
Bug#990825: [pre-approval] unblock: golang-1.15/1.15.9-6



On Wed, 2021-07-14 at 20:16 +0800, Shengjing Zhu wrote:

> That feels over-engineering/energy-wasting.

Another option would be to search the source code, and these findings
would need to be confirmed using grep, but looking at codesearch:

   https://codesearch.debian.net/search?q=%5C.generateClientKeyExchange&literal=0

   golang-github-marten-seemann-qtls
   golang-github-marten-seemann-qtls-go1-15
   golang-github-cloudflare-cfssl
   golang-refraction-networking-utls
   heartbleeder

As well as anything that transitively build-depends on any of these.

That said, I don't think rebuilding those packages will fix the issue,
since they have embedded code copies of key_agreement.go and possibly
use those copies instead of the code from the std library. There are
also a number of other copies of key_agreement.go as well as copies of
handshake_client.go, which calls the vulnerable code.

   $ apt-file search -I dsc key_agreement.go
   android-platform-external-boringssl: /src/ssl/test/runner/key_agreement.go
   chromium: /third_party/boringssl/src/ssl/test/runner/key_agreement.go
   gcc-avr: /gcc/libgo/go/crypto/tls/key_agreement.go
   gcc-riscv64-unknown-elf: /libgo/go/crypto/tls/key_agreement.go
   golang-1.15: /src/crypto/tls/key_agreement.go
   golang-1.16: /src/crypto/tls/key_agreement.go
   golang-github-cloudflare-cfssl: /scan/vendor/crypto/tls/key_agreement.go
   golang-github-marten-seemann-qtls: /key_agreement.go
   golang-github-marten-seemann-qtls-go1-15: /key_agreement.go
   golang-refraction-networking-utls: /key_agreement.go
   heartbleeder: /tls/key_agreement.go
   llvm-toolchain-9: /llgo/third_party/gofrontend/libgo/go/crypto/tls/key_agreement.go
   mono: /external/boringssl/ssl/test/runner/key_agreement.go
   
   $ apt-file search -I dsc handshake_client.go
   android-platform-external-boringssl: /src/ssl/test/runner/handshake_client.go
   chromium: /third_party/boringssl/src/ssl/test/runner/handshake_client.go
   gcc-avr: /gcc/libgo/go/crypto/tls/handshake_client.go
   gcc-riscv64-unknown-elf: /libgo/go/crypto/tls/handshake_client.go
   golang-1.15: /src/crypto/tls/handshake_client.go
   golang-1.16: /src/crypto/tls/handshake_client.go
   golang-github-cloudflare-cfssl: /scan/vendor/crypto/tls/handshake_client.go
   golang-github-marten-seemann-qtls: /handshake_client.go
   golang-github-marten-seemann-qtls-go1-15: /handshake_client.go
   golang-refraction-networking-utls: /handshake_client.go
   heartbleeder: /tls/handshake_client.go
   llvm-toolchain-9: /llgo/third_party/gofrontend/libgo/go/crypto/tls/handshake_client.go
   mono: /external/boringssl/ssl/test/runner/handshake_client.go

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
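
Added example, not part of the original message: a way to turn the two `apt-file` listings above into a list of source packages that ship `key_agreement.go` and `handshake_client.go` side by side, which is where a rebuild against a fixed standard library would change nothing. The function names, the rule of excluding the `golang-1.x` toolchain packages, and the same-directory criterion are assumptions of this example; the sample input is a constructed subset of the listings in the message.

```sh
#!/bin/sh
# embedded_copies KEY_AGREEMENT_HITS HANDSHAKE_HITS [EXCLUDE_REGEX]
# Inputs are saved `apt-file search -I dsc <file>` listings ("package: /path").
# Prints "package<TAB>directory" for each source package that ships both files
# in the same directory, i.e. in one Go package, so the handshake_client.go
# there compiles against the local key_agreement.go.
embedded_copies() {
    # Assumption: the Go toolchain packages themselves are tracked separately.
    exclude=${3:-'^golang-1[.][0-9]+$'}
    awk -v ex="$exclude" '
        {
            sub(/^[ \t]+/, "")                  # listings pasted from mail are indented
            i = index($0, ": /")
            if (i == 0) next                    # prompt lines, blank lines
            pkg = substr($0, 1, i - 1)
            dir = substr($0, i + 2)
            sub("/[^/]*$", "", dir)             # drop the file name
            if (dir == "") dir = "/"
            if (pkg ~ ex) next
            key = pkg SUBSEP dir
            if (FILENAME == ARGV[1]) seen[key] = 1
            else if (key in seen) print pkg "\t" dir
        }
    ' "$1" "$2" | LC_ALL=C sort -u
}

demo() {
    tmp=$(mktemp -d) || return 1
    # Constructed sample: a subset of the two listings in the message above.
    cat > "$tmp/ka" <<'EOF'
   $ apt-file search -I dsc key_agreement.go
   golang-1.15: /src/crypto/tls/key_agreement.go
   golang-github-cloudflare-cfssl: /scan/vendor/crypto/tls/key_agreement.go
   golang-refraction-networking-utls: /key_agreement.go
   heartbleeder: /tls/key_agreement.go
EOF
    cat > "$tmp/hc" <<'EOF'
   $ apt-file search -I dsc handshake_client.go
   golang-1.15: /src/crypto/tls/handshake_client.go
   golang-github-cloudflare-cfssl: /scan/vendor/crypto/tls/handshake_client.go
   golang-refraction-networking-utls: /handshake_client.go
   heartbleeder: /tls/handshake_client.go
EOF
    embedded_copies "$tmp/ka" "$tmp/hc"
    rm -rf "$tmp"
}

demo
```

Each reported directory still has to be inspected in the unpacked source, since a matching file name says nothing about which revision of the code the copy contains.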
