833156 – (CVE-2022-23772, CVE-2022-23773, CVE-2022-23806) <dev-lang/go-1.17.7: multiple vulnerabilities

Bug 833156 (CVE-2022-23772, CVE-2022-23773, CVE-2022-23806) - <dev-lang/go-1.17.7: multiple vulnerabilities

Summary: <dev-lang/go-1.17.7: multiple vulnerabilities

Status:	RESOLVED FIXED

Alias:	CVE-2022-23772, CVE-2022-23773, CVE-2022-23806

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:	https://groups.google.com/g/golang-an...
Whiteboard:	B3 [glsa+]
Keywords:

Depends on:	833200
Blocks:
	Show dependency tree

Reported:	2022-02-12 03:59 UTC by John Helmert III
Modified:	2022-08-04 14:14 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III archtester

2022-02-12 03:59:03 UTC

CVE-2022-23772:

Rat.SetString in math/big in Go before 1.16.14 and 1.17.x before 1.17.7 has an overflow that can lead to Uncontrolled Memory Consumption.

CVE-2022-23773:

cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch names that falsely appear to be version tags. This can lead to incorrect access control if an actor is supposed to be able to create branches but not tags.

CVE-2022-23806:

Curve.IsOnCurve in crypto/elliptic in Go before 1.16.14 and 1.17.x before 1.17.7 can incorrectly return true in situations with a big.Int value that is not a valid field element.

Please bump to Go 1.17.7.

Comment 1 John Helmert III archtester

2022-02-12 17:34:39 UTC

Please stabilize 1.17.7.

commit d0147235053078b6f9987a56239099c077282fbc
Author: William Hubbs <williamh@gentoo.org>
Date:   Fri Feb 11 10:08:11 2022 -0600

    dev-lang/go: 1.17.7 bump

    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: William Hubbs <williamh@gentoo.org>

Comment 2 John Helmert III archtester

2022-02-15 22:22:50 UTC

Please cleanup

Comment 3 Larry the Git Cow gentoo-dev

2022-08-04 14:02:18 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=3cb3a96a3023359a20f60ec1f45f10c1fc4012ca

commit 3cb3a96a3023359a20f60ec1f45f10c1fc4012ca
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-04 13:53:02 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-04 13:59:34 +0000

    [ GLSA 202208-02 ] Go: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/754210
    Bug: https://bugs.gentoo.org/766216
    Bug: https://bugs.gentoo.org/775326
    Bug: https://bugs.gentoo.org/788640
    Bug: https://bugs.gentoo.org/794784
    Bug: https://bugs.gentoo.org/802054
    Bug: https://bugs.gentoo.org/806659
    Bug: https://bugs.gentoo.org/807049
    Bug: https://bugs.gentoo.org/816912
    Bug: https://bugs.gentoo.org/821859
    Bug: https://bugs.gentoo.org/828655
    Bug: https://bugs.gentoo.org/833156
    Bug: https://bugs.gentoo.org/834635
    Bug: https://bugs.gentoo.org/838130
    Bug: https://bugs.gentoo.org/843644
    Bug: https://bugs.gentoo.org/849290
    Bug: https://bugs.gentoo.org/857822
    Bug: https://bugs.gentoo.org/862822
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202208-02.xml | 101 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 101 insertions(+)

Comment 4 John Helmert III archtester

2022-08-04 14:14:51 UTC

GLSA released, all done!