Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#61522 - Security issues when upgrading go package
Attached to Project:
Arch Linux
Opened by Joel Sevilleja (jsevilleja) - Thursday, 24 January 2019, 18:47 GMT
Last edited by Eli Schwartz (eschwartz) - Thursday, 24 January 2019, 18:59 GMT
Details
Hi,
When some package depends on go for building (for example gitea), go includes in the resulting static binary all the libraries referenced. This means that if gitea (or any other Go-related software) makes use of vulnerable code included in the go package, the vulnerability will be included in gitea, and it will persist when the go package gets upgraded. In order to solve this, Arch Linux maintainers should recompile all packages depending on go when go gets an upgrade. As far as I know, this is the behavior distributions like Gentoo are following.
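A practical way for an administrator to check the concern raised above is to read the toolchain version that every Go binary carries in its build metadata and compare it against the installed go package: any binary whose embedded version is older than the toolchain was built before the go upgrade and still contains the old standard library. The script below is an added example, not part of the bug report or of any Arch tooling. It parses the one-line-per-file output of `go version <file>` (that subcommand exists in Go 1.13 and later), and the `SAMPLE_OUTPUT` lines are constructed to illustrate the format; the paths and versions in them are invented.

```python
import re
import subprocess
from typing import Dict, Iterable, List, Tuple

# One line per file from `go version <file> ...`, e.g. "/usr/bin/gitea: go1.11.4".
# Files that are not Go executables print a message without a "goX.Y" token
# (e.g. "...: go version not found") and therefore do not match this pattern.
_VERSION_RE = re.compile(r"^(?P<path>.+?): go(?P<ver>\d+\.\d+(?:\.\d+)?)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Extract a comparable (major, minor, patch) tuple from text such as
    'go1.11.4', '1.11' or the banner 'go version go1.11.5 linux/amd64'.
    A missing patch level (go1.11) is treated as patch 0."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if m is None:
        raise ValueError(f"no Go version found in {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def parse_go_version_output(lines: Iterable[str]) -> Dict[str, Tuple[int, int, int]]:
    """Map each Go binary's path to the toolchain version embedded in it."""
    found: Dict[str, Tuple[int, int, int]] = {}
    for line in lines:
        m = _VERSION_RE.match(line.strip())
        if m:
            found[m.group("path")] = parse_version(m.group("ver"))
    return found


def find_stale(binaries: Dict[str, Tuple[int, int, int]],
               installed: Tuple[int, int, int]) -> List[str]:
    """Return the paths that were built with a toolchain older than `installed`;
    these still carry the standard library of the previous go package."""
    return sorted(path for path, ver in binaries.items() if ver < installed)


def scan_paths(paths: Iterable[str], go: str = "go") -> List[str]:
    """Live variant: run the installed toolchain on real files and report stale
    binaries. Requires Go 1.13+ on PATH, so it is not exercised offline."""
    banner = subprocess.run([go, "version"], capture_output=True, text=True, check=True).stdout
    installed = parse_version(banner)
    out = subprocess.run([go, "version", *paths], capture_output=True, text=True, check=False).stdout
    return find_stale(parse_go_version_output(out.splitlines()), installed)


# Constructed sample output (not captured from a real system): the box has
# go 1.11.5 installed, but gitea and hugo were linked by older toolchains.
SAMPLE_OUTPUT = [
    "/usr/bin/gitea: go1.11.4",
    "/usr/bin/restic: go1.11.5",
    "/usr/bin/ls: go version not found",
    "/usr/bin/hugo: go1.11",
]
SAMPLE_BANNER = "go version go1.11.5 linux/amd64"


def stale_in_sample() -> List[str]:
    """Apply the check to the constructed sample; returns the binaries to rebuild."""
    return find_stale(parse_go_version_output(SAMPLE_OUTPUT), parse_version(SAMPLE_BANNER))


if __name__ == "__main__":
    for path in stale_in_sample():
        print(f"rebuild needed: {path}")
```

On a real host, `scan_paths(glob.glob("/usr/bin/*"))` performs the same comparison against the installed toolchain; the version embedded in a binary only tells you which toolchain linked it, so a binary built from an unchanged toolchain but against a vulnerable vendored dependency is out of scope for this check.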
This task depends upon
Closed by Eli Schwartz (eschwartz)
Thursday, 24 January 2019, 18:59 GMT
Reason for closing: Not a bug
Additional comments about closing: We already do this and don't need a bug report to tell us how to do procedural, non-package-related workflow issues.
Yes, we are aware of how static libraries work.
This is already being worked on along with an advisory for go.