Bug#1009818: marked as done (V2Ray 4.34.0-5 (Debian Unstable ver.) Crashes when VMess Protocol is Used because an unsynchronized update of Golang and V2Ray - HMAC constructor fix not applied on Debian)

[Debian Bug Tracking System]

Your message dated Sat, 21 May 2022 04:33:48 +0000
with message-id <e1nsgog-00057s...@fasolo.debian.org>
and subject line Bug#1009818: fixed in golang-v2ray-core 4.34.0-7
has caused the Debian Bug report #1009818,
regarding V2Ray 4.34.0-5 (Debian Unstable ver.) Crashes when VMess Protocol is 
Used because an unsynchronized update of Golang and V2Ray - HMAC constructor 
fix not applied on Debian
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1009818: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1009818
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: v2ray
Version: 4.34.0-5

This bug is submitted by upstream developers on behalf of end-users for a Debian specific bug.  We are ready to cooperate with the Debian side to resolve this bug.

V2Ray 4.34.0-5 (Debian Unstable ver.) crashes when VMess protocol is used because an unsynchronized update of Golang and V2Ray as HMAC constructor fix is not applied on Debian version of V2Ray.

The version of the source code currently included in Debian will not work if compiled with Golang 1.15+(or possibly 1.16+). We have already fixed this issue more than 1 year ago(https://github.com/v2fly/v2ray-core/commit/0024c6e028768d8516bdee11be9834b2617ff00c) however this changeset is not included in Debian. We recommend this commit be backported to the Debian version of V2Ray(I will exercise self-control to refrain from asking you to keep the package up to date.).

The original issue on the upstream issue tracker: https://github.com/v2fly/v2ray-core/issues/1730 [Chinese, some comments are in English] Translated below:

Issue Title:
Debian/Unstable 's v2ray package panic: crypto/hmac

Which version of V2Ray are you using:
4.34.0-5 (Debian/Unstable)

What are you using it for:
Server

What is the anomaly observed by you:

Run v2ray will report the error "panic: crypto/hmac: hash generation function does not produce unique values"

What is the expected behaviour:
V2Ray operates normally

Please submit your configuration file:
server:
================================
{
  "inbounds": [
    {
      "port": 3334,
      "protocol": "vmess",
      "settings":{
        "clients":[
          {
          "id": "3e3343e2-13d8-44c3-887f-46675e7bf313"
          }
        ]
      }
    }
  ],
  "outbounds": [
    {
      "protocol": "freedom",
      "settings": {}
    }
  ]
}
===============================
Please attach error message:
command: v2ray --test --config /etc/v2ray/config.json
message:
===============================
V2Ray 4.34.0 (user) 20220118-150717 (go1.17.6 linux/amd64)
A unified platform for anti-censorship.
panic: crypto/hmac: hash generation function does not produce unique values

goroutine 1 [running]:
crypto/hmac.New(0xc00015b5f0, {0xc000038a80, 0x16, 0x18})
    crypto/hmac/hmac.go:143 +0x292

v2ray.com/core/proxy/vmess/aead.KDF({0xc000171c20, 0x10, 0x10}, {0xc00015b640, 0x1, 0x10})

    v2ray.com/core/proxy/vmess/aead/kdf.go:13 +0x127
v2ray.com/core/proxy/vmess/aead.KDF16(...)
    v2ray.com/core/proxy/vmess/aead/kdf.go:22

v2ray.com/core/proxy/vmess/aead.NewCipherFromKey({0xc000171c20, 0x618573, 0xc0000d4180})

    v2ray.com/core/proxy/vmess/aead/authid.go:41 +0x4a
v2ray.com/core/proxy/vmess/aead.NewAuthIDDecoder(...)
    v2ray.com/core/proxy/vmess/aead/authid.go:53
v2ray.com/core/proxy/vmess/aead.NewAuthIDDecoderItem(...)
    v2ray.com/core/proxy/vmess/aead/authid.go:84

v2ray.com/core/proxy/vmess/aead.(*AuthIDDecoderHolder).AddUser(0xc00016e6a0, {0x92, 0x5, 0x5d, 0x4b, 0x26, 0xcf, 0xe5, 0xf3, 0xed, ...}, ...)

    v2ray.com/core/proxy/vmess/aead/authid.go:90 +0x50

v2ray.com/core/proxy/vmess.(*TimedUserValidator).Add(0xc000172e70, 0xc000165980)

    v2ray.com/core/proxy/vmess/validator.go:152 +0x365

v2ray.com/core/proxy/vmess/inbound.(*Handler).AddUser(0xc000174300, {0xb03000, 0x0}, 0x2)

    v2ray.com/core/proxy/vmess/inbound/inbound.go:166 +0x52

v2ray.com/core/proxy/vmess/inbound.New({0xd654c0, 0xc0001655f0}, 0xc00007f5e0)

    v2ray.com/core/proxy/vmess/inbound/inbound.go:133 +0x3b0

v2ray.com/core/proxy/vmess/inbound.init.2.func1({0xd654c0, 0xc0001655f0}, {0xc1a500, 0xc00007f5e0})

    v2ray.com/core/proxy/vmess/inbound/inbound.go:355 +0x3c

v2ray.com/core/common.CreateObject({0xd654c0, 0xc0001655f0}, {0xc1a500, 0xc00007f5e0})

    v2ray.com/core/common/type.go:32 +0x1a5

v2ray.com/core/app/proxyman/inbound.NewAlwaysOnInboundHandler({0xd654c0, 0xc0001655f0}, {0x0, 0x624e0}, 0xc000172e00, {0xc1a500, 0xc00007f5e0})

    v2ray.com/core/app/proxyman/inbound/always.go:52 +0x71

v2ray.com/core/app/proxyman/inbound.NewHandler({0xd654c0, 0xc0001655f0}, 0xc0001740c0)

    v2ray.com/core/app/proxyman/inbound/inbound.go:162 +0x2c5

v2ray.com/core/app/proxyman/inbound.init.0.func2({0xd654c0, 0xc0001655f0}, {0xc0cbc0, 0xc0001740c0})

    v2ray.com/core/app/proxyman/inbound/inbound.go:176 +0x3c

v2ray.com/core/common.CreateObject({0xd654c0, 0xc0001655f0}, {0xc0cbc0, 0xc0001740c0})

    v2ray.com/core/common/type.go:32 +0x1a5
v2ray.com/core.CreateObject(0x6, {0xc0cbc0, 0xc0001740c0})
    v2ray.com/core/functions.go:21 +0x78
v2ray.com/core.AddInboundHandler(0xc00007f0e0, 0x4)
    v2ray.com/core/v2ray.go:101 +0x65

v2ray.com/core.addInboundHandlers(0xc00007f0e0, {0xc000010fd0, 0x1, 0xc00007f0e0})

    v2ray.com/core/v2ray.go:117 +0x56
v2ray.com/core.initInstanceWithConfig(0xc000166fc0, 0xc00007f0e0)
    v2ray.com/core/v2ray.go:229 +0x42b
v2ray.com/core.New(0xc4ce5c)
    v2ray.com/core/v2ray.go:164 +0x77
main.startV2Ray()
    v2ray.com/core/main/main.go:115 +0x230
main.main()
    v2ray.com/core/main/main.go:139 +0x9f
===================================

Please attach the journal log if running it as a service:
===================================
Apr 17 09:46:54 iruru systemd[1]: Started V2Ray Service.

Apr 17 09:46:54 iruru v2ray[2678]: V2Ray 4.34.0 (user) 20220118-150717 (go1.17.6 linux/amd64)

Apr 17 09:46:54 iruru v2ray[2678]: A unified platform for anti-censorship.

