Security issue in


christoph...@gmail.com

May 7, 2021, 3:05:22 AM
to golang-nuts
I just became aware of a security problem in the package https://github.com/satori/go.uuid through this Reddit thread: https://www.reddit.com/r/golang/comments/n6bnsh/cve20213538_issued_for_latest_release_of/?utm_source=share&utm_medium=ios_app&utm_name=iossmf

The issue for the security problem is here: https://github.com/satori/go.uuid/issues/73

There is a CVE identifier for this security problem: https://github.com/satori/go.uuid/issues/115
It is 3 years old and hasn't been resolved. 

The problem is that the owner of the package has apparently vanished.

I report this problem here because this package is used by more than 20 thousand go packages or programs (e.g. gogs). (https://pkg.go.dev/github.com/satori/go.uuid?tab=importedby)

Now that we have this fantastic functionality of modules, I would like to know if we could imagine that the go tools would issue a warning if an imported package has a security issue reported in CVE. I have seen that there is a github tool to do that, but we don't get these notifications by default. 


Axel Wagner

May 7, 2021, 3:15:54 AM
to christoph...@gmail.com, golang-nuts
There is a draft design for a vulnerability database which could be used for this. For now, it's still a draft. But people are working on it.


Manlio Perillo

May 7, 2021, 5:10:48 AM
to golang-nuts
I think the problem here is not only the lack of a vulnerability database for go, but the fact that a lot of people use a module where only one person (the owner) has access to the repository.

Maybe it is time for a new site like gopkg.in, where each module has one or more maintainer and there is a review process similar to the one used for the development of Go.

Manlio

peterGo

May 7, 2021, 9:22:54 AM
to golang-nuts
Manlio,

FYI:

Know, Prevent, Fix: A framework for shifting the discussion around vulnerabilities in open source
Rob Pike, Eric Brewer, Abhishek Arya, Anne Bertucio and Kim Lewandowski
https://security.googleblog.com/2021/02/know-prevent-fix-framework-for-shifting.html

Surviving software dependencies
Russ Cox
https://dl.acm.org/doi/10.1145/3347446

Peter

Lars Seipel

May 7, 2021, 8:46:33 PM
to christoph...@gmail.com, golang-nuts
On Fri, May 07, 2021 at 12:05:22AM -0700, christoph...@gmail.com wrote:
>The issue for the security problem is here:
>https://github.com/satori/go.uuid/issues/73
><https://github.com/satori/go.uuid/issues/73#issuecomment-833337384>
>
>There is a CVE identifier for this security problem:
>https://github.com/satori/go.uuid/issues/115
>It is 3 years old and hasn't been resolved.

The latter statement appears to be incorrect. The bug in question is not
included in the latest tagged release as it was introduced at a later point.
In April 2018, commit 75cca53 ("Fix potential non-random UUIDs") fixed the bug
so master is not affected either.
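Lars pins the bug to a commit on master that was fixed as "Fix potential non-random UUIDs", but the thread never says how a UUID could come out non-random. The Go program below is an added example, not code from go.uuid or from anyone in this thread. It assumes (an assumption, not something the thread states) that the failure mode was an unchecked read from the random source: a short or failed Read leaves zero bytes in the UUID, which then still gets its version and variant bits and looks valid. The unchecked pattern is shown next to a version that uses io.ReadFull and returns the error instead of a weak UUID. shortReader is a constructed source that hands out only eight bytes and then EOF, standing in for an exhausted or misbehaving entropy source.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// UUID is a 16-byte RFC 4122 identifier.
type UUID [16]byte

// setV4Bits stamps the version 4 and RFC 4122 variant bits onto u.
// Note that this happens regardless of how many bytes were actually random,
// so a partially filled UUID still passes a version/variant sanity check.
func setV4Bits(u *UUID) {
	u[6] = (u[6] & 0x0f) | 0x40 // version nibble = 4
	u[8] = (u[8] & 0x3f) | 0x80 // variant bits = 10xx
}

// newV4Unchecked models the assumed weak pattern: the byte count and error
// returned by Read are discarded, so a short or failed read leaves the
// remainder of the UUID as zero bytes. Do not use this in real code.
func newV4Unchecked(r io.Reader) UUID {
	var u UUID
	r.Read(u[:]) // hypothetical weak pattern: return values ignored
	setV4Bits(&u)
	return u
}

// newV4Checked either fills all 16 bytes or fails. io.ReadFull keeps reading
// until the buffer is full and turns a premature EOF into io.ErrUnexpectedEOF,
// so a short read can never be mistaken for success.
func newV4Checked(r io.Reader) (UUID, error) {
	var u UUID
	if _, err := io.ReadFull(r, u[:]); err != nil {
		return UUID{}, fmt.Errorf("uuid: reading random source: %w", err)
	}
	setV4Bits(&u)
	return u, nil
}

// NewV4 is the hardened generator backed by crypto/rand.
func NewV4() (UUID, error) { return newV4Checked(rand.Reader) }

// String renders the canonical 8-4-4-4-12 hex form.
func (u UUID) String() string {
	return fmt.Sprintf("%x-%x-%x-%x-%x", u[0:4], u[4:6], u[6:8], u[8:10], u[10:16])
}

// zeroTail reports whether every byte from index from onward is zero,
// the tell-tale sign of a short read that went unnoticed.
func zeroTail(u UUID, from int) bool {
	return bytes.Equal(u[from:], make([]byte, 16-from))
}

// shortReader is a constructed random source: it yields n bytes of 0xAB and
// then reports io.EOF, never returning an error on the partial read itself.
type shortReader struct{ n int }

func (s *shortReader) Read(p []byte) (int, error) {
	if s.n <= 0 {
		return 0, io.EOF
	}
	k := s.n
	if k > len(p) {
		k = len(p)
	}
	for i := 0; i < k; i++ {
		p[i] = 0xAB
	}
	s.n -= k
	return k, nil
}

func main() {
	weak := newV4Unchecked(&shortReader{n: 8})
	fmt.Println("unchecked:", weak, "trailing zero bytes:", zeroTail(weak, 9))

	_, err := newV4Checked(&shortReader{n: 8})
	fmt.Println("checked on short source, unexpected EOF:", errors.Is(err, io.ErrUnexpectedEOF))

	good, err := NewV4()
	if err != nil {
		fmt.Println("crypto/rand failed:", err)
		return
	}
	fmt.Println("checked on crypto/rand:", good)
}
```

The unchecked variant prints a UUID whose last seven bytes are all zero yet whose version and variant bits are correct, which is exactly why a bug of this shape is easy to miss in tests that only parse the output. The checked variant refuses to hand back an identifier at all when the source underdelivers.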