abs3nt/gospt
1
2
Fork 0
Code Issues3 Pull Requests10 Packages Projects Releases20 Wiki Activity

Vulnerability issues #58

New Issue
Open
opened 2024-12-31 06:17:20 +00:00 by pin · 0 comments
pin commented 2024-12-31 06:17:20 +00:00

Hi,

Long time, no see. I've noticed quite a lot of recent activity in this repository, which is good :)

You are probably aware of this but, it has been flagged on NetBSD along with a bunch of other Go packages, https://www.netbsd.org/~bsiegert/go-pkg-vulnerabilies/2024-12-22.html

For gospt case, it reads,

audio/gospt

=== Symbol Results ===

Vulnerability #1: GO-2024-2687
    HTTP/2 CONTINUATION flood in net/http
  More info: https://pkg.go.dev/vuln/GO-2024-2687
  Module: golang.org/x/net
    Found in: golang.org/x/net@v0.12.0
    Fixed in: golang.org/x/net@v0.23.0
    Example traces found:
      #1: src/youtube/youtube.go:107:36: youtube.Search calls youtube.NewService, which eventually calls http2.ConfigureTransports
      #2: src/commands/commands.go:1061:35: commands.isNoActiveError calls http2.ConnectionError.Error
      #3: src/gctx/context.go:23:25: gctx.Context.Println calls fmt.Sprint, which eventually calls http2.ErrCode.String
      #4: src/gctx/context.go:23:25: gctx.Context.Println calls fmt.Sprint, which eventually calls http2.FrameHeader.String
      #5: src/gctx/context.go:23:25: gctx.Context.Println calls fmt.Sprint, which eventually calls http2.FrameType.String
      #6: src/auth/auth.go:111:24: auth.GetClient calls http.Server.ListenAndServe, which eventually calls http2.Framer.ReadFrame
      #7: src/auth/auth.go:111:24: auth.GetClient calls http.Server.ListenAndServe, which eventually calls http2.Framer.WriteContinuation
      #8: src/auth/auth.go:111:24: auth.GetClient calls http.Server.ListenAndServe, which eventually calls http2.Framer.WriteData
      #9: src/auth/auth.go:111:24: auth.GetClient calls http.Server.ListenAndServe, which eventually calls http2.Framer.WriteHeaders
      #10: src/auth/auth.go:111:24: auth.GetClient calls http.Server.ListenAndServe, which eventually calls http2.Framer.WritePing
      #11: src/auth/auth.go:111:24: auth.GetClient calls http.Server.ListenAndServe, which eventually calls http2.Framer.WriteRSTStream
      #12: src/auth/auth.go:111:24: auth.GetClient calls http.Server.ListenAndServe, which eventually calls http2.Framer.WriteSettings
      #13: src/auth/auth.go:111:24: auth.GetClient calls http.Server.ListenAndServe, which eventually calls http2.Framer.WriteSettingsAck
      #14: src/auth/auth.go:111:24: auth.GetClient calls http.Server.ListenAndServe, which eventually calls http2.Framer.WriteWindowUpdate
      #15: src/commands/commands.go:1061:35: commands.isNoActiveError calls http2.GoAwayError.Error
      #16: src/gctx/context.go:23:25: gctx.Context.Println calls fmt.Sprint, which eventually calls http2.Setting.String
      #17: src/gctx/context.go:23:25: gctx.Context.Println calls fmt.Sprint, which eventually calls http2.SettingID.String
      #18: src/auth/auth.go:111:24: auth.GetClient calls http.Server.ListenAndServe, which eventually calls http2.SettingsFrame.ForeachSetting
      #19: src/commands/commands.go:1061:35: commands.isNoActiveError calls http2.StreamError.Error
      #20: src/auth/auth.go:82:43: auth.GetClient calls http.Transport.RoundTrip, which eventually calls http2.Transport.NewClientConn
      #21: src/auth/auth.go:82:43: auth.GetClient calls http.Transport.RoundTrip, which eventually calls http2.Transport.RoundTrip
      #22: src/commands/commands.go:1030:12: commands.Commands.PrintPlaying calls fmt.Printf, which eventually calls http2.chunkWriter.Write
      #23: src/commands/commands.go:1061:35: commands.isNoActiveError calls http2.connError.Error
      #24: src/gctx/context.go:23:25: gctx.Context.Println calls fmt.Sprint, which eventually calls http2.duplicatePseudoHeaderError.Error
      #25: src/youtube/youtube.go:112:26: youtube.Search calls youtube.SearchListCall.Do, which calls http2.gzipReader.Close
      #26: src/commands/commands.go:1261:33: commands.Commands.activateDevice calls io.ReadAll, which calls http2.gzipReader.Read
      #27: src/gctx/context.go:23:25: gctx.Context.Println calls fmt.Sprint, which eventually calls http2.headerFieldNameError.Error
      #28: src/gctx/context.go:23:25: gctx.Context.Println calls fmt.Sprint, which eventually calls http2.headerFieldValueError.Error
      #29: src/auth/auth.go:82:43: auth.GetClient calls http.Transport.RoundTrip, which eventually calls http2.noDialH2RoundTripper.RoundTrip
      #30: src/gctx/context.go:23:25: gctx.Context.Println calls fmt.Sprint, which eventually calls http2.pseudoHeaderError.Error
      #31: src/commands/commands.go:1030:12: commands.Commands.PrintPlaying calls fmt.Printf, which eventually calls http2.stickyErrWriter.Write
      #32: src/youtube/youtube.go:112:26: youtube.Search calls youtube.SearchListCall.Do, which calls http2.transportResponseBody.Close
      #33: src/commands/commands.go:1261:33: commands.Commands.activateDevice calls io.ReadAll, which calls http2.transportResponseBody.Read
      #34: src/gctx/context.go:23:25: gctx.Context.Println calls fmt.Sprint, which eventually calls http2.writeData.String

