
Re: CVE-2021-3121 stretch patch review request and request for test help



Hi Sylvain and all

Sylvain, thank you for pointing me to this.
I have checked the first three packages in the list you gave and all have "skippy" in them, some many times.

All: The conclusion I draw is that we should not fix CVE-2021-3121 or any other golang packages.
Or should we rebuild, as we seem to plan to do for the other CVEs that we have in dla-needed?

However, before that it would be good to have more information about the issue to conclude its severity...

I am starting to realize that there are other people who have better knowledge about maintaining Go packages, and will therefore give this package to someone else to conclude.

Cheers

// Ola


On Tue, 9 Mar 2021 at 18:45, Sylvain Beucler <beuc@beuc.net> wrote:
Hi,

I'll let the Go packagers answer authoritatively but as I'm currently
working on golang fixes I'd like to share a few points:

On 08/03/2021 22:48, Ola Lundqvist wrote:
> I have prepared a patch for CVE-2021-3121 described in:
> https://security-tracker.debian.org/tracker/CVE-2021-3121
>
> You can find the patch here:
> http://apt.inguza.net/stretch-lts/golang-gogoprotobuf/CVE-2021-3121-1.patch
>
> The patch is based on the following commit:
> https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc
>
> My conclusion is that the field function in stretch is unaffected. The
> reason is that there is no skippy check there at all in the stretch version.
> For the generate function the iNdEx check was not in place so I added
> it, similar to the patch.
>
> I do have a problem, and that is to check whether the code introduces
> some regression issue. Also, since the CVE lacks a description of the
> effect of this problem, I have little knowledge on what the result of
> this may be.
>
> Therefore I would highly appreciate a description of what this problem
> is and how to regression test the package.

This appears to be a tricky issue to fix.

First, due to static linking in Go, dependencies need to be rebuilt too,
but even then, the vulnerability lies in generated code.
(see below for a list of deps)

Then, the vulnerability appears to be a serialization issue, but even the
NetApp report is vague.

To test the fix, the package comes with a testsuite, though the original
patch includes dozens of testsuite changes (mostly regenerated files).
Then all the dependencies (that need a rebuild) do provide another way
to check if something broke.

It should be noted that golang* packages are supported in stretch but
come with limited support, not due to code generation but due to Go
static linking in the first place:
https://salsa.debian.org/debian/debian-security-support/-/blob/stretch/security-support-limited


If you do decide to support this package, I recently documented how to
find direct reverse build dependencies at:
https://wiki.debian.org/LTS/TestSuites/golang

$ dose-ceve --deb-native-arch=amd64 -r golang-github-gogo-protobuf-dev -T debsrc \
    debsrc:///var/lib/apt/lists/ftp.fr.debian.org_debian_dists_stretch_main_source_Sources \
    deb:///var/lib/apt/lists/ftp.fr.debian.org_debian_dists_stretch_main_binary-amd64_Packages \
    | grep-dctrl -n -s Package '' | sort -u
gobgp
golang-github-appc-goaci
golang-github-appc-spec
golang-github-mesos-mesos-go
influxdb
syncthing
(Note: this is not recursive.)


In addition, apt-file does provide a list of generated .pb.go files,
though it also includes those from "plain" protobuf (of which
gogoprotobuf is a fork), so not all are affected (the affected ones
should contain "skippy" somewhere):
# apt-file search .pb.go | cut -d: -f1 | sort -u
golang-github-appc-spec-dev
golang-github-gogo-protobuf-dev
golang-github-golang-groupcache-dev
golang-github-influxdb-influxdb-dev
golang-github-mesos-mesos-go-dev
golang-github-opencontainers-runc-dev
golang-github-osrg-gobgp-dev
golang-github-prometheus-alertmanager-dev
golang-github-prometheus-client-model-dev
golang-github-syncthing-syncthing-dev
golang-gomega-dev
golang-google-appengine-dev
golang-google-genproto-dev
golang-google-grpc-dev
golang-gopkg-dancannon-gorethink.v1-dev
golang-gopkg-dancannon-gorethink.v2-dev
golang-goprotobuf-dev


Cheers!
Sylvain


--
 --- Inguza Technology AB --- MSc in Information Technology ----
|  ola@inguza.com                    opal@debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
 ---------------------------------------------------------------
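As an added illustration (not code from this thread, from gogo/protobuf or from Debian), the block below models the shape of the generated skip loop that the patch touches: a skipXxx-style helper returns "skippy", and the calling Unmarshal loop tests "skippy < 0" and "(iNdEx + skippy) > l" before advancing. The reading that the missing "(iNdEx + skippy) < 0" test matters because a large positive skippy can make the sum wrap negative, so that the "> l" test passes and the next read indexes the buffer at a negative offset, is my inference from the fix commit linked above, not something the thread itself establishes. The helper and function names (readVarint, skipField, unmarshalUnknown, crashingPayload, outcome) are invented for the example, the payload is constructed, and a 64-bit int (as on amd64) is assumed.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

var ErrInvalidLength = errors.New("proto: negative length found during unmarshaling")

// readVarint decodes the base-128 varint at dAtA[iNdEx:], returning its value and end offset.
func readVarint(dAtA []byte, iNdEx int) (uint64, int, error) {
	var v uint64
	for shift := uint(0); ; shift += 7 {
		if iNdEx >= len(dAtA) {
			return 0, 0, io.ErrUnexpectedEOF
		}
		b := dAtA[iNdEx]
		iNdEx++
		v |= uint64(b&0x7F) << shift
		if b < 0x80 {
			return v, iNdEx, nil
		}
	}
}

// skipField is modelled on the shape of a generated skipXxx helper (an assumption for this
// illustration, not the project's code): it returns the offset of the field after the one at
// dAtA[0]. Wire types 0 and 2 only; a 64-bit int is assumed, as on amd64.
func skipField(dAtA []byte) (int, error) {
	wire, iNdEx, err := readVarint(dAtA, 0)
	if err != nil {
		return 0, err
	}
	switch wire & 7 {
	case 0: // varint body
		_, end, err := readVarint(dAtA, iNdEx)
		return end, err
	case 2: // length-delimited body; the declared length is not compared with len(dAtA) here
		v, end, err := readVarint(dAtA, iNdEx)
		if err != nil {
			return 0, err
		}
		if length := int(v); length >= 0 {
			return end + length, nil
		}
		return 0, ErrInvalidLength
	}
	return 0, fmt.Errorf("proto: illegal wireType %d", wire&7)
}

// unmarshalUnknown models the field loop of a generated Unmarshal whose fields are all
// unknown and skipped. Without withIndexCheck it has the pre-patch shape: a large positive
// skippy wraps iNdEx+skippy negative, "> l" passes, and the next iteration slices dAtA at
// a negative offset and panics.
func unmarshalUnknown(dAtA []byte, withIndexCheck bool) error {
	l, iNdEx := len(dAtA), 0
	for iNdEx < l {
		skippy, err := skipField(dAtA[iNdEx:])
		if err != nil {
			return err
		}
		if skippy < 0 {
			return ErrInvalidLength
		}
		if withIndexCheck && (iNdEx+skippy) < 0 { // the check the patch adds
			return ErrInvalidLength
		}
		if (iNdEx + skippy) > l {
			return io.ErrUnexpectedEOF
		}
		iNdEx += skippy
	}
	return nil
}

// crashingPayload is a constructed input: field 2 as a one-byte varint (0x10 0x01), then
// field 1 as a bytes field (0x0a) declaring length 1<<63-11 (MaxInt64-10). skipField returns
// 1 + 9 + (MaxInt64-10) = MaxInt64 for it, and the caller's iNdEx of 2 plus that wraps negative.
func crashingPayload() []byte {
	var tmp [binary.MaxVarintLen64]byte
	n := binary.PutUvarint(tmp[:], uint64(1<<63-11))
	return append([]byte{0x10, 0x01, 0x0a}, tmp[:n]...)
}

// outcome reports "panic", the error text, or "" for a clean parse of crashingPayload.
func outcome(withIndexCheck bool) (result string) {
	defer func() {
		if r := recover(); r != nil {
			result = "panic"
		}
	}()
	if err := unmarshalUnknown(crashingPayload(), withIndexCheck); err != nil {
		return err.Error()
	}
	return ""
}

func main() {
	fmt.Println("pre-patch shape:", outcome(false), "| with index check:", outcome(true))
}
```

Run with "go run": the pre-patch shape ends in a runtime panic (caught here by recover; in a real consumer of the generated code that is a process crash on one malformed message), while the variant with the added test returns ErrInvalidLength. A regression check for a rebuilt package would therefore want both a malformed input like this one and well-formed messages, since the only behavioural change is on inputs that previously crashed.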

