Bug#999544: Package new upstream version

2022-05-05 Thread Shelikhoo 
The aim of the first patch is to remove VSign signature verification, 
which requires additional dependency. It is designed to verify 
upstream's binary release and is useless on distributions since 
distributions neither creates the same binary(requires replicating 
upstream's reproducible build and applying no patching) nor generate its 
own signature. The original opengpg signature verification is no longer 
useful as we no longer create gpg signatures of our binary(gpg 
signatures do not include and verify filename or other context 
information in our old signature formats, this would allow an attacker 
to swap binaries of different versions).


This file can be simply deleted to remove verify command. (patch 1)


In addition to this, to remove dependency on VSign, executable resource 
integrity protection is also removed(patch 3). (This is not only 
designed to prevent someone from running that in an unsandboxed 
electron, but make sure we won't have merge conflict with the user's own 
version of these scripts when we update it. So removing it shouldn't 
create too many issues in Debian's case.)



To remove dependency on github.com/jhump/protoreflect, an engineering 
feature dynamic protojson loading is removed(not very useful for 
end-users)(patch 2). It is used to help users with a customized build of 
V2Ray that have configuration elements that cannot be represented by 
jsonv4 format, not distribution users.



On 5/5/2022 9:48 pm, Antoine Beaupré wrote:

On 2021-11-12 00:16:38, Alois Micard wrote:

Since Go 1.17 is now the defaults on the archive this package
fails to build.

It could be great to update to upstream 4.43.0 and backport the
following commit [1] in order to make the package build again.

I have tried to upgrade to the latest upstream (4.45) today, and failed
at the first patch because it doesn't apply. I refreshed the other two
patches and I'm waiting to hear from upstream (in CC) how to deal with
the first. I pushed my work to the debian/experimental branch on salsa:

https://salsa.debian.org/go-team/packages/golang-v2ray-core/-/merge_requests/new?merge_request%5Bsource_branch%5D=debian%2Fexperimental

a.
From 6f2fa9d9310a5d4371da7a527dd629c0c052982b Mon Sep 17 00:00:00 2001
From: Shelikhoo 
Date: Thu, 5 May 2022 22:31:40 +0100
Subject: [PATCH 1/3] Remove upstream signature verification system

---
 infra/control/verify.go | 64 -
 1 file changed, 64 deletions(-)
 delete mode 100644 infra/control/verify.go

diff --git a/infra/control/verify.go b/infra/control/verify.go
deleted file mode 100644
index 48bed7f3..
--- a/infra/control/verify.go
+++ /dev/null
@@ -1,64 +0,0 @@
-package control
-
-import (
-	"flag"
-	"os"
-
-	"github.com/v2fly/VSign/signerVerify"
-
-	"github.com/v2fly/v2ray-core/v4/common"
-)
-
-type VerifyCommand struct{}
-
-func (c *VerifyCommand) Name() string {
-	return "verify"
-}
-
-func (c *VerifyCommand) Description() Description {
-	return Description{
-		Short: "Verify if a binary is officially signed.",
-		Usage: []string{
-			"v2ctl verify --sig= file...",
-			"Verify the file officially signed by V2Ray.",
-		},
-	}
-}
-
-func (c *VerifyCommand) Execute(args []string) error {
-	fs := flag.NewFlagSet(c.Name(), flag.ContinueOnError)
-
-	sigFile := fs.String("sig", "", "Path to the signature file")
-
-	if err := fs.Parse(args); err != nil {
-		return err
-	}
-
-	target := fs.Arg(0)
-	if target == "" {
-		return newError("empty file path.")
-	}
-
-	if *sigFile == "" {
-		return newError("empty signature path.")
-	}
-
-	sigReader, err := os.Open(os.ExpandEnv(*sigFile))
-	if err != nil {
-		return newError("failed to open file ", *sigFile).Base(err)
-	}
-
-	files := fs.Args()
-
-	err = signerVerify.OutputAndJudge(signerVerify.CheckSignaturesV2Fly(sigReader, files))
-
-	if err == nil {
-		return nil
-	}
-
-	return newError("file is not officially signed by V2Ray").Base(err)
-}
-
-func init() {
-	common.Must(RegisterCommand(&VerifyCommand{}))
-}
-- 
2.34.1

