
x/vuln: incorrect version is suggested as a fixed version for a vulnerability with multiple packages #54913


Closed
hyangah opened this issue Sep 7, 2022 · 2 comments
Assignees
Labels
FrozenDueToAge NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. vulncheck or vulndb Issues for the x/vuln or x/vulndb repo

Comments

@hyangah
Contributor

hyangah commented Sep 7, 2022

What version of Go are you using (go version)?

$ go version
go version go1.19 darwin/amd64

$ go version -m ~/go/bin/govulncheck
/Users/hakim/go/bin/govulncheck: go1.19
        path    golang.org/x/vuln/cmd/govulncheck
        mod     golang.org/x/vuln       v0.0.0-20220902211423-27dd78d2ca39      h1:501+NfNjDh4IT4HOzdeezTOFD7njtY49aXJN1oY3E1s=
        dep     golang.org/x/exp        v0.0.0-20220722155223-a9213eeb770e      h1:+WEEuIdZHnUeJJmEUjyYC2gfUMj69yZXw17EnHg/otA=
        dep     golang.org/x/mod        v0.6.0-dev.0.20220419223038-86c51ed26bb4        h1:6zppjxzCulZykYSLyVDYbneBfbaBIQPYMevg0bEwv2s=
        dep     golang.org/x/sys        v0.0.0-20220722155257-8c9f86f7a55f      h1:v4INt8xihDGvnrfjMDVXGxw9wrfxYyCjk0KbXjhR55s=
        dep     golang.org/x/tools      v0.1.13-0.20220803210227-8b9a1fbdf5c3   h1:aE4T3aJwdCNz+s35ScSQYUzeGu7BOLDHZ1bBHVurqqY=
        build   -compiler=gc
        build   CGO_ENABLED=1
        build   CGO_CFLAGS=
        build   CGO_CPPFLAGS=
        build   CGO_CXXFLAGS=
        build   CGO_LDFLAGS=
        build   GOARCH=amd64
        build   GOOS=darwin
        build   GOAMD64=v1

Does this issue reproduce at the latest version of golang.org/x/vuln?

yes

What did you do?

$ git clone https://github.com/hashicorp/vault 
$ git checkout v1.7.0
$ govulncheck ./...

See the reports on GO-2021-0061 (affecting vulnerability) and GO-2022-0493 (in the 'informational' section).

What did you expect to see?

GO-2021-0061: This project imports 'github.com/go-yaml/yaml'. According to https://pkg.go.dev/vuln/GO-2021-0061 there is no known fix for this module. I expect govulncheck to tell users this, or to suggest that they migrate to gopkg.in/yaml.v2@v2.2.3.

GO-2022-0493: This project imports affected golang.org/x/sys/unix (v0.0.0-20210124154548-22da62e12c0c). I expect govulncheck to recommend v0.0.0-20220412211240-33da011f77ad (as listed in https://pkg.go.dev/vuln/GO-2022-0493) or a reasonable version.

What did you see instead?

govulncheck suggests 'github.com/go-yaml/yaml@v2.2.3' and 'golang.org/x/sys/unix@v1.18.2' which aren't valid.

Vulnerability #1: GO-2021-0061
  Due to unbounded alias chasing, a maliciously crafted YAML file
  can cause the system to consume significant system resources. If
  parsing user input, this may be used as a denial of service
  vector.

  Call stacks in your code:
      builtin/credential/okta/path_config.go:326:40: github.com/hashicorp/vault/builtin/credential/okta.ConfigEntry.OktaClient calls github.com/okta/okta-sdk-golang/v2/okta.NewClient, which eventually calls github.com/go-yaml/yaml.Unmarshal

  Found in: github.com/go-yaml/yaml@v2.1.0+incompatible
  Fixed in: github.com/go-yaml/yaml@v2.2.3
  More info: https://pkg.go.dev/vuln/GO-2021-0061

...
Vulnerability #2: GO-2022-0493
  When called with a non-zero flags parameter, the Faccessat function
  can incorrectly report that a file is accessible.

  Found in: golang.org/x/sys/unix@v0.0.0-20210124154548-22da62e12c0c
  Fixed in: golang.org/x/sys/unix@v1.18.2
  More info: https://pkg.go.dev/vuln/GO-2022-0493
@hyangah hyangah added the vulncheck or vulndb Issues for the x/vuln or x/vulndb repo label Sep 7, 2022
@gopherbot gopherbot added this to the Unreleased milestone Sep 7, 2022
@hyangah hyangah changed the title x/vuln: incorrect version is suggested as a fixed version for GO-2022-0493 x/vuln: incorrect version is suggested as a fixed version for a vulnerability with multiple packages Sep 7, 2022
@mknyszek mknyszek added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Sep 7, 2022
@julieqiu julieqiu modified the milestones: Unreleased, vuln/unplanned Sep 8, 2022
@julieqiu julieqiu removed the x/vuln label Sep 10, 2022
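The report above boils down to one lookup: when a vulnerability entry lists several affected modules, the "Fixed in" version must come from the module that actually contains the package found in the build, not from whichever affected entry happens to carry a fixed version first. The following Go program is an added illustration written for this issue; it is not code from x/vuln or govulncheck. The `Entry`/`Affected`/`Event` types are a simplified stand-in for the OSV shape, the sample entries are constructed from the versions quoted in this issue, and `example.com/other-module` is a hypothetical placeholder used only to reproduce the symptom for GO-2022-0493 (the real second module in that entry is not named here). It shows the naive "first fixed event anywhere" lookup producing exactly the two wrong suggestions from the original report, beside a per-module lookup that produces the expected ones.

```go
package main

import (
	"fmt"
	"strings"
)

// Event is one boundary in an OSV-style events list: either an
// "introduced" version or a "fixed" version (the other field is empty).
type Event struct {
	Introduced string
	Fixed      string
}

// Affected is one affected module inside a vulnerability entry.
type Affected struct {
	Module   string
	Packages []string
	Events   []Event
}

// Entry is a simplified vulnerability record (one OSV entry).
type Entry struct {
	ID       string
	Affected []Affected
}

// Constructed sample entries. Versions are the ones quoted in the issue;
// example.com/other-module is a hypothetical placeholder module.
var entries = map[string]Entry{
	"GO-2021-0061": {
		ID: "GO-2021-0061",
		Affected: []Affected{
			// Listed first: the module that has a fix.
			{Module: "gopkg.in/yaml.v2", Packages: []string{"gopkg.in/yaml.v2"},
				Events: []Event{{Introduced: "v0"}, {Fixed: "v2.2.3"}}},
			// The unmaintained fork: introduced, never fixed.
			{Module: "github.com/go-yaml/yaml", Packages: []string{"github.com/go-yaml/yaml"},
				Events: []Event{{Introduced: "v0"}}},
		},
	},
	"GO-2022-0493": {
		ID: "GO-2022-0493",
		Affected: []Affected{
			// Hypothetical placeholder module carrying an unrelated fixed version.
			{Module: "example.com/other-module", Packages: []string{"example.com/other-module/pkg"},
				Events: []Event{{Introduced: "v0"}, {Fixed: "v1.18.2"}}},
			{Module: "golang.org/x/sys", Packages: []string{"golang.org/x/sys/unix"},
				Events: []Event{{Introduced: "v0"}, {Fixed: "v0.0.0-20220412211240-33da011f77ad"}}},
		},
	},
}

// naiveFixedVersion reproduces the faulty behaviour: it returns the first
// "fixed" event found anywhere in the entry, ignoring which module the
// finding belongs to.
func naiveFixedVersion(e Entry) string {
	for _, a := range e.Affected {
		for _, ev := range a.Events {
			if ev.Fixed != "" {
				return ev.Fixed
			}
		}
	}
	return "N/A"
}

// moduleFor returns the affected entry whose module path contains pkgPath.
// When module paths nest, the longest (most specific) match wins.
func moduleFor(e Entry, pkgPath string) (Affected, bool) {
	var best Affected
	found := false
	for _, a := range e.Affected {
		if pkgPath == a.Module || strings.HasPrefix(pkgPath, a.Module+"/") {
			if !found || len(a.Module) > len(best.Module) {
				best, found = a, true
			}
		}
	}
	return best, found
}

// fixedVersionFor returns the fixed version of the module that actually
// contains pkgPath, or "N/A" when that module has no fixed event. The last
// fixed event in the module's list is used; a full implementation would
// also compare the found version against each introduced/fixed range.
func fixedVersionFor(e Entry, pkgPath string) string {
	a, ok := moduleFor(e, pkgPath)
	if !ok {
		return "N/A"
	}
	fixed := "N/A"
	for _, ev := range a.Events {
		if ev.Fixed != "" {
			fixed = ev.Fixed
		}
	}
	return fixed
}

func main() {
	// The two findings from the issue: (vulnerability ID, package found in the build).
	findings := [][2]string{
		{"GO-2021-0061", "github.com/go-yaml/yaml"},
		{"GO-2022-0493", "golang.org/x/sys/unix"},
	}
	for _, f := range findings {
		e := entries[f[0]]
		fmt.Printf("%s %s\n  naive:      %s\n  per-module: %s\n",
			e.ID, f[1], naiveFixedVersion(e), fixedVersionFor(e, f[1]))
	}
}
```

Run as-is and the naive column prints v2.2.3 and v1.18.2, the two suggestions the issue calls invalid, while the per-module column prints N/A and v0.0.0-20220412211240-33da011f77ad, matching the corrected output in the follow-up comment.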
@hyangah
Contributor Author

hyangah commented Sep 19, 2022

With the latest version v0.0.0-20220919155316-41b1fc70d0a6 this is already fixed. Thanks @zpavlinovic

Vulnerability #2: GO-2021-0061
  Due to unbounded alias chasing, a maliciously crafted YAML file
  can cause the system to consume significant system resources. If
  parsing user input, this may be used as a denial of service
  vector.

  Call stacks in your code:
      builtin/credential/okta/path_config.go:326:40: github.com/hashicorp/vault/builtin/credential/okta.ConfigEntry.OktaClient calls github.com/okta/okta-sdk-golang/v2/okta.NewClient, which eventually calls github.com/go-yaml/yaml.Unmarshal

  Found in: github.com/go-yaml/yaml@v2.1.0+incompatible
  Fixed in: N/A
  More info: https://pkg.go.dev/vuln/GO-2021-0061
...
Vulnerability #2: GO-2022-0493
  When called with a non-zero flags parameter, the Faccessat function
  can incorrectly report that a file is accessible.

  Found in: golang.org/x/sys/unix@v0.0.0-20210124154548-22da62e12c0c
  Fixed in: golang.org/x/sys/unix@v0.0.0-20220412211240-33da011f77ad
  More info: https://pkg.go.dev/vuln/GO-2022-0493

@gopherbot
Contributor

Change https://go.dev/cl/432076 mentions this issue: gopls: update x/vuln to pick fix for incorrect version suggestion

gopherbot pushed a commit to golang/tools that referenced this issue Sep 20, 2022
Fixed in https://go-review.git.corp.google.com/c/vuln/+/430684

Updates golang/go#54913

Change-Id: I1932a09bdd2a2192c6b61458cef28978c2e7f660
Reviewed-on: https://go-review.googlesource.com/c/tools/+/432076
gopls-CI: kokoro <noreply+kokoro@google.com>
Reviewed-by: Suzy Mueller <suzmue@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Hyang-Ah Hana Kim <hyangah@gmail.com>
@golang golang locked and limited conversation to collaborators Sep 20, 2023