Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

x/net: requires an older x/crypto version without security fix #35798

Closed
greut opened this issue Nov 23, 2019 · 4 comments
Closed

x/net: requires an older x/crypto version without security fix #35798

greut opened this issue Nov 23, 2019 · 4 comments
Labels
Milestone

Comments

@greut
Copy link

@greut greut commented Nov 23, 2019

What version of Go are you using (go version)?

$ go version
go version go1.13.4 linux/amd64

Does this issue reproduce with the latest release?

Indeed.

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/home/yoan/.cache/go-build"
GOENV="/home/yoan/.config/go/env"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/home/yoan/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/lib/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/lib/go/pkg/tool/linux_amd64"
GCCGO="gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/home/yoan/soft/net-1/go.mod"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build767323679=/tmp/go-build -gno-record-gcc-switches"

What did you do?

go get -u golang.org/x/net/

What did you expect to see?

Getting a version of x/crypto that is not vulnerable to CVE-2019-11840

What did you see instead?

$ go mod graph | grep net
golang.org/x/net@v0.0.0-20191119073136-fc4aabc6c914 golang.org/x/crypto@v0.0.0-20190308221718-c2843e01d9a2
@gopherbot gopherbot added this to the Unreleased milestone Nov 23, 2019
@dmitshur dmitshur added the NeedsFix label Nov 23, 2019
@dmitshur

This comment has been minimized.

Copy link
Member

@dmitshur dmitshur commented Nov 23, 2019

The x/net module has only one package that imports something from x/crypto module. It's the h2i command, which imports golang.org/x/crypto/ssh/terminal:

https://github.com/golang/net/blob/fc4aabc6c91483155dade6fbb627cc953a723260/http2/h2i/h2i.go#L38

The fix for CVE-2019-11840 affected only the golang.org/x/crypto/salsa20/salsa package, so x/net doesn't use anything that would be affected.

Still, it's probably a good idea for x/net to require a newer version, in case someone does use that package indirectly.

/cc @FiloSottile @katiehockman

@dmitshur dmitshur changed the title x/net: is pulling insecure x/crypto x/net: requires an older x/crypto version without security fix Nov 23, 2019
@greut

This comment has been minimized.

Copy link
Author

@greut greut commented Nov 24, 2019

@dmitshur you've rephrased it perfectly. I'm requiring golang.org/x/crypto v0.0.0-20191122220453-ac88ee75c92c and end up with v0.0.0-20190308221718-c2843e01d9a2 because of the way go mod resolves dependencies.

Cheers,

@FiloSottile

This comment has been minimized.

Copy link
Member

@FiloSottile FiloSottile commented Nov 25, 2019

Vulnerability tracking is an open ecosystem question we are working on, but I don't think it should be x/net's responsibility to pull up the version of x/crypto past a vulnerability in a component that x/net doesn't depend on.

How MVS works is that each module specifies the minimum version of its dependencies it needs to work correctly, and then the go tool will pick the highest in the graph, which is expected to work for everyone thanks to semantic versioning (and the versioned import paths).

I think requiring a security fix is akin to requiring a new API: the module that needs it must specify an explicit dependency in its go.mod. Relying on you transitive dependencies to pull it up is brittle: if tomorrow you remove your dependency on x/net, you'll be silently dropping back to an insecure version of salsa20!

In summary, if your module is using golang.org/x/crypto/salsa20, you need to specify a recent version of x/crypto in your go.mod, for example by running go get golang.org/x/crypto/salsa20.

I'm requiring golang.org/x/crypto v0.0.0-20191122220453-ac88ee75c92c and end up with v0.0.0-20190308221718-c2843e01d9a2 because of the way go mod resolves dependencies.

This is not how it's supposed to work, so if that's happening please open a cmd/go issue with reproduction instructions. You can check the actual final selected version with go list -m golang.org/x/crypto.

@greut

This comment has been minimized.

Copy link
Author

@greut greut commented Nov 26, 2019

@FiloSottile Thanks for your time, I overlooked it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
4 participants
You can’t perform that action at this time.