golang-go.crypto: CVE-2017-3204

Debian Bug report logs - #859655
golang-go.crypto: CVE-2017-3204

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: golang-go.crypto: CVE-2017-3204

Date: Wed, 05 Apr 2017 17:05:11 +0200

Source: golang-go.crypto
Version: 1:0.0~git20161012.0.5f31782-1
Severity: grave
Tags: upstream patch security
Forwarded: https://github.com/golang/go/issues/19767

Hi,

the following vulnerability was published for golang-go.crypto.

CVE-2017-3204[0]:
| The Go SSH library (x/crypto/ssh) by default does not verify host
| keys, facilitating man-in-the-middle attacks. Default behavior changed
| in commit e4e2799 to require explicitly registering a hostkey
| verification mechanism.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-3204
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3204
[1] https://github.com/golang/go/issues/19767

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Message #12 received at 859655@bugs.debian.org (full text, mbox, reply):

From: anarcat <anarcat@debian.org>

To: 859655@bugs.debian.org

Cc: pkg-go-maintainers@lists.alioth.debian.org

Subject: Re: Bug#859655: golang-go.crypto: CVE-2017-3204

Date: Fri, 14 Apr 2017 15:07:02 -0400

Control: user -1 debian-release@lists.debian.org
Control: usertags -1 bsp-2017-04-ca-montreal
Control: tags -1 +patch

I looked into this during the Montreal BSP, and it's unclear what we
should do here, considering there has been multiple new uploads since
the stretch freeze. 

The patch is pretty long:

https://github.com/golang/crypto/commit/e4e2799dd7aab89f583e1d898300d96367750991

... and there's no way to just backport it into stretch at this point
(IIRC).

So I'm wondering if the next step here would not just be to ask for an
exception to unblock this for stretch, or just tell the release team to
just ignore this and drop the package from stretch.

Let me know,

A.

-- 
Celui qui ne connaît pas l'histoire est condamné à la revivre.
                        - Karl Marx

Message #17 received at 859655@bugs.debian.org (full text, mbox, reply):

From: Vincent Bernat <bernat@debian.org>

To: anarcat <anarcat@debian.org>

Cc: 859655@bugs.debian.org, pkg-go-maintainers@lists.alioth.debian.org

Subject: Re: [pkg-go] Bug#859655: golang-go.crypto: CVE-2017-3204

Date: Sat, 15 Apr 2017 11:04:31 +0200

[Message part 1 (text/plain, inline)]

 ❦ 14 avril 2017 15:07 -0400, anarcat <anarcat@debian.org> :

> I looked into this during the Montreal BSP, and it's unclear what we
> should do here, considering there has been multiple new uploads since
> the stretch freeze. 
>
> The patch is pretty long:
>
> https://github.com/golang/crypto/commit/e4e2799dd7aab89f583e1d898300d96367750991
>
> ... and there's no way to just backport it into stretch at this point
> (IIRC).

The patch is not that big. Most of its content is in tests and
examples. The only problem is that it exposes a behavioral change that
may break reverse dependencies at runtime.

> So I'm wondering if the next step here would not just be to ask for an
> exception to unblock this for stretch, or just tell the release team to
> just ignore this and drop the package from stretch.

There are many reverse dependencies that would be removed by removing
this package, including some high profile ones, like etcd, rkt,
influxdb. Their removal will in turn remove a lot of additional
packages.
-- 
A is for Apple.
		-- Hester Pryne

[signature.asc (application/pgp-signature, inline)]

Message #22 received at 859655@bugs.debian.org (full text, mbox, reply):

From: Antoine Beaupré <anarcat@debian.org>

To: Vincent Bernat <bernat@debian.org>

Cc: 859655@bugs.debian.org, pkg-go-maintainers@lists.alioth.debian.org

Subject: Re: [pkg-go] Bug#859655: golang-go.crypto: CVE-2017-3204

Date: Sat, 15 Apr 2017 09:42:38 -0400

On 2017-04-15 11:04:31, Vincent Bernat wrote:
>  ❦ 14 avril 2017 15:07 -0400, anarcat <anarcat@debian.org> :
>
>> I looked into this during the Montreal BSP, and it's unclear what we
>> should do here, considering there has been multiple new uploads since
>> the stretch freeze. 
>>
>> The patch is pretty long:
>>
>> https://github.com/golang/crypto/commit/e4e2799dd7aab89f583e1d898300d96367750991
>>
>> ... and there's no way to just backport it into stretch at this point
>> (IIRC).
>
> The patch is not that big. Most of its content is in tests and
> examples. The only problem is that it exposes a behavioral change that
> may break reverse dependencies at runtime.
>
>> So I'm wondering if the next step here would not just be to ask for an
>> exception to unblock this for stretch, or just tell the release team to
>> just ignore this and drop the package from stretch.
>
> There are many reverse dependencies that would be removed by removing
> this package, including some high profile ones, like etcd, rkt,
> influxdb. Their removal will in turn remove a lot of additional
> packages.

