[pkg-golang-devel] Bug#921549: golang-1.8: Security update of golang-1.8 breaks pieces of cgo pkg-config support

Hilko Bengen bengen at debian.org
Wed Feb 6 18:11:12 GMT 2019


Source: golang-1.8
Version: 1.8.1-1+deb9u1
Severity: grave

Dear Maintainer,

with libyara-dev, libyara3, golang-github-hillu-go-yara-dev from
stretch-backports, the attached trivial tool used to build fine, both
with and without build tag "yara_static" which causes pkg-config to be
called using the "--static" parameter.

,----
| $ export GOPATH=/usr/share/gocode
| $ /usr/lib/go-1.8/bin/go build -x -tags yara_static t.go
| WORK=/tmp/go-build964606946
| mkdir -p $WORK/github.com/hillu/go-yara/_obj/
| mkdir -p $WORK/github.com/hillu/
| pkg-config --cflags --static yara
| pkg-config --libs --static yara
| [...]
`----

(We can't really build a real statically-linked executable using glibc,
but never mind, this is just intended as a demo / reproducer.)

After upgrading golang-1.8 to version 1.8.1-1+deb9u1, this breaks
because cgo no longer likes the pkg-config parameters:

,----
| $ /usr/lib/go-1.8/bin/go build -x -tags yara_static t.go
| WORK=/tmp/go-build227067233
| mkdir -p $WORK/github.com/hillu/go-yara/_obj/
| mkdir -p $WORK/github.com/hillu/
| go build github.com/hillu/go-yara: invalid pkg-config package name: --static
`----

I am pretty sure that this was introduced with the fix for
CVE-2018-6574 which introduced the following check:

,----
| for _, pkg := range pkgs {
|         if !SafeArg(pkg) {
|                 return nil, nil, fmt.Errorf("invalid pkg-config package name: %s", pkg)
|         }
| }
`----

Cheers,
-Hilko
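The report above shows the pkg-config argument check rejecting `--static` because it treats every word of the `#cgo pkg-config:` directive as a package name. The following Go program is an added illustration, not code from the email or from the Go tree: `safeArg` re-implements the intent of the `SafeArg` predicate (reject anything that looks like an option or a response-file reference), and `splitPkgConfigArgs` shows one way to keep that protection while still accepting `--static`, by separating a small, hypothetical allowlist of pkg-config options from the package names and inserting `--` before the names. The allowlist and the helper names are assumptions for this example.

```go
package main

import (
	"fmt"
	"unicode/utf8"
)

// safeArg mirrors the intent of the cmd/go SafeArg check (re-implemented
// for this example, not copied from the Go tree): an argument is "safe"
// when it cannot be mistaken for a compiler/linker option or a response
// file. Anything starting with '-', '@' or other ASCII punctuation is
// rejected; leading letters, digits, '.', '_', '/' and non-ASCII are accepted.
func safeArg(name string) bool {
	if name == "" {
		return false
	}
	c := name[0]
	return '0' <= c && c <= '9' || 'A' <= c && c <= 'Z' || 'a' <= c && c <= 'z' ||
		c == '.' || c == '_' || c == '/' || c >= utf8.RuneSelf
}

// allowedPkgConfigFlags is a hypothetical allowlist of pkg-config options
// that only change how pkg-config reports flags and are never themselves
// passed to the compiler or linker.
var allowedPkgConfigFlags = map[string]bool{
	"--static": true,
}

// splitPkgConfigArgs separates the words of a "#cgo pkg-config:" directive
// into allowlisted options and package names checked with safeArg. Any
// other word is rejected with the same message the bug report shows.
func splitPkgConfigArgs(words []string) (flags, pkgs []string, err error) {
	for _, w := range words {
		switch {
		case allowedPkgConfigFlags[w]:
			flags = append(flags, w)
		case safeArg(w):
			pkgs = append(pkgs, w)
		default:
			return nil, nil, fmt.Errorf("invalid pkg-config package name: %s", w)
		}
	}
	return flags, pkgs, nil
}

// pkgConfigArgv builds the argument vector for pkg-config, putting "--"
// between options and package names so that pkg-config never interprets a
// package name as an option. mode is "--cflags" or "--libs".
func pkgConfigArgv(mode string, words []string) ([]string, error) {
	flags, pkgs, err := splitPkgConfigArgs(words)
	if err != nil {
		return nil, err
	}
	argv := append([]string{mode}, flags...)
	argv = append(argv, "--")
	return append(argv, pkgs...), nil
}

func main() {
	// Constructed directive contents: the plain case, the yara_static case
	// from the report, and a flag-shaped word that is not allowlisted.
	for _, words := range [][]string{
		{"yara"},
		{"--static", "yara"},
		{"-example-flag", "yara"},
	} {
		argv, err := pkgConfigArgv("--libs", words)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Println("pkg-config", argv)
	}
}
```

With this split, `--static yara` becomes `pkg-config --libs --static -- yara`, while a word such as `-example-flag` is still refused before pkg-config ever runs, which is the property the original check was added for.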
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-golang-devel/attachments/20190206/577972c5/attachment.ksh>