[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: golang-go.crypto / CVE-2019-11841

Emilio Pozuelo Monfort <pochu@debian.org> writes:

> I would look for an automated way to do this. E.g. by downloading and inspecting 
> the binaries to see if they have the affected code.

Hmmm. Good idea in theory, but not sure how to do this in practise.

I tried building two copies of acmetool, and comparing, but it looks
like go builds are not yet reproducible.

There is the known issue that the build path is encoded in the result.

But I am getting other differences too.

Hmm. But it looks like /usr/bin/acmetool contains strings such as:


This looks like a source file.

Wonder if it is possible to extract a list of all source files that were
used to build acmetool...

So far not getting anywhere with "readelf". But maybe "strings" might be
Brian May <bam@debian.org>

Reply to: