Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 807049 (CVE-2021-29923) - <dev-lang/go-1.17: octal IP address format confusion (CVE-2021-29923)
Summary: <dev-lang/go-1.17: octal IP address format confusion (CVE-2021-29923)
Status: RESOLVED FIXED
Alias: CVE-2021-29923
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL: https://github.com/golang/go/issues/3...
Whiteboard: B4 [glsa+]
Keywords:
Depends on: 808829 go-1.17
Blocks:
  Show dependency tree
 
Reported: 2021-08-07 22:36 UTC by John Helmert III
Modified: 2022-08-04 14:08 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-08-07 22:36:57 UTC
CVE-2021-29923:

Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation. This affects net.ParseIP and net.ParseCIDR.


Upstream apparently considers this unbackportable.
Comment 1 William Hubbs gentoo-dev 2021-08-17 01:13:04 UTC
I have added go 1.17 to the tree.

Please advise me wrt what to do with the older versions.

Thanks,

William
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-08-17 15:49:14 UTC
I guess we're blocked here until we can stabilize 1.17 and remove the older versions.
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-08-29 00:20:59 UTC
Please cleanup
Comment 4 Larry the Git Cow gentoo-dev 2021-09-01 18:52:45 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=401ffe8e0a86c7b59dc90945b16466e88add3d41

commit 401ffe8e0a86c7b59dc90945b16466e88add3d41
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2021-09-01 18:51:03 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2021-09-01 18:52:26 +0000

    dev-lang/go: drop 1.16.x
    
    Normally we keep the two most recent versions of Go in the tree, but
    that is not the case this time because upstream is not backporting the
    fix for this vulnerability.
    
    Bug: https://bugs.gentoo.org/807049
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 dev-lang/go/Manifest         |   1 -
 dev-lang/go/go-1.16.7.ebuild | 194 -------------------------------------------
 2 files changed, 195 deletions(-)
Comment 5 Larry the Git Cow gentoo-dev 2022-08-04 14:02:35 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=3cb3a96a3023359a20f60ec1f45f10c1fc4012ca

commit 3cb3a96a3023359a20f60ec1f45f10c1fc4012ca
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-04 13:53:02 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-04 13:59:34 +0000

    [ GLSA 202208-02 ] Go: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/754210
    Bug: https://bugs.gentoo.org/766216
    Bug: https://bugs.gentoo.org/775326
    Bug: https://bugs.gentoo.org/788640
    Bug: https://bugs.gentoo.org/794784
    Bug: https://bugs.gentoo.org/802054
    Bug: https://bugs.gentoo.org/806659
    Bug: https://bugs.gentoo.org/807049
    Bug: https://bugs.gentoo.org/816912
    Bug: https://bugs.gentoo.org/821859
    Bug: https://bugs.gentoo.org/828655
    Bug: https://bugs.gentoo.org/833156
    Bug: https://bugs.gentoo.org/834635
    Bug: https://bugs.gentoo.org/838130
    Bug: https://bugs.gentoo.org/843644
    Bug: https://bugs.gentoo.org/849290
    Bug: https://bugs.gentoo.org/857822
    Bug: https://bugs.gentoo.org/862822
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202208-02.xml | 101 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 101 insertions(+)
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-04 14:08:01 UTC
GLSA released, all done!