go gnupg/clearsign issues

Bug #1828905 reported by Seth Arnold on 2019-05-14
Affects (Importance / Assigned to):
aptly (Ubuntu): Undecided / Unassigned
autodeb (Ubuntu): Undecided / Unassigned
candid (Ubuntu): Undecided / Unassigned
charm (Ubuntu): Undecided / Unassigned
golang-go.crypto (Ubuntu): Undecided / Unassigned
golang-pault-go-archive (Ubuntu): Undecided / Unassigned
golang-pault-go-debian (Ubuntu): Undecided / Unassigned
juju-core (Ubuntu): Undecided / Unassigned
juju-core-1 (Ubuntu): Undecided / Unassigned
lxd (Ubuntu): Undecided / Unassigned
mongo-tools (Ubuntu): Undecided / Unassigned
mongodb (Ubuntu): Undecided / Unassigned
singularity-container (Ubuntu): Undecided / Unassigned

Bug Description

Hello, SEC Consult has reported an issue with Go's implementation of openpgp clear signatures:

https://seclists.org/fulldisclosure/2019/May/16
https://sec-consult.com/en/blog/advisories/cleartext-message-spoofing-in-go-cryptography-libraries-cve-2019-11841/

This appears to affect a lot of code in the archive.

CVE-2019-11841 has been assigned to this issue.

Thanks
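The advisory linked in the report concerns the armor header block that sits between the "-----BEGIN PGP SIGNED MESSAGE-----" line and the empty line that starts the signed text. RFC 4880 only allows "Hash:" headers there; a decoder that skips the block without inspecting it lets a spoofed digest name or arbitrary unsigned lines ride along with a valid signature. The following is an added Go example written for this bug page, not code from the report or from golang.org/x/crypto: it validates that block on its own, without verifying any signature. ParseClearsignHeaders, knownHashes and the sample messages are constructed for the illustration.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"strings"
)

const beginLine = "-----BEGIN PGP SIGNED MESSAGE-----"

// Digest names RFC 4880 (section 6.2) allows in a Hash armor header.
// Constructed list for this example; a real verifier would derive it from the
// algorithms it actually supports.
var knownHashes = map[string]bool{
	"MD5": true, "SHA1": true, "RIPEMD160": true,
	"SHA224": true, "SHA256": true, "SHA384": true, "SHA512": true,
}

// ParseClearsignHeaders validates the armor header block of a clearsigned
// message and returns the digest algorithms its Hash headers declare.
// It rejects any header that is not "Hash", any Hash value that is not a
// known digest name, text before the BEGIN line, and a header block that is
// not terminated by an empty line. No Hash header at all is legal per
// RFC 4880 (MD5 is implied), so that case yields an empty list.
func ParseClearsignHeaders(msg string) ([]string, error) {
	sc := bufio.NewScanner(strings.NewReader(msg))
	if !sc.Scan() || strings.TrimRight(sc.Text(), "\r") != beginLine {
		return nil, errors.New("clearsign: message must start with the BEGIN PGP SIGNED MESSAGE line")
	}
	hashes := []string{}
	for {
		if !sc.Scan() {
			return nil, errors.New("clearsign: armor header block not terminated by an empty line")
		}
		line := strings.TrimRight(sc.Text(), "\r")
		if line == "" {
			return hashes, nil
		}
		key, val, ok := strings.Cut(line, ":")
		if !ok || key != "Hash" {
			// Anything else here is not covered by the signature, yet many
			// viewers would render it as if it were part of the signed body.
			return nil, fmt.Errorf("clearsign: unexpected armor header %q", line)
		}
		for _, h := range strings.Split(val, ",") {
			h = strings.TrimSpace(h)
			if !knownHashes[h] {
				return nil, fmt.Errorf("clearsign: unknown digest %q in Hash header", h)
			}
			hashes = append(hashes, h)
		}
	}
}

// Constructed sample messages. The signature block is a placeholder, not a
// real signature; this example checks headers only.
const (
	goodMsg        = beginLine + "\nHash: SHA256\n\nrelease 1.2.3 is genuine\n-----BEGIN PGP SIGNATURE-----\n<placeholder>\n-----END PGP SIGNATURE-----\n"
	extraHeaderMsg = beginLine + "\nHash: SHA256\nThis line is not covered by the signature\n\nrelease 1.2.3 is genuine\n"
	bogusHashMsg   = beginLine + "\nHash: SHA3-9000\n\nrelease 1.2.3 is genuine\n"
)

func main() {
	samples := map[string]string{"good": goodMsg, "extra-header": extraHeaderMsg, "bogus-hash": bogusHashMsg}
	for name, m := range samples {
		h, err := ParseClearsignHeaders(m)
		fmt.Printf("%-13s hashes=%v err=%v\n", name, h, err)
	}
}
```

The second half of the fix, checking that the digest actually used by the signature packet appears in the returned list, needs the signature parser and belongs in the library; a caller of an unpatched clearsign.Decode can at least run a check like this over the raw bytes before trusting the decoded plaintext.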

Seth Arnold (seth-arnold) wrote :

$ rg -j 8 -uu -g '*.go' golang.org/x/crypto/openpgp/clearsign
universe/g/golang-pault-go-archive/golang-pault-go-archive_1.0-1/archive.go
14: "golang.org/x/crypto/openpgp/clearsign"

universe/a/aptly/aptly_1.3.0-6/pgp/internal.go
17: "golang.org/x/crypto/openpgp/clearsign"

universe/a/aptly/aptly_1.3.0+ds1-2.2/pgp/internal.go
17: "golang.org/x/crypto/openpgp/clearsign"

universe/a/aptly/aptly_1.3.0+ds1-2/pgp/internal.go
17: "golang.org/x/crypto/openpgp/clearsign"

universe/a/aptly/aptly_1.2.0-3/pgp/internal.go
17: "golang.org/x/crypto/openpgp/clearsign"

universe/g/golang-pault-go-debian/golang-pault-go-debian_0.4-1/control/parse.go
29: "golang.org/x/crypto/openpgp/clearsign"

universe/g/golang-pault-go-debian/golang-pault-go-debian_0.5-1/control/parse.go
33: "golang.org/x/crypto/openpgp/clearsign"

universe/g/golang-pault-go-debian/golang-pault-go-debian_0.9-1/control/parse.go
33: "golang.org/x/crypto/openpgp/clearsign"

main/g/golang-go.crypto/golang-go.crypto_0.0~git20151201.0.7b85b09-2/openpgp/clearsign/clearsign.go
10:package clearsign // import "golang.org/x/crypto/openpgp/clearsign"

main/g/golang-go.crypto/golang-go.crypto_0.0~git20170629.0.5ef0053-1ubuntu1/openpgp/clearsign/clearsign.go
10:package clearsign // import "golang.org/x/crypto/openpgp/clearsign"

universe/s/singularity-container/singularity-container_3.0.3+ds-1/pkg/signing/signing.go
20: "golang.org/x/crypto/openpgp/clearsign"

universe/a/autodeb/autodeb_0.20.0-1/internal/pgp/pgp.go
12: "golang.org/x/crypto/openpgp/clearsign"

universe/g/golang-go.crypto/golang-go.crypto_0.0~git20181203.505ab14-1/openpgp/clearsign/clearsign.go
10:package clearsign // import "golang.org/x/crypto/openpgp/clearsign"

universe/g/golang-go.crypto/golang-go.crypto_0.0~git20170629.0.5ef0053-2/openpgp/clearsign/clearsign.go
10:package clearsign // import "golang.org/x/crypto/openpgp/clearsign"

universe/g/golang-go.crypto/golang-go.crypto_0.0~git20180614.a8fb68e-1/openpgp/clearsign/clearsign.go
10:package clearsign // import "golang.org/x/crypto/openpgp/clearsign"

main/j/juju-core/juju-core_2.0~beta4-0ubuntu2/src/golang.org/x/crypto/openpgp/clearsign/clearsign.go
10:package clearsign // import "golang.org/x/crypto/openpgp/clearsign"

main/j/juju-core/juju-core_2.0.2-0ubuntu0.16.04.2/src/golang.org/x/crypto/openpgp/clearsign/clearsign.go
10:package clearsign // import "golang.org/x/crypto/openpgp/clearsign"

main/j/juju-core/juju-core_2.0~beta4-0ubuntu2/src/github.com/juju/juju/environs/simplestreams/encode.go
12: "golang.org/x/crypto/openpgp/clearsign"

main/j/juju-core/juju-core_2.0~beta4-0ubuntu2/src/github.com/juju/juju/environs/simplestreams/decode.go
13: "golang.org/x/crypto/openpgp/clearsign"

main/j/juju-core/juju-core_2.3.7-0ubuntu0.16.04.1/src/golang.org/x/crypto/openpgp/clearsign/clearsign.go
10:package clearsign // import "golang.org/x/crypto/openpgp/clearsign"

main/j/juju-core/juju-core_2.0.2-0ubuntu0.16.04.2/src/github.com/juju/juju/environs/simplestreams/decode.go
13: "golang.org/x/crypto/openpgp/clearsign"

main/j/juju-core/juju-core_2.0.2-0ubuntu0.16.04.2/src/github.com/juju/juju/environs/simplestreams/encode.go
12: "golang.org/x/crypto/openpgp/clearsign"

main/j/juju-core/juju-c...

affects: ubuntu → golang-pault-go-archive (Ubuntu)
Michael Hudson-Doyle (mwhudson) wrote :

Can you filter that list to source packages that build non-arch-all binary packages? They are the ones that will need to be rebuilt once the go.crypto has been fixed.

Seth Arnold (seth-arnold) wrote :

I'm sorry I lost track of this. Here are the packages that aren't Architecture: all:

 grep Arch $(egrep '^[mu]' /tmp/go | awk -F/ '{print $1 "/" $2 "/" $3 "/" $4 "/debian/control" ;}' | sort -u) | grep -v ":Architecture: all$"
main/g/golang-go.crypto/golang-go.crypto_0.0~git20170629.0.5ef0053-1ubuntu1/debian/control:Architecture: any
main/g/golang-go.crypto/golang-go.crypto_0.0~git20170629.0.5ef0053-1ubuntu1/debian/control:Architecture: any
main/j/juju-core/juju-core_2.0.2-0ubuntu0.16.04.2/debian/control:Architecture: any
main/j/juju-core/juju-core_2.0~beta4-0ubuntu2/debian/control:Architecture: any
main/j/juju-core/juju-core_2.3.7-0ubuntu0.16.04.1/debian/control:Architecture: any
main/l/lxd/lxd_2.0.0-0ubuntu4/debian/control:Architecture: any
main/l/lxd/lxd_2.0.0-0ubuntu4/debian/control:Architecture: any
main/l/lxd/lxd_2.0.0-0ubuntu4/debian/control:Architecture: any
main/l/lxd/lxd_2.0.11-0ubuntu1~16.04.4/debian/control:Architecture: any
main/l/lxd/lxd_2.0.11-0ubuntu1~16.04.4/debian/control:Architecture: any
main/l/lxd/lxd_2.0.11-0ubuntu1~16.04.4/debian/control:Architecture: any
main/l/lxd/lxd_2.0.2-0ubuntu1~16.04.1/debian/control:Architecture: any
main/l/lxd/lxd_2.0.2-0ubuntu1~16.04.1/debian/control:Architecture: any
main/l/lxd/lxd_2.0.2-0ubuntu1~16.04.1/debian/control:Architecture: any
main/l/lxd/lxd_2.18-0ubuntu6/debian/control:Architecture: amd64 arm64 armhf i386 ppc64el s390x
main/l/lxd/lxd_2.18-0ubuntu6/debian/control:Architecture: amd64 arm64 armhf i386 ppc64el s390x
main/l/lxd/lxd_2.18-0ubuntu6/debian/control:Architecture: amd64 arm64 armhf i386 ppc64el s390x
main/l/lxd/lxd_2.21-0ubuntu3~17.10.2/debian/control:Architecture: amd64 arm64 armhf i386 ppc64el s390x
main/l/lxd/lxd_2.21-0ubuntu3~17.10.2/debian/control:Architecture: amd64 arm64 armhf i386 ppc64el s390x
main/l/lxd/lxd_2.21-0ubuntu3~17.10.2/debian/control:Architecture: amd64 arm64 armhf i386 ppc64el s390x
main/l/lxd/lxd_3.0.0-0ubuntu4/debian/control:Architecture: amd64 arm64 armhf i386 ppc64el s390x
main/l/lxd/lxd_3.0.0-0ubuntu4/debian/control:Architecture: amd64 arm64 armhf i386 ppc64el s390x
main/l/lxd/lxd_3.0.0-0ubuntu4/debian/control:Architecture: amd64 arm64 armhf i386 ppc64el s390x
main/l/lxd/lxd_3.0.3-0ubuntu1~16.04.1/debian/control:Architecture: amd64 arm64 armhf i386 ppc64el s390x
main/l/lxd/lxd_3.0.3-0ubuntu1~16.04.1/debian/control:Architecture: amd64 arm64 armhf i386 ppc64el s390x
main/l/lxd/lxd_3.0.3-0ubuntu1~16.04.1/debian/control:Architecture: amd64 arm64 armhf i386 ppc64el s390x
main/l/lxd/lxd_3.0.3-0ubuntu1~18.04.1/debian/control:Architecture: amd64 arm64 armhf i386 ppc64el s390x
main/l/lxd/lxd_3.0.3-0ubuntu1~18.04.1/debian/control:Architecture: amd64 arm64 armhf i386 ppc64el s390x
main/l/lxd/lxd_3.0.3-0ubuntu1~18.04.1/debian/control:Architecture: amd64 arm64 armhf i386 ppc64el s390x
universe/a/aptly/aptly_0.9.6-1/debian/control:Architecture: any
universe/a/aptly/aptly_1.0.1-1/debian/control:Architecture: any
universe/a/aptly/aptly_1.2.0-3/debian/control:Architecture: any
universe/a/aptly/aptly_1.3.0-6/debian/control:Architecture: any
universe/a/aptly/aptly_1.3.0-6/debian/control:Architecture: any
universe/a/aptly/aptly_1.3.0+ds1-2.2/debian/control:Architecture: ...

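The pipeline in the comment above maps each rg hit back to its source package's debian/control and keeps the packages whose Architecture is not "all", because a Go binary package statically links its copy of golang.org/x/crypto and only a rebuild picks up the fix. The following is an added Go example, not code from this report or from any package listed: a small deb822 stanza reader that performs the same triage. ControlPathForHit, BinariesNeedingRebuild and the embedded control file are constructed for the illustration.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// ControlPathForHit maps an rg hit such as
// "universe/a/aptly/aptly_1.3.0-6/pgp/internal.go" to the debian/control of
// the source package it belongs to (component/letter/source/source_version),
// which is what the awk -F/ step in the comment above computes.
// It returns "" for a path that is too short to name a source package.
func ControlPathForHit(hit string) string {
	parts := strings.Split(hit, "/")
	if len(parts) < 4 {
		return ""
	}
	return path.Join(parts[0], parts[1], parts[2], parts[3], "debian", "control")
}

// BinariesNeedingRebuild parses a debian/control file (deb822 stanzas
// separated by blank lines) and returns the binary packages whose
// Architecture is not "all". Arch-all packages (typically -dev packages that
// ship only Go source) need nothing; every other binary package must be
// rebuilt once the fixed library is in the archive.
func BinariesNeedingRebuild(control string) []string {
	var out []string
	for _, stanza := range strings.Split(control, "\n\n") {
		var pkg, arch string
		for _, line := range strings.Split(stanza, "\n") {
			// Continuation lines of multi-line fields start with whitespace
			// and may contain colons; they are not field definitions.
			if strings.HasPrefix(line, " ") || strings.HasPrefix(line, "\t") {
				continue
			}
			k, v, ok := strings.Cut(line, ":")
			if !ok {
				continue
			}
			switch k {
			case "Package":
				pkg = strings.TrimSpace(v)
			case "Architecture":
				arch = strings.TrimSpace(v)
			}
		}
		if pkg == "" {
			continue // the Source stanza, or an empty trailing stanza
		}
		if arch != "" && arch != "all" {
			out = append(out, pkg)
		}
	}
	return out
}

// Constructed sample control file: one arch-all -dev package and one
// compiled tool, the pattern most golang-* sources in the archive follow.
const sampleControl = `Source: golang-example
Section: devel
Priority: optional
Build-Depends: debhelper (>= 11), golang-go

Package: golang-example-dev
Architecture: all
Description: example library (source only)
 Long description; note that Architecture: here is not a field.

Package: example-tool
Architecture: any
Description: example tool
 Statically linked Go binary.
`

func main() {
	hit := "universe/a/aptly/aptly_1.3.0-6/pgp/internal.go"
	fmt.Println("control file:", ControlPathForHit(hit))
	fmt.Println("needs rebuild:", BinariesNeedingRebuild(sampleControl))
}
```

Run over the real tree, the loop would read each path ControlPathForHit returns and keep only the sources for which BinariesNeedingRebuild is non-empty, which is the filtered list Michael asked for.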

Stéphane Graber (stgraber) wrote :

LXD does not use clearsign.

Changed in lxd (Ubuntu):
status: New → Invalid
This report contains Public Security information: everyone can see this security related information.