From 431fe1de7e15afd50cffe8c70ed7b0a93e0d03fb Mon Sep 17 00:00:00 2001
From: Shelikhoo 
Date: Thu, 5 May 2022 22:38:52 +0100
Subject: [PATCH 2/3] Remove engineering dynamic jsonpb loading function

this functionality provided with stock protobuf library in jsonv5
---
 go.mod |  1 -
 infra/conf/api.go  | 12 
 infra/conf/services.go | 30 --
 infra/conf/v2ray.go| 13 -
 4 files changed, 56 deletions(-)
 delete mode 100644 infra/conf/services.go

diff --git a/go.mod b/go.mod
index ff684538..97a3366e 100644
--- a/go.mod
+++ b/go.mod
@@ -7,7 +7,6 @@ require (
 	github.com/golang/protobuf v1.5.2
 	github.com/google/go-cmp v0.5.6
 	github.com/gorilla/websocket v1.4.2
-	github.com/jhump/pro

Bug#1010377: V2Ray CVE-2021-4070 DoS by Authenticated VMess Server patch not applied

2022-04-29 Thread Shelikhoo 

Package: v2ray

Version: 4.34.0-1

Control: severity -1 serious


This bug is submitted by upstream developers for a serious DoS bug 
within V2Ray that have been patched in upstream since 05 Dec 2021, and 
subsequently published but remain unpatched in Debian. The fix for this 
bug is included in v4.44.0 
(https://github.com/v2fly/v2ray-core/releases/tag/v4.44.0).


It have been identified as:

CVE-2021-4070 (https://nvd.nist.gov/vuln/detail/CVE-2021-4070)

This vulnerability allows a VMess Server controlled by an attacker to 
crash a VMess Client by sending a specially crafted handshake response 
reply with an (optional) VMess SwitchAccount Command that is one byte 
shorter than expected. This vulnerability does NOT allow the attacker to 
retrieve any information from a client other than it used an unpatched 
version of the software and does NOT allow attacker to control the 
unpatched software or system. It is strongly recommended for all users 
to apply this security update at the earliest possible opportunity. We 
would like to thank geeknik for the responsible disclosure of this 
vulnerability.


Fix: 
https://github.com/v2fly/v2ray-core/commit/c1af2bfd7aa59a4482aa7f6ec4b9208c1d350b5c

Bug#1009818: V2Ray 4.34.0-5 (Debian Unstable ver.) Crashes when VMess Protocol is Used because an unsynchronized update of Golang and V2Ray - HMAC constructor fix not applied on Debian

2022-04-28 Thread Shelikhoo 
The reason this package is often out of update is that whenever a new 
dependency is introduced, that dependency will need to be packaged.



We, the developer, could develop with the dependency availability in 
mind. Or create make dependencies and associated functions optional. If 
that is necessary for other functional updates to be delivered in a 
timely manner.



On 28/4/2022 3:05 pm, Antoine Beaupré wrote:

Control: tags -1 +patch
Control: found -1 4.34.0-1
Control: severity -1 grave

On 2022-04-18 17:40:13, Shelikhoo wrote:

This bug is submitted by upstream developers on behalf of end-users for
a Debian specific bug.  We are ready to cooperate with the Debian side
to resolve this bug.

V2Ray 4.34.0-5 (Debian Unstable ver.) crashes when VMess protocol is
used because an unsynchronized update of Golang and V2Ray as HMAC
constructor fix is not applied on Debian version of V2Ray.

