Re: golang-go.crypto / CVE-2019-11841
- To: Emilio Pozuelo Monfort <pochu@debian.org>, Utkarsh Gupta <utkarsh@debian.org>
- Cc: Ola Lundqvist <ola@inguza.com>, Debian LTS <debian-lts@lists.debian.org>
- Subject: Re: golang-go.crypto / CVE-2019-11841
- From: Brian May <bam@debian.org>
- Date: Thu, 05 Nov 2020 09:19:45 +1100
- Message-id: <87k0v0g3y6.fsf@canidae.wired.pri>
- In-reply-to: <87lfgggxw5.fsf@canidae.wired.pri>
Brian May <bam@debian.org> writes:
> Package: acmetool
> Package: chasquid
> Package: coyim
> Package: go-wire
> Package: gocryptfs
> Package: golang-github-azure-azure-sdk-for-go
> Package: golang-github-azure-go-autorest
> Package: golang-github-azure-go-ntlmssp
> Package: golang-github-bowery-prompt
> Package: golang-github-coreos-ioprogress
> Package: golang-github-coreos-pkg
> Package: golang-github-elithrar-simple-scrypt
> Package: golang-github-endophage-gotuf
> Package: golang-github-howeyc-gopass
> Package: golang-github-kisom-goutils
> Package: golang-github-pkg-sftp
> Package: golang-github-rackspace-gophercloud
> Package: golang-github-weaveworks-mesh
> Package: golang-github-xenolf-lego
> Package: golang-github-xordataexchange-crypt
> Package: golang-golang-x-net-dev
> Package: golang-gopkg-dancannon-gorethink.v2
> Package: golang-gopkg-macaroon.v1
> Package: govendor
> Package: influxdb
> Package: mongo-tools
> Package: packer
> Package: rclone
> Package: restic
> Package: snapd
> Package: syncthing
> Package: tendermint-ed25519
> Package: tendermint-go-merkle
> Package: golang-ed25519-dev
> Package: golang-github-bradfitz-http2
> Package: golang-github-endophage-gotuf
> Package: golang-pault-go-debian
> Package: influxdb
> Package: obfs4proxy
> Package: pluginhook
I downloaded all binary packages associated with these source packages
and ran the following script:
(for simplicity I commented out the line that calls my script from
https://github.com/brianmay/bampkgbuild/ that uses docker to download
the required files)
=== cut ===
#!/bin/sh
set -e
set -x
# PATH="$HOME/tree/personal/bampkgbuild:$PATH"
# download --architecture amd64 --distribution stretch --download binaries -- "$@" >&2

# Create a temporary directory and store its name in a variable ...
TMPDIR=$(mktemp -d)

# Bail out if the temp directory wasn't created successfully.
if [ ! -e "$TMPDIR" ]; then
    echo "Failed to create temp directory" >&2
    exit 1
fi

# Make sure it gets removed even if the script exits abnormally.
trap "exit 1" HUP INT PIPE QUIT TERM
trap 'rm -rf "$TMPDIR"' EXIT

for i in *.deb; do
    # Start from an empty tree; dpkg-deb recreates the target directory.
    rm -rf "$TMPDIR"
    dpkg-deb --raw-extract "$i" "$TMPDIR" >&2

    # Record which of the affected golang.org/x/crypto subpackages have
    # their source paths present anywhere in the package contents.
    HIT=""
    if grep -qr 'src/golang.org/x/crypto/salsa20' -- "$TMPDIR" >&2; then
        HIT="salsa20 $HIT"
    fi
    if grep -qr 'src/golang.org/x/crypto/openpgp/clearsign' -- "$TMPDIR" >&2; then
        HIT="openpgp/clearsign $HIT"
    fi
    if grep -qr 'src/golang.org/x/crypto/ssh/keys' -- "$TMPDIR" >&2; then
        HIT="ssh/keys $HIT"
    fi

    if test -n "$HIT"; then
        echo "Package $i needs rebuilding" >&2
        # Prefer the Source field; it may carry a version in parentheses,
        # so keep only the name.
        source="$(dpkg-deb -f "$i" Source)"
        source="${source%% *}"
        # Source is normally omitted when it matches the binary package
        # name, so fall back to Package.
        if test -z "$source"; then
            source="$(dpkg-deb -f "$i" Package)"
        fi
        echo "$source $HIT"
    fi
done
=== cut ===
This produced the following output to STDOUT:
=== cut ===
obfs4proxy salsa20
packer ssh/keys
rclone salsa20
restic ssh/keys
snapd salsa20
=== cut ===
So I believe this is the list of packages that need to be rebuilt.
--
Brian May <bam@debian.org>