
Re: Request for vendored package: chezmoi dotfile manager



On Fri, 4 Aug 2023 at 19:48, Nilesh Patra <nilesh@debian.org> wrote:
On Fri, Aug 04, 2023 at 07:20:32PM +0200, Tom Payne wrote:
> On Thu, 3 Aug 2023 at 05:03, Nilesh Patra <nilesh@debian.org> wrote:
> > On Thu, Aug 03, 2023 at 01:28:44AM +0200, Tom Payne wrote:
> They're every month or so. For example, Go 1.19 has had twelve patch
> releases to address security problems since its release one year ago. Of
> course, not all of these affect chezmoi.
>
> Security problems in other dependencies are less frequent, maybe a few per
> year. I have a scheduled daily govulncheck run and fix problems as soon as
> I can, usually within a few hours.

so, allow me to clarify this -- where are the vulnerabilities usually
found?

a) In chezmoi code itself
b) In the dependencies of chezmoi
c) In the libraries vendored by chezmoi (i.e. in vendor/ directory if it
has one).

If it's "b" then I don't think you need to do much except for tagging
the CVE with updated version in go.mod.

Not all security problems get CVEs, and not all CVEs are security problems, but I was curious about the govulncheck output for version 2.19.0 of chezmoi, which was released about one year ago. govulncheck reports 23 vulnerabilities, 2 from modules, and the rest from the standard library. Output attached.

You can reproduce this output with the following commands:

  go install golang.org/x/vuln/cmd/govulncheck@latest
  curl -LO https://github.com/twpayne/chezmoi/releases/download/v2.19.0/chezmoi-linux-amd64
  govulncheck -mode=binary chezmoi-linux-amd64

As far as I know, there have been no code vulnerabilities in chezmoi itself. An astute user spotted a typo pointing to a domain squatting page in chezmoi's documentation (fixed in this commit within one hour of being reported). Vulnerabilities have been in the Go standard library and direct dependencies of chezmoi (golang.org/x/net and golang.org/x/text).

Running govulncheck on the latest release of chezmoi lists one vulnerability. This is already fixed in chezmoi, and will be included in the next release of chezmoi (likely this weekend or next) as it is unlikely to be exploited in practice.

> > If so, do note that the debian release cycle may have quirks with
> > the same. Debian is released once in ~2 years and the stable version
> > needs support for ~3 years. Except for very urgent cases, packages
> > are not updated in stable.
> >
> > If a security bug hits the version in stable, do you find it a possibility
> > to support backporting security patches?
> >
>
> Yes-ish. Go itself only supports security fixes up to ~1 year, so I'm not
> sure how chezmoi (or Debian) can do better than that. Are you backporting
> security fixes from Go 1.20.7 (which has a recent security fix) to Go 1.15
> (which was released ~3 years ago)?

Can you provide the exact CVE number you are referring to?

Example CVE numbers: CVE-2022-41723, CVE-2022-41724, CVE-2022-41725. You can find more by looking for the string "security" in the Go releases page, following the "milestone" link in the description. The GitHub issue titles include the CVE numbers.

> Would vendoring-in chezmoi's dependencies be sufficient from
> upstream (i.e. me)?

If the dependencies are very frequently updated, then _probably_ yes.
That said, since I did not dive deep into the package, I can't comment
with certainty. Maybe Ryan could chime in here?

Great! I'll prepare a PR and wait for Ryan's input.

Thank you again for this discussion,
Tom
Using govulncheck@v1.0.0 with vulnerability data from https://vuln.go.dev (last modified 2023-08-02 20:33:39 +0000 UTC).

Scanning your binary for known vulnerabilities...

Vulnerability #1: GO-2023-1988
    Improper rendering of text nodes in golang.org/x/net/html
  More info: https://pkg.go.dev/vuln/GO-2023-1988
  Module: golang.org/x/net
    Found in: golang.org/x/net@v0.0.0-20220708220712-1185a9018129
    Fixed in: golang.org/x/net@v0.13.0
    Example traces found:
      #1: html.Render

Vulnerability #2: GO-2023-1987
    Large RSA keys can cause high CPU usage in crypto/tls
  More info: https://pkg.go.dev/vuln/GO-2023-1987
  Standard library
    Found in: crypto/tls@go1.18.4
    Fixed in: crypto/tls@go1.21rc4
    Example traces found:
      #1: tls.Conn.Handshake
      #2: tls.Conn.HandshakeContext
      #3: tls.Conn.Read
      #4: tls.Conn.Write
      #5: tls.Dial
      #6: tls.DialWithDialer
      #7: tls.Dialer.Dial
      #8: tls.Dialer.DialContext

Vulnerability #3: GO-2023-1878
    Insufficient sanitization of Host header in net/http
  More info: https://pkg.go.dev/vuln/GO-2023-1878
  Standard library
    Found in: net/http@go1.18.4
    Fixed in: net/http@go1.20.6
    Example traces found:
      #1: http.Client.CloseIdleConnections
      #2: http.Client.Do
      #3: http.Client.Get
      #4: http.Client.Head
      #5: http.Client.Post
      #6: http.Client.PostForm
      #7: http.Get
      #8: http.Head
      #9: http.Post
      #10: http.PostForm
      #11: http.Request.Write
      #12: http.Request.WriteProxy
      #13: http.Transport.CancelRequest
      #14: http.Transport.CloseIdleConnections
      #15: http.Transport.RoundTrip

Vulnerability #4: GO-2023-1840
    Unsafe behavior in setuid/setgid binaries in runtime
  More info: https://pkg.go.dev/vuln/GO-2023-1840
  Standard library
    Found in: runtime@go1.18.4
    Fixed in: runtime@go1.20.5
    Example traces found:
      #1: runtime.runtime/*

Vulnerability #5: GO-2023-1753
    Improper handling of empty HTML attributes in html/template
  More info: https://pkg.go.dev/vuln/GO-2023-1753
  Standard library
    Found in: html/template@go1.18.4
    Fixed in: html/template@go1.20.4
    Example traces found:
      #1: template.Template.Execute
      #2: template.Template.ExecuteTemplate

Vulnerability #6: GO-2023-1752
    Improper handling of JavaScript whitespace in html/template
  More info: https://pkg.go.dev/vuln/GO-2023-1752
  Standard library
    Found in: html/template@go1.18.4
    Fixed in: html/template@go1.20.4
    Example traces found:
      #1: template.Template.Execute
      #2: template.Template.ExecuteTemplate

Vulnerability #7: GO-2023-1751
    Improper sanitization of CSS values in html/template
  More info: https://pkg.go.dev/vuln/GO-2023-1751
  Standard library
    Found in: html/template@go1.18.4
    Fixed in: html/template@go1.20.4
    Example traces found:
      #1: template.Template.Execute
      #2: template.Template.ExecuteTemplate

Vulnerability #8: GO-2023-1705
    Excessive resource consumption in net/http, net/textproto and mime/multipart
  More info: https://pkg.go.dev/vuln/GO-2023-1705
  Standard library
    Found in: mime/multipart@go1.18.4
    Fixed in: mime/multipart@go1.20.3
    Example traces found:
      #1: multipart.Reader.NextPart
      #2: multipart.Reader.NextRawPart
      #3: multipart.Reader.ReadForm
      #4: textproto.Reader.ReadMIMEHeader

Vulnerability #9: GO-2023-1704
    Excessive memory allocation in net/http and net/textproto
  More info: https://pkg.go.dev/vuln/GO-2023-1704
  Standard library
    Found in: net/textproto@go1.18.4
    Fixed in: net/textproto@go1.20.3
    Example traces found:
      #1: textproto.Reader.ReadMIMEHeader

Vulnerability #10: GO-2023-1703
    Backticks not treated as string delimiters in html/template
  More info: https://pkg.go.dev/vuln/GO-2023-1703
  Standard library
    Found in: html/template@go1.18.4
    Fixed in: html/template@go1.20.3
    Example traces found:
      #1: template.Template.Execute
      #2: template.Template.ExecuteTemplate

Vulnerability #11: GO-2023-1702
    Infinite loop in parsing in go/scanner
  More info: https://pkg.go.dev/vuln/GO-2023-1702
  Standard library
    Found in: go/scanner@go1.18.4
    Fixed in: go/scanner@go1.20.3
    Example traces found:
      #1: scanner.Scanner.Scan

Vulnerability #12: GO-2023-1621
    Incorrect calculation on P256 curves in crypto/internal/nistec
  More info: https://pkg.go.dev/vuln/GO-2023-1621
  Standard library
    Found in: crypto/internal/nistec@go1.18.4
    Fixed in: crypto/internal/nistec@go1.20.2
    Example traces found:
      #1: nistec.P256OrdInverse
      #2: nistec.P256Point.ScalarBaseMult
      #3: nistec.P256Point.ScalarMult

Vulnerability #13: GO-2023-1571
    Denial of service via crafted HTTP/2 stream in net/http and golang.org/x/net
  More info: https://pkg.go.dev/vuln/GO-2023-1571
  Module: golang.org/x/net
    Found in: golang.org/x/net@v0.0.0-20220708220712-1185a9018129
    Fixed in: golang.org/x/net@v0.7.0
    Example traces found:
      #1: http2.ClientConn.Close
      #2: http2.ClientConn.Ping
      #3: http2.ClientConn.RoundTrip
      #4: http2.ClientConn.Shutdown
      #5: http2.ConfigureServer
      #6: http2.ConfigureTransport
      #7: http2.ConfigureTransports
      #8: http2.ConnectionError.Error
      #9: http2.ErrCode.String
      #10: http2.FrameHeader.String
      #11: http2.FrameType.String
      #12: http2.FrameWriteRequest.String
      #13: http2.Framer.ReadFrame
      #14: http2.Framer.WriteContinuation
      #15: http2.Framer.WriteData
      #16: http2.Framer.WriteDataPadded
      #17: http2.Framer.WriteGoAway
      #18: http2.Framer.WriteHeaders
      #19: http2.Framer.WritePing
      #20: http2.Framer.WritePriority
      #21: http2.Framer.WritePushPromise
      #22: http2.Framer.WriteRSTStream
      #23: http2.Framer.WriteRawFrame
      #24: http2.Framer.WriteSettings
      #25: http2.Framer.WriteSettingsAck
      #26: http2.Framer.WriteWindowUpdate
      #27: http2.GoAwayError.Error
      #28: http2.ReadFrameHeader
      #29: http2.Server.ServeConn
      #30: http2.Setting.String
      #31: http2.SettingID.String
      #32: http2.SettingsFrame.ForeachSetting
      #33: http2.StreamError.Error
      #34: http2.Transport.CloseIdleConnections
      #35: http2.Transport.NewClientConn
      #36: http2.Transport.RoundTrip
      #37: http2.Transport.RoundTripOpt
      #38: http2.bufferedWriter.Flush
      #39: http2.bufferedWriter.Write
      #40: http2.chunkWriter.Write
      #41: http2.clientConnPool.GetClientConn
      #42: http2.connError.Error
      #43: http2.dataBuffer.Read
      #44: http2.duplicatePseudoHeaderError.Error
      #45: http2.gzipReader.Close
      #46: http2.gzipReader.Read
      #47: http2.headerFieldNameError.Error
      #48: http2.headerFieldValueError.Error
      #49: http2.noDialClientConnPool.GetClientConn
      #50: http2.noDialH2RoundTripper.RoundTrip
      #51: http2.pipe.Read
      #52: http2.priorityWriteScheduler.CloseStream
      #53: http2.priorityWriteScheduler.OpenStream
      #54: http2.pseudoHeaderError.Error
      #55: http2.requestBody.Close
      #56: http2.requestBody.Read
      #57: http2.responseWriter.Flush
      #58: http2.responseWriter.FlushError
      #59: http2.responseWriter.Push
      #60: http2.responseWriter.SetReadDeadline
      #61: http2.responseWriter.SetWriteDeadline
      #62: http2.responseWriter.Write
      #63: http2.responseWriter.WriteHeader
      #64: http2.responseWriter.WriteString
      #65: http2.serverConn.CloseConn
      #66: http2.serverConn.Flush
      #67: http2.stickyErrWriter.Write
      #68: http2.transportResponseBody.Close
      #69: http2.transportResponseBody.Read
      #70: http2.writeData.String
      #71: hpack.Decoder.DecodeFull
      #72: hpack.Decoder.Write

  Standard library
    Found in: net/http@go1.18.4
    Fixed in: net/http@go1.20.1
    Example traces found:
      #1: http.Client.Do
      #2: http.Client.Get
      #3: http.Client.Head
      #4: http.Client.Post
      #5: http.Client.PostForm
      #6: http.Get
      #7: http.Head
      #8: http.ListenAndServe
      #9: http.ListenAndServeTLS
      #10: http.Post
      #11: http.PostForm
      #12: http.Serve
      #13: http.ServeTLS
      #14: http.Server.ListenAndServe
      #15: http.Server.ListenAndServeTLS
      #16: http.Server.Serve
      #17: http.Server.ServeTLS
      #18: http.Transport.RoundTrip

Vulnerability #14: GO-2023-1570
    Panic on large handshake records in crypto/tls
  More info: https://pkg.go.dev/vuln/GO-2023-1570
  Standard library
    Found in: crypto/tls@go1.18.4
    Fixed in: crypto/tls@go1.20.1
    Example traces found:
      #1: tls.Conn.Handshake
      #2: tls.Conn.HandshakeContext
      #3: tls.Conn.Read
      #4: tls.Conn.Write
      #5: tls.ConnectionState.ExportKeyingMaterial
      #6: tls.Dial
      #7: tls.DialWithDialer
      #8: tls.Dialer.Dial
      #9: tls.Dialer.DialContext

Vulnerability #15: GO-2023-1569
    Excessive resource consumption in mime/multipart
  More info: https://pkg.go.dev/vuln/GO-2023-1569
  Standard library
    Found in: mime/multipart@go1.18.4
    Fixed in: mime/multipart@go1.20.1
    Example traces found:
      #1: multipart.Reader.ReadForm

Vulnerability #16: GO-2023-1495
    Request smuggling due to improper request handling in
    golang.org/x/net/http2/h2c
  More info: https://pkg.go.dev/vuln/GO-2023-1495
  Module: golang.org/x/net
    Found in: golang.org/x/net@v0.0.0-20220708220712-1185a9018129
    Fixed in: golang.org/x/net@v0.1.1-0.20221104162952-702349b0e862
    Example traces found:
      #1: h2c.h2cHandler.ServeHTTP

Vulnerability #17: GO-2022-1144
    Excessive memory growth in net/http and golang.org/x/net/http2
  More info: https://pkg.go.dev/vuln/GO-2022-1144
  Module: golang.org/x/net
    Found in: golang.org/x/net@v0.0.0-20220708220712-1185a9018129
    Fixed in: golang.org/x/net@v0.4.0
    Example traces found:
      #1: http2.Server.ServeConn

  Standard library
    Found in: net/http@go1.18.4
    Fixed in: net/http@go1.19.4
    Example traces found:
      #1: http.ListenAndServe
      #2: http.ListenAndServeTLS
      #3: http.Serve
      #4: http.ServeTLS
      #5: http.Server.ListenAndServe
      #6: http.Server.ListenAndServeTLS
      #7: http.Server.Serve
      #8: http.Server.ServeTLS
      #9: http.http2Server.ServeConn

Vulnerability #18: GO-2022-1059
    Denial of service via crafted Accept-Language header in
    golang.org/x/text/language
  More info: https://pkg.go.dev/vuln/GO-2022-1059
  Module: golang.org/x/text
    Found in: golang.org/x/text@v0.3.7
    Fixed in: golang.org/x/text@v0.3.8
    Example traces found:
      #1: language.MatchStrings
      #2: language.ParseAcceptLanguage

Vulnerability #19: GO-2022-1039
    Memory exhaustion when compiling regular expressions in regexp/syntax
  More info: https://pkg.go.dev/vuln/GO-2022-1039
  Standard library
    Found in: regexp/syntax@go1.18.4
    Fixed in: regexp/syntax@go1.19.2
    Example traces found:
      #1: syntax.Parse

Vulnerability #20: GO-2022-1038
    Incorrect sanitization of forwarded query parameters in net/http/httputil
  More info: https://pkg.go.dev/vuln/GO-2022-1038
  Standard library
    Found in: net/http/httputil@go1.18.4
    Fixed in: net/http/httputil@go1.19.2
    Example traces found:
      #1: httputil.ReverseProxy.ServeHTTP

Vulnerability #21: GO-2022-1037
    Unbounded memory consumption when reading headers in archive/tar
  More info: https://pkg.go.dev/vuln/GO-2022-1037
  Standard library
    Found in: archive/tar@go1.18.4
    Fixed in: archive/tar@go1.19.2
    Example traces found:
      #1: tar.Reader.Next
      #2: tar.Writer.WriteHeader

Vulnerability #22: GO-2022-0969
    Denial of service in net/http and golang.org/x/net/http2
  More info: https://pkg.go.dev/vuln/GO-2022-0969
  Module: golang.org/x/net
    Found in: golang.org/x/net@v0.0.0-20220708220712-1185a9018129
    Fixed in: golang.org/x/net@v0.0.0-20220906165146-f3363e06e74c
    Example traces found:
      #1: http2.Server.ServeConn

  Standard library
    Found in: net/http@go1.18.4
    Fixed in: net/http@go1.19.1
    Example traces found:
      #1: http.ListenAndServe
      #2: http.ListenAndServeTLS
      #3: http.Serve
      #4: http.ServeTLS
      #5: http.Server.ListenAndServe
      #6: http.Server.ListenAndServeTLS
      #7: http.Server.Serve
      #8: http.Server.ServeTLS
      #9: http.http2Server.ServeConn

Vulnerability #23: GO-2022-0537
    Panic when decoding Float and Rat types in math/big
  More info: https://pkg.go.dev/vuln/GO-2022-0537
  Standard library
    Found in: math/big@go1.18.4
    Fixed in: math/big@go1.18.5
    Example traces found:
      #1: big.Float.GobDecode
      #2: big.Rat.GobDecode

Your code is affected by 23 vulnerabilities from 2 modules and the Go standard library.

Share feedback at https://go.dev/s/govulncheck-feedback.
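One way to work with a report like the one attached above, as an added example that is not chezmoi's code or anything posted in this thread: a small Go program that parses govulncheck's text output into findings and their affected locations, so the standard-library entries can be told apart from module entries (the "where are the vulnerabilities found?" question), and then lists the standard-library findings whose "Fixed in" version is newer than a given toolchain (the backporting question). The embedded input is an abridged two-finding excerpt of the attachment; the version-ordering rule (a release candidate sorts below its .0 release), the "stdlib" pseudo-module name and the function names are assumptions of this example.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Location is one affected module inside a finding: Module is "stdlib" for the
// standard library, Fixed is the package@version printed after "Fixed in:".
type Location struct{ Module, Fixed string }

// Finding is one "Vulnerability #N" block of govulncheck's text output.
type Finding struct {
	ID        string
	Locations []Location
}

// ParseGovulncheck parses the human-readable output of "govulncheck -mode=binary"
// (the format of the attachment above); lines it does not recognise are ignored.
func ParseGovulncheck(out string) []Finding {
	var fs []Finding
	var cur *Finding
	var loc *Location
	for _, raw := range strings.Split(out, "\n") {
		line := strings.TrimSpace(raw)
		switch {
		case strings.HasPrefix(line, "Vulnerability #"): // "Vulnerability #2: GO-2023-1987"
			_, id, _ := strings.Cut(line, ": ")
			fs = append(fs, Finding{ID: id})
			cur, loc = &fs[len(fs)-1], nil
		case cur == nil: // preamble before the first finding
		case line == "Standard library":
			line = "Module: stdlib" // treat the standard library like a module named "stdlib"
			fallthrough
		case strings.HasPrefix(line, "Module: "):
			cur.Locations = append(cur.Locations, Location{Module: strings.TrimPrefix(line, "Module: ")})
			loc = &cur.Locations[len(cur.Locations)-1]
		case loc != nil && strings.HasPrefix(line, "Fixed in: "):
			loc.Fixed = strings.TrimPrefix(line, "Fixed in: ")
		}
	}
	return fs
}

// goVersionKey orders toolchain versions like Go does: go1.20.6 < go1.21rc4 < go1.21.0.
func goVersionKey(v string) int {
	v, final := strings.TrimPrefix(v, "go"), 1
	if i := strings.Index(v, "rc"); i >= 0 {
		v, final = v[:i], 0 // a release candidate sorts below its .0 release
	}
	var n [3]int
	for i, p := range strings.SplitN(v, ".", 3) {
		n[i], _ = strconv.Atoi(p) // non-numeric parts count as 0
	}
	return n[0]*1_000_000 + n[1]*1_000 + n[2]*2 + final
}

// StdlibUnfixedIn lists (sorted) the findings whose standard-library fix is newer than
// the given toolchain, i.e. the ones a binary rebuilt with that toolchain still carries.
func StdlibUnfixedIn(fs []Finding, toolchain string) []string {
	var ids []string
	for _, f := range fs {
		for _, l := range f.Locations {
			_, fixed, _ := strings.Cut(l.Fixed, "@")
			if l.Module == "stdlib" && goVersionKey(toolchain) < goVersionKey(fixed) {
				ids = append(ids, f.ID)
			}
		}
	}
	sort.Strings(ids)
	return ids
}

// sampleReport is an abridged excerpt (two of the 23 findings, trace lists removed)
// of the govulncheck output attached above, embedded so that the example runs offline.
const sampleReport = `Vulnerability #2: GO-2023-1987
    Large RSA keys can cause high CPU usage in crypto/tls
  More info: https://pkg.go.dev/vuln/GO-2023-1987
  Standard library
    Found in: crypto/tls@go1.18.4
    Fixed in: crypto/tls@go1.21rc4

Vulnerability #17: GO-2022-1144
    Excessive memory growth in net/http and golang.org/x/net/http2
  More info: https://pkg.go.dev/vuln/GO-2022-1144
  Module: golang.org/x/net
    Found in: golang.org/x/net@v0.0.0-20220708220712-1185a9018129
    Fixed in: golang.org/x/net@v0.4.0

  Standard library
    Found in: net/http@go1.18.4
    Fixed in: net/http@go1.19.4
`

func main() {
	fs := ParseGovulncheck(sampleReport)
	fmt.Printf("%d findings; %s is located in %v\n", len(fs), fs[1].ID, fs[1].Locations)
	fmt.Println("still present when rebuilt with go1.19.4:", StdlibUnfixedIn(fs, "go1.19.4"))
}
```

Run it with `go run` to see the parsed locations and the findings still present for a go1.19.4 rebuild. One caveat for the backporting question: the text output prints a single "Fixed in" version per location, whereas the vulnerability database entry behind each GO-ID (and the `govulncheck -json` output) records a fixed version for every release line that received the fix, so for an older toolchain line the comparison above is conservative and may list findings that line has already fixed.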