The version of the source code currently included in Debian will not
work if compiled with Golang 1.15+(or possibly 1.16+). We have already
fixed this issue more than 1 year
ago(https://github.com/v2fly/v2ray-core/commit/0024c6e028768d8516bdee11be9834b2617ff00c)
however this changeset is not included in Debian. We recommend this
commit be backported to the Debian version of V2Ray(I will exercise
self-control to refrain from asking you to keep the package up to date.).

No need for self control! The package should be kept up to date, and
feel free to file a bug to report this problem. :)

I think this probably also applies to stable (because it doesn't have a
different set of patches than unstable), so I marked it as affecting
that as well.

Finally, this seems to be more serious than "normal", as it completely
crashes the program ("makes the package in question unusable or mostly
so"), so I bumped the severity as well.

I think the way forward here is to update to latest upstream in
unstable. I don't see why that should be kept out. For stable, that
would need a stable update and it's a little more involved,
specifically:

https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#bug-security

or:

https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#upload-stable

a.

Bug#1009818: V2Ray 4.34.0-5 (Debian Unstable ver.) Crashes when VMess Protocol is Used because an unsynchronized update of Golang and V2Ray - HMAC constructor fix not applied on Debian

2022-04-18 Thread Shelikhoo 

Package: v2ray
Version: 4.34.0-5

This bug is submitted by upstream developers on behalf of end-users for 
a Debian specific bug.  We are ready to cooperate with the Debian side 
to resolve this bug.


V2Ray 4.34.0-5 (Debian Unstable ver.) crashes when VMess protocol is 
used because an unsynchronized update of Golang and V2Ray as HMAC 
constructor fix is not applied on Debian version of V2Ray.


The version of the source code currently included in Debian will not 
work if compiled with Golang 1.15+(or possibly 1.16+). We have already 
fixed this issue more than 1 year 
ago(https://github.com/v2fly/v2ray-core/commit/0024c6e028768d8516bdee11be9834b2617ff00c) 
however this changeset is not included in Debian. We recommend this 
commit be backported to the Debian version of V2Ray(I will exercise 
self-control to refrain from asking you to keep the package up to date.).


The original issue on the upstream issue tracker: 
https://github.com/v2fly/v2ray-core/issues/1730 [Chinese, some comments 
are in English] Translated below:


Issue Title:
Debian/Unstable 's v2ray package panic: crypto/hmac

Which version of V2Ray are you using:
4.34.0-5 (Debian/Unstable)

What are you using it for:
Server

What is the anomaly observed by you:
Run v2ray will report the error "panic: crypto/hmac: hash generation 
function does not produce unique values"


What is the expected behaviour:
V2Ray operates normally

Please submit your configuration file:
server:

{
  "inbounds": [
    {
  "port": 3334,
  "protocol": "vmess",
  "settings":{
    "clients":[
  {
  "id": "3e3343e2-13d8-44c3-887f-46675e7bf313"
  }
    ]
  }
    }
  ],
  "outbounds": [
    {
  "protocol": "freedom",
  "settings": {}
    }
  ]
}
===
Please attach error message:
command: v2ray --test --config /etc/v2ray/config.json
message:
===
V2Ray 4.34.0 (user) 20220118-150717 (go1.17.6 linux/amd64)
A unified platform for anti-censorship.
panic: crypto/hmac: hash generation function does not produce unique values

goroutine 1 [running]:
crypto/hmac.New(0xc00015b5f0, {0xc38a80, 0x16, 0x18})
    crypto/hmac/hmac.go:143 +0x292
v2ray.com/core/proxy/vmess/aead.KDF({0xc000171c20, 0x10, 0x10}, 
{0xc00015b640, 0x1, 0x10})

    v2ray.com/core/proxy/vmess/aead/kdf.go:13 +0x127
v2ray.com/core/proxy/vmess/aead.KDF16(...)
    v2ray.com/core/proxy/vmess/aead/kdf.go:22
v2ray.com/core/proxy/vmess/aead.NewCipherFromKey({0xc000171c20, 
0x618573, 0xcd4180})

    v2ray.com/core/proxy/vmess/aead/authid.go:41 +0x4a
v2ray.com/core/proxy/vmess/aead.NewAuthIDDecoder(...)
    v2ray.com/core/proxy/vmess/aead/authid.go:53
v2ray.com/core/proxy/vmess/aead.NewAuthIDDecoderItem(...)
    v2ray.com/core/proxy/vmess/aead/authid.go:84
v2ray.com/core/proxy/vmess/aead.(*AuthIDDecoderHolder).AddUser(0xc00016e6a0, 
{0x92, 0x5, 0x5d, 0x4b, 0x26, 0xcf, 0xe5, 0xf3, 0xed, ...}, ...)

    v2ray.com/core/proxy/vmess/aead/authid.go:90 +0x50
v2ray.com/core/proxy/vmess.(*TimedUserValidator).Add(0xc000172e70, 
0xc000165980)

    v2ray.com/core/proxy/vmess/validator.go:152 +0x365
v2ray.com/core/proxy/vmess/inbound.(*Handler).AddUser(0xc000174300, 
{0xb03000, 0x0}, 0x2)

    v2ray.com/core/proxy/vmess/inbound/inbound.go:166 +0x52
v2ray.com/core/proxy/vmess/inbound.New({0xd654c0, 0xc0001655f0}, 
0xc7f5e0)

    v2ray.com/core/proxy/vmess/inbound/inbound.go:133 +0x3b0
v2ray.com/core/proxy/vmess/inbound.init.2.func1({0xd654c0, 
0xc0001655f0}, {0xc1a500, 0xc7f5e0})

    v2ray.com/core/proxy/vmess/inbound/inbound.go:355 +0x3c
v2ray.com/core/common.CreateObject({0xd654c0, 0xc0001655f0}, {0xc1a500, 
0xc7f5e0})

    v2ray.com/core/common/type.go:32 +0x1a5
v2ray.com/core/app/proxyman/inbound.NewAlwaysOnInboundHandler({0xd654c0, 
0xc0001655f0}, {0x0, 0x624e0}, 0xc000172e00, {0xc1a500, 0xc7f5e0})

    v2ray.com/core/app/proxyman/inbound/always.go:52 +0x71
v2ray.com/core/app/proxyman/inbound.NewHandler({0xd654c0, 0xc0001655f0}, 
0xc0001740c0)

    v2ray.com/core/app/proxyman/inbound/inbound.go:162 +0x2c5
v2ray.com/core/app/proxyman/inbound.init.0.func2({0xd654c0, 
0xc0001655f0}, {0xc0cbc0, 0xc0001740c0})

    v2ray.com/core/app/proxyman/inbound/inbound.go:176 +0x3c
v2ray.com/core/common.CreateObject({0xd654c0, 0xc0001655f0}, {0xc0cbc0, 
0xc0001740c0})

    v2ray.com/core/common/type.go:32 +0x1a5
v2ray.com/core.CreateObject(0x6, {0xc0cbc0, 0xc0001740c0})
    v2ray.com/core/functions.go:21 +0x78
v2ray.com/core.AddInboundHandler(0xc7f0e0, 0x4)
    v2ray.com/core/v2ray.go:101 +0x65
v2ray.com/core.addInboundHandlers(0xc7f0e0, {0xc10fd0, 0x1, 
0xc7f0e0})

    v2ray.com/core/v2ray.go:117 +0x56
v2ray.com/core.initInstanceWithConfig(0xc000166fc0, 0xc7f0e0)
    v2ray.com/core/v2ray.go:229 +0x42b
v2ray.com/core.New(0xc4ce5c)
    v2ray.com/core/v2ray.go:164 +0x77
main.startV2Ray()
    v2ray.com/core/main/main.go:115 +0x230
main.main()
    v2ray.com/core/main/