Apr 17 09:46:54 iruru v2ray[2678]: panic: crypto/hmac: hash generation function does not produce unique values

Apr 17 09:46:54 iruru v2ray[2678]: goroutine 1 [running]:

Apr 17 09:46:54 iruru v2ray[2678]: crypto/hmac.New(0xc00015b5f0, {0xc00003ca38, 0x16, 0x18})

Apr 17 09:46:54 iruru v2ray[2678]:         crypto/hmac/hmac.go:143 +0x292

Apr 17 09:46:54 iruru v2ray[2678]: v2ray.com/core/proxy/vmess/aead.KDF({0xc000171bb0, 0x10, 0x10}, {0xc00015b640, 0x1, 0x10}) Apr 17 09:46:54 iruru v2ray[2678]: v2ray.com/core/proxy/vmess/aead/kdf.go:13 +0x127 Apr 17 09:46:54 iruru v2ray[2678]: v2ray.com/core/proxy/vmess/aead.KDF16(...)

Apr 17 09:46:54 iruru v2ray[2678]: v2ray.com/core/proxy/vmess/aead/kdf.go:22

Apr 17 09:46:54 iruru v2ray[2678]: v2ray.com/core/proxy/vmess/aead.NewCipherFromKey({0xc000171bb0, 0x618573, 0xc0000d2180}) Apr 17 09:46:54 iruru v2ray[2678]: v2ray.com/core/proxy/vmess/aead/authid.go:41 +0x4a Apr 17 09:46:54 iruru v2ray[2678]: v2ray.com/core/proxy/vmess/aead.NewAuthIDDecoder(...) Apr 17 09:46:54 iruru v2ray[2678]: v2ray.com/core/proxy/vmess/aead/authid.go:53 Apr 17 09:46:54 iruru v2ray[2678]: v2ray.com/core/proxy/vmess/aead.NewAuthIDDecoderItem(...) Apr 17 09:46:54 iruru v2ray[2678]: v2ray.com/core/proxy/vmess/aead/authid.go:84 Apr 17 09:46:54 iruru v2ray[2678]: v2ray.com/core/proxy/vmess/aead.(*AuthIDDecoderHolder).AddUser(0xc00016e6a0, {0x92, 0x5, 0x5d, 0x4b> Apr 17 09:46:54 iruru v2ray[2678]: v2ray.com/core/proxy/vmess/aead/authid.go:90 +0x50 Apr 17 09:46:54 iruru v2ray[2678]: v2ray.com/core/proxy/vmess.(*TimedUserValidator).Add(0xc000172d20, 0xc0001659e0) Apr 17 09:46:54 iruru v2ray[2678]: v2ray.com/core/proxy/vmess/validator.go:152 +0x365 Apr 17 09:46:54 iruru v2ray[2678]: v2ray.com/core/proxy/vmess/inbound.(*Handler).AddUser(0xc000176280, {0xb03000, 0x0}, 0x2) Apr 17 09:46:54 iruru v2ray[2678]: v2ray.com/core/proxy/vmess/inbound/inbound.go:166 +0x52 Apr 17 09:46:54 iruru v2ray[2678]: v2ray.com/core/proxy/vmess/inbound.New({0xd654c0, 0xc000165650}, 0xc00007f5e0) Apr 17 09:46:54 iruru v2ray[2678]: v2ray.com/core/proxy/vmess/inbound/inbound.go:133 +0x3b0 Apr 17 09:46:54 iruru v2ray[2678]: v2ray.com/core/proxy/vmess/inbound.init.2.func1({0xd654c0, 0xc000165650}, {0xc1a500, 0xc00007f5e0}) Apr 17 09:46:54 iruru v2ray[2678]: v2ray.com/core/proxy/vmess/inbound/inbound.go:355 +0x3c Apr 17 09:46:54 iruru v2ray[2678]: v2ray.com/core/common.CreateObject({0xd654c0, 0xc000165650}, {0xc1a500, 0xc00007f5e0})

