Hi Sylvain and all

Sylvain: Thank you for pointing me to this. I have checked the first three packages in the list you gave and all have "skippy" in them. Some many times.

All: The conclusion I draw is that we should not fix CVE-2021-3121 or any other golang packages. Or should we rebuild, as we seem to plan to do for the other CVEs that we have in dla-needed? However, before that it would be good to have more information about the issue to conclude its severity... I start to realize that there are other people who have better knowledge about maintaining go packages and will therefore give this package to someone else to conclude.

Cheers

// Ola

On Tue, 9 Mar 2021 at 18:45, Sylvain Beucler <[email protected]> wrote:
> Hi,
>
> I'll let the Go packagers answer authoritatively but as I'm currently
> working on golang fixes I'd like to share a few points:
>
> On 08/03/2021 22:48, Ola Lundqvist wrote:
> > I have prepared a patch for CVE-2021-3121 described in:
> > https://security-tracker.debian.org/tracker/CVE-2021-3121
> >
> > You can find the patch here:
> > http://apt.inguza.net/stretch-lts/golang-gogoprotobuf/CVE-2021-3121-1.patch
> >
> > The patch is based on the following commit:
> > https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc
> >
> > My conclusion is that the field function in stretch is unaffected. The
> > reason is that there is no skippy check there at all in the stretch version.
> > For the generate function the iNdEx check was not in place so I added
> > it, similar to the patch.
> >
> > I do have a problem, and that is to check whether the code introduces
> > some regression issue. Also, since the CVE lacks a description of the
> > effect of this problem, I have little knowledge of what the result of
> > this may be.
> >
> > Therefore I would highly appreciate a description of what this problem
> > is and how to regression test the package.
>
> This appears to be a tricky issue to fix.
>
> First, due to static linking in Go, dependencies need to be rebuilt too,
> but even then, the vulnerability lies in generated code.
> (see below for a list of deps)
>
> Then, the vulnerability appears to be a serialization issue but even the
> netapp report is vague.
>
> To test the fix, the package comes with a testsuite, though the original
> patch includes dozens of testsuite changes (mostly regenerated files).
> Then all the dependencies (that need a rebuild) do provide another way
> to check if something broke.
>
> It should be noted that golang* packages are supported in stretch but
> come with limited support, not due to code generation but due to Go
> static linking in the first place:
> https://salsa.debian.org/debian/debian-security-support/-/blob/stretch/security-support-limited
>
> If you do decide to support this package, I recently documented how to
> find direct reverse build dependencies at:
> https://wiki.debian.org/LTS/TestSuites/golang
>
> $ dose-ceve --deb-native-arch=amd64 -r golang-github-gogo-protobuf-dev
> -T debsrc
> debsrc:///var/lib/apt/lists/ftp.fr.debian.org_debian_dists_stretch_main_source_Sources
> deb:///var/lib/apt/lists/ftp.fr.debian.org_debian_dists_stretch_main_binary-amd64_Packages
> | grep-dctrl -n -s Package '' | sort -u
> gobgp
> golang-github-appc-goaci
> golang-github-appc-spec
> golang-github-mesos-mesos-go
> influxdb
> syncthing
> (Note: this is not recursive.)
>
> In addition, apt-file does provide a list of generated .pb.go files,
> though it also includes those from "plain" protobuf (of which
> gogoprotobuf is a fork) so not all are affected (the affected ones
> should contain "skippy" somewhere):
> # apt-file search .pb.go | cut -d: -f1 | sort -u
> golang-github-appc-spec-dev
> golang-github-gogo-protobuf-dev
> golang-github-golang-groupcache-dev
> golang-github-influxdb-influxdb-dev
> golang-github-mesos-mesos-go-dev
> golang-github-opencontainers-runc-dev
> golang-github-osrg-gobgp-dev
> golang-github-prometheus-alertmanager-dev
> golang-github-prometheus-client-model-dev
> golang-github-syncthing-syncthing-dev
> golang-gomega-dev
> golang-google-appengine-dev
> golang-google-genproto-dev
> golang-google-grpc-dev
> golang-gopkg-dancannon-gorethink.v1-dev
> golang-gopkg-dancannon-gorethink.v2-dev
> golang-goprotobuf-dev
>
> Cheers!
> Sylvain

--
--- Inguza Technology AB --- MSc in Information Technology ----
| [email protected] [email protected] |
| http://inguza.com/ Mobile: +46 (0)70-332 1551 |
---------------------------------------------------------------
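The thread talks about the "skippy" value returned by the generated skip helpers and the "iNdEx check" applied to it in the generated Unmarshal loop. The following is an added, self-contained example (not code from gogo/protobuf, from the Debian patch, or from either poster) that reproduces the shape of that loop on constructed input so the checks can be tested in isolation: a minimal wire-format skipper returns `skippy`, and the caller applies the negative-length, overflow and end-of-buffer checks before advancing `iNdEx`. All names (`skipUnknown`, `countUnknownFields`, `ErrInvalidLength`) and the sample byte strings are hypothetical; the code illustrates why an unmarshaller must validate `iNdEx + skippy` rather than trust it, and it returns an error instead of panicking on malformed lengths.

```go
package main

import (
	"errors"
	"fmt"
	"io"
)

// ErrInvalidLength mirrors the role of the per-file ErrInvalidLengthXxx
// sentinel in generated code (hypothetical name, added example).
var ErrInvalidLength = errors.New("proto: negative length found during unmarshaling")

// readVarint decodes a base-128 varint at dAtA[iNdEx:] and returns the
// value plus the index of the byte after it.
func readVarint(dAtA []byte, iNdEx int) (uint64, int, error) {
	var v uint64
	for shift := uint(0); ; shift += 7 {
		if shift >= 64 {
			return 0, 0, errors.New("proto: varint overflow")
		}
		if iNdEx >= len(dAtA) {
			return 0, 0, io.ErrUnexpectedEOF
		}
		b := dAtA[iNdEx]
		iNdEx++
		v |= uint64(b&0x7f) << shift
		if b < 0x80 {
			return v, iNdEx, nil
		}
	}
}

// skipUnknown returns the size in bytes of the field whose tag starts at
// dAtA[iNdEx], i.e. the "skippy" that generated skipXxx helpers hand back.
// Only the four non-group wire types are handled here.
func skipUnknown(dAtA []byte, iNdEx int) (int, error) {
	start := iNdEx
	tag, iNdEx, err := readVarint(dAtA, iNdEx)
	if err != nil {
		return 0, err
	}
	switch wireType := tag & 7; wireType {
	case 0: // varint payload
		if _, iNdEx, err = readVarint(dAtA, iNdEx); err != nil {
			return 0, err
		}
	case 1: // fixed64
		iNdEx += 8
	case 2: // length-delimited
		length, next, err := readVarint(dAtA, iNdEx)
		if err != nil {
			return 0, err
		}
		// A length >= 2^63 wraps negative when converted to int.
		if int(length) < 0 {
			return 0, ErrInvalidLength
		}
		iNdEx = next + int(length)
		if iNdEx < 0 { // addition overflowed
			return 0, ErrInvalidLength
		}
	case 5: // fixed32
		iNdEx += 4
	default:
		return 0, fmt.Errorf("proto: illegal wireType %d", wireType)
	}
	return iNdEx - start, nil
}

// countUnknownFields walks a message treating every field as unknown and
// returns how many it skipped. It applies the three checks on skippy that
// a hardened Unmarshal loop performs after each skip call: a negative
// skippy, an iNdEx + skippy that wrapped below zero (the "iNdEx check"),
// and an iNdEx + skippy past the end of the buffer.
func countUnknownFields(dAtA []byte) (int, error) {
	l := len(dAtA)
	iNdEx, n := 0, 0
	for iNdEx < l {
		skippy, err := skipUnknown(dAtA, iNdEx)
		if err != nil {
			return n, err
		}
		if skippy < 0 {
			return n, ErrInvalidLength
		}
		if (iNdEx + skippy) < 0 {
			return n, ErrInvalidLength
		}
		if (iNdEx + skippy) > l {
			return n, io.ErrUnexpectedEOF
		}
		iNdEx += skippy
		n++
	}
	return n, nil
}

func main() {
	// Constructed sample: field 1 varint 150, field 2 bytes "hi", field 3 fixed32.
	valid := []byte{0x08, 0x96, 0x01, 0x12, 0x02, 'h', 'i', 0x1d, 1, 2, 3, 4}
	// Constructed sample: length-delimited field claiming 2^63 bytes.
	huge := []byte{0x12, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x01}
	fmt.Println(countUnknownFields(valid)) // 3 <nil>
	fmt.Println(countUnknownFields(huge))  // 0 proto: negative length found during unmarshaling
}
```

Run with `go run`; the valid message yields three skipped fields, a field whose declared length overruns the buffer returns `io.ErrUnexpectedEOF`, and a length that wraps negative returns `ErrInvalidLength`. The same three sample inputs are what a regression test for a backported fix would exercise against the real generated Unmarshal functions.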
