Hi,
I'll let the Go packagers answer authoritatively but as I'm currently
working on golang fixes I'd like to share a few points:
On 08/03/2021 22:48, Ola Lundqvist wrote:
> I have prepared a patch for CVE-2021-3121 described in:
> https://security-tracker.debian.org/tracker/CVE-2021-3121
> You can find the patch here:
> http://apt.inguza.net/stretch-lts/golang-gogoprotobuf/CVE-2021-3121-1.patch
> The patch is based on the following commit:
> https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc
> My conclusion is that the field function in stretch is unaffected. The
> reason is that there is no skippy check there at all in the stretch version.
> For the generate function the iNdEx check was not in place so I added
> it, similar to the patch.
> I do have a problem, and that is to check whether the code introduces
> some regression issue. Also since the CVE lacks a description of the
> effect of this problem I have little knowledge of what the result of
> this may be.
> Therefore I would highly appreciate a description of what this problem
> is and how to regression test the package.
This appears to be a tricky issue to fix.
First, due to static linking in Go, dependencies need to be rebuilt too,
but even then, the vulnerability lies in generated code.
(see below for a list of deps)
Then, the vulnerability appears to be a serialization issue but even the
netapp report is vague.
To test the fix, the package comes with a testsuite, though the original
patch includes dozens of testsuite changes (mostly regenerated files).
Then all the dependencies (that need a rebuild) do provide another way
to check if something broke.
It should be noted that golang* packages are supported in stretch but
come with limited support, not due to code generation but due to Go
static linking in the first place:
https://salsa.debian.org/debian/debian-security-support/-/blob/stretch/security-support-limited
If you do decide to support this package, I recently documented how to
find direct reverse build dependencies at:
https://wiki.debian.org/LTS/TestSuites/golang
$ dose-ceve --deb-native-arch=amd64 -r golang-github-gogo-protobuf-dev -T debsrc \
    debsrc:///var/lib/apt/lists/ftp.fr.debian.org_debian_dists_stretch_main_source_Sources \
    deb:///var/lib/apt/lists/ftp.fr.debian.org_debian_dists_stretch_main_binary-amd64_Packages \
    | grep-dctrl -n -s Package '' | sort -u
gobgp
golang-github-appc-goaci
golang-github-appc-spec
golang-github-mesos-mesos-go
influxdb
syncthing
(Note: this is not recursive.)
In addition, apt-file does provide a list of generated .pb.go files,
though it also includes those from "plain" protobuf (of which
gogoprotobuf is a fork) so not all are affected (the affected ones
should contain "skippy" somewhere):
# apt-file search .pb.go | cut -d: -f1 | sort -u
golang-github-appc-spec-dev
golang-github-gogo-protobuf-dev
golang-github-golang-groupcache-dev
golang-github-influxdb-influxdb-dev
golang-github-mesos-mesos-go-dev
golang-github-opencontainers-runc-dev
golang-github-osrg-gobgp-dev
golang-github-prometheus-alertmanager-dev
golang-github-prometheus-client-model-dev
golang-github-syncthing-syncthing-dev
golang-gomega-dev
golang-google-appengine-dev
golang-google-genproto-dev
golang-google-grpc-dev
golang-gopkg-dancannon-gorethink.v1-dev
golang-gopkg-dancannon-gorethink.v2-dev
golang-goprotobuf-dev
Cheers!
Sylvain
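Added example, not code from gogo/protobuf, the Debian patch or anyone in this thread: a simplified Go model of the unknown-field path in generated Unmarshal code (skip the field, then bounds-check iNdEx+skippy before copying it), written as the kind of regression test Ola asks for. The names skipField, unknownFieldEnd, hugeLengthField and ErrInvalidLength are assumed, the input is constructed, and the guard on iNdEx+skippy wrapping negative is the check the upstream commit adds.

```go
package main

import (
	"encoding/binary"
	"errors"
	"io"
	"math"
)

var ErrInvalidLength = errors.New("proto: negative length found during unmarshaling") // assumed name, modelled on generated ErrInvalidLengthX

// skipField: simplified stand-in for the generated skipX; returns the size of the
// field at dAtA[0] (tag + length varint + payload). Wire type 2 (length-delimited) assumed.
func skipField(dAtA []byte) (int, error) {
	_, n := binary.Uvarint(dAtA) // tag
	if n <= 0 {
		return 0, io.ErrUnexpectedEOF
	}
	u, m := binary.Uvarint(dAtA[n:]) // declared payload length
	if m <= 0 {
		return 0, io.ErrUnexpectedEOF
	}
	length := int(u) // generated code also accumulates the varint into an int
	if length < 0 {
		return 0, ErrInvalidLength
	}
	return n + m + length, nil // positive, but may sit right below MaxInt64
}

// unknownFieldEnd mirrors the unknown-field branch of generated Unmarshal: skip the
// field at iNdEx and bounds-check it before copying it out. withOverflowCheck=false
// is the pre-fix logic: iNdEx+skippy wraps negative and slips past the "> l" test.
func unknownFieldEnd(dAtA []byte, iNdEx int, withOverflowCheck bool) (int, error) {
	skippy, err := skipField(dAtA[iNdEx:])
	if err != nil {
		return 0, err
	}
	if skippy < 0 || (withOverflowCheck && iNdEx+skippy < 0) { // 2nd test = CVE-2021-3121 fix
		return 0, ErrInvalidLength
	}
	if iNdEx+skippy > len(dAtA) {
		return 0, io.ErrUnexpectedEOF
	}
	return iNdEx + skippy, nil // pre-fix: may be negative, and dAtA[iNdEx:end] then panics
}

// hugeLengthField builds a constructed input: prefix, then tag 0x0a (field 1, wire
// type 2) declaring MaxInt64-10 payload bytes, which makes skippy exactly MaxInt64.
func hugeLengthField(prefix []byte) []byte {
	var tmp [binary.MaxVarintLen64]byte
	n := binary.PutUvarint(tmp[:], uint64(math.MaxInt64-10))
	return append(append(append([]byte{}, prefix...), 0x0a), tmp[:n]...)
}
```

With the field starting at iNdEx 3, the pre-fix logic returns a negative end offset with no error, which is what a Go slice expression turns into an index-out-of-range panic; the fixed logic returns ErrInvalidLength instead.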