Rebuild for FIPS-mode memory leak in the Go toolchain

Toolbx doesn't seem to directly use any cryptography, but go.sum does
list golang.org/x/crypto, which indicates that it's present somewhere
in the dependency chain.

Looking inside the vendored sources, there doesn't seem to be any
actual use of golang.org/x/crypto but it's still listed in the go.sum
files of some of the packages.

Interestingly, github.com/godbus/dbus does use crypto/rand and
crypto/sha1, and the former is a cryptographically secure random number
generator [1], but note that these aren't part of golang.org/x/crypto.

Anyway, it's better and easier to just rebuild the package than trying
to decipher if Toolbx is affected by the FIPS-mode memory leak in the
Go toolchain that affects cryptographic code.

[1] https://pkg.go.dev/crypto/rand

Resolves: #2060769
Debarshi Ray 2022-03-23 22:52:26 +01:00
parent 2a480fd8da
commit b5a0d2a45c
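
The check the commit message describes (a module listed in go.sum versus packages actually imported by the sources) can be scripted. The following is an added example, not part of this commit or of Toolbx; the file paths, placeholder checksums and the helper names InGoSum and ImportersOf are constructed for illustration.

```go
package main

import (
	"fmt"
	"go/parser"
	"go/token"
	"sort"
	"strconv"
	"strings"
)

// Constructed sample inputs (not from the Toolbx tree); versions and hashes are placeholders.
const sampleGoSum = "golang.org/x/crypto v0.0.0 h1:PLACEHOLDER=\n" +
	"golang.org/x/crypto v0.0.0/go.mod h1:PLACEHOLDER=\n"

var sampleFiles = map[string]string{
	"vendor/example.org/bus/auth.go": "package bus\n\nimport (\n\t\"crypto/rand\"\n\t\"crypto/sha1\"\n)\n",
	"cmd/tool/main.go":               "package main\n\nimport \"fmt\"\n",
}

// InGoSum reports whether go.sum carries a checksum line for the module.
func InGoSum(goSum, module string) bool {
	return strings.HasPrefix(goSum, module+" ") || strings.Contains(goSum, "\n"+module+" ")
}

// ImportersOf returns sorted "file: import" pairs for imports at or below prefix.
func ImportersOf(files map[string]string, prefix string) ([]string, error) {
	var hits []string
	for name, src := range files {
		f, err := parser.ParseFile(token.NewFileSet(), name, src, parser.ImportsOnly)
		if err != nil {
			return nil, err
		}
		for _, imp := range f.Imports {
			path, _ := strconv.Unquote(imp.Path.Value)
			if path == prefix || strings.HasPrefix(path, prefix+"/") {
				hits = append(hits, name+": "+path)
			}
		}
	}
	sort.Strings(hits)
	return hits, nil
}

func main() {
	x, _ := ImportersOf(sampleFiles, "golang.org/x/crypto")
	std, _ := ImportersOf(sampleFiles, "crypto")
	fmt.Println(InGoSum(sampleGoSum, "golang.org/x/crypto"), len(x), std)
}
```

On the constructed input the module appears in go.sum with no importer, while the standard-library crypto packages do have one. An import only shows that the package is compiled in, not that the affected code path is reached.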


@ -11,7 +11,7 @@ Version: 0.0.99.3
%global goipath github.com/containers/%{name}
%gometa
Release: 2%{?dist}
Release: 3%{?dist}
Summary: Tool for containerized command line environments on Linux
License: ASL 2.0
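Review bot: the Release bump from 2 to 3 is the only functional change here, and nothing in this hunk ties the build to a Go toolchain that carries the fix for the FIPS-mode leak. A rebuild in a buildroot that still has the old compiler would produce 0.0.99.3-3 with the same behaviour. Consider a versioned BuildRequires on the fixed golang release, or confirm the buildroot's Go version before tagging the build.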
@ -124,6 +124,10 @@ install -m0644 %{SOURCE1} %{buildroot}%{_sysconfdir}/containers/%{name}.conf
%changelog
* Mon May 16 2022 Debarshi Ray <rishi@fedoraproject.org> - 0.0.99.3-3
- Rebuild for FIPS-mode memory leak in the Go toolchain
Resolves: #2060769
* Wed May 11 2022 Jindrich Novy <jnovy@redhat.com> - 0.0.99.3-2
- BuildRequires: /usr/bin/go-md2man
- Related: #2061316
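Review bot: in the new 0.0.99.3-3 changelog entry, the "Resolves: #2060769" line has no leading "- ", while the entry below it writes "- Related: #2061316"; if that is how the line reads in the spec, make it "- Resolves: #2060769" so the entries stay consistent. The entry is also dated Mon May 16 2022 while the commit is dated 2022-03-23, so it is worth confirming that the changelog date is the intended one.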