go gnupg/clearsign issues

Bug #1828905 reported by Seth Arnold
Affects                           Status     Importance  Assigned to  Milestone
aptly (Ubuntu)                    Confirmed  Undecided   Unassigned
autodeb (Ubuntu)                  Confirmed  Undecided   Unassigned
candid (Ubuntu)                   Confirmed  Undecided   Unassigned
charm (Ubuntu)                    Confirmed  Undecided   Unassigned
golang-go.crypto (Ubuntu)         Confirmed  Undecided   Unassigned
golang-pault-go-archive (Ubuntu)  Confirmed  Undecided   Unassigned
golang-pault-go-debian (Ubuntu)   Confirmed  Undecided   Unassigned
juju-core (Ubuntu)                Confirmed  Undecided   Unassigned
juju-core-1 (Ubuntu)              Confirmed  Undecided   Unassigned
lxd (Ubuntu)                      Invalid    Undecided   Unassigned
mongo-tools (Ubuntu)              Confirmed  Undecided   Unassigned
mongodb (Ubuntu)                  Confirmed  Undecided   Unassigned
singularity-container (Ubuntu)    Confirmed  Undecided   Unassigned

Bug Description

Hello, SEC Consult has reported an issue with Go's implementation of openpgp clear signatures:

https://seclists.org/fulldisclosure/2019/May/16
https://sec-consult.com/en/blog/advisories/cleartext-message-spoofing-in-go-cryptography-libraries-cve-2019-11841/

This appears to affect a lot of code in the archive.

CVE-2019-11841 has been assigned to this issue.

Thanks

Seth Arnold (seth-arnold) wrote :

$ rg -j 8 -uu -g '*.go' golang.org/x/crypto/openpgp/clearsign
universe/g/golang-pault-go-archive/golang-pault-go-archive_1.0-1/archive.go
14: "golang.org/x/crypto/openpgp/clearsign"

universe/a/aptly/aptly_1.3.0-6/pgp/internal.go
17: "golang.org/x/crypto/openpgp/clearsign"

universe/a/aptly/aptly_1.3.0+ds1-2.2/pgp/internal.go
17: "golang.org/x/crypto/openpgp/clearsign"

universe/a/aptly/aptly_1.3.0+ds1-2/pgp/internal.go
17: "golang.org/x/crypto/openpgp/clearsign"

universe/a/aptly/aptly_1.2.0-3/pgp/internal.go
17: "golang.org/x/crypto/openpgp/clearsign"

universe/g/golang-pault-go-debian/golang-pault-go-debian_0.4-1/control/parse.go
29: "golang.org/x/crypto/openpgp/clearsign"

universe/g/golang-pault-go-debian/golang-pault-go-debian_0.5-1/control/parse.go
33: "golang.org/x/crypto/openpgp/clearsign"

universe/g/golang-pault-go-debian/golang-pault-go-debian_0.9-1/control/parse.go
33: "golang.org/x/crypto/openpgp/clearsign"

main/g/golang-go.crypto/golang-go.crypto_0.0~git20151201.0.7b85b09-2/openpgp/clearsign/clearsign.go
10:package clearsign // import "golang.org/x/crypto/openpgp/clearsign"

main/g/golang-go.crypto/golang-go.crypto_0.0~git20170629.0.5ef0053-1ubuntu1/openpgp/clearsign/clearsign.go
10:package clearsign // import "golang.org/x/crypto/openpgp/clearsign"

universe/s/singularity-container/singularity-container_3.0.3+ds-1/pkg/signing/signing.go
20: "golang.org/x/crypto/openpgp/clearsign"

universe/a/autodeb/autodeb_0.20.0-1/internal/pgp/pgp.go
12: "golang.org/x/crypto/openpgp/clearsign"

universe/g/golang-go.crypto/golang-go.crypto_0.0~git20181203.505ab14-1/openpgp/clearsign/clearsign.go
10:package clearsign // import "golang.org/x/crypto/openpgp/clearsign"

universe/g/golang-go.crypto/golang-go.crypto_0.0~git20170629.0.5ef0053-2/openpgp/clearsign/clearsign.go
10:package clearsign // import "golang.org/x/crypto/openpgp/clearsign"

universe/g/golang-go.crypto/golang-go.crypto_0.0~git20180614.a8fb68e-1/openpgp/clearsign/clearsign.go
10:package clearsign // import "golang.org/x/crypto/openpgp/clearsign"

main/j/juju-core/juju-core_2.0~beta4-0ubuntu2/src/golang.org/x/crypto/openpgp/clearsign/clearsign.go
10:package clearsign // import "golang.org/x/crypto/openpgp/clearsign"

main/j/juju-core/juju-core_2.0.2-0ubuntu0.16.04.2/src/golang.org/x/crypto/openpgp/clearsign/clearsign.go
10:package clearsign // import "golang.org/x/crypto/openpgp/clearsign"

main/j/juju-core/juju-core_2.0~beta4-0ubuntu2/src/github.com/juju/juju/environs/simplestreams/encode.go
12: "golang.org/x/crypto/openpgp/clearsign"

main/j/juju-core/juju-core_2.0~beta4-0ubuntu2/src/github.com/juju/juju/environs/simplestreams/decode.go
13: "golang.org/x/crypto/openpgp/clearsign"

main/j/juju-core/juju-core_2.3.7-0ubuntu0.16.04.1/src/golang.org/x/crypto/openpgp/clearsign/clearsign.go
10:package clearsign // import "golang.org/x/crypto/openpgp/clearsign"

main/j/juju-core/juju-core_2.0.2-0ubuntu0.16.04.2/src/github.com/juju/juju/environs/simplestreams/decode.go
13: "golang.org/x/crypto/openpgp/clearsign"

main/j/juju-core/juju-core_2.0.2-0ubuntu0.16.04.2/src/github.com/juju/juju/environs/simplestreams/encode.go
12: "golang.org/x/crypto/openpgp/clearsign"

main/j/juju-core/juju-c...

affects: ubuntu → golang-pault-go-archive (Ubuntu)
Michael Hudson-Doyle (mwhudson) wrote :

Can you filter that list to source packages that build non-arch-all binary packages? They are the ones that will need to be rebuilt once the go.crypto has been fixed.

Seth Arnold (seth-arnold) wrote :

I'm sorry I lost track of this. Here are the packages that aren't Architecture: all:

 grep Arch $(egrep '^[mu]' /tmp/go | awk -F/ '{print $1 "/" $2 "/" $3 "/" $4 "/debian/control" ;}' | sort -u) | grep -v ":Architecture: all$"
main/g/golang-go.crypto/golang-go.crypto_0.0~git20170629.0.5ef0053-1ubuntu1/debian/control:Architecture: any
main/g/golang-go.crypto/golang-go.crypto_0.0~git20170629.0.5ef0053-1ubuntu1/debian/control:Architecture: any
main/j/juju-core/juju-core_2.0.2-0ubuntu0.16.04.2/debian/control:Architecture: any
main/j/juju-core/juju-core_2.0~beta4-0ubuntu2/debian/control:Architecture: any
main/j/juju-core/juju-core_2.3.7-0ubuntu0.16.04.1/debian/control:Architecture: any
main/l/lxd/lxd_2.0.0-0ubuntu4/debian/control:Architecture: any
main/l/lxd/lxd_2.0.0-0ubuntu4/debian/control:Architecture: any
main/l/lxd/lxd_2.0.0-0ubuntu4/debian/control:Architecture: any
main/l/lxd/lxd_2.0.11-0ubuntu1~16.04.4/debian/control:Architecture: any
main/l/lxd/lxd_2.0.11-0ubuntu1~16.04.4/debian/control:Architecture: any
main/l/lxd/lxd_2.0.11-0ubuntu1~16.04.4/debian/control:Architecture: any
main/l/lxd/lxd_2.0.2-0ubuntu1~16.04.1/debian/control:Architecture: any
main/l/lxd/lxd_2.0.2-0ubuntu1~16.04.1/debian/control:Architecture: any
main/l/lxd/lxd_2.0.2-0ubuntu1~16.04.1/debian/control:Architecture: any
main/l/lxd/lxd_2.18-0ubuntu6/debian/control:Architecture: amd64 arm64 armhf i386 ppc64el s390x
main/l/lxd/lxd_2.18-0ubuntu6/debian/control:Architecture: amd64 arm64 armhf i386 ppc64el s390x
main/l/lxd/lxd_2.18-0ubuntu6/debian/control:Architecture: amd64 arm64 armhf i386 ppc64el s390x
main/l/lxd/lxd_2.21-0ubuntu3~17.10.2/debian/control:Architecture: amd64 arm64 armhf i386 ppc64el s390x
main/l/lxd/lxd_2.21-0ubuntu3~17.10.2/debian/control:Architecture: amd64 arm64 armhf i386 ppc64el s390x
main/l/lxd/lxd_2.21-0ubuntu3~17.10.2/debian/control:Architecture: amd64 arm64 armhf i386 ppc64el s390x
main/l/lxd/lxd_3.0.0-0ubuntu4/debian/control:Architecture: amd64 arm64 armhf i386 ppc64el s390x
main/l/lxd/lxd_3.0.0-0ubuntu4/debian/control:Architecture: amd64 arm64 armhf i386 ppc64el s390x
main/l/lxd/lxd_3.0.0-0ubuntu4/debian/control:Architecture: amd64 arm64 armhf i386 ppc64el s390x
main/l/lxd/lxd_3.0.3-0ubuntu1~16.04.1/debian/control:Architecture: amd64 arm64 armhf i386 ppc64el s390x
main/l/lxd/lxd_3.0.3-0ubuntu1~16.04.1/debian/control:Architecture: amd64 arm64 armhf i386 ppc64el s390x
main/l/lxd/lxd_3.0.3-0ubuntu1~16.04.1/debian/control:Architecture: amd64 arm64 armhf i386 ppc64el s390x
main/l/lxd/lxd_3.0.3-0ubuntu1~18.04.1/debian/control:Architecture: amd64 arm64 armhf i386 ppc64el s390x
main/l/lxd/lxd_3.0.3-0ubuntu1~18.04.1/debian/control:Architecture: amd64 arm64 armhf i386 ppc64el s390x
main/l/lxd/lxd_3.0.3-0ubuntu1~18.04.1/debian/control:Architecture: amd64 arm64 armhf i386 ppc64el s390x
universe/a/aptly/aptly_0.9.6-1/debian/control:Architecture: any
universe/a/aptly/aptly_1.0.1-1/debian/control:Architecture: any
universe/a/aptly/aptly_1.2.0-3/debian/control:Architecture: any
universe/a/aptly/aptly_1.3.0-6/debian/control:Architecture: any
universe/a/aptly/aptly_1.3.0-6/debian/control:Architecture: any
universe/a/aptly/aptly_1.3.0+ds1-2.2/debian/control:Architecture: ...

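The filter Michael asked for, as an added example that is not part of the bug report or of any listed package: instead of grepping every Architecture line, it reads each debian/control stanza by stanza and reports a source package once if any of its binary packages has an Architecture other than exactly "all", since those are the compiled binaries that statically embed go.crypto and need a rebuild. The sample control files and the package names in them are constructed for the demonstration.

```shell
# Added example, not from the bug report. Flags source packages whose
# debian/control declares at least one binary package with an Architecture
# other than exactly "all" ("any", "amd64 arm64 ...", mixed values all count).

# Usage: arch_dependent_sources LISTFILE
# LISTFILE holds one debian/control path per line (e.g. the rg hits mapped
# to their debian/control as in the pipeline above). Prints each source once.
arch_dependent_sources() {
  while IFS= read -r ctl; do
    [ -f "$ctl" ] || continue
    awk '
      # The first Source: line (source stanza) names the source package.
      /^Source:/ && src == "" { src = $2 }
      # Architecture: lines only occur in binary-package stanzas.
      /^Architecture:/ {
        sub(/^Architecture:[ \t]*/, "")
        sub(/[ \t]+$/, "")
        if ($0 != "all") hit = 1
      }
      END { if (hit && src != "") print src }
    ' "$ctl"
  done < "$1" | sort -u
}

# Constructed sample data standing in for archive checkouts: a pure-Go
# library shipped as Architecture: all (no rebuild needed) and a tool whose
# -doc package is "all" but whose main package is a native "any" binary.
make_samples() {
  dir=$(mktemp -d)
  mkdir -p "$dir/lib/debian" "$dir/tool/debian"
  printf 'Source: golang-example-lib\nMaintainer: nobody\n\nPackage: golang-example-lib-dev\nArchitecture: all\nDescription: constructed\n' \
    > "$dir/lib/debian/control"
  printf 'Source: example-tool\nMaintainer: nobody\n\nPackage: example-tool-doc\nArchitecture: all\nDescription: constructed\n\nPackage: example-tool\nArchitecture: any\nDescription: constructed\n' \
    > "$dir/tool/debian/control"
  printf '%s\n%s\n' "$dir/lib/debian/control" "$dir/tool/debian/control" > "$dir/list"
  echo "$dir/list"
}
```

Running `arch_dependent_sources "$(make_samples)"` prints only `example-tool`, the one source in the sample set that builds a compiled binary.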

Stéphane Graber (stgraber) wrote :

LXD does not use clearsign.

Changed in lxd (Ubuntu):
status: New → Invalid
Changed in aptly (Ubuntu):
status: New → Confirmed
Changed in autodeb (Ubuntu):
status: New → Confirmed
Changed in candid (Ubuntu):
status: New → Confirmed
Changed in charm (Ubuntu):
status: New → Confirmed
Changed in golang-go.crypto (Ubuntu):
status: New → Confirmed
Changed in golang-pault-go-archive (Ubuntu):
status: New → Confirmed
Changed in golang-pault-go-debian (Ubuntu):
status: New → Confirmed
Changed in juju-core (Ubuntu):
status: New → Confirmed
Changed in juju-core-1 (Ubuntu):
status: New → Confirmed
Changed in mongo-tools (Ubuntu):
status: New → Confirmed
Changed in mongodb (Ubuntu):
status: New → Confirmed
Changed in singularity-container (Ubuntu):
status: New → Confirmed