On Fri, Aug 04, 2023 at 07:20:32PM +0200, Tom Payne wrote:
> On Thu, 3 Aug 2023 at 05:03, Nilesh Patra <nilesh@debian.org> wrote:
> > On Thu, Aug 03, 2023 at 01:28:44AM +0200, Tom Payne wrote:
> They're every month or so. For example, Go 1.19 has had twelve patch
> releases to address security problems since its release one year ago. Of
> course, not all of these affect chezmoi.
>
> Security problems in other dependencies are less frequent, maybe a few per
> year. I have a scheduled daily govulncheck run and fix problems as soon as
> I can, usually within a few hours.
So, allow me to clarify this -- where are the vulnerabilities usually
found?
a) In chezmoi code itself
b) In the dependencies of chezmoi
c) In the libraries vendored by chezmoi (i.e. in the vendor/ directory, if it
has one).
If it's "b", then I don't think you need to do much except tagging
the CVE with the updated version in go.mod.
> > If so, do note that the debian release cycle may have quirks with
> > the same. Debian is released once in ~2 years and the stable version
> > needs support for ~3 years. Except for very urgent cases, packages
> > are not updated in stable.
> >
> > If a security bug hits the version in stable, do you find it a possibility
> > to support backporting security patches?
> >
>
> Yes-ish. Go itself only supports security fixes up to ~1 year, so I'm not
> sure how chezmoi (or Debian) can do better than that. Are you backporting
> security fixes from Go 1.20.7 (which has a recent security fix) to Go 1.15
> (which was released ~3 years ago)?
Can you provide the exact CVE number you are referring to?
> Would vendoring-in chezmoi's dependencies be sufficient from
> upstream (i.e. me)?
If the dependencies are very frequently updated, then _probably_ yes.
That said, since I did not dive deep into the package, I can't comment
with certainty. Maybe Ryan could chime in here?
Using govulncheck@v1.0.0 with vulnerability data from https://vuln.go.dev (last modified 2023-08-02 20:33:39 +0000 UTC).

Scanning your binary for known vulnerabilities...

Vulnerability #1: GO-2023-1988
    Improper rendering of text nodes in golang.org/x/net/html
  More info: https://pkg.go.dev/vuln/GO-2023-1988
  Module: golang.org/x/net
    Found in: golang.org/x/net@v0.0.0-20220708220712-1185a9018129
    Fixed in: golang.org/x/net@v0.13.0
    Example traces found:
      #1: html.Render

Vulnerability #2: GO-2023-1987
    Large RSA keys can cause high CPU usage in crypto/tls
  More info: https://pkg.go.dev/vuln/GO-2023-1987
  Standard library
    Found in: crypto/tls@go1.18.4
    Fixed in: crypto/tls@go1.21rc4
    Example traces found:
      #1: tls.Conn.Handshake
      #2: tls.Conn.HandshakeContext
      #3: tls.Conn.Read
      #4: tls.Conn.Write
      #5: tls.Dial
      #6: tls.DialWithDialer
      #7: tls.Dialer.Dial
      #8: tls.Dialer.DialContext

Vulnerability #3: GO-2023-1878
    Insufficient sanitization of Host header in net/http
  More info: https://pkg.go.dev/vuln/GO-2023-1878
  Standard library
    Found in: net/http@go1.18.4
    Fixed in: net/http@go1.20.6
    Example traces found:
      #1: http.Client.CloseIdleConnections
      #2: http.Client.Do
      #3: http.Client.Get
      #4: http.Client.Head
      #5: http.Client.Post
      #6: http.Client.PostForm
      #7: http.Get
      #8: http.Head
      #9: http.Post
      #10: http.PostForm
      #11: http.Request.Write
      #12: http.Request.WriteProxy
      #13: http.Transport.CancelRequest
      #14: http.Transport.CloseIdleConnections
      #15: http.Transport.RoundTrip

Vulnerability #4: GO-2023-1840
    Unsafe behavior in setuid/setgid binaries in runtime
  More info: https://pkg.go.dev/vuln/GO-2023-1840
  Standard library
    Found in: runtime@go1.18.4
    Fixed in: runtime@go1.20.5
    Example traces found:
      #1: runtime.runtime/*

Vulnerability #5: GO-2023-1753
    Improper handling of empty HTML attributes in html/template
  More info: https://pkg.go.dev/vuln/GO-2023-1753
  Standard library
    Found in: html/template@go1.18.4
    Fixed in: html/template@go1.20.4
    Example traces found:
      #1: template.Template.Execute
      #2: template.Template.ExecuteTemplate

Vulnerability #6: GO-2023-1752
    Improper handling of JavaScript whitespace in html/template
  More info: https://pkg.go.dev/vuln/GO-2023-1752
  Standard library
    Found in: html/template@go1.18.4
    Fixed in: html/template@go1.20.4
    Example traces found:
      #1: template.Template.Execute
      #2: template.Template.ExecuteTemplate

Vulnerability #7: GO-2023-1751
    Improper sanitization of CSS values in html/template
  More info: https://pkg.go.dev/vuln/GO-2023-1751
  Standard library
    Found in: html/template@go1.18.4
    Fixed in: html/template@go1.20.4
    Example traces found:
      #1: template.Template.Execute
      #2: template.Template.ExecuteTemplate

Vulnerability #8: GO-2023-1705
    Excessive resource consumption in net/http, net/textproto and mime/multipart
  More info: https://pkg.go.dev/vuln/GO-2023-1705
  Standard library
    Found in: mime/multipart@go1.18.4
    Fixed in: mime/multipart@go1.20.3
    Example traces found:
      #1: multipart.Reader.NextPart
      #2: multipart.Reader.NextRawPart
      #3: multipart.Reader.ReadForm
      #4: textproto.Reader.ReadMIMEHeader

Vulnerability #9: GO-2023-1704
    Excessive memory allocation in net/http and net/textproto
  More info: https://pkg.go.dev/vuln/GO-2023-1704
  Standard library
    Found in: net/textproto@go1.18.4
    Fixed in: net/textproto@go1.20.3
    Example traces found:
      #1: textproto.Reader.ReadMIMEHeader

Vulnerability #10: GO-2023-1703
    Backticks not treated as string delimiters in html/template
  More info: https://pkg.go.dev/vuln/GO-2023-1703
  Standard library
    Found in: html/template@go1.18.4
    Fixed in: html/template@go1.20.3
    Example traces found:
      #1: template.Template.Execute
      #2: template.Template.ExecuteTemplate

Vulnerability #11: GO-2023-1702
    Infinite loop in parsing in go/scanner
  More info: https://pkg.go.dev/vuln/GO-2023-1702
  Standard library
    Found in: go/scanner@go1.18.4
    Fixed in: go/scanner@go1.20.3
    Example traces found:
      #1: scanner.Scanner.Scan

Vulnerability #12: GO-2023-1621
    Incorrect calculation on P256 curves in crypto/internal/nistec
  More info: https://pkg.go.dev/vuln/GO-2023-1621
  Standard library
    Found in: crypto/internal/nistec@go1.18.4
    Fixed in: crypto/internal/nistec@go1.20.2
    Example traces found:
      #1: nistec.P256OrdInverse
      #2: nistec.P256Point.ScalarBaseMult
      #3: nistec.P256Point.ScalarMult

Vulnerability #13: GO-2023-1571
    Denial of service via crafted HTTP/2 stream in net/http and golang.org/x/net
  More info: https://pkg.go.dev/vuln/GO-2023-1571
  Module: golang.org/x/net
    Found in: golang.org/x/net@v0.0.0-20220708220712-1185a9018129
    Fixed in: golang.org/x/net@v0.7.0
    Example traces found:
      #1: http2.ClientConn.Close
      #2: http2.ClientConn.Ping
      #3: http2.ClientConn.RoundTrip
      #4: http2.ClientConn.Shutdown
      #5: http2.ConfigureServer
      #6: http2.ConfigureTransport
      #7: http2.ConfigureTransports
      #8: http2.ConnectionError.Error
      #9: http2.ErrCode.String
      #10: http2.FrameHeader.String
      #11: http2.FrameType.String
      #12: http2.FrameWriteRequest.String
      #13: http2.Framer.ReadFrame
      #14: http2.Framer.WriteContinuation
      #15: http2.Framer.WriteData
      #16: http2.Framer.WriteDataPadded
      #17: http2.Framer.WriteGoAway
      #18: http2.Framer.WriteHeaders
      #19: http2.Framer.WritePing
      #20: http2.Framer.WritePriority
      #21: http2.Framer.WritePushPromise
      #22: http2.Framer.WriteRSTStream
      #23: http2.Framer.WriteRawFrame
      #24: http2.Framer.WriteSettings
      #25: http2.Framer.WriteSettingsAck
      #26: http2.Framer.WriteWindowUpdate
      #27: http2.GoAwayError.Error
      #28: http2.ReadFrameHeader
      #29: http2.Server.ServeConn
      #30: http2.Setting.String
      #31: http2.SettingID.String
      #32: http2.SettingsFrame.ForeachSetting
      #33: http2.StreamError.Error
      #34: http2.Transport.CloseIdleConnections
      #35: http2.Transport.NewClientConn
      #36: http2.Transport.RoundTrip
      #37: http2.Transport.RoundTripOpt
      #38: http2.bufferedWriter.Flush
      #39: http2.bufferedWriter.Write
      #40: http2.chunkWriter.Write
      #41: http2.clientConnPool.GetClientConn
      #42: http2.connError.Error
      #43: http2.dataBuffer.Read
      #44: http2.duplicatePseudoHeaderError.Error
      #45: http2.gzipReader.Close
      #46: http2.gzipReader.Read
      #47: http2.headerFieldNameError.Error
      #48: http2.headerFieldValueError.Error
      #49: http2.noDialClientConnPool.GetClientConn
      #50: http2.noDialH2RoundTripper.RoundTrip
      #51: http2.pipe.Read
      #52: http2.priorityWriteScheduler.CloseStream
      #53: http2.priorityWriteScheduler.OpenStream
      #54: http2.pseudoHeaderError.Error
      #55: http2.requestBody.Close
      #56: http2.requestBody.Read
      #57: http2.responseWriter.Flush
      #58: http2.responseWriter.FlushError
      #59: http2.responseWriter.Push
      #60: http2.responseWriter.SetReadDeadline
      #61: http2.responseWriter.SetWriteDeadline
      #62: http2.responseWriter.Write
      #63: http2.responseWriter.WriteHeader
      #64: http2.responseWriter.WriteString
      #65: http2.serverConn.CloseConn
      #66: http2.serverConn.Flush
      #67: http2.stickyErrWriter.Write
      #68: http2.transportResponseBody.Close
      #69: http2.transportResponseBody.Read
      #70: http2.writeData.String
      #71: hpack.Decoder.DecodeFull
      #72: hpack.Decoder.Write
  Standard library
    Found in: net/http@go1.18.4
    Fixed in: net/http@go1.20.1
    Example traces found:
      #1: http.Client.Do
      #2: http.Client.Get
      #3: http.Client.Head
      #4: http.Client.Post
      #5: http.Client.PostForm
      #6: http.Get
      #7: http.Head
      #8: http.ListenAndServe
      #9: http.ListenAndServeTLS
      #10: http.Post
      #11: http.PostForm
      #12: http.Serve
      #13: http.ServeTLS
      #14: http.Server.ListenAndServe
      #15: http.Server.ListenAndServeTLS
      #16: http.Server.Serve
      #17: http.Server.ServeTLS
      #18: http.Transport.RoundTrip

Vulnerability #14: GO-2023-1570
    Panic on large handshake records in crypto/tls
  More info: https://pkg.go.dev/vuln/GO-2023-1570
  Standard library
    Found in: crypto/tls@go1.18.4
    Fixed in: crypto/tls@go1.20.1
    Example traces found:
      #1: tls.Conn.Handshake
      #2: tls.Conn.HandshakeContext
      #3: tls.Conn.Read
      #4: tls.Conn.Write
      #5: tls.ConnectionState.ExportKeyingMaterial
      #6: tls.Dial
      #7: tls.DialWithDialer
      #8: tls.Dialer.Dial
      #9: tls.Dialer.DialContext

Vulnerability #15: GO-2023-1569
    Excessive resource consumption in mime/multipart
  More info: https://pkg.go.dev/vuln/GO-2023-1569
  Standard library
    Found in: mime/multipart@go1.18.4
    Fixed in: mime/multipart@go1.20.1
    Example traces found:
      #1: multipart.Reader.ReadForm

Vulnerability #16: GO-2023-1495
    Request smuggling due to improper request handling in golang.org/x/net/http2/h2c
  More info: https://pkg.go.dev/vuln/GO-2023-1495
  Module: golang.org/x/net
    Found in: golang.org/x/net@v0.0.0-20220708220712-1185a9018129
    Fixed in: golang.org/x/net@v0.1.1-0.20221104162952-702349b0e862
    Example traces found:
      #1: h2c.h2cHandler.ServeHTTP

Vulnerability #17: GO-2022-1144
    Excessive memory growth in net/http and golang.org/x/net/http2
  More info: https://pkg.go.dev/vuln/GO-2022-1144
  Module: golang.org/x/net
    Found in: golang.org/x/net@v0.0.0-20220708220712-1185a9018129
    Fixed in: golang.org/x/net@v0.4.0
    Example traces found:
      #1: http2.Server.ServeConn
  Standard library
    Found in: net/http@go1.18.4
    Fixed in: net/http@go1.19.4
    Example traces found:
      #1: http.ListenAndServe
      #2: http.ListenAndServeTLS
      #3: http.Serve
      #4: http.ServeTLS
      #5: http.Server.ListenAndServe
      #6: http.Server.ListenAndServeTLS
      #7: http.Server.Serve
      #8: http.Server.ServeTLS
      #9: http.http2Server.ServeConn

Vulnerability #18: GO-2022-1059
    Denial of service via crafted Accept-Language header in golang.org/x/text/language
  More info: https://pkg.go.dev/vuln/GO-2022-1059
  Module: golang.org/x/text
    Found in: golang.org/x/text@v0.3.7
    Fixed in: golang.org/x/text@v0.3.8
    Example traces found:
      #1: language.MatchStrings
      #2: language.ParseAcceptLanguage

Vulnerability #19: GO-2022-1039
    Memory exhaustion when compiling regular expressions in regexp/syntax
  More info: https://pkg.go.dev/vuln/GO-2022-1039
  Standard library
    Found in: regexp/syntax@go1.18.4
    Fixed in: regexp/syntax@go1.19.2
    Example traces found:
      #1: syntax.Parse

Vulnerability #20: GO-2022-1038
    Incorrect sanitization of forwarded query parameters in net/http/httputil
  More info: https://pkg.go.dev/vuln/GO-2022-1038
  Standard library
    Found in: net/http/httputil@go1.18.4
    Fixed in: net/http/httputil@go1.19.2
    Example traces found:
      #1: httputil.ReverseProxy.ServeHTTP

Vulnerability #21: GO-2022-1037
    Unbounded memory consumption when reading headers in archive/tar
  More info: https://pkg.go.dev/vuln/GO-2022-1037
  Standard library
    Found in: archive/tar@go1.18.4
    Fixed in: archive/tar@go1.19.2
    Example traces found:
      #1: tar.Reader.Next
      #2: tar.Writer.WriteHeader

Vulnerability #22: GO-2022-0969
    Denial of service in net/http and golang.org/x/net/http2
  More info: https://pkg.go.dev/vuln/GO-2022-0969
  Module: golang.org/x/net
    Found in: golang.org/x/net@v0.0.0-20220708220712-1185a9018129
    Fixed in: golang.org/x/net@v0.0.0-20220906165146-f3363e06e74c
    Example traces found:
      #1: http2.Server.ServeConn
  Standard library
    Found in: net/http@go1.18.4
    Fixed in: net/http@go1.19.1
    Example traces found:
      #1: http.ListenAndServe
      #2: http.ListenAndServeTLS
      #3: http.Serve
      #4: http.ServeTLS
      #5: http.Server.ListenAndServe
      #6: http.Server.ListenAndServeTLS
      #7: http.Server.Serve
      #8: http.Server.ServeTLS
      #9: http.http2Server.ServeConn

Vulnerability #23: GO-2022-0537
    Panic when decoding Float and Rat types in math/big
  More info: https://pkg.go.dev/vuln/GO-2022-0537
  Standard library
    Found in: math/big@go1.18.4
    Fixed in: math/big@go1.18.5
    Example traces found:
      #1: big.Float.GobDecode
      #2: big.Rat.GobDecode

Your code is affected by 23 vulnerabilities from 2 modules and the Go standard library.

Share feedback at https://go.dev/s/govulncheck-feedback.
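The report above answers the a/b/c question by its own layout: each finding is tagged either "Module: ..." (a third-party dependency, fixable by bumping go.mod) or "Standard library" (fixable only by rebuilding with a newer Go toolchain), and most of the 23 findings fall in the second group. The Go program below is an added example, not code from the thread, from chezmoi or from govulncheck; it parses that text layout (assumed to be govulncheck v1.0.0's, as quoted above) and reduces it to what a packager needs: how many affected sections sit in the standard library versus modules, and the oldest Go release that carries every standard library fix. The embedded sample is a constructed excerpt built from three of the findings quoted above, with trace lists trimmed; the function and type names are this example's own.

```go
package main

import (
	"fmt"
	"strings"
)

// Affected is one "Module: ..." or "Standard library" section under a finding;
// GO-2023-1571 in the thread's report has one of each.
type Affected struct {
	Stdlib  bool
	Module  string // module path; empty when Stdlib is true
	FixedIn string // e.g. net/http@go1.20.1
}

// Finding is one "Vulnerability #N: GO-YYYY-NNNN" entry.
type Finding struct {
	ID       string
	Affected []Affected
}

// ParseGovulncheck reads govulncheck v1.0.0 text output line by line; the summary,
// "More info:", "Found in:" and trace lines are not needed here and are skipped.
func ParseGovulncheck(out string) []*Finding {
	var fs []*Finding
	var cur *Finding
	var aff *Affected
	for _, raw := range strings.Split(out, "\n") {
		line := strings.TrimSpace(raw)
		switch {
		case strings.HasPrefix(line, "Vulnerability #"):
			_, id, _ := strings.Cut(line, ": ")
			cur, aff = &Finding{ID: id}, nil
			fs = append(fs, cur)
		case cur != nil && (strings.HasPrefix(line, "Module: ") || line == "Standard library"):
			a := Affected{Stdlib: line == "Standard library"}
			if !a.Stdlib {
				a.Module = strings.TrimPrefix(line, "Module: ")
			}
			cur.Affected = append(cur.Affected, a)
			aff = &cur.Affected[len(cur.Affected)-1]
		case aff != nil && strings.HasPrefix(line, "Fixed in: "):
			aff.FixedIn = strings.TrimPrefix(line, "Fixed in: ")
		}
	}
	return fs
}

// goKey makes "go1.20.6"-style versions comparable as integers; a release
// candidate such as "go1.21rc4" sorts below the final "go1.21.0".
func goKey(v string) int {
	var minor, patch, rc int
	if _, err := fmt.Sscanf(v, "go1.%d.%d", &minor, &patch); err != nil {
		fmt.Sscanf(v, "go1.%drc%d", &minor, &rc) // patch slot 0 marks a pre-release
		return minor*1_000_000 + rc
	}
	return minor*1_000_000 + (patch+1)*1000
}

// TriageReport returns what a packager wants from the report: how many affected
// sections sit in the standard library versus third-party modules, and the oldest
// Go release carrying every standard library fix (the newest stdlib "Fixed in").
func TriageReport(fs []*Finding) (stdlib, modules int, minGo string) {
	for _, f := range fs {
		for _, a := range f.Affected {
			if !a.Stdlib {
				modules++
				continue
			}
			stdlib++
			if _, v, _ := strings.Cut(a.FixedIn, "@"); goKey(v) > goKey(minGo) {
				minGo = v
			}
		}
	}
	return
}

// sampleReport is a constructed excerpt in govulncheck's layout, built from three
// of the findings quoted in the thread (trace lists trimmed).
const sampleReport = `Vulnerability #1: GO-2023-1988
    Improper rendering of text nodes in golang.org/x/net/html
  Module: golang.org/x/net
    Found in: golang.org/x/net@v0.0.0-20220708220712-1185a9018129
    Fixed in: golang.org/x/net@v0.13.0
    Example traces found:
      #1: html.Render
Vulnerability #2: GO-2023-1987
    Large RSA keys can cause high CPU usage in crypto/tls
  Standard library
    Found in: crypto/tls@go1.18.4
    Fixed in: crypto/tls@go1.21rc4
Vulnerability #3: GO-2023-1571
    Denial of service via crafted HTTP/2 stream in net/http and golang.org/x/net
  Module: golang.org/x/net
    Found in: golang.org/x/net@v0.0.0-20220708220712-1185a9018129
    Fixed in: golang.org/x/net@v0.7.0
  Standard library
    Found in: net/http@go1.18.4
    Fixed in: net/http@go1.20.1`
```

Run over the sample, TriageReport reports two standard-library sections, two module sections and a minimum toolchain of go1.21rc4; fed the full report above it would show the same pattern at scale, which is the point for a stable distribution: bumping go.mod only closes the "Module:" entries, while the "Standard library" entries are closed by whichever Go the package is rebuilt with. Versions are compared with a small toolchain-specific key rather than semver, because govulncheck prints them as go1.X.Y or go1.XrcN.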