[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: CVE-2021-3121 stretch patch review request and request for test help


I do not really think it is worth it. But that is more related to the fact that I have not understood what the security problem is.

Yes, my site is down. It is concluded to be just ash right now. I have a backup so I should be able to upload the patch to somewhere else.

// Ola

On Thu, 18 Mar 2021 at 22:27, Utkarsh Gupta <utkarsh@debian.org> wrote:

On Tue, Mar 9, 2021 at 11:15 PM Sylvain Beucler <beuc@beuc.net> wrote:
> > You can find the patch here:
> > http://apt.inguza.net/stretch-lts/golang-gogoprotobuf/CVE-2021-3121-1.patch

Ola, can you move that patch to somewhere else? Because I guess your
site is still down. :(

> It should be noted that golang* packages are supported in stretch but
> come with limited support, not to due to code generation but due to Go
> static linking in the first place:
> https://salsa.debian.org/debian/debian-security-support/-/blob/stretch/security-support-limited
> If you do decide to support this package, I recently documented how to
> find direct reverse build dependencies at:
> https://wiki.debian.org/LTS/TestSuites/golang
> $ dose-ceve --deb-native-arch=amd64 -r golang-github-gogo-protobuf-dev
> -T debsrc
> debsrc:///var/lib/apt/lists/ftp.fr.debian.org_debian_dists_stretch_main_source_Sources
> deb:///var/lib/apt/lists/ftp.fr.debian.org_debian_dists_stretch_main_binary-amd64_Packages
>    | grep-dctrl -n -s Package '' | sort -u
> gobgp
> golang-github-appc-goaci
> golang-github-appc-spec
> golang-github-mesos-mesos-go
> influxdb
> syncthing
> (Note: this is not recursive.)
> In addition, apt-file does provide a list of generated .pb.go files,
> though it also includes those from "plain" protobuf (of which
> gogoprotobuf if a fork) so not all are affected (the affected ones
> should contain "skippy" somewhere):
> # apt-file search .pb.go | cut -d: -f1 | sort -u
> golang-github-appc-spec-dev
> golang-github-gogo-protobuf-dev
> golang-github-golang-groupcache-dev
> golang-github-influxdb-influxdb-dev
> golang-github-mesos-mesos-go-dev
> golang-github-opencontainers-runc-dev
> golang-github-osrg-gobgp-dev
> golang-github-prometheus-alertmanager-dev
> golang-github-prometheus-client-model-dev
> golang-github-syncthing-syncthing-dev
> golang-gomega-dev
> golang-google-appengine-dev
> golang-google-genproto-dev
> golang-google-grpc-dev
> golang-gopkg-dancannon-gorethink.v1-dev
> golang-gopkg-dancannon-gorethink.v2-dev
> golang-goprotobuf-dev

I'll be happy to do the work (that is push the fix of
golang-gogoprotobuf and then rebuild all these packages) but honestly,
is it worth doing that? I don't think releasing these many DLAs makes
sense unless there's a fair trade-off, which I don't see yet.

What do y'all think?

- u

 --- Inguza Technology AB --- MSc in Information Technology ----
|  ola@inguza.com                    opal@debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |

Reply to: