Package: golang-1.21-go
Version: 1.21~rc2-2
Severity: grave
Tags: security

Go 1.21 provides the `GOTOOLCHAIN` environment variable and associated functionality[0]. As part of this code, if go.mod indicates that a newer version of Go is required than the current toolchain supports, it proceeds by default to attempt to download a toolchain from the Internet and runs it without prompting the user.
It is unclear what, if any, cryptographic verification it performs, especially if the user has disabled GOPROXY and GOSUMDB for privacy reasons. As far as I know, the Go core team does not sign Linux binaries cryptographically, so at best the data would be verified by a hash, which is not sufficient. Debian itself uses a strong cryptographic signature for APT archives.

In addition, it's possible that a newer version of the toolchain might contain some vulnerability which is not present in the current toolchain, and therefore might expose the user to new vulnerabilities that are not patched. This is not at all far-fetched, since Go is known to have regressions all the time, so security-based regressions are not at all out of the question.

I don't believe this is an appropriate way for software distributed in Debian to behave, especially by default, and I'd like to request that it be patched out for security reasons.

Steps to reproduce:

1. Clone a Go project (e.g., Git LFS).
2. Update go.mod to state "go 1.22".
3. Run /usr/lib/go-1.21/bin/go build
4. Notice the following output:

go: downloading go1.22 (linux/amd64)
go: download go1.22 for linux/amd64: toolchain not available

[0] https://tip.golang.org/doc/toolchain

-- System Information:
Debian Release: trixie/sid
  APT prefers oldstable-security
  APT policy: (500, 'oldstable-security'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.3.0-1-amd64 (SMP w/20 CPU threads; PREEMPT)
Kernel taint flags: TAINT_USER, TAINT_WARN
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8), LANGUAGE=en_CA:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages golang-1.21-go depends on:
ii  golang-1.21-src  1.21~rc2-2

Versions of packages golang-1.21-go recommends:
ii  g++                   4:12.3.0-1
ii  gcc                   4:12.3.0-1
ii  libc6-dev             2.37-3
ii  pkg-config            1.8.1-1
ii  pkgconf [pkg-config]  1.8.1-1

Versions of packages golang-1.21-go suggests:
pn  bzr | brz        <none>
ii  ca-certificates  20230311
ii  git              1:2.40.1+next.20230427-1
pn  mercurial        <none>
pn  subversion       <none>

-- no debconf information

-- 
brian m. carlson (he/him or they/them)
Toronto, Ontario, CA
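One way to fail closed against the behaviour described in this report, as an added example that is not part of the bug report or of the Go project: the script reads the `go`/`toolchain` directive from go.mod, compares it with the installed toolchain, and only then runs the build with GOTOOLCHAIN=local, which makes the go command error out instead of fetching a toolchain. It assumes the Go 1.21 directive semantics from the linked toolchain document and that GNU `sort -V` ordering matches Go's (1.21 < 1.21rc2 < 1.21.0 < 1.21.1), which holds for these version shapes.

```shell
#!/bin/sh
# Added example, not from the bug report: refuse to build when go.mod asks for a
# newer Go than the installed toolchain, rather than letting `go` download one.
# Assumes Go 1.21 go.mod semantics (`go` and `toolchain` directives) and that
# GNU `sort -V` orders versions the way Go does (1.21 < 1.21rc2 < 1.21.0).

# Print the Go version go.mod ($1) requires. A `toolchain goX.Y.Z` line wins over
# the `go` line, since that is the version the toolchain switch would fetch;
# `toolchain default` imposes no extra requirement and is ignored.
gomod_required_version() {
    tc=$(awk '$1 == "toolchain" && $2 != "default" { sub(/^go/, "", $2); print $2; exit }' "$1")
    if [ -n "$tc" ]; then printf '%s\n' "$tc"; return 0; fi
    awk '$1 == "go" { print $2; exit }' "$1"
}

# Return 0 if version $1 is strictly newer than version $2.
version_newer_than() {
    [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n1)" = "$1" ]
}

# Return 0 when the installed toolchain version ($2, e.g. "1.21rc2") satisfies go.mod ($1).
toolchain_satisfies() {
    req=$(gomod_required_version "$1")
    [ -z "$req" ] && return 0          # no directive: any toolchain will do
    ! version_newer_than "$req" "$2"
}

# Build only with the local toolchain; GOTOOLCHAIN=local disables the download
# path entirely, so a mismatch is reported here instead of silently fetched.
safe_build() {
    local_ver=$(go version | awk '{ sub(/^go/, "", $3); print $3 }')
    if toolchain_satisfies go.mod "$local_ver"; then
        GOTOOLCHAIN=local go build "$@"
    else
        echo "go.mod requires Go $(gomod_required_version go.mod); installed is $local_ver" >&2
        return 1
    fi
}
```

Setting `go env -w GOTOOLCHAIN=local` (or exporting it in the environment) applies the same fail-closed behaviour to every go invocation, not just this wrapper.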