Bug#999544: Package new upstream version
The aim of the first patch is to remove VSign signature verification, which requires additional dependency. It is designed to verify upstream's binary release and is useless on distributions since distributions neither creates the same binary(requires replicating upstream's reproducible build and applying no patching) nor generate its own signature. The original opengpg signature verification is no longer useful as we no longer create gpg signatures of our binary(gpg signatures do not include and verify filename or other context information in our old signature formats, this would allow an attacker to swap binaries of different versions). This file can be simply deleted to remove verify command. (patch 1) In addition to this, to remove dependency on VSign, executable resource integrity protection is also removed(patch 3). (This is not only designed to prevent someone from running that in an unsandboxed electron, but make sure we won't have merge conflict with the user's own version of these scripts when we update it. So removing it shouldn't create too many issues in Debian's case.) To remove dependency on github.com/jhump/protoreflect, an engineering feature dynamic protojson loading is removed(not very useful for end-users)(patch 2). It is used to help users with a customized build of V2Ray that have configuration elements that cannot be represented by jsonv4 format, not distribution users. On 5/5/2022 9:48 pm, Antoine Beaupré wrote: On 2021-11-12 00:16:38, Alois Micard wrote: Since Go 1.17 is now the defaults on the archive this package fails to build. It could be great to update to upstream 4.43.0 and backport the following commit [1] in order to make the package build again. I have tried to upgrade to the latest upstream (4.45) today, and failed at the first patch because it doesn't apply. I refreshed the other two patches and I'm waiting to hear from upstream (in CC) how to deal with the first. I pushed my work to the debian/experimental branch on salsa: https://salsa.debian.org/go-team/packages/golang-v2ray-core/-/merge_requests/new?merge_request%5Bsource_branch%5D=debian%2Fexperimental a. From 6f2fa9d9310a5d4371da7a527dd629c0c052982b Mon Sep 17 00:00:00 2001 From: Shelikhoo Date: Thu, 5 May 2022 22:31:40 +0100 Subject: [PATCH 1/3] Remove upstream signature verification system --- infra/control/verify.go | 64 - 1 file changed, 64 deletions(-) delete mode 100644 infra/control/verify.go diff --git a/infra/control/verify.go b/infra/control/verify.go deleted file mode 100644 index 48bed7f3.. --- a/infra/control/verify.go +++ /dev/null @@ -1,64 +0,0 @@ -package control - -import ( - "flag" - "os" - - "github.com/v2fly/VSign/signerVerify" - - "github.com/v2fly/v2ray-core/v4/common" -) - -type VerifyCommand struct{} - -func (c *VerifyCommand) Name() string { - return "verify" -} - -func (c *VerifyCommand) Description() Description { - return Description{ - Short: "Verify if a binary is officially signed.", - Usage: []string{ - "v2ctl verify --sig= file...", - "Verify the file officially signed by V2Ray.", - }, - } -} - -func (c *VerifyCommand) Execute(args []string) error { - fs := flag.NewFlagSet(c.Name(), flag.ContinueOnError) - - sigFile := fs.String("sig", "", "Path to the signature file") - - if err := fs.Parse(args); err != nil { - return err - } - - target := fs.Arg(0) - if target == "" { - return newError("empty file path.") - } - - if *sigFile == "" { - return newError("empty signature path.") - } - - sigReader, err := os.Open(os.ExpandEnv(*sigFile)) - if err != nil { - return newError("failed to open file ", *sigFile).Base(err) - } - - files := fs.Args() - - err = signerVerify.OutputAndJudge(signerVerify.CheckSignaturesV2Fly(sigReader, files)) - - if err == nil { - return nil - } - - return newError("file is not officially signed by V2Ray").Base(err) -} - -func init() { - common.Must(RegisterCommand(&VerifyCommand{})) -} -- 2.34.1 From 431fe1de7e15afd50cffe8c70ed7b0a93e0d03fb Mon Sep 17 00:00:00 2001 From: Shelikhoo Date: Thu, 5 May 2022 22:38:52 +0100 Subject: [PATCH 2/3] Remove engineering dynamic jsonpb loading function this functionality provided with stock protobuf library in jsonv5 --- go.mod | 1 - infra/conf/api.go | 12 infra/conf/services.go | 30 -- infra/conf/v2ray.go| 13 - 4 files changed, 56 deletions(-) delete mode 100644 infra/conf/services.go diff --git a/go.mod b/go.mod index ff684538..97a3366e 100644 --- a/go.mod +++ b/go.mod @@ -7,7 +7,6 @@ require ( github.com/golang/protobuf v1.5.2 github.com/google/go-cmp v0.5.6 github.com/gorilla/websocket v1.4.2 - github.com/jhump/pro
