
Re: CVE-2021-3121 stretch patch review request and request for test help



Hi,

I'll let the Go packagers answer authoritatively but as I'm currently working on golang fixes I'd like to share a few points:

On 08/03/2021 22:48, Ola Lundqvist wrote:
I have prepared a patch for CVE-2021-3121 described in:
https://security-tracker.debian.org/tracker/CVE-2021-3121
You can find the patch here:
http://apt.inguza.net/stretch-lts/golang-gogoprotobuf/CVE-2021-3121-1.patch
The patch is based on the following commit:
https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc

My conclusion is that the field function in stretch is unaffected. The reason is that there is no skippy check there at all in the stretch version. For the generate function the iNdEx check was not in place, so I added it, similar to the patch.

I do have a problem, and that is to check whether the code introduces some regression issue. Also, since the CVE lacks a description of the effect of this problem, I have little knowledge of what the result of this may be.

Therefore I would highly appreciate a description of what this problem is and how to regression test the package.

This appears to be a tricky issue to fix.

First, due to static linking in Go, dependencies need to be rebuilt too, but even then, the vulnerability lies in generated code.
(see below for a list of deps)

Then, the vulnerability appears to be a serialization issue, but even the netapp report is vague.

To test the fix, the package comes with a testsuite, though the original patch includes dozens of testsuite changes (mostly regenerated files). Then all the dependencies (that need a rebuild) do provide another way to check if something broke.

It should be noted that golang* packages are supported in stretch but come with limited support, not due to code generation but due to Go static linking in the first place:
https://salsa.debian.org/debian/debian-security-support/-/blob/stretch/security-support-limited


If you do decide to support this package, I recently documented how to find direct reverse build dependencies at:
https://wiki.debian.org/LTS/TestSuites/golang

$ dose-ceve --deb-native-arch=amd64 -r golang-github-gogo-protobuf-dev -T debsrc debsrc:///var/lib/apt/lists/ftp.fr.debian.org_debian_dists_stretch_main_source_Sources deb:///var/lib/apt/lists/ftp.fr.debian.org_debian_dists_stretch_main_binary-amd64_Packages | grep-dctrl -n -s Package '' | sort -u
gobgp
golang-github-appc-goaci
golang-github-appc-spec
golang-github-mesos-mesos-go
influxdb
syncthing
(Note: this is not recursive.)


In addition, apt-file does provide a list of generated .pb.go files, though it also includes those from "plain" protobuf (of which gogoprotobuf is a fork), so not all are affected (the affected ones should contain "skippy" somewhere):
# apt-file search .pb.go | cut -d: -f1 | sort -u
golang-github-appc-spec-dev
golang-github-gogo-protobuf-dev
golang-github-golang-groupcache-dev
golang-github-influxdb-influxdb-dev
golang-github-mesos-mesos-go-dev
golang-github-opencontainers-runc-dev
golang-github-osrg-gobgp-dev
golang-github-prometheus-alertmanager-dev
golang-github-prometheus-client-model-dev
golang-github-syncthing-syncthing-dev
golang-gomega-dev
golang-google-appengine-dev
golang-google-genproto-dev
golang-google-grpc-dev
golang-gopkg-dancannon-gorethink.v1-dev
golang-gopkg-dancannon-gorethink.v2-dev
golang-goprotobuf-dev


Cheers!
Sylvain
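
As an added illustration, not code from this thread or from gogoprotobuf itself: the Go program below reproduces in miniature the skip/unmarshal loop that gogoprotobuf generates into each .pb.go file, with the iNdEx check Ola refers to switchable on and off. The names (skipField, walkUnknownFields, craftedMessage) and the simplified wire-format handling are assumptions of this example. What it shows is the condition the check guards against: a length-delimited field whose declared length makes skippy close to the maximum int, so that iNdEx + skippy wraps to a negative value, slips past the "> l" bounds test, and the next dAtA[iNdEx:] panics with an index out of range. With the added "(iNdEx + skippy) < 0" check the same input is rejected with an invalid-length error, while well-formed and merely truncated inputs behave identically in both variants, which is the regression property the thread asks about.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"math"
)

// Illustration only: a hand-written stand-in for the skip/unmarshal code that
// gogoprotobuf generates. Names and structure are assumptions chosen to
// resemble the generated code, not the project's own code.
var (
	errInvalidLength = errors.New("proto: negative length found during unmarshaling")
	errIntOverflow   = errors.New("proto: integer overflow")
	errPanicked      = errors.New("runtime panic while unmarshaling")
)

// readVarint decodes a base-128 varint starting at data[i] and returns the
// value and the index just past it.
func readVarint(data []byte, i int) (uint64, int, error) {
	var v uint64
	for shift := uint(0); ; shift += 7 {
		if shift >= 64 {
			return 0, 0, errIntOverflow
		}
		if i >= len(data) {
			return 0, 0, io.ErrUnexpectedEOF
		}
		b := data[i]
		i++
		v |= uint64(b&0x7f) << shift
		if b < 0x80 {
			return v, i, nil
		}
	}
}

// skipField returns the number of bytes (tag plus payload) occupied by the
// field starting at data[0]. Like the generated skipXxx helpers it validates
// only its own arithmetic; the caller adds the result to its iNdEx.
func skipField(data []byte) (int, error) {
	tag, i, err := readVarint(data, 0)
	if err != nil {
		return 0, err
	}
	switch tag & 7 {
	case 0: // varint payload
		_, i, err = readVarint(data, i)
		return i, err
	case 1: // fixed 64-bit payload
		return i + 8, nil
	case 2: // length-delimited payload: the declared length is attacker-controlled
		length, j, lerr := readVarint(data, i)
		if lerr != nil {
			return 0, lerr
		}
		n := int(length)
		if n < 0 {
			return 0, errInvalidLength
		}
		j += n
		if j < 0 {
			return 0, errInvalidLength
		}
		return j, nil
	case 5: // fixed 32-bit payload
		return i + 4, nil
	default:
		return 0, fmt.Errorf("proto: unsupported wire type %d", tag&7)
	}
}

// walkUnknownFields consumes data field by field the way a generated Unmarshal
// does for fields it does not recognise. overflowCheck=false keeps only the
// checks of the unpatched loop; true adds the check the fix introduces.
// A runtime panic is converted into errPanicked so both can be compared.
func walkUnknownFields(data []byte, overflowCheck bool) (err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("%w: %v", errPanicked, r)
		}
	}()
	l := len(data)
	iNdEx := 0
	for iNdEx < l {
		skippy, serr := skipField(data[iNdEx:])
		if serr != nil {
			return serr
		}
		if skippy < 0 {
			return errInvalidLength
		}
		// The added check: iNdEx+skippy wraps negative when skippy is near
		// the maximum int, and the "> l" test below does not catch that.
		if overflowCheck && (iNdEx+skippy) < 0 {
			return errInvalidLength
		}
		if (iNdEx + skippy) > l {
			return io.ErrUnexpectedEOF
		}
		iNdEx += skippy
	}
	return nil
}

// Constructed inputs (not real captures): a well-formed message, a truncated
// one, and one whose declared length makes skipField return math.MaxInt64
// exactly, so that adding the caller's iNdEx (2) to it wraps negative.
func wellFormedMessage() []byte { return []byte{0x08, 0x01, 0x12, 0x03, 'a', 'b', 'c'} }
func truncatedMessage() []byte  { return []byte{0x12, 0x05, 'a'} }
func craftedMessage() []byte {
	msg := []byte{0x08, 0x01, 0x12} // field 1 varint = 1, then tag of field 2 (wire type 2)
	var buf [binary.MaxVarintLen64]byte
	n := binary.PutUvarint(buf[:], uint64(math.MaxInt64-10))
	return append(msg, buf[:n]...)
}

func main() {
	inputs := map[string][]byte{
		"well-formed": wellFormedMessage(), "truncated": truncatedMessage(), "crafted": craftedMessage(),
	}
	for name, data := range inputs {
		fmt.Printf("%-12s unpatched: %v\n", name, walkUnknownFields(data, false))
		fmt.Printf("%-12s patched:   %v\n", name, walkUnknownFields(data, true))
	}
}
```

Run it with go run; only the crafted input differs between the two variants (a recovered slice-bounds panic without the check, errInvalidLength with it), which is the kind of differential a regression test for the stretch backport can assert on.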