Vulnerability #2: GO-2024-2611
    Infinite loop in JSON unmarshaling in google.golang.org/protobuf
  More info: https://pkg.go.dev/vuln/GO-2024-2611
  Module: google.golang.org/protobuf
    Found in: google.golang.org/protobuf@v1.31.0
    Fixed in: google.golang.org/protobuf@v1.33.0
    Example traces found:
      #1: src/youtube/youtube.go:112:26: youtube.Search calls youtube.SearchListCall.Do, which eventually calls json.Decoder.Peek
      #2: src/youtube/youtube.go:112:26: youtube.Search calls youtube.SearchListCall.Do, which eventually calls json.Decoder.Read
      #3: src/youtube/youtube.go:112:26: youtube.Search calls youtube.SearchListCall.Do, which eventually calls protojson.Unmarshal

Your code is affected by 2 vulnerabilities from 2 modules.
This scan also found 2 vulnerabilities in packages you import and 4
vulnerabilities in modules you require, but your code doesn't appear to call
these vulnerabilities.
Use '-show verbose' for more details.

So, my question is, are you planning on a new release in the near future?

Happy 2025.

Regards,
/pin

Hi, Long time, no see. I've noticed quite a lot of recent activity in this repository, which is good :) You are probably aware of this but, it has been flagged on NetBSD along with a bunch of other Go packages, https://www.netbsd.org/~bsiegert/go-pkg-vulnerabilies/2024-12-22.html For `gospt` case, it reads, ``` audio/gospt === Symbol Results === Vulnerability #1: GO-2024-2687 HTTP/2 CONTINUATION flood in net/http More info: https://pkg.go.dev/vuln/GO-2024-2687 Module: golang.org/x/net Found in: golang.org/x/net@v0.12.0 Fixed in: golang.org/x/net@v0.23.0 Example traces found: #1: src/youtube/youtube.go:107:36: youtube.Search calls youtube.NewService, which eventually calls http2.ConfigureTransports #2: src/commands/commands.go:1061:35: commands.isNoActiveError calls http2.ConnectionError.Error #3: src/gctx/context.go:23:25: gctx.Context.Println calls fmt.Sprint, which eventually calls http2.ErrCode.String #4: src/gctx/context.go:23:25: gctx.Context.Println calls fmt.Sprint, which eventually calls http2.FrameHeader.String #5: src/gctx/context.go:23:25: gctx.Context.Println calls fmt.Sprint, which eventually calls http2.FrameType.String #6: src/auth/auth.go:111:24: auth.GetClient calls http.Server.ListenAndServe, which eventually calls http2.Framer.ReadFrame #7: src/auth/auth.go:111:24: auth.GetClient calls http.Server.ListenAndServe, which eventually calls http2.Framer.WriteContinuation #8: src/auth/auth.go:111:24: auth.GetClient calls http.Server.ListenAndServe, which eventually calls http2.Framer.WriteData #9: src/auth/auth.go:111:24: auth.GetClient calls http.Server.ListenAndServe, which eventually calls http2.Framer.WriteHeaders #10: src/auth/auth.go:111:24: auth.GetClient calls http.Server.ListenAndServe, which eventually calls http2.Framer.WritePing #11: src/auth/auth.go:111:24: auth.GetClient calls http.Server.ListenAndServe, which eventually calls http2.Framer.WriteRSTStream #12: src/auth/auth.go:111:24: auth.GetClient calls http.Server.ListenAndServe, which eventually calls http2.Framer.WriteSettings #13: src/auth/auth.go:111:24: auth.GetClient calls http.Server.ListenAndServe, which eventually calls http2.Framer.WriteSettingsAck #14: src/auth/auth.go:111:24: auth.GetClient calls http.Server.ListenAndServe, which eventually calls http2.Framer.WriteWindowUpdate #15: src/commands/commands.go:1061:35: commands.isNoActiveError calls http2.GoAwayError.Error #16: src/gctx/context.go:23:25: gctx.Context.Println calls