Re: golang-go.crypto / CVE-2019-11841

To: Emilio Pozuelo Monfort <pochu@debian.org>, Utkarsh Gupta <utkarsh@debian.org>
Cc: Ola Lundqvist <ola@inguza.com>, Debian LTS <debian-lts@lists.debian.org>, Adrian Bunk <bunk@debian.org>
Subject: Re: golang-go.crypto / CVE-2019-11841
From: Brian May <bam@debian.org>
Date: Mon, 12 Oct 2020 09:31:36 +1100
Message-id: <[🔎] 87h7r04con.fsf@canidae.wired.pri>
In-reply-to: <[🔎] a00e7aa6-efdc-b6c7-6428-daeb7569bdb3@debian.org>
References: <87k0xes8kr.fsf@canidae.wired.pri> <874ko9p70k.fsf@canidae.wired.pri> <CABY6=0nbk71vcgXX3yHeKmm1kYZi=+PduFCbiyNCDx8WXDwEQA@mail.gmail.com> <871rjbq50z.fsf@canidae.wired.pri> <CABY6=0mSxsXpjhz-X+=p2wSSeXFuffVf=7X3AQ0GEyy1YRF9-A@mail.gmail.com> <87k0x2edaf.fsf@canidae.wired.pri> <CABY6=0=xDdOo1RH9iJiG=xS0T=GaQ48k+w-RSoLPSbTDcZxCUA@mail.gmail.com> <871rj6m8jr.fsf@canidae.wired.pri> <CABY6=0ku8-9tztUoYS_nU=jX_aUP_VVhyGyZefS+a3jh=tv--A@mail.gmail.com> <[🔎] 87a6x1ism5.fsf@canidae.wired.pri> <[🔎] CAPP0f95wioPcjGJcdr5-asTvnF2Wfq-JC+fhL=7ORiKnr1P97A@mail.gmail.com> <[🔎] 877ds5ir5a.fsf@canidae.wired.pri> <[🔎] CAPP0f95oKvN+F2mZrscoGx-Ji+=PUcGopL+HusTd47gp6oakQQ@mail.gmail.com> <[🔎] 87y2kjghen.fsf@canidae.wired.pri> <[🔎] 0f05e2e5-a26d-179f-18d4-c4abdddc5fec@debian.org> <[🔎] 87k0w15edd.fsf@silverfish.pri> <[🔎] 3722204c-542e-7be2-f4a5-49c1cfbcc472@debian.org> <[🔎] 87h7r55dd9.fsf@silverfish.pri> <[🔎] 3388c95b-f3dc-f63c-a927-453c3380c088@debian.org> <[🔎] 87lfgggxw5.fsf@canidae.wired.pri> <[🔎] a00e7aa6-efdc-b6c7-6428-daeb7569bdb3@debian.org>

Emilio Pozuelo Monfort <pochu@debian.org> writes:

> I would look for an automated way to do this. E.g. by downloading and inspecting 
> the binaries to see if they have the affected code.

Hmmm. Good idea in theory, but not sure how to do this in practise.

I tried building two copies of acmetool, and comparing, but it looks
like go builds are not yet reproducible.

There is the known issue that the build path is encoded in the result.

But I am getting other differences too.

Hmm. But it looks like /usr/bin/acmetool contains strings such as:

/tmp/brian/tmpxbsh4mst/build/amd64/source/obj-x86_64-linux-gnu/src/golang.org/x/crypto/ocsp/ocsp.go

This looks like a source file.

Wonder if it is possible to extract a list of all source files that were
used to build acmetool...

So far not getting anywhere with "readelf". But maybe "strings" might be
sufficient.
-- 
Brian May <bam@debian.org>

Reply to:

References:
- Re: golang-go.crypto / CVE-2019-11841
  - From: Brian May <bam@debian.org>
- Re: golang-go.crypto / CVE-2019-11841
  - From: Utkarsh Gupta <utkarsh@debian.org>
- Re: golang-go.crypto / CVE-2019-11841
  - From: Brian May <bam@debian.org>
- Re: golang-go.crypto / CVE-2019-11841
  - From: Utkarsh Gupta <utkarsh@debian.org>
- Re: golang-go.crypto / CVE-2019-11841
  - From: Brian May <bam@debian.org>
- Re: golang-go.crypto / CVE-2019-11841
  - From: Emilio Pozuelo Monfort <pochu@debian.org>
- Re: golang-go.crypto / CVE-2019-11841
  - From: Brian May <bam@debian.org>
- Re: golang-go.crypto / CVE-2019-11841
  - From: Emilio Pozuelo Monfort <pochu@debian.org>
- Re: golang-go.crypto / CVE-2019-11841
  - From: Brian May <bam@debian.org>
- Re: golang-go.crypto / CVE-2019-11841
  - From: Emilio Pozuelo Monfort <pochu@debian.org>
- Re: golang-go.crypto / CVE-2019-11841
  - From: Brian May <bam@debian.org>
- Re: golang-go.crypto / CVE-2019-11841
  - From: Emilio Pozuelo Monfort <pochu@debian.org>

Prev by Date: Re: golang-go.crypto / CVE-2019-11841
Next by Date: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity (and missing DLAs on www.do)
Previous by thread: Re: golang-go.crypto / CVE-2019-11841
Next by thread: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity (and missing DLAs on www.do)
Index(es):
- Date
- Thread