Source: golang-1.8
Version: 1.8.1-1+deb9u1
Severity: grave

Dear Maintainer,

with libyara-dev, libyara3, golang-github-hillu-go-yara-dev from stretch-backports, the attached trivial tool used to build fine, both with and without the build tag "yara_static", which causes pkg-config to be called using the "--static" parameter.

,----
| $ export GOPATH=/usr/share/gocode
| $ /usr/lib/go-1.8/bin/go build -x -tags yara_static t.go
| WORK=/tmp/go-build964606946
| mkdir -p $WORK/github.com/hillu/go-yara/_obj/
| mkdir -p $WORK/github.com/hillu/
| pkg-config --cflags --static yara
| pkg-config --libs --static yara
| [...]
`----

(We can't really build a real statically-linked executable using glibc, but never mind, this is just intended as a demo / reproducer.)

After upgrading golang-1.8 to version 1.8.1-1+deb9u1, this breaks because cgo no longer likes the pkg-config parameters:

,----
| $ /usr/lib/go-1.8/bin/go build -x -tags yara_static t.go
| WORK=/tmp/go-build227067233
| mkdir -p $WORK/github.com/hillu/go-yara/_obj/
| mkdir -p $WORK/github.com/hillu/
| go build github.com/hillu/go-yara: invalid pkg-config package name: --static
`----

I am pretty sure that this was introduced with the fix for CVE-2018-6574, which introduced the following check:

,----
| for _, pkg := range pkgs {
|     if !SafeArg(pkg) {
|         return nil, nil, fmt.Errorf("invalid pkg-config package name: %s", pkg)
|     }
| }
`----

Cheers,
-Hilko
t.go (attached):

package main

import "github.com/hillu/go-yara"

// Minimal reproducer: importing go-yara is enough to pull in its
// "#cgo pkg-config:" directive, so the build fails before main() matters.
func main() {
	yara.NewCompiler()
}
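As an added illustration (not part of this report, and not code from the Go or go-yara projects), the following Go program reimplements the quoted check and shows why a "#cgo pkg-config:" line that carries "--static" trips it: the patched build treats every word on that line as a package name, and a name beginning with "-" can never be "safe". The safeArg function is modelled on cmd/go's SafeArg from memory and is an assumption, not a copy; splitPkgConfigArgs and its allowedPkgConfigOptions list are my own illustrative handling of pkg-config options, not what any Go release does.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"unicode/utf8"
)

// safeArg is a reimplementation, written for this illustration, of the
// check the CVE-2018-6574 fix applies to every pkg-config package name.
// It is modelled on cmd/go's SafeArg (assumed, not copied from the report):
// an argument is "safe" only if it cannot be mistaken for a flag, i.e. it
// starts with an ASCII letter or digit, '.', '_', '/' or a non-ASCII rune.
func safeArg(name string) bool {
	if name == "" {
		return false
	}
	c := name[0]
	return '0' <= c && c <= '9' || 'A' <= c && c <= 'Z' || 'a' <= c && c <= 'z' ||
		c == '.' || c == '_' || c == '/' || c >= utf8.RuneSelf
}

// checkPkgConfigNames reproduces the behaviour quoted in the report: every
// word of the "#cgo pkg-config:" line is treated as a package name and
// rejected if it is not safe. "--static" therefore fails, even though
// pkg-config itself accepts it as an option rather than a package name.
func checkPkgConfigNames(args []string) error {
	for _, pkg := range args {
		if !safeArg(pkg) {
			return fmt.Errorf("invalid pkg-config package name: %s", pkg)
		}
	}
	return nil
}

// allowedPkgConfigOptions is an illustrative allowlist (an assumption for
// this example, not Go's own list) of pkg-config options that only change
// what pkg-config prints, not what cc or ld are asked to do.
var allowedPkgConfigOptions = map[string]bool{
	"--static": true,
}

// splitPkgConfigArgs shows a narrower handling: options are separated from
// package names, options are checked against the allowlist, names are
// checked with safeArg, and the two lists are returned ready to be passed as
// `pkg-config <options> -- <names>`, so a name can never be parsed as a flag.
func splitPkgConfigArgs(args []string) (options, names []string, err error) {
	for _, a := range args {
		switch {
		case a == "--":
			// pkg-config's own separator; the caller adds it itself.
		case strings.HasPrefix(a, "-"):
			if !allowedPkgConfigOptions[a] {
				return nil, nil, fmt.Errorf("pkg-config option not allowed: %s", a)
			}
			options = append(options, a)
		default:
			if !safeArg(a) {
				return nil, nil, fmt.Errorf("invalid pkg-config package name: %s", a)
			}
			names = append(names, a)
		}
	}
	if len(names) == 0 {
		return nil, nil, errors.New("no pkg-config package names given")
	}
	return options, names, nil
}

func main() {
	// Constructed inputs: the two argument lists the go-yara build produces
	// without and with the yara_static tag (assumed from the pkg-config
	// invocations shown in the report).
	for _, args := range [][]string{{"yara"}, {"--static", "yara"}} {
		fmt.Printf("%v: patched go-1.8.1 check -> %v\n", args, checkPkgConfigNames(args))
		opts, names, err := splitPkgConfigArgs(args)
		fmt.Printf("%v: split handling -> options=%v names=%v err=%v\n", args, opts, names, err)
	}
	// A flag-shaped argument must be refused by both schemes.
	fmt.Println(checkPkgConfigNames([]string{"-L/tmp"}))
	_, _, err := splitPkgConfigArgs([]string{"-L/tmp", "yara"})
	fmt.Println(err)
}
```

Running it reproduces the exact error string from the report for {"--static", "yara"} under the quoted check, while the split handling forwards "--static" as a pkg-config option and still refuses anything flag-shaped that is not on the allowlist.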