Apr 17 09:46:54 iruru v2ray[2678]: v2ray.com/core/common/type.go:32 +0x1a5

Apr 17 09:46:54 iruru v2ray[2678]: v2ray.com/core/app/proxyman/inbound.NewAlwaysOnInboundHandler({0xd654c0, 0xc000165650}, {0x0, 0x624> Apr 17 09:46:54 iruru v2ray[2678]: v2ray.com/core/app/proxyman/inbound/always.go:52 +0x71 Apr 17 09:46:54 iruru v2ray[2678]: v2ray.com/core/app/proxyman/inbound.NewHandler({0xd654c0, 0xc000165650}, 0xc000176040) Apr 17 09:46:54 iruru v2ray[2678]: v2ray.com/core/app/proxyman/inbound/inbound.go:162 +0x2c5 Apr 17 09:46:54 iruru v2ray[2678]: v2ray.com/core/app/proxyman/inbound.init.0.func2({0xd654c0, 0xc000165650}, {0xc0cbc0, 0xc000176040}) Apr 17 09:46:54 iruru v2ray[2678]: v2ray.com/core/app/proxyman/inbound/inbound.go:176 +0x3c Apr 17 09:46:54 iruru v2ray[2678]: v2ray.com/core/common.CreateObject({0xd654c0, 0xc000165650}, {0xc0cbc0, 0xc000176040})

Apr 17 09:46:54 iruru v2ray[2678]: v2ray.com/core/common/type.go:32 +0x1a5

Apr 17 09:46:54 iruru v2ray[2678]: v2ray.com/core.CreateObject(0x6, {0xc0cbc0, 0xc000176040})

Apr 17 09:46:54 iruru v2ray[2678]: v2ray.com/core/functions.go:21 +0x78

Apr 17 09:46:54 iruru v2ray[2678]: v2ray.com/core.AddInboundHandler(0xc00007f0e0, 0x4)

Apr 17 09:46:54 iruru v2ray[2678]: v2ray.com/core/v2ray.go:101 +0x65

Apr 17 09:46:54 iruru v2ray[2678]: v2ray.com/core.addInboundHandlers(0xc00007f0e0, {0xc000010fd0, 0x1, 0xc00007f0e0})

Apr 17 09:46:54 iruru v2ray[2678]: v2ray.com/core/v2ray.go:117 +0x56

Apr 17 09:46:54 iruru v2ray[2678]: v2ray.com/core.initInstanceWithConfig(0xc000166fc0, 0xc00007f0e0)

Apr 17 09:46:54 iruru v2ray[2678]: v2ray.com/core/v2ray.go:229 +0x42b
Apr 17 09:46:54 iruru v2ray[2678]: v2ray.com/core.New(0xc4ce5c)
Apr 17 09:46:54 iruru v2ray[2678]: v2ray.com/core/v2ray.go:164 +0x77
Apr 17 09:46:54 iruru v2ray[2678]: main.startV2Ray()
Apr 17 09:46:54 iruru v2ray[2678]: v2ray.com/core/main/main.go:115 +0x230
Apr 17 09:46:54 iruru v2ray[2678]: main.main()
Apr 17 09:46:54 iruru v2ray[2678]: v2ray.com/core/main/main.go:139 +0x9f

Apr 17 09:46:54 iruru systemd[1]: v2ray.service: Main process exited, code=exited, status=2/INVALIDARGUMENT Apr 17 09:46:54 iruru systemd[1]: v2ray.service: Failed with result 'exit-code'. Apr 17 09:46:54 iruru systemd[1]: v2ray.service: Scheduled restart job, restart counter is at 5.

Apr 17 09:46:54 iruru systemd[1]: Stopped V2Ray Service.

Apr 17 09:46:54 iruru systemd[1]: v2ray.service: Start request repeated too quickly. Apr 17 09:46:54 iruru systemd[1]: v2ray.service: Failed with result 'exit-code'.

