Your message dated Fri, 28 Apr 2023 11:18:25 +0200
with message-id <e762bca1-90d8-091a-eb5f-6f7be5c5b...@debian.org>
and subject line golang-1.8 has been removed from Debian
has caused the Debian Bug report #921549,
regarding golang-1.8: Security update of golang-1.8 breaks pieces of cgo
pkg-config support
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
--
921549: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=921549
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: golang-1.8
Version: 1.8.1-1+deb9u1
Severity: grave
Dear Maintainer,
with libyara-dev, libyara3, golang-github-hillu-go-yara-dev from
stretch-backports, the attached trivial tool used to build fine, both
with and without build tag "yara_static" which causes pkg-config to be
called using the "--static" parameter.
,----
| $ export GOPATH=/usr/share/gocode
| $ /usr/lib/go-1.8/bin/go build -x -tags yara_static t.go
| WORK=/tmp/go-build964606946
| mkdir -p $WORK/github.com/hillu/go-yara/_obj/
| mkdir -p $WORK/github.com/hillu/
| pkg-config --cflags --static yara
| pkg-config --libs --static yara
| [...]
`----
(We can't really build a real statically-linked executable using glibc,
but never mind, this is just intended as a demo / reproducer.)
After upgrading golang-1.8 to version 1.8.1-1+deb9u1, this breaks
because cgo no longer likes the pkg-config parameters:
,----
| $ /usr/lib/go-1.8/bin/go build -x -tags yara_static t.go
| WORK=/tmp/go-build227067233
| mkdir -p $WORK/github.com/hillu/go-yara/_obj/
| mkdir -p $WORK/github.com/hillu/
| go build github.com/hillu/go-yara: invalid pkg-config package name: --static
`----
I am pretty sure that this was introduced with the fix for
CVE-2018-6574 which introduced the following check:
,----
| for _, pkg := range pkgs {
|     if !SafeArg(pkg) {
|         return nil, nil, fmt.Errorf("invalid pkg-config package name: %s", pkg)
|     }
| }
`----
Cheers,
-Hilko
package main

import "github.com/hillu/go-yara"

func main() {
	yara.NewCompiler()
}
--- End Message ---
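The behaviour described in the report above, as an added Go example (not code from the Go tree, the Debian package or either message): `checkAll` applies a `SafeArg`-style test to every word of the `#cgo pkg-config:` line and so refuses `--static`, while `splitAndCheck` validates only the package names. The character rule in `safeArg` and the helper names `checkAll` and `splitAndCheck` are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// safeArg: assumed stand-in for the SafeArg check quoted in the report. It
// rejects anything that could be read as an option (leading '-', '@', ...).
func safeArg(s string) bool {
	if s == "" {
		return false
	}
	c := s[0]
	return c >= 0x80 || c == '.' || c == '_' || c == '/' ||
		'0' <= c && c <= '9' || 'A' <= c && c <= 'Z' || 'a' <= c && c <= 'z'
}

// checkAll mirrors the quoted loop: every word is treated as a package name.
func checkAll(args []string) error {
	for _, pkg := range args {
		if !safeArg(pkg) {
			return fmt.Errorf("invalid pkg-config package name: %s", pkg)
		}
	}
	return nil
}

// splitAndCheck (hypothetical) moves "--" options to the front, validates only
// the package names, and places the names behind a literal "--" separator.
func splitAndCheck(args []string) ([]string, error) {
	var flags, pkgs []string
	for _, a := range args {
		if !strings.HasPrefix(a, "--") {
			pkgs = append(pkgs, a)
		} else if a != "--" { // drop "--"; our own separator is added below
			flags = append(flags, a)
		}
	}
	if err := checkAll(pkgs); err != nil {
		return nil, err
	}
	return append(append(flags, "--"), pkgs...), nil
}

func main() { // input constructed from the report's build log
	fmt.Println(checkAll([]string{"--static", "yara"}))
	fmt.Println(splitAndCheck([]string{"--static", "yara"}))
}
```

Options separated out this way still reach pkg-config unvalidated; a stricter variant would compare them against an explicit allowlist.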
--- Begin Message ---
Version: 1.8.5-1+rm
src:golang-1.8 was last released with Debian 9 (stretch)
in June 2017 and was removed from the Debian archive afterwards.
See https://bugs.debian.org/915437 for details on the removal.
After regular security support for stretch ended in July 2020 and LTS
support ended in July 2022, I'm closing the remaining bug reports now.
Andreas
--- End Message ---