Security Issue: Vulnerable Version of golang.org/x/net Used

[gssandhu143]

The Pion/SRTP project currently depends on golang.org/x/net version v0.27.0, which contains a known vulnerability in the html/doctype.go file, specifically in the parseDocType function. For html/foreign.go htmlIntegrationPoint() function, for html/parse.go inBodyIM() function, inTableIM function. These vulnerabilities can be exploited for a Denial of Service (DoS) attack.

Affected Dependency:
Package: golang.org/x/net

Current Version: v0.27.0
Vulnerable Function: parseDocType in html/doctype.go

Recommended Fix:
To mitigate this issue, please update golang.org/x/net to a non-vulnerable version:
v0.36.0
v0.37.0
v0.38.0

These versions contain fixes for the vulnerability.

[gssandhu143]

We are using pion/srtp for our project and we can't move forward with these vulnerabilities. Please help us to update the version of goland/x/net.

[Sean-Der]

Hey @gssandhu143

I don't see /x/net in our go.mod. https://github.com/pion/srtp/blob/master/go.mod

I am going to close for now, but happy to help with your project if you are still having issues. Pion doesn't do any HTML parsing, so we aren't impacted by this issue.

[gssandhu143]

Hi @Sean-Der, Thanks for your quick response.

I can see the usage of /x/net in the go.sum https://github.com/pion/srtp/blob/master/go.sum

Not only that there are other vulnerabilities also like :

1. http/httpproxy/proxy.go
   useProxy(addr string)

2. proxy/per_host.go
   dialerForRequest(host string)
   AddFromString(s string)
   In above listed functions mathing of hosts against proxy pattern can improperly treat an IPv6zone ID as a hostname component. For example when the NO_PROXY environment variable set to "*.example.com", a request to "[::1%25.example.com]:80" will incorrectly match and not be proxied.

Functions listed above incorrectly parse IPv6 addresses with scope IDs. A developer unaware of this situation can create a security risk in cases where the NO-PROXY environment variable is used to bypass proxying.

[Sean-Der]

My mistake!

The issue I believe in pion/transport? So we need to create new tags in those repos.

[gssandhu143]

No, We are using pion/srtp and the issue is with golang/x/net. The version specified for /x/net at https://github.com/pion/srtp/blob/master/go.sum is vulnerable for above issues I have mentioned. So we want it should updated to Non vulnerable versions like v0.36.0 OR v0.37.0 OR v0.38.0

[gssandhu143]

@Sean-Der Sorry, yes issue is with the pion/transport we need to update the version tag.

Here are the Advisories for above mentioned issues:
GHSA-w32m-9786-jp63
GHSA-qxp5-gwg8-xv66

[gssandhu143]

@Sean-Der Please confirm if we are gonna fix this issue.

[JoTurk]

@gssandhu143 Is there any issue that directly affects Pion? we try to avoid upgrading x/net because we'll have to bump the go version to a very recent version 1.23!

[JoTurk]

I'm closing this issue because we've already addressed it on Slack. We had to revert the DTLS package upgrade (see pion/dtls#700 ) since we don't use any of the vulnerable functions

[gssandhu143]

@joeturki thank you for the confirmation. Let me check with my team, If we found any potential issue on pion then I will open the issue.