Okay well, you guys need to figure out what you do with this package,
because as it stands 1) it has a RC bug and 2) it is completely out of
sync with unstable. I don't understand why so many uploads were done
after stretch was frozen, but I guess you should ask the release team
for an exception at this point.

Then this patch can be added on top...

A.

-- 
There is no cloud, it's just someone else's computer.
                       - Chris Watterson

Message #27 received at 859655@bugs.debian.org (full text, mbox, reply):

From: Michael Lustfield <michael@lustfield.net>

To: 859655@bugs.debian.org

Date: Sat, 15 Apr 2017 23:14:58 -0700

Control: owner -1 !

I agree that this is a very long commit, but it makes only one change and it's
pretty easy to follow the logic. It also offers an easy way to opt-out.

Thinking about SSH, in the real world, it's typically rare that the default
host key checking behavior causes problems. I don't expect this situation would
be an exception, but that assumes no bugs in the checks themselves.

I don't believe removal is an option, but I've also never worked with a freeze
exception. To ensure this gets resolved, I will commit to doing the needful. If
anyone else has more experience and wants to coach or take over, please do.

A bit of a side note, this patch is included in current unstable and I'm not
aware of any new reproducible build failures. I will follow up on that
statement, but it at least gives me some confidence we can prevent regressions
in testing.

-- 
Michael Lustfield

Message #34 received at 859655@bugs.debian.org (full text, mbox, reply):

From: "Dr. Tobias Quathamer" <toddy@debian.org>

To: Michael Lustfield <michael@lustfield.net>, 859655@bugs.debian.org

Subject: Status update?

Date: Mon, 24 Apr 2017 13:55:35 +0200

[Message part 1 (text/plain, inline)]

Hi Michael,

how is the status of this bug? There has not been visible activity in 
the bug log for about 10 days ...

Regards,
Tobias

[signature.asc (application/pgp-signature, attachment)]

Message #39 received at 859655@bugs.debian.org (full text, mbox, reply):

From: Michael Lustfield <michael@lustfield.net>

To: 859655@bugs.debian.org

Date: Mon, 24 Apr 2017 22:42:19 -0500

unblock request: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860429
(with more discussion)

Message #44 received at 859655-close@bugs.debian.org (full text, mbox, reply):

From: Michael Lustfield <michael@lustfield.net>

To: 859655-close@bugs.debian.org

Subject: Bug#859655: fixed in golang-go.crypto 1:0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782-1

Date: Wed, 26 Apr 2017 09:04:51 +0000

Source: golang-go.crypto
Source-Version: 1:0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782-1

We believe that the bug you reported is fixed in the latest version of
golang-go.crypto, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 859655@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Lustfield <michael@lustfield.net> (supplier of updated golang-go.crypto package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 26 Apr 2017 02:42:23 -0500
Source: golang-go.crypto
Binary: golang-golang-x-crypto-dev golang-go.crypto-dev
Architecture: source
Version: 1:0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <pkg-go-maintainers@lists.alioth.debian.org>
Changed-By: Michael Lustfield <michael@lustfield.net>
Description:
 golang-go.crypto-dev - Transitional package for golang-golang-x-crypto-dev
 golang-golang-x-crypto-dev - Supplementary Go cryptography libraries
Closes: 859655
Changes:
 golang-go.crypto (1:0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782-1) unstable; urgency=medium
 .
   * Reverts previous upload to permit freeze exception.
   * patches/0001-ssh-require-host-key-checking_CVE-2017-3204.patch:
     + CVE-2017-3204: Default behavior changed to require explicitly
       registering a hostkey verification mechanism. (Closes: #859655)
Checksums-Sha1:
 af960bc0c10cc66e332636b27534733ba2369cf2 2750 golang-go.crypto_0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782-1.dsc
 ed416354f9339ceb33e5bdd60132398aecbdef79 1100132 golang-go.crypto_0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782.orig.tar.xz
 9beb5eb53533312c312187791b9f3a052388836b 8852 golang-go.crypto_0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782-1.debian.tar.xz
 695405c180fa8e3063eb5bc628236788af27fd41 6746 golang-go.crypto_0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782-1_amd64.buildinfo
Checksums-Sha256:
 f4bd7051d643763723933f51a1f067f178ce880d6de31635fa59c325d31f158b 2750 golang-go.crypto_0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782-1.dsc
 a0697187211be58315cd5bf64831c6560295002676c41ef2a06d11536ca5f723 1100132 golang-go.crypto_0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782.orig.tar.xz
 6dad49fecf782b610c3ae9e74e0bc7b9740dfb16053b7b3c5a42e2b4c7e5ee97 8852 golang-go.crypto_0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782-1.debian.tar.xz
 c42b9a8da338cbc8326c028e4b1a6950de2491a5da34bade21c3503dab8cd318 6746 golang-go.crypto_0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782-1_amd64.buildinfo
Files:
 d993dccb862f691979f15280f75b976e 2750 devel extra golang-go.crypto_0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782-1.dsc
 e66ac1fd994db1dd282a3c64a6c3ae7c 1100132 devel extra golang-go.crypto_0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782.orig.tar.xz
 73d71121cafb42c3adeb677e729949d5 8852 devel extra golang-go.crypto_0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782-1.debian.tar.xz
 b6f0011376e1886abea2f662e15eccce 6746 devel extra golang-go.crypto_0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJKBAEBCAA0FiEEBs1j101ZjEpH5CyWA6iJGnZa0IUFAlkAUKAWHG1pY2hhZWxA
bHVzdGZpZWxkLm5ldAAKCRADqIkadlrQhU7BEACyPG1cjCpMP3J/FmM1AC392y0c
Ko07ukya9XMcoIjIJS8US3mWJLGuB6WW3n7rhWXtTnbnbN2/JiCMSMc7AfOa6nUo
EinKeb2L0aRmcBWc6MSW1NflzZ0haFzJ0DJdHVXZcHbAK+va/BYlASWaLeB5sNjN
igK7Dp251O5KCuszHjH2EbBly6dWdCDWl3GGTBa8OFNVAkqb8I5oMNaTDlpKsZen
gAjLnHgAMUaRhz8zbeZ40Kc8I8gb/7jYVRrUaICMnZwEUizE2rNJFMNSYR4uNBl9
E43PYM8jbZbIT9i5QPvzhoydjuUl479o+5aLRnKSyguvrYrD6Vs7xwww7F3i32+D
DUr31vfusSt0mAHy+cUZYiVlTJNjJVMfBfStn1VtCJvPyUykyVpgO/dymkv11Nod
dODW4pqjIbfAP4iQTT2mESi3Z10wfxqxt6b0TV/VtNbRaHJ/wIrb1M8HW30NTwlI
Ofv4Hi6m1gBRNpHF3to5g8SvVMgju3rWc1QUuhvGP7fv9ZsM+nciCxhjK40SslLC
KAaC46ROYom6R0RGPbTARBGC06lwTyRVUeFOvRGYlRkJ23C6HI9+v7Ut/TT4dRoz
uC7F4x5HuV6afYApoKUDQRaV4fGmUBP3pZSUmuL5bQZctWx8r8cQ0Hj7UMufvbZ5
IbXLg8y46XsIAoNmBQ==
=Kgmq
-----END PGP SIGNATURE-----

Message #49 received at 859655@bugs.debian.org (full text, mbox, reply):

From: Michael Lustfield <michael@lustfield.net>

To: 859655@bugs.debian.org

Subject: (still in progress)

Date: Thu, 27 Apr 2017 21:53:50 -0500

Control: reopen 859655 !

This is obviously not resolved yet, but the fix is in unstable.

I'm currently discussing the idea of unblocking this package and requesting nmu
rebuilds. If this works out, it shouldn't take too long to get this closed.

-- 
Michael Lustfield

Message #64 received at 859655@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Michael Lustfield <michael@lustfield.net>, 859655@bugs.debian.org

Subject: Re: Bug#859655: (still in progress)

Date: Fri, 28 Apr 2017 08:42:01 +0200

Control: fixed -1 1:0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782-1
Hi Michael,

On Thu, Apr 27, 2017 at 09:53:50PM -0500, Michael Lustfield wrote:
> Control: reopen 859655 !
> 
> This is obviously not resolved yet, but the fix is in unstable.

Actually reopen should not be done. The fix is in the version, and the
BTS can handle the version tracking, so there is no need to keep a bug
"open/undone" until the fix reaches all affected suites.

To not futher interfere, I only add back the fixed version (wich goes
lost if one does reopen on a bug), leaving to mark it as done to you
:-)

Regards,
Salvatore

Message #79 received at 859655-close@bugs.debian.org (full text, mbox, reply):

From: Michael Lustfield <michael@lustfield.net>

To: 859655-close@bugs.debian.org

Date: Mon, 29 May 2017 14:56:15 -0500

Unless I missed something, this has been resolved. Closing.

-- 
Michael Lustfield

Send a report that this bug log contains spam.