Apr 17 09:46:54 iruru systemd[1]: Failed to start V2Ray Service.
===========================


See also: https://github.com/v2fly/v2ray-core/issues/744

See also; https://github.com/v2fly/v2ray-core/pull/686 (Some changes from this pull request are reverted.)
--- End Message ---

--- Begin Message ---

Source: golang-v2ray-core
Source-Version: 4.34.0-7
Done: Roger Shimizu <r...@debian.org>

We believe that the bug you reported is fixed in the latest version of
golang-v2ray-core, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1009...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Roger Shimizu <r...@debian.org> (supplier of updated golang-v2ray-core package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 21 May 2022 13:14:29 +0900
Source: golang-v2ray-core
Architecture: source
Version: 4.34.0-7
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <team+pkg...@tracker.debian.org>
Changed-By: Roger Shimizu <r...@debian.org>
Closes: 1009818 1010377
Changes:
 golang-v2ray-core (4.34.0-7) unstable; urgency=medium
 .
   * debian/patches:
     - Cherry pick from upstream to fix issues:
       + Crashes when VMess Protocol is used (Closes: #1009818).
       + CVE-2021-4070 DoS by Authenticated VMess Server
         (Closes: #1010377).
Checksums-Sha1:
 e2a8cf621a24af9b93e45650c553f49021c33dd7 2595 golang-v2ray-core_4.34.0-7.dsc
 c0ff034d9d909dc74cbdf2625b54d56071b763ed 18768 
golang-v2ray-core_4.34.0-7.debian.tar.xz
 6d5c75674150665da3b374643fd68705be0dc887 5713 
golang-v2ray-core_4.34.0-7_source.buildinfo
Checksums-Sha256:
 20efa952d56f7dc42e5838004ef15fab8a7ac8c1d66b019323da7f09430f0029 2595 
golang-v2ray-core_4.34.0-7.dsc
 4155cf2b379ffbc9575514d994e8aecc45151f763729979952769e0e3389a56e 18768 
golang-v2ray-core_4.34.0-7.debian.tar.xz
 88c76616ab8936fb8265fc030b0ec8e447ac852b1f80a9f8c70394c37390509d 5713 
golang-v2ray-core_4.34.0-7_source.buildinfo
Files:
 a899ba4272bcb9f3e50da9f0372039df 2595 devel optional 
golang-v2ray-core_4.34.0-7.dsc
 9c1c221b0cb810ca6027b656b2512e5b 18768 devel optional 
golang-v2ray-core_4.34.0-7.debian.tar.xz
 6e5d5cdd8b358a482cc1bdb4adc7f63d 5713 devel optional 
golang-v2ray-core_4.34.0-7_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJEBAEBCgAuFiEECjKtvoA5m+cWOFnspHhrDacDNKgFAmKIZ2cQHHJvc2hAZGVi
aWFuLm9yZwAKCRCkeGsNpwM0qFcFEACpI5PfvdR8GfNdWSOVbawjigtN1ZVanXy8
TLpqEHEmrMWybF9cet7OWMMRCWFVsh1QXx3O8CGeuEu6QQ7aXUIqsGZyqJZmixqa
GrBcC0G/M7QtpzI93V7Wng++x/jlM4QjK+Kj6FLJNBqnRkD6i3GQd7et0RiOViAx
c0mF5ipUClwf5nuoSb+v1ZCGhh4Z7cjzfHNpsc5qme748o4JmyxLGcwivDLLFVBx
oG7ZsXa41kv3p1z/dD9gRc2oEdTHw9btR7Ap9MvFov+7h921HhXPF9yGmaVT8COq
2DR3VJGcvIcvCj1MSKuySJgp/ex4sOxH9eRmYBi4gOCjhXf3SLTJY8XJ209umKX7
1Ggbv0+RULRaNcgJd9y1v/FeZakYVbnQfglxbYAoaEo5OTd9xWptFQKFhtxUry5F
p6V1j1dIS0WQj6bfqWdMqH2zUQgaQrLab15FnHBiPaNp2lkYptSdTqV1hKpgAGm/
qZCHAtr734Pd4BGBBWH/NZ6S2d36xKpjcyMVN9oAZn3s5uHVapsIKYUIBilKfQHM
GkhNu9WKqn7aEn47Z32TTY0lXzoLBbNWtwoJRetrxRmMLiQRVRrBc2AV9SrG+Dku
jm/GB+APgehERx3SwfK8K6HcZ1uDl28beW1uV8bJjabbUTWQjfwGtxCo2HYVf/Wu
40yaf3HGLg==
=3r7j
-----END PGP SIGNATURE-----

--- End Message ---