Re: CVE-2021-3121 stretch patch review request and request for test help
Hi Sylvain and all,
Sylvain: Thank you for pointing me to this.
I have checked the first three packages in the list you gave and all have "skippy" in them, some many times.
All: The conclusion I draw is that we should not fix CVE-2021-3121 or any other golang packages.
Or should we rebuild, as we seem to plan to do for the other CVEs that we have in dla-needed?
However, before that it would be good to have more information about the issue in order to conclude its severity...
I am starting to realize that there are other people who have better knowledge about maintaining Go packages, and I will therefore give this package to someone else to conclude.
On Tue, 9 Mar 2021 at 18:45, Sylvain Beucler <firstname.lastname@example.org> wrote:
I'll let the Go packagers answer authoritatively, but as I'm currently
working on golang fixes I'd like to share a few points:
On 08/03/2021 22:48, Ola Lundqvist wrote:
> I have prepared a patch for CVE-2021-3121 described in:
> You can find the patch here:
> The patch is based on the following commit:
> My conclusion is that the field function in stretch is unaffected. The
> reason is that there is no skippy check there at all in the stretch version.
> For the generate function the iNdEx check was not in place, so I added
> it, similar to the patch.
> I do have a problem, and that is to check whether the code introduces
> some regression issue. Also, since the CVE lacks a description of the
> effect of this problem, I have little knowledge of what the result of
> this may be.
> Therefore I would highly appreciate a description of what this problem
> is and how to regression test the package.
This appears to be a tricky issue to fix.
First, due to static linking in Go, dependencies need to be rebuilt too,
but even then, the vulnerability lies in generated code.
(see below for a list of deps)
Then, the vulnerability appears to be a serialization issue but even the
netapp report is vague.
To test the fix, the package comes with a testsuite, though the original
patch includes dozens of testsuite changes (mostly regenerated files).
Then all the dependencies (that need a rebuild) do provide another way
to check if something broke.
It should be noted that golang* packages are supported in stretch but
come with limited support, not due to code generation but due to Go
static linking in the first place:
If you do decide to support this package, I recently documented how to
find direct reverse build dependencies at:
$ dose-ceve --deb-native-arch=amd64 -r golang-github-gogo-protobuf-dev \
    | grep-dctrl -n -s Package '' | sort -u
(Note: this is not recursive.)
In addition, apt-file does provide a list of generated .pb.go files,
though it also includes those from "plain" protobuf (of which
gogoprotobuf is a fork), so not all are affected (the affected ones
should contain "skippy" somewhere):
# apt-file search .pb.go | cut -d: -f1 | sort -u
--- Inguza Technology AB --- MSc in Information Technology ----
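The thread above discusses a "skippy" check and an "iNdEx" check in gogo-generated Unmarshal code without saying what goes wrong when they are missing. The following is an added example written for this page; it is not gogo/protobuf's generated code and not part of the Debian patch. It is a deliberately small model of the unknown-field skip loop that protoc-gen-gogo emits: `skipField` returns the byte count ("skippy") of an unknown field, and `unmarshal` applies either the pre-fix check (`skippy < 0` only) or the post-fix form (`skippy < 0 || iNdEx+skippy < 0`). The post-fix form is taken from my reading of the upstream 1.3.2 fix and is an assumption here; the helper names (`readVarint`, `appendVarint`, `tryUnmarshal`, `hostileMessage`, `benignMessage`) and the constructed messages are mine. The message is built so that the declared length of an unknown length-delimited field makes `skippy` land exactly on `math.MaxInt64`; `iNdEx + skippy` then wraps negative, slips past the `> l` bound check, and the next slice access panics. In this model the observable effect is a crash of the decoder, which is all the example claims.

```go
package main

import (
	"errors"
	"fmt"
	"math"
)

// Errors named after the ones gogo-generated code returns.
var (
	ErrInvalidLength = errors.New("proto: negative length found during unmarshaling")
	ErrUnexpectedEOF = errors.New("unexpected EOF")
)

// appendVarint encodes v as a base-128 varint (used only to build the constructed input).
func appendVarint(b []byte, v uint64) []byte {
	for v >= 0x80 {
		b = append(b, byte(v)|0x80)
		v >>= 7
	}
	return append(b, byte(v))
}

// readVarint decodes the varint at dAtA[iNdEx:] and returns the value and the index just past it.
// Like the generated code it checks only the upper bound, so a negative iNdEx reaches the slice
// index expression and panics.
func readVarint(dAtA []byte, iNdEx int) (uint64, int, error) {
	var v uint64
	for shift := uint(0); ; shift += 7 {
		if shift >= 64 {
			return 0, 0, errors.New("proto: integer overflow")
		}
		if iNdEx >= len(dAtA) {
			return 0, 0, ErrUnexpectedEOF
		}
		b := dAtA[iNdEx]
		iNdEx++
		v |= uint64(b&0x7F) << shift
		if b < 0x80 {
			return v, iNdEx, nil
		}
	}
}

// skipField models the pre-fix skip helper (assumption): it returns how many bytes the field
// starting at dAtA[0] occupies, rejecting only a length that converts to a negative int.
func skipField(dAtA []byte) (int, error) {
	key, iNdEx, err := readVarint(dAtA, 0)
	if err != nil {
		return 0, err
	}
	switch key & 7 {
	case 0: // varint payload
		_, iNdEx, err = readVarint(dAtA, iNdEx)
		return iNdEx, err
	case 2: // length-delimited payload
		length, next, err := readVarint(dAtA, iNdEx)
		if err != nil {
			return 0, err
		}
		if int(length) < 0 {
			return 0, ErrInvalidLength
		}
		return next + int(length), nil // skippy = header bytes + declared payload length
	default:
		return 0, fmt.Errorf("proto: unsupported wire type %d", key&7)
	}
}

// unmarshal models a generated Unmarshal loop for a message with one known varint field (number 1).
// Unknown fields take the default branch; hardened selects the post-fix form of the check.
func unmarshal(dAtA []byte, hardened bool) (uint64, error) {
	var field1 uint64
	l := len(dAtA)
	iNdEx := 0
	for iNdEx < l {
		preIndex := iNdEx
		key, next, err := readVarint(dAtA, iNdEx)
		if err != nil {
			return 0, err
		}
		iNdEx = next
		switch key >> 3 {
		case 1:
			field1, iNdEx, err = readVarint(dAtA, iNdEx)
			if err != nil {
				return 0, err
			}
		default:
			iNdEx = preIndex
			skippy, err := skipField(dAtA[iNdEx:])
			if err != nil {
				return 0, err
			}
			if hardened {
				// post-fix form: also reject an iNdEx+skippy sum that wrapped negative
				if skippy < 0 || (iNdEx+skippy) < 0 {
					return 0, ErrInvalidLength
				}
			} else if skippy < 0 { // pre-fix form: skippy alone is checked
				return 0, ErrInvalidLength
			}
			if (iNdEx + skippy) > l { // a wrapped negative sum passes this test
				return 0, ErrUnexpectedEOF
			}
			iNdEx += skippy
		}
	}
	return field1, nil
}

// tryUnmarshal runs unmarshal and reports whether it panicked instead of returning an error.
func tryUnmarshal(dAtA []byte, hardened bool) (panicked bool, err error) {
	defer func() {
		if r := recover(); r != nil {
			panicked, err = true, fmt.Errorf("panic: %v", r)
		}
	}()
	_, err = unmarshal(dAtA, hardened)
	return false, err
}

// hostileMessage is constructed input: field 1 = 1, then unknown field 99 (wire type 2) whose
// declared length makes skippy exactly math.MaxInt64 (2-byte key + 9-byte length varint = 11 bytes).
func hostileMessage() []byte {
	m := appendVarint(nil, 1<<3|0)
	m = appendVarint(m, 1)
	m = appendVarint(m, 99<<3|2)
	return appendVarint(m, uint64(math.MaxInt64-11))
}

// benignMessage is constructed input: field 1 = 42 followed by a well-formed unknown field.
func benignMessage() []byte {
	m := appendVarint(nil, 1<<3|0)
	m = appendVarint(m, 42)
	m = appendVarint(m, 99<<3|2)
	m = appendVarint(m, 3)
	return append(m, 'a', 'b', 'c')
}

func main() {
	for _, hardened := range []bool{false, true} {
		p, err := tryUnmarshal(hostileMessage(), hardened)
		fmt.Printf("hardened=%v panicked=%v err=%v\n", hardened, p, err)
	}
}
```

The same shape is why the "skippy" grep in the thread is a usable affected-file heuristic: the vulnerable pattern lives in the generated `default:` branch of every `Unmarshal`, so it has to be fixed by regenerating (or patching) each `.pb.go` and then rebuilding everything that statically links it, not by touching the library alone.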