Re: CVE-2021-3121 stretch patch review request and request for test help
Now the patch is available again in case you want to do the update.
I do not really think it is worth it. But that is more related to the fact that I have not understood what the security problem is.
Yes, my site is down. It is concluded to be just ash right now. I have a backup so I should be able to upload the patch to somewhere else.
On Tue, Mar 9, 2021 at 11:15 PM Sylvain Beucler <firstname.lastname@example.org> wrote:
> > You can find the patch here:
> > http://apt.inguza.net/stretch-lts/golang-gogoprotobuf/CVE-2021-3121-1.patch
Ola, can you move that patch to somewhere else? Because I guess your
site is still down. :(
> It should be noted that golang* packages are supported in stretch but
> come with limited support, not due to code generation but due to Go
> static linking in the first place:
> If you do decide to support this package, I recently documented how to
> find direct reverse build dependencies at:
> $ dose-ceve --deb-native-arch=amd64 -r golang-github-gogo-protobuf-dev -T debsrc | grep-dctrl -n -s Package '' | sort -u
> (Note: this is not recursive.)
> In addition, apt-file does provide a list of generated .pb.go files,
> though it also includes those from "plain" protobuf (of which
> gogoprotobuf is a fork) so not all are affected (the affected ones
> should contain "skippy" somewhere):
> # apt-file search .pb.go | cut -d: -f1 | sort -u
I'll be happy to do the work (that is push the fix of
golang-gogoprotobuf and then rebuild all these packages) but honestly,
is it worth doing that? I don't think releasing these many DLAs makes
sense unless there's a fair trade-off, which I don't see yet.
What do y'all think?
--- Inguza Technology AB --- MSc in Information Technology ----
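The triage step described in the quoted message (list the generated .pb.go files, then keep only those carrying the gogoprotobuf "skippy" marker) as an added, self-contained example; this is not code from the thread or from any Debian tool. The sample source tree, its package names (pkg-a, pkg-b, pkg-c) and file contents are constructed here so the script runs offline; in practice the tree would be the unpacked sources of the packages returned by the dose-ceve and apt-file commands above.

```shell
#!/bin/sh
# Added example, not part of the original thread. Classifies .pb.go files
# by the "skippy" heuristic mentioned in the discussion: gogoprotobuf's
# generated unmarshal code uses a skippy variable, plain protobuf's does not.

# Build a constructed sample tree under $1 that mimics unpacked sources.
make_sample_tree() {
    root="$1"
    mkdir -p "$root/pkg-a" "$root/pkg-b" "$root/pkg-c"
    # Constructed gogoprotobuf-style output: the skippy marker is present.
    cat > "$root/pkg-a/msg.pb.go" <<'EOF'
package pkga
func skipMsg(dAtA []byte) (n int, err error) { return 0, nil }
// skippy, err := skipMsg(dAtA[iNdEx:])
EOF
    # Constructed plain protobuf-style output: no skippy marker.
    cat > "$root/pkg-b/msg.pb.go" <<'EOF'
package pkgb
var file_msg_proto_rawDesc = []byte{}
EOF
    # A non-.pb.go file that mentions skippy must be ignored by the filter.
    printf 'skippy\n' > "$root/pkg-c/notes.txt"
}

# Print, one per line, every .pb.go file under $1 that contains "skippy".
# Only generated files are searched, so unrelated mentions are skipped.
list_affected() {
    find "$1" -name '*.pb.go' -type f -exec grep -l 'skippy' {} + | sort
}

# Print the distinct source directories (one per package in the sample
# layout) that hold at least one affected file.
list_affected_packages() {
    list_affected "$1" | while IFS= read -r f; do
        basename "$(dirname "$f")"
    done | sort -u
}

# Stand-alone demonstration on the constructed tree.
demo_root=$(mktemp -d)
make_sample_tree "$demo_root"
echo "affected files:"
list_affected "$demo_root"
echo "affected packages:"
list_affected_packages "$demo_root"
rm -rf "$demo_root"
```

The grep pattern is the same loose heuristic the message proposes; a file that matches still needs a look at which gogoprotobuf version generated it before a rebuild is scheduled.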