Hi all,
CVE-2022-27191 was published recently for golang-x-crypto and a BZ ticket[2] has been opened for every package that depends on it. It has a 7.5 score for CVSS 3.x.
FWIU, in order to fix this CVE, a new version of golang-x-crypto and rebuilding all dependent packages is required.
I opened a PR[3] to update golang-x-crypto as the first step. As I'm still not part of go-sig, can someone review, merge if OK and build it for current Fedora releases? I applied today to be a member of go-sig[4] to help with this and other tasks, but don't know how long it will take to be accepted.
Kind regards, Mikel Olasagasti (mikelo2)
[1] https://nvd.nist.gov/vuln/detail/CVE-2022-27191
[2] https://bugzilla.redhat.com/show_bug.cgi?id=2064702
[3] https://src.fedoraproject.org/rpms/golang-x-crypto/pull-request/2
[4] https://pagure.io/GoSIG/go-sig/issue/1#comment-792166
Hi Mikelo,
I can help with the PR, but not with the group sponsorship.
Shall we re-build also all packages depending on x/crypto?
Best, Fale
On Wed, Apr 13, 2022, at 15:37, Mikel Olasagasti wrote:
_______________________________________________
golang mailing list -- golang@lists.fedoraproject.org
To unsubscribe send an email to golang-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/golang@lists.fedoraproject.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
On Wednesday, April 13, 2022 4:37:27 PM IDT Mikel Olasagasti wrote:
FWIU, in order to fix this CVE, a new version of golang-x-crypto and rebuilding all dependent packages is required.
If the CVE only affects golang.org/x/crypto/ssh, couldn't we just rebuild packages that depend on `golang(golang.org/x/crypto/ssh)`? `golang-x-crypto-devel` has a lot of dependent packages (over 600), so it would be beneficial to avoid having to rebuild all of them.
Also, keep in mind that there are several go-sig packages that FTBFS, which might cause issues during the rebuild. As a new member of the SIG, fixing some of these is probably a good place to start. Here[1] is a list of all the current open go-sig FTBFS bugs.
[1]: https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGN...
I applied today to be a member of go-sig[4] to help with this and other tasks, but don't know how long it will take to be accepted.
If you don't get a timely response on the ticket, you can also try asking in #fedora-golang.
On Wed, Apr 13, 2022, at 21:48, Maxwell G wrote:
On Wednesday, April 13, 2022 4:37:27 PM IDT Mikel Olasagasti wrote:
FWIU, in order to fix this CVE, a new version of golang-x-crypto and rebuilding all dependent packages is required.
If the CVE only affects golang.org/x/crypto/ssh, couldn't we just rebuild packages that depend on `golang(golang.org/x/crypto/ssh)`? `golang-x-crypto-devel` has a lot of dependent packages (over 600), so it would be beneficial to avoid having to rebuild all of them.
Hi,
If I'm correct, we are looking for:
- packages that depend on golang.org/x/crypto/ssh
- packages that contain at least a non-devel package (ie: a compiled part)
If my understanding of repoquery is correct, this would be the command to get them:
```
sudo dnf repoquery -q --repo=rawhide{,-source} --whatrequires "golang(golang.org/x/crypto/ssh)" --recursive | grep src$ | pkgname | sort | uniq
```
Which creates a 326-package-long list. We have halved them (if my query is correct) :-).
Also, keep in mind that there are several go-sig packages that FTBFS, which might cause issues during the rebuild. As a new member of the SIG, fixing some of these is probably a good place to start. Here[1] is a list of all the current open go-sig FTBFS bugs.
This feels like a major issue to automate the process.
Fale
On Thursday, April 14, 2022 12:37:37 AM IDT Fabio Alessandro Locati wrote:
If I'm correct, we are looking for:
- packages that depend on golang.org/x/crypto/ssh
- packages that contain at least a non-devel package (ie: a compiled part)
If my understanding of repoquery is correct, this would be the command to get them:
```
sudo dnf repoquery -q --repo=rawhide{,-source} --whatrequires "golang(golang.org/x/crypto/ssh)" --recursive | grep src$ | pkgname | sort | uniq
```
That command does nothing to ensure that the packages contain binaries. `--recursive` also includes packages that indirectly depend on `golang(golang.org/x/crypto/ssh)` (i.e. package A depends on `golang(golang.org/x/crypto/ssh)` and package B depends on package A which depends on `golang(golang.org/x/crypto/ssh)`, but package B doesn't directly depend on `golang(golang.org/x/crypto/ssh)`). I am not sure that this works with packages that use `%generate_buildrequires`, either.
Here is a better command:
```
sudo dnf repoquery -q --repo=rawhide --whatrequires 'golang(golang.org/x/crypto/ssh)' \
  | xargs sudo dnf repoquery -q --repo=rawhide --qf '%{sourcerpm}' \
  | pkgname \
  | xargs sudo dnf repoquery -q --repo=rawhide --latest-limit 1 \
  | pkgname
```
You can still add `--recursive` to the first repoquery command if we deem that necessary. This command finds all the dependent `-devel` packages, then finds the sourcerpm name of each package (which is the same as `%{goname}`) and then checks if there is a binary rpm with that name.
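To make the difference between Fale's recursive query and the direct-dependents-with-a-binary query concrete, here is an added Python model of both (not from the thread and not real dnf output; the package fixture, names and the `whatrequires`/`has_binary` helpers are constructed to mirror the "A requires x/crypto/ssh, B only requires A" case and a devel-only source package):

```python
"""Offline model of the two repoquery strategies from the thread.
Added example with a constructed package fixture; no real dnf data."""
from collections import deque

# Constructed fixture: binary rpm name -> (source rpm name, provides, requires).
# example-a links x/crypto/ssh directly; example-b only imports example-a's
# Go package; golang-libonly is a pure library source package with no binary.
CAP = "golang(golang.org/x/crypto/ssh)"
PACKAGES = {
    "golang-x-crypto-devel": ("golang-x-crypto", {CAP}, set()),
    "golang-example-a-devel": ("example-a", {"golang(example.org/a)"}, {CAP}),
    "example-a": ("example-a", set(), set()),
    "golang-example-b-devel": ("example-b", {"golang(example.org/b)"},
                               {"golang(example.org/a)"}),
    "example-b": ("example-b", set(), set()),
    "golang-libonly-devel": ("golang-libonly", set(), {CAP}),
}

def whatrequires(capability, recursive=False):
    """Model of `dnf repoquery --whatrequires CAP [--recursive]`: packages that
    require CAP; with recursive=True, also packages that require what those
    packages provide, transitively (the A -> B chain Maxwell describes)."""
    found, queue = set(), deque([capability])
    while queue:
        cap = queue.popleft()
        for name, (_, provides, requires) in PACKAGES.items():
            if cap in requires and name not in found:
                found.add(name)
                if recursive:
                    queue.extend(provides)
    return found

def has_binary(srpm):
    """Model of the last pipeline stage: is there a binary rpm whose name
    equals the source rpm name (i.e. does the package build something)?"""
    return srpm in PACKAGES and PACKAGES[srpm][0] == srpm

def all_dependent_srpms(capability):
    """Fale's query: every source package in the recursive reverse closure,
    with no check that it builds anything compiled."""
    return sorted({PACKAGES[n][0] for n in whatrequires(capability, True)})

def rebuild_set(capability, recursive=False):
    """Maxwell's query: (direct) dependents -> sourcerpm name -> keep only
    source packages that actually produce a binary rpm."""
    srpms = {PACKAGES[n][0] for n in whatrequires(capability, recursive)}
    return sorted(s for s in srpms if has_binary(s))
```

With the fixture above, `all_dependent_srpms(CAP)` lists all three source packages, `rebuild_set(CAP)` only `example-a`, and `rebuild_set(CAP, recursive=True)` adds `example-b`.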
Quick update on this.
Thanks to Maxwell's and Elliot's suggestions and support, the number of packages involved has been lowered to 98 [0]. Of those, the majority have @go-sig as committer, so I've been able to build them. Some of them were FTBFS. For some of those, I've created PRs to fix them [1][2][3]. I'll work on the remaining FTBFS ones and on opening PRs for the ones where @go-sig has no permission in the coming days.
Thanks a lot, Fale
[0] https://fale.fedorapeople.org/CVE-2022-27191/pkgs2
[1] https://src.fedoraproject.org/rpms/cadvisor/pull-request/1
[2] https://src.fedoraproject.org/rpms/etcd/pull-request/4
[3] https://src.fedoraproject.org/rpms/gitjacker/pull-request/1
On Sat, Apr 16, 2022, at 10:15, Maxwell G wrote:
On Thursday, April 14, 2022 12:37:37 AM IDT Fabio Alessandro Locati wrote:
If I'm correct, we are looking for:
- packages that depend on golang.org/x/crypto/ssh
- packages that contain at least a non-devel package (ie: a compiled part)
If my understand of repoquery is correct, this would be the command to get them:
sudo dnf repoquery -q --repo=rawhide{,-source} --whatrequires "golang(golang.org/x/crypto/ssh)" --recursive | grep src$ | pkgname | sort | uniq
That command does nothing to ensure that the packages contain binaries. `--recursive` also includes packages that indirectly depend on `golang(golang.org/x/crypto/ssh)` (i.e. package A depends on `golang(golang.org/x/crypto/ssh)` and package B depends on package A which depends on `golang(golang.org/x/crypto/ssh)`, but package B doesn't directly depend on `golang(golang.org/x/crypto/ssh)`). I am not sure that this works with packages that use `%generate_buildrequires`, either.
Here is a better command:
sudo dnf repoquery -q --repo=rawhide --whatrequires 'golang(golang.org/x/crypto/ssh)' | xargs sudo dnf repoquery -q --repo=rawhide --qf '%{sourcerpm}' | pkgname | xargs sudo dnf repoquery -q --repo=rawhide --latest-limit 1 | pkgnameYou can still add `--recursive` to the first repoquery command if we deem that necessary. This command finds all the dependent dependant `-devel` packages, then finds the sourcerpm name of each package (which is the same as `%{goname}`) and then checks if there is a binary rpm with that name.
-- Thanks,
Maxwell G (@gotmax23) Pronouns: He/Him/Him _______________________________________________ golang mailing list -- golang@lists.fedoraproject.org To unsubscribe send an email to golang-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/golang@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
*Attachments:*
- signature.asc
golang@lists.fedoraproject.org