Bug#1010377: V2Ray CVE-2021-4070 DoS by Authenticated VMess Server patch not applied
Package: v2ray Version: 4.34.0-1 Control: severity -1 serious This bug is submitted by upstream developers for a serious DoS bug within V2Ray that have been patched in upstream since 05 Dec 2021, and subsequently published but remain unpatched in Debian. The fix for this bug is included in v4.44.0 (https://github.com/v2fly/v2ray-core/releases/tag/v4.44.0). It have been identified as: CVE-2021-4070 (https://nvd.nist.gov/vuln/detail/CVE-2021-4070) This vulnerability allows a VMess Server controlled by an attacker to crash a VMess Client by sending a specially crafted handshake response reply with an (optional) VMess SwitchAccount Command that is one byte shorter than expected. This vulnerability does NOT allow the attacker to retrieve any information from a client other than it used an unpatched version of the software and does NOT allow attacker to control the unpatched software or system. It is strongly recommended for all users to apply this security update at the earliest possible opportunity. We would like to thank geeknik for the responsible disclosure of this vulnerability. Fix: https://github.com/v2fly/v2ray-core/commit/c1af2bfd7aa59a4482aa7f6ec4b9208c1d350b5c
Bug#1009818: V2Ray 4.34.0-5 (Debian Unstable ver.) Crashes when VMess Protocol is Used because an unsynchronized update of Golang and V2Ray - HMAC constructor fix not applied on Debian
The reason this package is often out of update is that whenever a new dependency is introduced, that dependency will need to be packaged. We, the developer, could develop with the dependency availability in mind. Or create make dependencies and associated functions optional. If that is necessary for other functional updates to be delivered in a timely manner. On 28/4/2022 3:05 pm, Antoine Beaupré wrote: Control: tags -1 +patch Control: found -1 4.34.0-1 Control: severity -1 grave On 2022-04-18 17:40:13, Shelikhoo wrote: This bug is submitted by upstream developers on behalf of end-users for a Debian specific bug. We are ready to cooperate with the Debian side to resolve this bug. V2Ray 4.34.0-5 (Debian Unstable ver.) crashes when VMess protocol is used because an unsynchronized update of Golang and V2Ray as HMAC constructor fix is not applied on Debian version of V2Ray. The version of the source code currently included in Debian will not work if compiled with Golang 1.15+(or possibly 1.16+). We have already fixed this issue more than 1 year ago(https://github.com/v2fly/v2ray-core/commit/0024c6e028768d8516bdee11be9834b2617ff00c) however this changeset is not included in Debian. We recommend this commit be backported to the Debian version of V2Ray(I will exercise self-control to refrain from asking you to keep the package up to date.). No need for self control! The package should be kept up to date, and feel free to file a bug to report this problem. :) I think this probably also applies to stable (because it doesn't have a different set of patches than unstable), so I marked it as affecting that as well. Finally, this seems to be more serious than "normal", as it completely crashes the program ("makes the package in question unusable or mostly so"), so I bumped the severity as well. I think the way forward here is to update to latest upstream in unstable. I don't see why that should be kept out. For stable, that would need a stable update and it's a little more involved, specifically: https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#bug-security or: https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#upload-stable a.
Bug#1009818: V2Ray 4.34.0-5 (Debian Unstable ver.) Crashes when VMess Protocol is Used because an unsynchronized update of Golang and V2Ray - HMAC constructor fix not applied on Debian
