On Fri, 4 Aug 2023 at 19:48, Nilesh Patra <nil...@debian.org> wrote:

> On Fri, Aug 04, 2023 at 07:20:32PM +0200, Tom Payne wrote:
> > On Thu, 3 Aug 2023 at 05:03, Nilesh Patra <nil...@debian.org> wrote:
> > > On Thu, Aug 03, 2023 at 01:28:44AM +0200, Tom Payne wrote:
> >
> > They're every month or so. For example, Go 1.19 has had twelve patch
> > releases to address security problems since its release one year ago. Of
> > course, not all of these affect chezmoi.
> >
> > Security problems in other dependencies are less frequent, maybe a few per
> > year. I have a scheduled daily govulncheck run and fix problems as soon as
> > I can, usually within a few hours.
>
> so, allow me to clarify this -- where are the vulnerabilities usually
> found?
>
> a) In chezmoi code itself
> b) In the dependencies of chezmoi
> c) In the libraries vendored by chezmoi (i.e. in vendor/ directory if it
> has one).
>
> If it's "b" then I don't think you need to do much except for tagging
> the CVE with updated version in go.mod.

Not all security problems get CVEs, and not all CVEs are security problems,
but I was curious about the govulncheck output for version 2.19.0 of chezmoi,
which was released about one year ago. govulncheck reports 23
vulnerabilities, 2 from modules, and the rest from the standard library.
Output attached. You can reproduce this output with the following commands:

    go install golang.org/x/vuln/cmd/govulncheck@latest
    curl -LO https://github.com/twpayne/chezmoi/releases/download/v2.19.0/chezmoi-linux-amd64
    govulncheck -mode=binary chezmoi-linux-amd64

As far as I know, there have been no code vulnerabilities in chezmoi itself.
An astute user spotted a typo pointing to a domain squatting page in
chezmoi's documentation (fixed in this commit
<https://github.com/twpayne/chezmoi/commit/c8541b35c4d3130437d49ce29df34dfa56d6c734>
within one hour of being reported). Vulnerabilities have been in the Go
standard library and direct dependencies of chezmoi (golang.org/x/net and
golang.org/x/text).

Running govulncheck on the latest release of chezmoi
<https://github.com/twpayne/chezmoi/releases/tag/v2.36.1> lists one
vulnerability <https://pkg.go.dev/vuln/GO-2023-1987>. This is already fixed
in chezmoi <https://github.com/twpayne/chezmoi/pull/3140>, and will be
included in the next release of chezmoi (likely this weekend or next) as it
is unlikely to be exploited in practice.

> > > If so, do note that the debian release cycle may have quirks with
> > > the same. Debian is released once in ~2 years and the stable version
> > > needs support for ~3 years. Except for very urgent cases, packages
> > > are not updated in stable.
> > >
> > > If a security bug hits the version in stable, do you find it a possibility
> > > to support backporting security patches?
> >
> > Yes-ish. Go itself only supports security fixes up to ~1 year, so I'm not
> > sure how chezmoi (or Debian) can do better than that. Are you backporting
> > security fixes from Go 1.20.7 (which has a recent security fix) to Go 1.15
> > (which was released ~3 years ago)?
>
> Can you provide the exact CVE number you are referring to?

Example CVE numbers: CVE-2022-41723
<https://nvd.nist.gov/vuln/detail/CVE-2022-41723>, CVE-2022-41724
<https://nvd.nist.gov/vuln/detail/CVE-2022-41724>, CVE-2022-41725
<https://nvd.nist.gov/vuln/detail/CVE-2022-41725>. You can find more by
looking for the string "security" in the Go releases page
<https://go.dev/doc/devel/release>, following the "milestone" link in the
description. The GitHub issue titles include the CVE numbers.

> > Would vendoring-in chezmoi's dependencies be sufficient from
> > upstream (i.e. me)?
>
> If the dependencies are very frequently updated, then _probably_ yes.
> That said, since I did not dive deep into the package, I can't comment
> with certainty. Maybe Ryan could chime in here?

Great! I'll prepare a PR and wait for Ryan's input.

Thank you again for this discussion,

Tom
Using govulncheck@v1.0.0 with vulnerability data from https://vuln.go.dev (last modified 2023-08-02 20:33:39 +0000 UTC).

Scanning your binary for known vulnerabilities...

Vulnerability #1: GO-2023-1988 Improper rendering of text nodes in golang.org/x/net/html
  More info: https://pkg.go.dev/vuln/GO-2023-1988
  Module: golang.org/x/net
    Found in: golang.org/x/net@v0.0.0-20220708220712-1185a9018129
    Fixed in: golang.org/x/net@v0.13.0
    Example traces found:
      #1: html.Render

Vulnerability #2: GO-2023-1987 Large RSA keys can cause high CPU usage in crypto/tls
  More info: https://pkg.go.dev/vuln/GO-2023-1987
  Standard library
    Found in: crypto/tls@go1.18.4
    Fixed in: crypto/tls@go1.21rc4
    Example traces found:
      #1: tls.Conn.Handshake
      #2: tls.Conn.HandshakeContext
      #3: tls.Conn.Read
      #4: tls.Conn.Write
      #5: tls.Dial
      #6: tls.DialWithDialer
      #7: tls.Dialer.Dial
      #8: tls.Dialer.DialContext

Vulnerability #3: GO-2023-1878 Insufficient sanitization of Host header in net/http
  More info: https://pkg.go.dev/vuln/GO-2023-1878
  Standard library
    Found in: net/http@go1.18.4
    Fixed in: net/http@go1.20.6
    Example traces found:
      #1: http.Client.CloseIdleConnections
      #2: http.Client.Do
      #3: http.Client.Get
      #4: http.Client.Head
      #5: http.Client.Post
      #6: http.Client.PostForm
      #7: http.Get
      #8: http.Head
      #9: http.Post
      #10: http.PostForm
      #11: http.Request.Write
      #12: http.Request.WriteProxy
      #13: http.Transport.CancelRequest
      #14: http.Transport.CloseIdleConnections
      #15: http.Transport.RoundTrip

Vulnerability #4: GO-2023-1840 Unsafe behavior in setuid/setgid binaries in runtime
  More info: https://pkg.go.dev/vuln/GO-2023-1840
  Standard library
    Found in: runtime@go1.18.4
    Fixed in: runtime@go1.20.5
    Example traces found:
      #1: runtime.runtime/*

Vulnerability #5: GO-2023-1753 Improper handling of empty HTML attributes in html/template
  More info: https://pkg.go.dev/vuln/GO-2023-1753
  Standard library
    Found in: html/template@go1.18.4
    Fixed in: html/template@go1.20.4
    Example traces found:
      #1: template.Template.Execute
      #2: template.Template.ExecuteTemplate

Vulnerability #6: GO-2023-1752 Improper handling of JavaScript whitespace in html/template
  More info: https://pkg.go.dev/vuln/GO-2023-1752
  Standard library
    Found in: html/template@go1.18.4
    Fixed in: html/template@go1.20.4
    Example traces found:
      #1: template.Template.Execute
      #2: template.Template.ExecuteTemplate

Vulnerability #7: GO-2023-1751 Improper sanitization of CSS values in html/template
  More info: https://pkg.go.dev/vuln/GO-2023-1751
  Standard library
    Found in: html/template@go1.18.4
    Fixed in: html/template@go1.20.4
    Example traces found:
      #1: template.Template.Execute
      #2: template.Template.ExecuteTemplate

Vulnerability #8: GO-2023-1705 Excessive resource consumption in net/http, net/textproto and mime/multipart
  More info: https://pkg.go.dev/vuln/GO-2023-1705
  Standard library
    Found in: mime/multipart@go1.18.4
    Fixed in: mime/multipart@go1.20.3
    Example traces found:
      #1: multipart.Reader.NextPart
      #2: multipart.Reader.NextRawPart
      #3: multipart.Reader.ReadForm
      #4: textproto.Reader.ReadMIMEHeader

Vulnerability #9: GO-2023-1704 Excessive memory allocation in net/http and net/textproto
  More info: https://pkg.go.dev/vuln/GO-2023-1704
  Standard library
    Found in: net/textproto@go1.18.4
    Fixed in: net/textproto@go1.20.3
    Example traces found:
      #1: textproto.Reader.ReadMIMEHeader

Vulnerability #10: GO-2023-1703 Backticks not treated as string delimiters in html/template
  More info: https://pkg.go.dev/vuln/GO-2023-1703
  Standard library
    Found in: html/template@go1.18.4
    Fixed in: html/template@go1.20.3
    Example traces found:
      #1: template.Template.Execute
      #2: template.Template.ExecuteTemplate

Vulnerability #11: GO-2023-1702 Infinite loop in parsing in go/scanner
  More info: https://pkg.go.dev/vuln/GO-2023-1702
  Standard library
    Found in: go/scanner@go1.18.4
    Fixed in: go/scanner@go1.20.3
    Example traces found:
      #1: scanner.Scanner.Scan

Vulnerability #12: GO-2023-1621 Incorrect calculation on P256 curves in crypto/internal/nistec
  More info: https://pkg.go.dev/vuln/GO-2023-1621
  Standard library
    Found in: crypto/internal/nistec@go1.18.4
    Fixed in: crypto/internal/nistec@go1.20.2
    Example traces found:
      #1: nistec.P256OrdInverse
      #2: nistec.P256Point.ScalarBaseMult
      #3: nistec.P256Point.ScalarMult

Vulnerability #13: GO-2023-1571 Denial of service via crafted HTTP/2 stream in net/http and golang.org/x/net
  More info: https://pkg.go.dev/vuln/GO-2023-1571
  Module: golang.org/x/net
    Found in: golang.org/x/net@v0.0.0-20220708220712-1185a9018129
    Fixed in: golang.org/x/net@v0.7.0
    Example traces found:
      #1: http2.ClientConn.Close
      #2: http2.ClientConn.Ping
      #3: http2.ClientConn.RoundTrip
      #4: http2.ClientConn.Shutdown
      #5: http2.ConfigureServer
      #6: http2.ConfigureTransport
      #7: http2.ConfigureTransports
      #8: http2.ConnectionError.Error
      #9: http2.ErrCode.String
      #10: http2.FrameHeader.String
      #11: http2.FrameType.String
      #12: http2.FrameWriteRequest.String
      #13: http2.Framer.ReadFrame
      #14: http2.Framer.WriteContinuation
      #15: http2.Framer.WriteData
      #16: http2.Framer.WriteDataPadded
      #17: http2.Framer.WriteGoAway
      #18: http2.Framer.WriteHeaders
      #19: http2.Framer.WritePing
      #20: http2.Framer.WritePriority
      #21: http2.Framer.WritePushPromise
      #22: http2.Framer.WriteRSTStream
      #23: http2.Framer.WriteRawFrame
      #24: http2.Framer.WriteSettings
      #25: http2.Framer.WriteSettingsAck
      #26: http2.Framer.WriteWindowUpdate
      #27: http2.GoAwayError.Error
      #28: http2.ReadFrameHeader
      #29: http2.Server.ServeConn
      #30: http2.Setting.String
      #31: http2.SettingID.String
      #32: http2.SettingsFrame.ForeachSetting
      #33: http2.StreamError.Error
      #34: http2.Transport.CloseIdleConnections
      #35: http2.Transport.NewClientConn
      #36: http2.Transport.RoundTrip
      #37: http2.Transport.RoundTripOpt
      #38: http2.bufferedWriter.Flush
      #39: http2.bufferedWriter.Write
      #40: http2.chunkWriter.Write
      #41: http2.clientConnPool.GetClientConn
      #42: http2.connError.Error
      #43: http2.dataBuffer.Read
      #44: http2.duplicatePseudoHeaderError.Error
      #45: http2.gzipReader.Close
      #46: http2.gzipReader.Read
      #47: http2.headerFieldNameError.Error
      #48: http2.headerFieldValueError.Error
      #49: http2.noDialClientConnPool.GetClientConn
      #50: http2.noDialH2RoundTripper.RoundTrip
      #51: http2.pipe.Read
      #52: http2.priorityWriteScheduler.CloseStream
      #53: http2.priorityWriteScheduler.OpenStream
      #54: http2.pseudoHeaderError.Error
      #55: http2.requestBody.Close
      #56: http2.requestBody.Read
      #57: http2.responseWriter.Flush
      #58: http2.responseWriter.FlushError
      #59: http2.responseWriter.Push
      #60: http2.responseWriter.SetReadDeadline
      #61: http2.responseWriter.SetWriteDeadline
      #62: http2.responseWriter.Write
      #63: http2.responseWriter.WriteHeader
      #64: http2.responseWriter.WriteString
      #65: http2.serverConn.CloseConn
      #66: http2.serverConn.Flush
      #67: http2.stickyErrWriter.Write
      #68: http2.transportResponseBody.Close
      #69: http2.transportResponseBody.Read
      #70: http2.writeData.String
      #71: hpack.Decoder.DecodeFull
      #72: hpack.Decoder.Write
  Standard library
    Found in: net/http@go1.18.4
    Fixed in: net/http@go1.20.1
    Example traces found:
      #1: http.Client.Do
      #2: http.Client.Get
      #3: http.Client.Head
      #4: http.Client.Post
      #5: http.Client.PostForm
      #6: http.Get
      #7: http.Head
      #8: http.ListenAndServe
      #9: http.ListenAndServeTLS
      #10: http.Post
      #11: http.PostForm
      #12: http.Serve
      #13: http.ServeTLS
      #14: http.Server.ListenAndServe
      #15: http.Server.ListenAndServeTLS
      #16: http.Server.Serve
      #17: http.Server.ServeTLS
      #18: http.Transport.RoundTrip

Vulnerability #14: GO-2023-1570 Panic on large handshake records in crypto/tls
  More info: https://pkg.go.dev/vuln/GO-2023-1570
  Standard library
    Found in: crypto/tls@go1.18.4
    Fixed in: crypto/tls@go1.20.1
    Example traces found:
      #1: tls.Conn.Handshake
      #2: tls.Conn.HandshakeContext
      #3: tls.Conn.Read
      #4: tls.Conn.Write
      #5: tls.ConnectionState.ExportKeyingMaterial
      #6: tls.Dial
      #7: tls.DialWithDialer
      #8: tls.Dialer.Dial
      #9: tls.Dialer.DialContext

Vulnerability #15: GO-2023-1569 Excessive resource consumption in mime/multipart
  More info: https://pkg.go.dev/vuln/GO-2023-1569
  Standard library
    Found in: mime/multipart@go1.18.4
    Fixed in: mime/multipart@go1.20.1
    Example traces found:
      #1: multipart.Reader.ReadForm

Vulnerability #16: GO-2023-1495 Request smuggling due to improper request handling in golang.org/x/net/http2/h2c
  More info: https://pkg.go.dev/vuln/GO-2023-1495
  Module: golang.org/x/net
    Found in: golang.org/x/net@v0.0.0-20220708220712-1185a9018129
    Fixed in: golang.org/x/net@v0.1.1-0.20221104162952-702349b0e862
    Example traces found:
      #1: h2c.h2cHandler.ServeHTTP

Vulnerability #17: GO-2022-1144 Excessive memory growth in net/http and golang.org/x/net/http2
  More info: https://pkg.go.dev/vuln/GO-2022-1144
  Module: golang.org/x/net
    Found in: golang.org/x/net@v0.0.0-20220708220712-1185a9018129
    Fixed in: golang.org/x/net@v0.4.0
    Example traces found:
      #1: http2.Server.ServeConn
  Standard library
    Found in: net/http@go1.18.4
    Fixed in: net/http@go1.19.4
    Example traces found:
      #1: http.ListenAndServe
      #2: http.ListenAndServeTLS
      #3: http.Serve
      #4: http.ServeTLS
      #5: http.Server.ListenAndServe
      #6: http.Server.ListenAndServeTLS
      #7: http.Server.Serve
      #8: http.Server.ServeTLS
      #9: http.http2Server.ServeConn

Vulnerability #18: GO-2022-1059 Denial of service via crafted Accept-Language header in golang.org/x/text/language
  More info: https://pkg.go.dev/vuln/GO-2022-1059
  Module: golang.org/x/text
    Found in: golang.org/x/text@v0.3.7
    Fixed in: golang.org/x/text@v0.3.8
    Example traces found:
      #1: language.MatchStrings
      #2: language.ParseAcceptLanguage

Vulnerability #19: GO-2022-1039 Memory exhaustion when compiling regular expressions in regexp/syntax
  More info: https://pkg.go.dev/vuln/GO-2022-1039
  Standard library
    Found in: regexp/syntax@go1.18.4
    Fixed in: regexp/syntax@go1.19.2
    Example traces found:
      #1: syntax.Parse

Vulnerability #20: GO-2022-1038 Incorrect sanitization of forwarded query parameters in net/http/httputil
  More info: https://pkg.go.dev/vuln/GO-2022-1038
  Standard library
    Found in: net/http/httputil@go1.18.4
    Fixed in: net/http/httputil@go1.19.2
    Example traces found:
      #1: httputil.ReverseProxy.ServeHTTP

Vulnerability #21: GO-2022-1037 Unbounded memory consumption when reading headers in archive/tar
  More info: https://pkg.go.dev/vuln/GO-2022-1037
  Standard library
    Found in: archive/tar@go1.18.4
    Fixed in: archive/tar@go1.19.2
    Example traces found:
      #1: tar.Reader.Next
      #2: tar.Writer.WriteHeader

Vulnerability #22: GO-2022-0969 Denial of service in net/http and golang.org/x/net/http2
  More info: https://pkg.go.dev/vuln/GO-2022-0969
  Module: golang.org/x/net
    Found in: golang.org/x/net@v0.0.0-20220708220712-1185a9018129
    Fixed in: golang.org/x/net@v0.0.0-20220906165146-f3363e06e74c
    Example traces found:
      #1: http2.Server.ServeConn
  Standard library
    Found in: net/http@go1.18.4
    Fixed in: net/http@go1.19.1
    Example traces found:
      #1: http.ListenAndServe
      #2: http.ListenAndServeTLS
      #3: http.Serve
      #4: http.ServeTLS
      #5: http.Server.ListenAndServe
      #6: http.Server.ListenAndServeTLS
      #7: http.Server.Serve
      #8: http.Server.ServeTLS
      #9: http.http2Server.ServeConn

Vulnerability #23: GO-2022-0537 Panic when decoding Float and Rat types in math/big
  More info: https://pkg.go.dev/vuln/GO-2022-0537
  Standard library
    Found in: math/big@go1.18.4
    Fixed in: math/big@go1.18.5
    Example traces found:
      #1: big.Float.GobDecode
      #2: big.Rat.GobDecode

Your code is affected by 23 vulnerabilities from 2 modules and the Go standard library.

Share feedback at https://go.dev/s/govulncheck-feedback.
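The thread's question (a) chezmoi code, (b) go.mod dependencies, or (c) vendored libraries decides how a finding is fixed: a standard-library finding is closed by rebuilding the binary with a patched Go toolchain, while a module finding is closed by bumping that module in go.mod. The following script is an added example, not part of the thread or of chezmoi, that parses the text format of the attached `govulncheck -mode=binary` output and answers that question for a maintainer: the lowest Go toolchain that fixes every standard-library finding, and the lowest version of each module that fixes every finding in it. It assumes the line shapes visible in the attachment ("Vulnerability #N: GO-ID title", "Module: path", "Standard library", "Found in: pkg@version", "Fixed in: pkg@version"); the sample input is a constructed excerpt built from four entries of the attachment.

```python
"""Triage govulncheck text output into standard-library and module findings.

Added example: the parser is written against the line shapes seen in the
attached output; it is not govulncheck's own code or API.
"""
import re
from dataclasses import dataclass

VULN_RE = re.compile(r"^Vulnerability #(\d+): (GO-\d{4}-\d+)(?:\s+(.*))?$")
FOUND_RE = re.compile(r"^Found in: (\S+)@(\S+)$")
FIXED_RE = re.compile(r"^Fixed in: (\S+)@(\S+)$")


@dataclass
class Finding:
    vuln_id: str
    title: str
    source: str   # "stdlib" or a module path such as golang.org/x/net
    package: str  # package (stdlib) or module path (module) that was found
    found: str    # version the binary was built with
    fixed: str    # first version containing the fix


def parse_govulncheck(text):
    """Return one Finding per (vulnerability, source) section.

    One vulnerability can have both a Module and a Standard library section
    (GO-2023-1571 in the attachment), so it yields two findings.
    """
    findings = []
    vuln_id = title = source = package = found = None
    for raw in text.splitlines():
        line = raw.strip()
        m = VULN_RE.match(line)
        if m:
            vuln_id, title = m.group(2), m.group(3) or ""
            source = None
            continue
        if line == "Standard library":
            source = "stdlib"
            continue
        if line.startswith("Module: "):
            source = line[len("Module: "):]
            continue
        m = FOUND_RE.match(line)
        if m:
            package, found = m.groups()
            continue
        m = FIXED_RE.match(line)
        if m and vuln_id and source:
            findings.append(Finding(vuln_id, title, source, package, found, m.group(2)))
    return findings


def go_toolchain_key(ver):
    """Sort key for toolchain versions like go1.20.6 or go1.21rc4."""
    m = re.fullmatch(r"go(\d+)\.(\d+)(?:\.(\d+))?(?:rc(\d+))?", ver)
    if not m:
        raise ValueError(f"unrecognised Go version: {ver}")
    major, minor, patch, rc = m.groups()
    # A release candidate sorts before the final x.y.0 release.
    return (int(major), int(minor), int(patch or 0), 1 if rc is None else 0, int(rc or 0))


def semver_key(ver):
    """Sort key for module versions like v0.13.0 or v0.1.1-0.20221104162952-702349b0e862."""
    m = re.fullmatch(r"v(\d+)\.(\d+)\.(\d+)(?:-(\S+))?", ver)
    if not m:
        raise ValueError(f"unrecognised module version: {ver}")
    major, minor, patch, pre = m.groups()
    # A pre-release (pseudo-version) sorts before the tagged release it precedes.
    return (int(major), int(minor), int(patch), 0 if pre else 1, pre or "")


def triage(findings):
    """Return (minimum toolchain fixing all stdlib findings, {module: minimum fixed version})."""
    toolchain = None
    modules = {}
    for f in findings:
        if f.source == "stdlib":
            if toolchain is None or go_toolchain_key(f.fixed) > go_toolchain_key(toolchain):
                toolchain = f.fixed
        else:
            cur = modules.get(f.source)
            if cur is None or semver_key(f.fixed) > semver_key(cur):
                modules[f.source] = f.fixed
    return toolchain, modules


# Constructed excerpt: four entries copied from the attached output, with
# the trace lists shortened.
SAMPLE_OUTPUT = """\
Vulnerability #1: GO-2023-1988 Improper rendering of text nodes in golang.org/x/net/html
  More info: https://pkg.go.dev/vuln/GO-2023-1988
  Module: golang.org/x/net
    Found in: golang.org/x/net@v0.0.0-20220708220712-1185a9018129
    Fixed in: golang.org/x/net@v0.13.0
    Example traces found:
      #1: html.Render

Vulnerability #2: GO-2023-1987 Large RSA keys can cause high CPU usage in crypto/tls
  More info: https://pkg.go.dev/vuln/GO-2023-1987
  Standard library
    Found in: crypto/tls@go1.18.4
    Fixed in: crypto/tls@go1.21rc4
    Example traces found:
      #1: tls.Conn.Handshake

Vulnerability #13: GO-2023-1571 Denial of service via crafted HTTP/2 stream in net/http and golang.org/x/net
  More info: https://pkg.go.dev/vuln/GO-2023-1571
  Module: golang.org/x/net
    Found in: golang.org/x/net@v0.0.0-20220708220712-1185a9018129
    Fixed in: golang.org/x/net@v0.7.0
    Example traces found:
      #1: http2.ClientConn.Close
  Standard library
    Found in: net/http@go1.18.4
    Fixed in: net/http@go1.20.1
    Example traces found:
      #1: http.Client.Do

Vulnerability #18: GO-2022-1059 Denial of service via crafted Accept-Language header in golang.org/x/text/language
  More info: https://pkg.go.dev/vuln/GO-2022-1059
  Module: golang.org/x/text
    Found in: golang.org/x/text@v0.3.7
    Fixed in: golang.org/x/text@v0.3.8
    Example traces found:
      #1: language.ParseAcceptLanguage
"""

if __name__ == "__main__":
    toolchain, modules = triage(parse_govulncheck(SAMPLE_OUTPUT))
    print("rebuild with Go toolchain >=", toolchain)
    for module, version in sorted(modules.items()):
        print(f"bump {module} in go.mod to >= {version}")
```

Run it on the full attachment with `python3 triage.py < govulncheck.txt` after swapping `SAMPLE_OUTPUT` for `sys.stdin.read()`. On the constructed excerpt it reports a required toolchain of go1.21rc4 (driven by GO-2023-1987) and module bumps to golang.org/x/net v0.13.0 and golang.org/x/text v0.3.8, which is exactly the split between "rebuild with a newer Go" and "tag the updated version in go.mod" that the thread discusses.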