[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: golang-go.crypto / CVE-2019-11841

Brian May <bam@debian.org> writes:

> Package: acmetool
> Package: chasquid
> Package: coyim
> Package: go-wire
> Package: gocryptfs
> Package: golang-github-azure-azure-sdk-for-go
> Package: golang-github-azure-go-autorest
> Package: golang-github-azure-go-ntlmssp
> Package: golang-github-bowery-prompt
> Package: golang-github-coreos-ioprogress
> Package: golang-github-coreos-pkg
> Package: golang-github-elithrar-simple-scrypt
> Package: golang-github-endophage-gotuf
> Package: golang-github-howeyc-gopass
> Package: golang-github-kisom-goutils
> Package: golang-github-pkg-sftp
> Package: golang-github-rackspace-gophercloud
> Package: golang-github-weaveworks-mesh
> Package: golang-github-xenolf-lego
> Package: golang-github-xordataexchange-crypt
> Package: golang-golang-x-net-dev
> Package: golang-gopkg-dancannon-gorethink.v2
> Package: golang-gopkg-macaroon.v1
> Package: govendor
> Package: influxdb
> Package: mongo-tools
> Package: packer
> Package: rclone
> Package: restic
> Package: snapd
> Package: syncthing
> Package: tendermint-ed25519
> Package: tendermint-go-merkle
> Package: golang-ed25519-dev
> Package: golang-github-bradfitz-http2
> Package: golang-github-endophage-gotuf
> Package: golang-pault-go-debian
> Package: influxdb
> Package: obfs4proxy
> Package: pluginhook

I downloaded all binary packages associated with these source packages
and ran the following script:

(for simplicity I commented out the line that calls my script from
https://github.com/brianmay/bampkgbuild/ that uses docker to Download
the required files)

=== cut ===
#!/bin/sh
set -e
set -x

# PATH="$HOME/tree/personal/bampkgbuild:$PATH"
# download --architecture amd64 --distribution stretch --download binaries -- "$@" >&2

# Create a temporary directory and store its name in a variable ...
TMPDIR=$(mktemp -d)

# Bail out if the temp directory wasn't created successfully.
if [ ! -e $TMPDIR ]; then
    echo "Failed to create temp directory" >&2
    exit 1
fi

# Make sure it gets removed even if the script exits abnormally.
trap "exit 1"           HUP INT PIPE QUIT TERM
trap 'rm -rf "$TMPDIR"' EXIT

for i in *.deb; do
    rm -rf "$TMPDIR"
    dpkg-deb --raw-extract "$i" "$TMPDIR" >&2

    HIT=""
    if grep -qr 'src/golang.org/x/crypto/salsa20' -- $TMPDIR >&2; then
        HIT="salsa20 $HIT"
    fi
    if grep -qr 'src/golang.org/x/crypto/openpgp/clearsign' -- $TMPDIR >&2; then
        HIT="openpgp/clearsign $HIT"
    fi
    if grep -qr 'src/golang.org/x/crypto/ssh/keys' -- $TMPDIR >&2; then
        HIT="ssh/keys $HIT"
    fi

    if test -n "$HIT"; then
        echo "Package $i needs rebuilding" >&2
        source="$(dpkg-deb -f "$i" Package)"
        if test -z "$source"; then
            source="$(dpkg-deb -f "$i" Package)"
        fi
        echo "$source $HIT"
    fi
done
=== cut ===

This produced the following output to STDOUT:

=== cut ===
obfs4proxy salsa20 
packer ssh/keys 
rclone salsa20 
restic ssh/keys 
snapd salsa20
=== cut ===

So I believe this is the list of packages that need to be rebuilt.
-- 
Brian May <bam@debian.org>
Reply to: