Re: [pkg-golang-devel] [SECURITY] [DLA 1664-1] golang security update

To: Emilio Pozuelo Monfort <pochu@debian.org>
Cc: Chris Lamb <lamby@debian.org>, "Dr. Tobias Quathamer" <toddy@debian.org>, Go Compiler Team <pkg-golang-devel@lists.alioth.debian.org>, debian-lts@lists.debian.org, team@security.debian.org
Subject: Re: [pkg-golang-devel] [SECURITY] [DLA 1664-1] golang security update
From: Michael Hudson-Doyle <michael.hudson@canonical.com>
Date: Mon, 11 Feb 2019 22:13:01 +1300
Message-id: <[🔎] CAJ8wqteAH338xOP1MbvmLOLXtnTUT_vLvpK0VuQ8PY6DvjC85w@mail.gmail.com>
In-reply-to: <[🔎] d3303d26-b10b-5ec5-6c4e-8c88ccf308c2@debian.org>
References: <1549487846.1383386.1652418456.3E7F3504@webmail.messagingengine.com> <[🔎] 87sgx0czxg.fsf@curie.anarc.at> <[🔎] 1549492932.1416963.1652472560.7AF26085@webmail.messagingengine.com> <[🔎] 20190206232434.kkewmke2k4nvzchc@layer-acht.org> <[🔎] 20190208080249.GA1565@eldamar.local> <[🔎] 20190208112430.asu5lh3alyb7ze43@layer-acht.org> <[🔎] 1549639248.842811.1653755776.05F5FF4D@webmail.messagingengine.com> <[🔎] af840525-22d9-63c8-a227-bd9273042ef6@debian.org> <[🔎] 1549643465.1570497.1653807240.011EC3B6@webmail.messagingengine.com> <[🔎] 7af43752-2b38-e494-5063-e0fb6a14b247@debian.org> <[🔎] 039422b7-31fa-e1f4-88ca-dae6ac153026@debian.org> <[🔎] 1549873480.2443213.1655316832.1771B62E@webmail.messagingengine.com> <[🔎] d3303d26-b10b-5ec5-6c4e-8c88ccf308c2@debian.org>

On Mon, 11 Feb 2019 at 21:28, Emilio Pozuelo Monfort <pochu@debian.org> wrote:

On 11/02/2019 09:24, Chris Lamb wrote:
> Hi Tobias,
>
>> The remaining packages on the list maybe need a rebuild for jessie:
>>
>> aptly
>> direnv
>> golang-bindata
>> golang-gogoprotobuf
>> golang-goprotobuf
>> heartbleeder
>> kxd
>> ngrok
>> obfs4proxy
>> pt-websocket
>> slt
>
> Great stuff — thanks for this. LTS team, just as a sanity check;
> uploading each of these with "dpkg-buildpackage -S […]" should be
> sufficient, right?

Erm, why -S ? You need a source+binary upload, as usual.

Also, can't we reduce this list further? Are all those packages using the crypto
module? Or is there no easy way to determine that?

It is possible using 'go list' to be certain about transitive dependencies of the modules being compiled, but it's not super easy to get into the position of being able to use it. For a package that uses dh-golang straightforwardly like heartbleeder, I did this:

1) built it using sbuild -p never

2) entered the session for the build

3) cd-ed to the build directory

4) extracfed the "go import path" for the package:

(sid-amd64)root@ringil:/build/heartbleeder-MCxoon/heartbleeder-0.1.1# grep -i ^xs-go-import-path debian/control

XS-Go-Import-Path: github.com/titanous/heartbleeder

5) found the packages that build binaries:

(sid-amd64)root@ringil:/build/heartbleeder-MCxoon/heartbleeder-0.1.1# GOPATH=$(pwd)/obj-x86_64-linux-gnu/ go list -f '{{ if eq .Name "main" }}{{.ImportPath}}{{end}}' github.com/titanous/heartbleeder/... > packages-making-executables

6) found the packages that these packages depend on:

(sid-amd64)root@ringil:/build/heartbleeder-MCxoon/heartbleeder-0.1.1# GOPATH=$(pwd)/obj-x86_64-linux-gnu/ go list -f '{{ range .Deps }}{{ . }}

{{end}}' $(cat packages-making-executables ) | sort | uniq > dependencies

7) looked for crypto/elliptic in this list:

(sid-amd64)root@ringil:/build/heartbleeder-MCxoon/heartbleeder-0.1.1# grep crypto/elliptic dependencies

crypto/elliptic

So looks like heartbleeder should be rebuilt.

The dh_golang script in dh-golang is in a much better position to get this information at package build time and store it ... somewhere. But I've no idea where and of course that's a solution for the next CVE, not this one.

Cheers,

mwh

Reply to:

References:
- Re: [SECURITY] [DLA 1664-1] golang security update
  - From: Antoine Beaupré <anarcat@orangeseeds.org>
- Re: [SECURITY] [DLA 1664-1] golang security update
  - From: Chris Lamb <lamby@debian.org>
- Re: [SECURITY] [DLA 1664-1] golang security update
  - From: Holger Levsen <holger@layer-acht.org>
- Re: [SECURITY] [DLA 1664-1] golang security update
  - From: Salvatore Bonaccorso <carnil@debian.org>
- Re: [SECURITY] [DLA 1664-1] golang security update
  - From: Holger Levsen <holger@layer-acht.org>
- Re: [SECURITY] [DLA 1664-1] golang security update
  - From: Chris Lamb <lamby@debian.org>
- Re: [pkg-golang-devel] [SECURITY] [DLA 1664-1] golang security update
  - From: "Dr. Tobias Quathamer" <toddy@debian.org>
- Re: [pkg-golang-devel] [SECURITY] [DLA 1664-1] golang security update
  - From: Chris Lamb <lamby@debian.org>
- Re: [pkg-golang-devel] [SECURITY] [DLA 1664-1] golang security update
  - From: "Dr. Tobias Quathamer" <toddy@debian.org>
- Re: [pkg-golang-devel] [SECURITY] [DLA 1664-1] golang security update
  - From: "Dr. Tobias Quathamer" <toddy@debian.org>
- Re: [pkg-golang-devel] [SECURITY] [DLA 1664-1] golang security update
  - From: Chris Lamb <lamby@debian.org>
- Re: [pkg-golang-devel] [SECURITY] [DLA 1664-1] golang security update
  - From: Emilio Pozuelo Monfort <pochu@debian.org>

Prev by Date: Re: PHP 5.6.40 on Jessie
Next by Date: Re: Bug#921663: Please add python-certbot update to jessie-backports
Previous by thread: Re: [pkg-golang-devel] [SECURITY] [DLA 1664-1] golang security update
Next by thread: Re: [pkg-golang-devel] [SECURITY] [DLA 1664-1] golang security update
Index(es):
- Date
- Thread