fmt.Sprint, which eventually calls http2.Setting.String #17: src/gctx/context.go:23:25: gctx.Context.Println calls fmt.Sprint, which eventually calls http2.SettingID.String #18: src/auth/auth.go:111:24: auth.GetClient calls http.Server.ListenAndServe, which eventually calls http2.SettingsFrame.ForeachSetting #19: src/commands/commands.go:1061:35: commands.isNoActiveError calls http2.StreamError.Error #20: src/auth/auth.go:82:43: auth.GetClient calls http.Transport.RoundTrip, which eventually calls http2.Transport.NewClientConn #21: src/auth/auth.go:82:43: auth.GetClient calls http.Transport.RoundTrip, which eventually calls http2.Transport.RoundTrip #22: src/commands/commands.go:1030:12: commands.Commands.PrintPlaying calls fmt.Printf, which eventually calls http2.chunkWriter.Write #23: src/commands/commands.go:1061:35: commands.isNoActiveError calls http2.connError.Error #24: src/gctx/context.go:23:25: gctx.Context.Println calls fmt.Sprint, which eventually calls http2.duplicatePseudoHeaderError.Error #25: src/youtube/youtube.go:112:26: youtube.Search calls youtube.SearchListCall.Do, which calls http2.gzipReader.Close #26: src/commands/commands.go:1261:33: commands.Commands.activateDevice calls io.ReadAll, which calls http2.gzipReader.Read #27: src/gctx/context.go:23:25: gctx.Context.Println calls fmt.Sprint, which eventually calls http2.headerFieldNameError.Error #28: src/gctx/context.go:23:25: gctx.Context.Println calls fmt.Sprint, which eventually calls http2.headerFieldValueError.Error #29: src/auth/auth.go:82:43: auth.GetClient calls http.Transport.RoundTrip, which eventually calls http2.noDialH2RoundTripper.RoundTrip #30: src/gctx/context.go:23:25: gctx.Context.Println calls fmt.Sprint, which eventually calls http2.pseudoHeaderError.Error #31: src/commands/commands.go:1030:12: commands.Commands.PrintPlaying calls fmt.Printf, which eventually calls http2.stickyErrWriter.Write #32: src/youtube/youtube.go:112:26: youtube.Search calls youtube.SearchListCall.Do, which calls http2.transportResponseBody.Close #33: src/commands/commands.go:1261:33: commands.Commands.activateDevice calls io.ReadAll, which calls http2.transportResponseBody.Read #34: src/gctx/context.go:23:25: gctx.Context.Println calls fmt.Sprint, which eventually calls http2.writeData.String Vulnerability #2: GO-2024-2611 Infinite loop in JSON unmarshaling in google.golang.org/protobuf More info: https://pkg.go.dev/vuln/GO-2024-2611 Module: google.golang.org/protobuf Found in: google.golang.org/protobuf@v1.31.0 Fixed in: google.golang.org/protobuf@v1.33.0 Example traces found: #1: src/youtube/youtube.go:112:26: youtube.Search calls youtube.SearchListCall.Do, which eventually calls json.Decoder.Peek #2: src/youtube/youtube.go:112:26: youtube.Search calls youtube.SearchListCall.Do, which eventually calls json.Decoder.Read #3: src/youtube/youtube.go:112:26: youtube.Search calls youtube.SearchListCall.Do, which eventually calls protojson.Unmarshal Your code is affected by 2 vulnerabilities from 2 modules. This scan also found 2 vulnerabilities in packages you import and 4 vulnerabilities in modules you require, but your code doesn't appear to call these vulnerabilities. Use '-show verbose' for more details. ``` So, my question is, are you planning on a new release in the near future? Happy 2025. Regards, /pin
Sign in to join this conversation.
No Label
No Milestone
No project
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: abs3nt/gospt#58
No description provided.
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?