x/crypto: Update golang.org/x/text to 0.3.7 #51216

Closed
ristomcgehee opened this issue Feb 15, 2022 · 6 comments
Labels: FrozenDueToAge, NeedsInvestigation (Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.)

Comments

@ristomcgehee

x/crypto is currently using version 0.3.6 of golang.org/x/text, which has a denial-of-service vulnerability: https://osv.dev/vulnerability/GO-2021-0113.

I would like to request that x/crypto update its modules to use version 0.3.7 or higher of golang.org/x/text. Alternatively, if you're confident that x/crypto does not call the vulnerable functions, go ahead and close this issue.

@gopherbot added this to the Unreleased milestone Feb 15, 2022
@mengzhuo (Contributor)

cc @FiloSottile @rolandshoemaker

@dmitshur added the NeedsInvestigation label Feb 16, 2022
@hyangah (Contributor) commented Feb 16, 2022

FYI, the govulncheck result came clean (-all -json -tests, and even with -imports).
cc @zpavlinovic

@matthewhartstonge

For what it's worth, golang.org/x/text is being dragged in indirectly via golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2.

This is causing some deep-scanning vuln checkers to fire - i.e. Snyk, as it's reading go.sum.

Updating x/crypto to the latest version of /x/net will resolve this. As of 2022-01-22, x/net was updated to use x/text@v0.3.7 via golang/net@4395403.

@gopherbot

Change https://go.dev/cl/387654 mentions this issue: go.mod: update golang.org/x/net to latest

@FiloSottile (Contributor)

Vulnerability scanners that detect this as a vulnerability are firing false positives, and I wish we didn't set the example that it's ok to cause work and churn in all unaffected downstream users of a package with a vulnerability.

This is the fifth CL we get to fix a vulnerability that does not affect the modules the CLs are filed against.

https://go-review.googlesource.com/c/net/+/241127
https://go-review.googlesource.com/c/net/+/374374
https://go-review.googlesource.com/c/build/+/378934
https://go-review.googlesource.com/c/crypto/+/374278/2#message-d211e0864e678482daa7e5cd8f2497e12d816914
https://go-review.googlesource.com/c/crypto/+/387654/

This kind of busywork and noise is what discourages packages from reporting vulnerabilities to the database, and precisely what we set out to avoid with govulncheck.

/cc @golang/vulndb @golang/security
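As an added example (not code from this thread, from x/crypto or from the Go project), here is a small POSIX shell helper that tells apart the three ways a module can show up in a Go project: a direct requirement in go.mod, an `// indirect` one, or a go.sum entry with no go.mod requirement at all, which is the checksum-only signal behind the false positive discussed above. The go.mod and go.sum contents are constructed samples (versions from the thread, placeholder checksums); whether the vulnerable x/text function is actually reachable is a separate question that only govulncheck's call-graph analysis answers.

```shell
#!/bin/sh
# Added example, not code from the issue thread or from the Go project.
# Classifies how a module appears in a project so that "listed in go.sum"
# (what a checksum-scanning tool sees) can be told apart from "required in
# go.mod". Neither answers whether the vulnerable function is reachable;
# that is what `govulncheck ./...` is for.

# Constructed sample files modelled on the situation in the thread
# (versions from the thread; the h1: checksums are placeholders).
SAMPLE_GOMOD='module example.invalid/app

go 1.17

require (
	golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2
	golang.org/x/text v0.3.6 // indirect
)'

SAMPLE_GOSUM='golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2 h1:PLACEHOLDER=
golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:PLACEHOLDER=
golang.org/x/text v0.3.6 h1:PLACEHOLDER=
golang.org/x/text v0.3.6/go.mod h1:PLACEHOLDER=
golang.org/x/tools v0.1.8/go.mod h1:PLACEHOLDER='

# dep_status MODULE GOMOD_TEXT GOSUM_TEXT
# Prints "direct VER", "indirect VER", "go.sum-only VER" or "absent".
dep_status() {
  mod=$1; gomod=$2; gosum=$3
  # Escape dots so grep matches the module path literally.
  esc=$(printf '%s' "$mod" | sed 's/[.]/\\./g')
  line=$(printf '%s\n' "$gomod" \
    | grep -E "^[[:space:]]*(require[[:space:]]+)?$esc[[:space:]]+v" | head -n 1)
  if [ -n "$line" ]; then
    # First whitespace-separated field that looks like a version.
    ver=$(printf '%s\n' "$line" | awk '{for(i=1;i<=NF;i++) if($i ~ /^v/){print $i; exit}}')
    case $line in
      *'// indirect'*) echo "indirect $ver" ;;
      *) echo "direct $ver" ;;
    esac
    return 0
  fi
  # Not required by go.mod: only a checksum entry (often just the module's
  # go.mod hash consulted during resolution). Checksum-only scanners still
  # flag these entries.
  ver=$(printf '%s\n' "$gosum" | grep -E "^$esc " | head -n 1 \
    | awk '{print $2}' | sed 's#/go\.mod$##')
  if [ -n "$ver" ]; then echo "go.sum-only $ver"; else echo absent; fi
}

dep_status golang.org/x/text "$SAMPLE_GOMOD" "$SAMPLE_GOSUM"
```

Run it against a real checkout by substituting `$(cat go.mod)` and `$(cat go.sum)` for the sample strings; an `indirect` or `go.sum-only` result is a prompt to run govulncheck, not evidence of exposure.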

@matthewhartstonge

@FiloSottile 💯!

Trust me, I was annoyed at Snyk once I worked out what was going on...
