Vulnerability remediation required for stdlib 1.19.5 #1821
Comments
|
Where does that package come from and what exactly is the vulnerability? Is there an exploit vector? |
|
Not all valid JavaScript whitespace characters are considered to be whitespace. Templates containing whitespace characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions may not be properly sanitized during execution. Templates do not properly consider backticks (`) as Javascript string delimiters, and do not escape them as expected. Backticks are used, since ES6, for JS template literals. If a template contains a Go template action within a Javascript template literal, the contents of the action can be used to terminate the literal, injecting arbitrary Javascript code into the Go template. As ES6 template literals are rather complex, and themselves can do string interpolation, the decision was made to simply disallow Go template actions from being used inside of them (e.g. "var a = {{.}}"), since there is no obviously safe way to allow this behavior. This takes the same approach as github.com/google/safehtml. With fix, Template.Parse returns an Error when it encounters templates like this, with an ErrorCode of value 12. This ErrorCode is currently unexported, but will be exported in the release of Go 1.21. Users who rely on the previous behavior can re-enable it using the GODEBUG flag jstmpllitinterp=1, with the caveat that backticks will now be escaped. This should be used with caution. Before Go 1.20, the RSA based TLS key exchanges used the math/big library, which is not constant time. RSA blinding was applied to prevent timing attacks, but analysis shows this may not have been fully effective. In particular it appears as if the removal of PKCS#1 padding may leak timing information, which in turn could be used to recover session key bits. In Go 1.20, the crypto/tls library switched to a fully constant time RSA implementation, which we do not believe exhibits any timing side channels. |
|
That was a Library, When i ran the below step command it came from it. RUN JITSI_RELEASE=stable /bin/sh -c 'dpkgArch="$(dpkg --print-architecture)" && \
case "${dpkgArch##*-}" in \
"amd64") TPL_ARCH=amd64; S6_ARCH=amd64 ;; \
"arm64") TPL_ARCH=arm64; S6_ARCH=aarch64 ;; \
*) echo "unsupported architecture"; exit 1 ;; \
esac && \
apt-dpkg-wrap apt-get update && \
apt-dpkg-wrap apt-get install -y apt-transport-https apt-utils ca-certificates gnupg wget && \
wget -qO /usr/bin/tpl https://github.com/jitsi/tpl/releases/download/v1.1.1/tpl-linux-${TPL_ARCH} && \
wget -qO /tmp/s6.tar.gz https://github.com/just-containers/s6-overlay/releases/download/v1.22.1.0/s6-overlay-${S6_ARCH}.tar.gz && \
mkdir /tmp/s6 && tar xfz /tmp/s6.tar.gz -C /tmp/s6 && tar hxfz /tmp/s6.tar.gz -C / && \
rm -f /usr/bin/execlineb && cp /tmp/s6/bin/execlineb /usr/bin/ && \
rm -rf /tmp/s6* && \
wget -qO - https://download.jitsi.org/jitsi-key.gpg.key | gpg --dearmour > /etc/apt/trusted.gpg.d/jitsi.gpg && \
echo "deb https://download.jitsi.org $JITSI_RELEASE/" > /etc/apt/sources.list.d/jitsi.list && \
echo "deb http://ftp.debian.org/debian bookworm-backports main" > /etc/apt/sources.list.d/backports.list && \
apt-dpkg-wrap apt-get update && \
apt-dpkg-wrap apt-get dist-upgrade -y && \
apt-cleanup && \
chmod +x /usr/bin/tpl' |
What problem does this cause?
Where did you take that text from? Note that the templated values don't come from the user, so I'm not sure what the attack vector is here, if any.
We don't use go crypto at all. It's likely part ot |
|
under docker desktop Image scanner
|
|
It's a templating engine, it takes no remote user input. Unless you can show an attack vector, this does not affect the setup. |
|
Thats Cool 👍 |
|
I will update tpl so it uses a more recent version of go, so there is no report. |
|
Thats Great! |
I've identified a critical vulnerability in the stdlib 1.19.5 package. To mitigate this risk, I recommend updating to version 1.19.9 as it addresses the issue.
The text was updated successfully, but these errors were encountered: