From 74f747e80bfb89ee7ac07d0ff4921d745dd82d65 Mon Sep 17 00:00:00 2001
From: James Shubin
Date: Sun, 7 Jul 2024 12:47:14 -0400
Subject: [PATCH] util: password: Fix suspicious dep issue

It seems that without warning, the author of this dep has nuked the old version, and reorganized the source tree significantly. I'm not an expert and cryptography routines, but this doesn't make me feel warm inside. I hope more expert researchers could look into this so that we avoid supply chain attacks.
---
 go.mod | 2 +-
 go.sum | 4 ++--
 util/password/password.go | 6 +++++-
 3 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/go.mod b/go.mod
index 451cffea..e520d2ab 100644
--- a/go.mod
+++ b/go.mod
@@ -31,7 +31,6 @@ require (
 github.com/prometheus/client_golang v1.19.0
 github.com/sanity-io/litter v1.5.5
 github.com/spf13/afero v1.11.0
- github.com/tredoe/osutil/v2 v2.0.0-rc.16
 github.com/vishvananda/netlink v1.2.1-beta.2
 github.com/yalue/merged_fs v1.3.0
 go.etcd.io/etcd/api/v3 v3.5.13
@@ -128,6 +127,7 @@ require (
 github.com/spf13/cobra v1.8.0 // indirect
 github.com/spf13/pflag v1.0.6-0.20210604193023-d5e0c0615ace // indirect
 github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75 // indirect
+ github.com/tredoe/osutil v1.5.0 // indirect
 github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701 // indirect
 github.com/vishvananda/netns v0.0.4 // indirect
 github.com/xanzy/ssh-agent v0.3.3 // indirect
diff --git a/go.sum b/go.sum
index 4ecba00d..fcaab50c 100644
--- a/go.sum
+++ b/go.sum
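Review bot: The new `github.com/tredoe/osutil v1.5.0 // indirect` line in the second go.mod hunk is placed in the indirect block, yet this same patch imports `github.com/tredoe/osutil/user/crypt/sha512_crypt` directly from util/password/password.go, so the marker is inaccurate and `go mod tidy` would move it back into the first require block. This presumably happened because `go get` was run before the import path was changed. Move the line into the direct block as `github.com/tredoe/osutil v1.5.0` (no `// indirect`) and re-run `go mod tidy`, so the manifest states what the code actually depends on and dependency reviewers and `govulncheck` see it as a first-party dependency rather than a transitive one.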
@@ -434,8 +434,8 @@ github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsT
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75 h1:6fotK7otjonDflCTK0BCfls4SPy3NcCVb5dqqmbRknE=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75/go.mod h1:KO6IkyS8Y3j8OdNO85qEYBsRPuteD+YciPomcXdrMnk=
-github.com/tredoe/osutil/v2 v2.0.0-rc.16 h1:5A2SKvyB2c3lhPYUIHyFtu6jbaXlaA3Hu5gWIam8Pik=
-github.com/tredoe/osutil/v2 v2.0.0-rc.16/go.mod h1:uLRVx/3pb7Y4RQhG8cQFbPE9ha5r81e6MXpBsxbTAYc=
+github.com/tredoe/osutil v1.5.0 h1:UGVxbbHRoZi8xXVmbNZ2vgG6XoJ15ndE4LniiQ3rJKg=
+github.com/tredoe/osutil v1.5.0/go.mod h1:TEzphzUUunysbdDRfdOgqkg10POQbnfIPV50ynqOfIg=
 github.com/tv42/httpunix v0.0.0-20150427012821-b75d8614f926/go.mod h1:9ESjWnEqriFuLhtthL60Sar/7RFoluCcXsuvEwTV5KM=
 github.com/u-root/uio v0.0.0-20210528114334-82958018845c/go.mod h1:LpEX5FO/cB+WF4TYGY1V5qktpaZLkKkSegbr0V4eYXA=
 github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701 h1:pyC9PaHYZFgEKFdlp3G8RaCKgVpHZnecvArXvPXcFkM=
diff --git a/util/password/password.go b/util/password/password.go
index 0559653e..07044dd3 100644
--- a/util/password/password.go
+++ b/util/password/password.go
@@ -27,6 +27,10 @@
 // additional permission if he deems it necessary to achieve the goals of this
 // additional permission.
+// Package password has some utility functions for dealing with misc passwords.
+// XXX: Please note, the "github.com/tredoe/osutil/user/crypt/sha512_crypt"
+// dependency is slightly suspicious and we should investigate it further to
+// make sure there are no supply chain issues with it.
 package password
 import (
@@ -41,7 +45,7 @@ import (
 "syscall"
 "time"
- sha512Crypt "github.com/tredoe/osutil/v2/userutil/crypt/sha512_crypt"
+ sha512Crypt "github.com/tredoe/osutil/user/crypt/sha512_crypt"
 "golang.org/x/sys/unix"
 )
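Review bot: The XXX note is part of the package doc comment (it follows `// Package password …` with no blank line in between), so `go doc` and pkg.go.dev will publish the supply-chain warning as the package's public description instead of keeping it as an internal review note. Split it: keep `// Package password has some utility functions for dealing with misc passwords.` as the doc comment, then a blank line, then the warning as its own block, e.g. `// XXX(security): github.com/tredoe/osutil/user/crypt/sha512_crypt replaced the v2 module whose tag disappeared upstream (see commit 74f747e); diff the sha512_crypt code against the proxy-cached v2.0.0-rc.16 copy before trusting it.` Recording what was observed and what would close the question is more useful to the next reader than "slightly suspicious", which gives them nothing to act on.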
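Review bot: Switching the import from `github.com/tredoe/osutil/v2/userutil/crypt/sha512_crypt` to `github.com/tredoe/osutil/user/crypt/sha512_crypt` pulls in a different module (`github.com/tredoe/osutil v1.5.0`) whose contents this patch never compares with the previously vetted v2.0.0-rc.16 code, and the commit message says upstream reorganized its tree, which is exactly the situation in which an unwanted change can slip in unnoticed. Before merging, fetch both versions with `go mod download -json github.com/tredoe/osutil/v2@v2.0.0-rc.16` and `go mod download -json github.com/tredoe/osutil@v1.5.0` (the module proxy and sum.golang.org normally retain a version even after its tag is deleted upstream), diff the `sha512_crypt` package and whatever it imports, and look for new `init()` functions, network or `os/exec` calls, or new transitive modules in `go mod graph`. Also run `go mod verify` and confirm `GONOSUMDB`/`GOFLAGS` did not bypass the checksum database for this module, so the go.sum hashes in this patch are what the sumdb recorded rather than whatever was on the author's disk. If sha512_crypt is, as its name suggests, a self-contained crypt(3) SHA-512 implementation, `go mod vendor` or forking the package in-tree with its license would make any future change to it visible in code review instead of hidden behind a version bump. The `import (` block starts before this hunk.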