Package: v2ray Version: 4.34.0-5 This bug is submitted by upstream developers on behalf of end-users for a Debian specific bug. We are ready to cooperate with the Debian side to resolve this bug. V2Ray 4.34.0-5 (Debian Unstable ver.) crashes when VMess protocol is used because an unsynchronized update of Golang and V2Ray as HMAC constructor fix is not applied on Debian version of V2Ray. The version of the source code currently included in Debian will not work if compiled with Golang 1.15+(or possibly 1.16+). We have already fixed this issue more than 1 year ago(https://github.com/v2fly/v2ray-core/commit/0024c6e028768d8516bdee11be9834b2617ff00c) however this changeset is not included in Debian. We recommend this commit be backported to the Debian version of V2Ray(I will exercise self-control to refrain from asking you to keep the package up to date.). The original issue on the upstream issue tracker: https://github.com/v2fly/v2ray-core/issues/1730 [Chinese, some comments are in English] Translated below: Issue Title: Debian/Unstable 's v2ray package panic: crypto/hmac Which version of V2Ray are you using: 4.34.0-5 (Debian/Unstable) What are you using it for: Server What is the anomaly observed by you: Run v2ray will report the error "panic: crypto/hmac: hash generation function does not produce unique values" What is the expected behaviour: V2Ray operates normally Please submit your configuration file: server: { "inbounds": [ { "port": 3334, "protocol": "vmess", "settings":{ "clients":[ { "id": "3e3343e2-13d8-44c3-887f-46675e7bf313" } ] } } ], "outbounds": [ { "protocol": "freedom", "settings": {} } ] } === Please attach error message: command: v2ray --test --config /etc/v2ray/config.json message: === V2Ray 4.34.0 (user) 20220118-150717 (go1.17.6 linux/amd64) A unified platform for anti-censorship. panic: crypto/hmac: hash generation function does not produce unique values goroutine 1 [running]: crypto/hmac.New(0xc00015b5f0, {0xc38a80, 0x16, 0x18}) crypto/hmac/hmac.go:143 +0x292 v2ray.com/core/proxy/vmess/aead.KDF({0xc000171c20, 0x10, 0x10}, {0xc00015b640, 0x1, 0x10}) v2ray.com/core/proxy/vmess/aead/kdf.go:13 +0x127 v2ray.com/core/proxy/vmess/aead.KDF16(...) v2ray.com/core/proxy/vmess/aead/kdf.go:22 v2ray.com/core/proxy/vmess/aead.NewCipherFromKey({0xc000171c20, 0x618573, 0xcd4180}) v2ray.com/core/proxy/vmess/aead/authid.go:41 +0x4a v2ray.com/core/proxy/vmess/aead.NewAuthIDDecoder(...) v2ray.com/core/proxy/vmess/aead/authid.go:53 v2ray.com/core/proxy/vmess/aead.NewAuthIDDecoderItem(...) v2ray.com/core/proxy/vmess/aead/authid.go:84 v2ray.com/core/proxy/vmess/aead.(*AuthIDDecoderHolder).AddUser(0xc00016e6a0, {0x92, 0x5, 0x5d, 0x4b, 0x26, 0xcf, 0xe5, 0xf3, 0xed, ...}, ...) v2ray.com/core/proxy/vmess/aead/authid.go:90 +0x50 v2ray.com/core/proxy/vmess.(*TimedUserValidator).Add(0xc000172e70, 0xc000165980) v2ray.com/core/proxy/vmess/validator.go:152 +0x365 v2ray.com/core/proxy/vmess/inbound.(*Handler).AddUser(0xc000174300, {0xb03000, 0x0}, 0x2) v2ray.com/core/proxy/vmess/inbound/inbound.go:166 +0x52 v2ray.com/core/proxy/vmess/inbound.New({0xd654c0, 0xc0001655f0}, 0xc7f5e0) v2ray.com/core/proxy/vmess/inbound/inbound.go:133 +0x3b0 v2ray.com/core/proxy/vmess/inbound.init.2.func1({0xd654c0, 0xc0001655f0}, {0xc1a500, 0xc7f5e0}) v2ray.com/core/proxy/vmess/inbound/inbound.go:355 +0x3c v2ray.com/core/common.CreateObject({0xd654c0, 0xc0001655f0}, {0xc1a500, 0xc7f5e0}) v2ray.com/core/common/type.go:32 +0x1a5 v2ray.com/core/app/proxyman/inbound.NewAlwaysOnInboundHandler({0xd654c0, 0xc0001655f0}, {0x0, 0x624e0}, 0xc000172e00, {0xc1a500, 0xc7f5e0}) v2ray.com/core/app/proxyman/inbound/always.go:52 +0x71 v2ray.com/core/app/proxyman/inbound.NewHandler({0xd654c0, 0xc0001655f0}, 0xc0001740c0) v2ray.com/core/app/proxyman/inbound/inbound.go:162 +0x2c5 v2ray.com/core/app/proxyman/inbound.init.0.func2({0xd654c0, 0xc0001655f0}, {0xc0cbc0, 0xc0001740c0}) v2ray.com/core/app/proxyman/inbound/inbound.go:176 +0x3c v2ray.com/core/common.CreateObject({0xd654c0, 0xc0001655f0}, {0xc0cbc0, 0xc0001740c0}) v2ray.com/core/common/type.go:32 +0x1a5 v2ray.com/core.CreateObject(0x6, {0xc0cbc0, 0xc0001740c0}) v2ray.com/core/functions.go:21 +0x78 v2ray.com/core.AddInboundHandler(0xc7f0e0, 0x4) v2ray.com/core/v2ray.go:101 +0x65 v2ray.com/core.addInboundHandlers(0xc7f0e0, {0xc10fd0, 0x1, 0xc7f0e0}) v2ray.com/core/v2ray.go:117 +0x56 v2ray.com/core.initInstanceWithConfig(0xc000166fc0, 0xc7f0e0) v2ray.com/core/v2ray.go:229 +0x42b v2ray.com/core.New(0xc4ce5c) v2ray.com/core/v2ray.go:164 +0x77 main.startV2Ray() v2ray.com/core/main/main.go:115 +0x230 main.main() v2ray.com/core/main/