Vulnerability issues #58

Open
opened 2024-12-31 06:17:20 +00:00 by pin · 0 comments

Hi,

Long time, no see. I've noticed quite a lot of recent activity in this repository, which is good :)

You are probably aware of this, but it has been flagged on NetBSD along with a bunch of other Go packages: https://www.netbsd.org/~bsiegert/go-pkg-vulnerabilies/2024-12-22.html

For the gospt case, it reads:

```
audio/gospt

=== Symbol Results ===

Vulnerability #1: GO-2024-2687
    HTTP/2 CONTINUATION flood in net/http
  More info: https://pkg.go.dev/vuln/GO-2024-2687
  Module: golang.org/x/net
    Found in: golang.org/x/net@v0.12.0
    Fixed in: golang.org/x/net@v0.23.0
    Example traces found:
      #1: src/youtube/youtube.go:107:36: youtube.Search calls youtube.NewService, which eventually calls http2.ConfigureTransports
      #2: src/commands/commands.go:1061:35: commands.isNoActiveError calls http2.ConnectionError.Error
      #3: src/gctx/context.go:23:25: gctx.Context.Println calls fmt.Sprint, which eventually calls http2.ErrCode.String
      #4: src/gctx/context.go:23:25: gctx.Context.Println calls fmt.Sprint, which eventually calls http2.FrameHeader.String
      #5: src/gctx/context.go:23:25: gctx.Context.Println calls fmt.Sprint, which eventually calls http2.FrameType.String
      #6: src/auth/auth.go:111:24: auth.GetClient calls http.Server.ListenAndServe, which eventually calls http2.Framer.ReadFrame
      #7: src/auth/auth.go:111:24: auth.GetClient calls http.Server.ListenAndServe, which eventually calls http2.Framer.WriteContinuation
      #8: src/auth/auth.go:111:24: auth.GetClient calls http.Server.ListenAndServe, which eventually calls http2.Framer.WriteData
      #9: src/auth/auth.go:111:24: auth.GetClient calls http.Server.ListenAndServe, which eventually calls http2.Framer.WriteHeaders
      #10: src/auth/auth.go:111:24: auth.GetClient calls http.Server.ListenAndServe, which eventually calls http2.Framer.WritePing
      #11: src/auth/auth.go:111:24: auth.GetClient calls http.Server.ListenAndServe, which eventually calls http2.Framer.WriteRSTStream
      #12: src/auth/auth.go:111:24: auth.GetClient calls http.Server.ListenAndServe, which eventually calls http2.Framer.WriteSettings
      #13: src/auth/auth.go:111:24: auth.GetClient calls http.Server.ListenAndServe, which eventually calls http2.Framer.WriteSettingsAck
      #14: src/auth/auth.go:111:24: auth.GetClient calls http.Server.ListenAndServe, which eventually calls http2.Framer.WriteWindowUpdate
      #15: src/commands/commands.go:1061:35: commands.isNoActiveError calls http2.GoAwayError.Error
      #16: src/gctx/context.go:23:25: gctx.Context.Println calls fmt.Sprint, which eventually calls http2.Setting.String
      #17: src/gctx/context.go:23:25: gctx.Context.Println calls fmt.Sprint, which eventually calls http2.SettingID.String
      #18: src/auth/auth.go:111:24: auth.GetClient calls http.Server.ListenAndServe, which eventually calls http2.SettingsFrame.ForeachSetting
      #19: src/commands/commands.go:1061:35: commands.isNoActiveError calls http2.StreamError.Error
      #20: src/auth/auth.go:82:43: auth.GetClient calls http.Transport.RoundTrip, which eventually calls http2.Transport.NewClientConn
      #21: src/auth/auth.go:82:43: auth.GetClient calls http.Transport.RoundTrip, which eventually calls http2.Transport.RoundTrip
      #22: src/commands/commands.go:1030:12: commands.Commands.PrintPlaying calls fmt.Printf, which eventually calls http2.chunkWriter.Write
      #23: src/commands/commands.go:1061:35: commands.isNoActiveError calls http2.connError.Error
      #24: src/gctx/context.go:23:25: gctx.Context.Println calls fmt.Sprint, which eventually calls http2.duplicatePseudoHeaderError.Error
      #25: src/youtube/youtube.go:112:26: youtube.Search calls youtube.SearchListCall.Do, which calls http2.gzipReader.Close
      #26: src/commands/commands.go:1261:33: commands.Commands.activateDevice calls io.ReadAll, which calls http2.gzipReader.Read
      #27: src/gctx/context.go:23:25: gctx.Context.Println calls fmt.Sprint, which eventually calls http2.headerFieldNameError.Error
      #28: src/gctx/context.go:23:25: gctx.Context.Println calls fmt.Sprint, which eventually calls http2.headerFieldValueError.Error
      #29: src/auth/auth.go:82:43: auth.GetClient calls http.Transport.RoundTrip, which eventually calls http2.noDialH2RoundTripper.RoundTrip
      #30: src/gctx/context.go:23:25: gctx.Context.Println calls fmt.Sprint, which eventually calls http2.pseudoHeaderError.Error
      #31: src/commands/commands.go:1030:12: commands.Commands.PrintPlaying calls fmt.Printf, which eventually calls http2.stickyErrWriter.Write
      #32: src/youtube/youtube.go:112:26: youtube.Search calls youtube.SearchListCall.Do, which calls http2.transportResponseBody.Close
      #33: src/commands/commands.go:1261:33: commands.Commands.activateDevice calls io.ReadAll, which calls http2.transportResponseBody.Read
      #34: src/gctx/context.go:23:25: gctx.Context.Println calls fmt.Sprint, which eventually calls http2.writeData.String

Vulnerability #2: GO-2024-2611
    Infinite loop in JSON unmarshaling in google.golang.org/protobuf
  More info: https://pkg.go.dev/vuln/GO-2024-2611
  Module: google.golang.org/protobuf
    Found in: google.golang.org/protobuf@v1.31.0
    Fixed in: google.golang.org/protobuf@v1.33.0
    Example traces found:
      #1: src/youtube/youtube.go:112:26: youtube.Search calls youtube.SearchListCall.Do, which eventually calls json.Decoder.Peek
      #2: src/youtube/youtube.go:112:26: youtube.Search calls youtube.SearchListCall.Do, which eventually calls json.Decoder.Read
      #3: src/youtube/youtube.go:112:26: youtube.Search calls youtube.SearchListCall.Do, which eventually calls protojson.Unmarshal

Your code is affected by 2 vulnerabilities from 2 modules.
This scan also found 2 vulnerabilities in packages you import and 4
vulnerabilities in modules you require, but your code doesn't appear to call
these vulnerabilities.
Use '-show verbose' for more details.
```

So, my question is, are you planning on a new release in the near future?

Happy 2025.

Regards,
/pin
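One way to turn a report like the one quoted above into a concrete remediation list, as an added example that is not part of this issue or of the gospt project: the program parses govulncheck's default text output (the `SampleReport` below is a constructed excerpt in the same layout as the scan in the issue), collects the distinct `file:line:col` call sites per finding so a maintainer knows which code to audit, and emits the `go get module@fixed` command for every module still below its fixed version. The version comparison assumes plain `vMAJOR.MINOR.PATCH` strings, which is what the report prints; pre-release suffixes are out of scope for this example.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Finding is one "Vulnerability #N" block from govulncheck's text output.
type Finding struct {
	ID      string   // e.g. GO-2024-2687
	Summary string   // one-line description printed under the ID
	Module  string   // vulnerable module path
	Found   string   // version currently required ("Found in")
	Fixed   string   // first fixed version ("Fixed in")
	Sites   []string // distinct file:line:col call sites from the example traces
}

var (
	reVuln  = regexp.MustCompile(`^Vulnerability #\d+: (\S+)`)
	reTrace = regexp.MustCompile(`^#\d+: (\S+:\d+:\d+):`)
)

// ParseGovulncheck parses the "=== Symbol Results ===" section of govulncheck's
// text output. Lines that are not a recognised field are ignored.
func ParseGovulncheck(report string) []Finding {
	var out []Finding
	var cur *Finding
	seen := map[string]bool{}
	sc := bufio.NewScanner(strings.NewReader(report))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if m := reVuln.FindStringSubmatch(line); m != nil {
			out = append(out, Finding{ID: m[1]})
			cur = &out[len(out)-1] // earlier findings are complete before the next append copies them
			seen = map[string]bool{}
			continue
		}
		if cur == nil {
			continue
		}
		switch {
		case strings.HasPrefix(line, "Module: "):
			cur.Module = strings.TrimPrefix(line, "Module: ")
		case strings.HasPrefix(line, "Found in: "):
			cur.Found = versionOf(strings.TrimPrefix(line, "Found in: "))
		case strings.HasPrefix(line, "Fixed in: "):
			cur.Fixed = versionOf(strings.TrimPrefix(line, "Fixed in: "))
		case cur.Summary == "" && line != "" && !strings.HasPrefix(line, "More info:"):
			cur.Summary = line // the first line after the ID is the description
		default:
			if m := reTrace.FindStringSubmatch(line); m != nil && !seen[m[1]] {
				seen[m[1]] = true
				cur.Sites = append(cur.Sites, m[1])
			}
		}
	}
	return out
}

// versionOf strips the module path from "path@vX.Y.Z".
func versionOf(s string) string {
	if i := strings.LastIndex(s, "@"); i >= 0 {
		return s[i+1:]
	}
	return s
}

// VersionLess reports whether a sorts before b for plain vMAJOR.MINOR.PATCH
// strings (a pre-release suffix would make that component parse as 0).
func VersionLess(a, b string) bool {
	nums := func(v string) (n [3]int) {
		for i, p := range strings.SplitN(strings.TrimPrefix(v, "v"), ".", 3) {
			n[i], _ = strconv.Atoi(p)
		}
		return n
	}
	pa, pb := nums(a), nums(b)
	for i := range pa {
		if pa[i] != pb[i] {
			return pa[i] < pb[i]
		}
	}
	return false
}

// UpgradeCommands returns one `go get module@fixed` per module that is still
// below its fixed version, so go.mod can be bumped before re-running the scan.
func UpgradeCommands(fs []Finding) []string {
	var cmds []string
	seen := map[string]bool{}
	for _, f := range fs {
		if seen[f.Module] || !VersionLess(f.Found, f.Fixed) {
			continue
		}
		seen[f.Module] = true
		cmds = append(cmds, fmt.Sprintf("go get %s@%s", f.Module, f.Fixed))
	}
	return cmds
}

// SampleReport is a constructed excerpt in the same layout as the scan quoted in the issue.
const SampleReport = `Vulnerability #1: GO-2024-2687
    HTTP/2 CONTINUATION flood in net/http
  More info: https://pkg.go.dev/vuln/GO-2024-2687
  Module: golang.org/x/net
    Found in: golang.org/x/net@v0.12.0
    Fixed in: golang.org/x/net@v0.23.0
    Example traces found:
      #1: src/youtube/youtube.go:107:36: youtube.Search calls youtube.NewService, which eventually calls http2.ConfigureTransports
      #6: src/auth/auth.go:111:24: auth.GetClient calls http.Server.ListenAndServe, which eventually calls http2.Framer.ReadFrame
      #7: src/auth/auth.go:111:24: auth.GetClient calls http.Server.ListenAndServe, which eventually calls http2.Framer.WriteContinuation

Vulnerability #2: GO-2024-2611
    Infinite loop in JSON unmarshaling in google.golang.org/protobuf
  More info: https://pkg.go.dev/vuln/GO-2024-2611
  Module: google.golang.org/protobuf
    Found in: google.golang.org/protobuf@v1.31.0
    Fixed in: google.golang.org/protobuf@v1.33.0
    Example traces found:
      #3: src/youtube/youtube.go:112:26: youtube.Search calls youtube.SearchListCall.Do, which eventually calls protojson.Unmarshal

Your code is affected by 2 vulnerabilities from 2 modules.`

func main() {
	findings := ParseGovulncheck(SampleReport)
	for _, f := range findings {
		fmt.Printf("%s (%s): %s %s -> %s\n  call sites to audit: %s\n",
			f.ID, f.Summary, f.Module, f.Found, f.Fixed, strings.Join(f.Sites, ", "))
	}
	for _, c := range UpgradeCommands(findings) {
		fmt.Println(c)
	}
}
```

After running the printed `go get` commands and `go mod tidy`, re-run `govulncheck ./...` to confirm the symbol-level findings are gone; for anything beyond a one-off script, `govulncheck -json` is the stable interface to consume rather than the human-readable text parsed here.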

Reference: abs3nt/gospt#58