Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/net: requires an older x/crypto version without security fix #35798

Closed
greut opened this issue Nov 23, 2019 · 4 comments
Closed

x/net: requires an older x/crypto version without security fix #35798

greut opened this issue Nov 23, 2019 · 4 comments
Labels
FrozenDueToAge NeedsFix The path to resolution is known, but the work has not been done.
Milestone
Unreleased

Comments

@greut
Copy link

greut commented Nov 23, 2019

What version of Go are you using (go version)?

$ go version
go version go1.13.4 linux/amd64

Does this issue reproduce with the latest release?

Indeed.

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/home/yoan/.cache/go-build"
GOENV="/home/yoan/.config/go/env"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/home/yoan/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/lib/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/lib/go/pkg/tool/linux_amd64"
GCCGO="gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/home/yoan/soft/net-1/go.mod"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build767323679=/tmp/go-build -gno-record-gcc-switches"

What did you do?

go get -u golang.org/x/net/

What did you expect to see?

Getting a version of x/crypto that is not vulnerable to CVE-2019-11840

What did you see instead?

$ go mod graph | grep net
golang.org/x/net@v0.0.0-20191119073136-fc4aabc6c914 golang.org/x/crypto@v0.0.0-20190308221718-c2843e01d9a2
@gopherbot gopherbot added this to the Unreleased milestone Nov 23, 2019
@dmitshur dmitshur added the NeedsFix The path to resolution is known, but the work has not been done. label Nov 23, 2019
@dmitshur
Copy link
Contributor

dmitshur commented Nov 23, 2019
edited

The x/net module has only one package that imports something from x/crypto module. It's the h2i command, which imports golang.org/x/crypto/ssh/terminal:

https://github.com/golang/net/blob/fc4aabc6c91483155dade6fbb627cc953a723260/http2/h2i/h2i.go#L38

The fix for CVE-2019-11840 affected only the golang.org/x/crypto/salsa20/salsa package, so x/net doesn't use anything that would be affected.

Still, it's probably a good idea for x/net to require a newer version, in case someone does use that package indirectly.

/cc @FiloSottile @katiehockman

@dmitshur dmitshur changed the title x/net: is pulling insecure x/crypto x/net: requires an older x/crypto version without security fix Nov 23, 2019
@greut
Copy link
Author

greut commented Nov 24, 2019

@dmitshur you've rephrased it perfectly. I'm requiring golang.org/x/crypto v0.0.0-20191122220453-ac88ee75c92c and end up with v0.0.0-20190308221718-c2843e01d9a2 because of the way go mod resolves dependencies.

Cheers,

@FiloSottile
Copy link
Contributor

Vulnerability tracking is an open ecosystem question we are working on, but I don't think it should be x/net's responsibility to pull up the version of x/crypto past a vulnerability in a component that x/net doesn't depend on.

How MVS works is that each module specifies the minimum version of its dependencies it needs to work correctly, and then the go tool will pick the highest in the graph, which is expected to work for everyone thanks to semantic versioning (and the versioned import paths).

I think requiring a security fix is akin to requiring a new API: the module that needs it must specify an explicit dependency in its go.mod. Relying on you transitive dependencies to pull it up is brittle: if tomorrow you remove your dependency on x/net, you'll be silently dropping back to an insecure version of salsa20!

In summary, if your module is using golang.org/x/crypto/salsa20, you need to specify a recent version of x/crypto in your go.mod, for example by running go get golang.org/x/crypto/salsa20.

I'm requiring golang.org/x/crypto v0.0.0-20191122220453-ac88ee75c92c and end up with v0.0.0-20190308221718-c2843e01d9a2 because of the way go mod resolves dependencies.

This is not how it's supposed to work, so if that's happening please open a cmd/go issue with reproduction instructions. You can check the actual final selected version with go list -m golang.org/x/crypto.

@greut
Copy link
Author

greut commented Nov 26, 2019

@FiloSottile Thanks for your time, I overlooked it.

@tmthrgd tmthrgd mentioned this issue Dec 14, 2019
Closed
@golang golang locked and limited conversation to collaborators Nov 25, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
FrozenDueToAge NeedsFix The path to resolution is known, but the work has not been done.
Projects
None yet
Milestone
Unreleased
Development

No branches or pull requests
4 participants
@greut @FiloSottile @dmitshur @gopherbot