ ] all changes are documented in the d/changelog
> >   [ ] I reviewed all changes and I approve them
> >   [ ] attach debdiff against the package in testing
> > 
> > [ Other info ]
> > 
> > That's just a pre-announcement by Go upstream. So I really don't have a diff
> > yet.
> > 
> > unblock golang-1.15/1.15.9-6
> > 

As the security issue is disclosed now, I have prepared the debdiff.


diff -Nru golang-1.15-1.15.9/debian/changelog 
golang-1.15-1.15.9/debian/changelog
--- golang-1.15-1.15.9/debian/changelog 2021-06-05 19:36:34.000000000 +0800
+++ golang-1.15-1.15.9/debian/changelog 2021-07-13 13:55:42.000000000 +0800
@@ -1,3 +1,12 @@
+golang-1.15 (1.15.9-6) unstable; urgency=medium
+
+  * Team upload.
+  * Backport patche for CVE-2021-34558
+    crypto/tls: clients can panic when provided a certificate of the wrong type
+    for the negotiated parameters
+
+ -- Shengjing Zhu <z...@debian.org>  Tue, 13 Jul 2021 13:55:42 +0800
+
 golang-1.15 (1.15.9-5) unstable; urgency=medium
 
   * Team upload.
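Review bot: The new changelog entry misspells "patch" in the line "Backport patche for CVE-2021-34558"; it should read "Backport patch for CVE-2021-34558". The entry also has no Closes: reference, so if a Debian bug tracks this CVE, add it here so the bug is closed by the upload.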
diff -Nru golang-1.15-1.15.9/debian/patches/0013-CVE-2021-34558.patch 
golang-1.15-1.15.9/debian/patches/0013-CVE-2021-34558.patch
--- golang-1.15-1.15.9/debian/patches/0013-CVE-2021-34558.patch 1970-01-01 
08:00:00.000000000 +0800
+++ golang-1.15-1.15.9/debian/patches/0013-CVE-2021-34558.patch 2021-07-13 
13:55:42.000000000 +0800
@@ -0,0 +1,46 @@
+From c77980bc077f3774276ab2deba78d8e6bfe4b3bd Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <rol...@golang.org>
+Date: Wed, 9 Jun 2021 11:31:27 -0700
+Subject: [PATCH] [release-branch.go1.15] crypto/tls: test key type when
+ casting
+
+When casting the certificate public key in generateClientKeyExchange,
+check the type is appropriate. This prevents a panic when a server
+agrees to a RSA based key exchange, but then sends an ECDSA (or
+other) certificate.
+
+Updates #47143
+Fixes #47144
+Fixes CVE-2021-34558
+
+Thanks to Imre Rad for reporting this issue.
+
+Change-Id: Iabccacca6052769a605cccefa1216a9f7b7f6aea
+Reviewed-on: 
https://team-review.git.corp.google.com/c/golang/go-private/+/1116723
+Reviewed-by: Filippo Valsorda <valso...@google.com>
+Reviewed-by: Katie Hockman <katiehock...@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/334030
+Trust: Filippo Valsorda <fili...@golang.org>
+Run-TryBot: Filippo Valsorda <fili...@golang.org>
+Reviewed-by: Dmitri Shuralyov <dmits...@golang.org>
+---
+ src/crypto/tls/key_agreement.go | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/crypto/tls/key_agreement.go b/src/crypto/tls/key_agreement.go
+index 7e6534bd465e3..22f1b2e1f2441 100644
+--- a/src/crypto/tls/key_agreement.go
++++ b/src/crypto/tls/key_agreement.go
+@@ -67,7 +67,11 @@ func (ka rsaKeyAgreement) generateClientKeyExchange(config 
*Config, clientHello
+               return nil, nil, err
+       }
+ 
+-      encrypted, err := rsa.EncryptPKCS1v15(config.rand(), 
cert.PublicKey.(*rsa.PublicKey), preMasterSecret)
++      rsaKey, ok := cert.PublicKey.(*rsa.PublicKey)
++      if !ok {
++              return nil, nil, errors.New("tls: server certificate contains 
incorrect key type for selected ciphersuite")
++      }
++      encrypted, err := rsa.EncryptPKCS1v15(config.rand(), rsaKey, 
preMasterSecret)
+       if err != nil {
+               return nil, nil, err
+       }
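Review bot: The failure path of the new check "rsaKey, ok := cert.PublicKey.(*rsa.PublicKey)" has no test; the diffstat lists key_agreement.go as the only file changed. A regression test in which the server agrees to an RSA key exchange and then presents an ECDSA certificate, asserting that the handshake returns the new error instead of panicking, would pin the behaviour for later backports. The hunk also calls errors.New without touching the import block, so confirm that key_agreement.go already imports errors on the 1.15 branch.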
diff -Nru golang-1.15-1.15.9/debian/patches/series 
golang-1.15-1.15.9/debian/patches/series
--- golang-1.15-1.15.9/debian/patches/series    2021-06-05 19:36:34.000000000 
+0800
+++ golang-1.15-1.15.9/debian/patches/series    2021-07-13 13:55:42.000000000 
+0800
@@ -10,3 +10,4 @@
 0010-CVE-2021-33195-2.patch
 0011-CVE-2021-33197.patch
 0012-CVE-2021-33198.patch
+0013-CVE-2021-34558.patch
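
The mail above notes that there is no tool for finding which binaries embed a given standard-library package. One way to check a single ELF binary, as an added example that is not part of the original mail or of any Debian tooling: it reads the function table in `.gopclntab` instead of disassembling. The `EmbeddedFuncs` name and the ELF-only scope are assumptions of this example.

```go
package main

import (
	"debug/elf"
	"debug/gosym"
	"fmt"
	"os"
	"strings"
)

// EmbeddedFuncs lists functions from importPath (e.g. "crypto/tls") linked
// into the Go ELF binary at path, read from the .gopclntab function table.
func EmbeddedFuncs(path, importPath string) ([]string, error) {
	f, err := elf.Open(path)
	if err != nil {
		return nil, err
	}
	defer f.Close()
	pcln, text := f.Section(".gopclntab"), f.Section(".text")
	if pcln == nil || text == nil {
		return nil, fmt.Errorf("%s: no .gopclntab section, not a Go binary?", path)
	}
	data, err := pcln.Data()
	if err != nil {
		return nil, err
	}
	tab, err := gosym.NewTable(nil, gosym.NewLineTable(data, text.Addr))
	if err != nil {
		return nil, err
	}
	var found []string
	for _, fn := range tab.Funcs {
		// Names look like "crypto/tls.rsaKeyAgreement.generateClientKeyExchange".
		if strings.HasPrefix(fn.Name, importPath+".") {
			found = append(found, fn.Name)
		}
	}
	return found, nil
}

func main() { // usage: prog BINARY...
	for _, p := range os.Args[1:] {
		fns, err := EmbeddedFuncs(p, "crypto/tls")
		if err != nil {
			fmt.Fprintln(os.Stderr, "skip:", err)
			continue
		}
		fmt.Printf("%s: %d crypto/tls functions embedded\n", p, len(fns))
	}
}
```

A non-zero count means crypto/tls code is linked into the binary, so it is a rebuild candidate; a zero count means the linker did not pull the package in.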
